{"id":13390823,"url":"https://github.com/fox-it/Invoke-ACLPwn","last_synced_at":"2025-03-13T15:32:12.250Z","repository":{"id":44454324,"uuid":"131131545","full_name":"fox-it/Invoke-ACLPwn","owner":"fox-it","description":null,"archived":false,"fork":false,"pushed_at":"2022-09-15T15:13:00.000Z","size":42,"stargazers_count":509,"open_issues_count":6,"forks_count":87,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-08-01T14:18:44.953Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fox-it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-26T09:21:27.000Z","updated_at":"2024-07-30T08:05:55.000Z","dependencies_parsed_at":"2023-01-18T09:01:09.936Z","dependency_job_id":null,"html_url":"https://github.com/fox-it/Invoke-ACLPwn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FInvoke-ACLPwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FInvoke-ACLPwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FInvoke-ACLPwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FInvoke-ACLPwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fox-it","download_url":"https://codeload.github.com/fox-it/Invoke-ACLPwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221380084,"owners_count":16809018,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T14:01:27.444Z","updated_at":"2024-10-25T03:30:44.460Z","avatar_url":"https://github.com/fox-it.png","language":"PowerShell","funding_links":[],"categories":["PowerShell"],"sub_categories":[],"readme":"# Invoke-ACLpwn\n\nInvoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in \nActive Directory that are unsafe configured. \n\nFor background information, read the release blog: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/\n\nInvoke-ACLpwn is designed to run with integrated credentials as well as \nwith specified network credentials. The script works by creating an export \nof all ACLs in the domain with SharpHound as well as the group membership of \nthe user account that the tool is running under. If the user does not already \nhave writeDACL permissions on the domain object, the tool will enumerate all \nACEs of the ACL of the domain. Every identity in an ACE has an ACL of its own, \nwhich is added to the enumeration queue. If the identity is a group and the \ngroup has members, every group member is added to the enumeration queue as well.\n\nIt may take some time to calculate and parse every ACL, but could end up with\na \"chain\" that leads to domain administrative privilges in the target domain.\n\n\n## Dependencies and installation\nNo installation is needed, however, in order to run Invoke-ACLpwn, a few\ndepedencies must be met:\n* `.NET 3.5` or later\n* `sharphound.exe`\n* If you want to run DCsync, you need `mimikatz.exe` as well.\n\n## Usage\n\nParameters:\n```\n    Required parameters:        \n        SharpHoundLocation: location of sharphound.exe    \n\n    Optional parameters:\n        Domain            : FQDN of the target domain\n        Username          : Username to authenticate with\n        Password          : Password to authenticate with\n        WhatIf            : Displays only the action the script intends to do. No exploitation.\n                            Access as well as potential access will increase if the user account is added\n                            to security groups, so the result of this switch may look incomplete.\n        NoSecCleanup      : By default, the user will be removed from the ACL and the groups that were added during runtime when the script is finished. \n                            Setting this switch will leave that in tact.\n        NoDCSync          : Will not run DCSync after all necessary steps have been taken\n        userAccountToPwn  : User account to retrieve NTLM hash of. Only single user accounts supported now. Defaults to krbtgt account.\n        logToFile         : Switch to write console output to file with the same name as script.\n        mimiKatzLocation  : location of mimikatz.exe\n```\n\nPlease note that specifying the mimikatz location is required unless the \n`-NoDCSync` switch is specified.\n\nExample usage:\n\n```Powershell\n    ./Invoke-ACL.ps1 -SharpHoundLocation .\\sharphound.exe -NoDCSync\n    ./Invoke-ACL.ps1 -SharpHoundLocation .\\sharphound.exe -mimiKatzLocation .\\mimikatz.exe\n    ./Invoke-ACL.ps1 -SharpHoundLocation .\\sharphound.exe -mimiKatzLocation .\\mimikatz.exe -userAccountToPwn 'Administrator'\n    ./Invoke-ACL.ps1 -SharpHoundLocation .\\sharphound.exe -mimiKatzLocation .\\mimikatz.exe -LogToFile\n    ./Invoke-ACL.ps1 -SharpHoundLocation .\\sharphound.exe -mimiKatzLocation .\\mimikatz.exe -NoSecCleanup\n    ./Invoke-ACL.ps1 -SharpHoundLocation .\\sharphound.exe -mimiKatzLocation .\\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'\n```\n\n## About restoring ACLs and groupmemberships\nIf the `-NoSecCleanup` switch is not specified, the script will remove any\npermission that was set by the script as well as group memberships. \n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2FInvoke-ACLPwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffox-it%2FInvoke-ACLPwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2FInvoke-ACLPwn/lists"}