A Python tool to parse and describe the contents of a raw ntSecurityDescriptor structure.

- Reads the source value from a file containing a raw ntSecurityDescriptor structure, in raw bytes, hex string or base64 string format.
- Reads the source value directly from LDAP.
- Outputs a human readable summary of accesses with `--summary`.
- Parsing of Access Control Entries (ACE) of various types:
  - ACE type `ACCESS_ALLOWED_ACE`
  - ACE type `ACCESS_ALLOWED_OBJECT_ACE`
  - ACE type `ACCESS_DENIED_ACE`
  - ACE type `ACCESS_DENIED_OBJECT_ACE`
  - ACE type `ACCESS_ALLOWED_CALLBACK_ACE`
  - ACE type `ACCESS_DENIED_CALLBACK_ACE`
  - ACE type `ACCESS_ALLOWED_CALLBACK_OBJECT_ACE`
  - ACE type `ACCESS_DENIED_CALLBACK_OBJECT_ACE`
  - ACE type `SYSTEM_AUDIT_ACE`
  - ACE type `SYSTEM_AUDIT_OBJECT_ACE`
  - ACE type `SYSTEM_AUDIT_CALLBACK_ACE`
  - ACE type `SYSTEM_MANDATORY_LABEL_ACE`
  - ACE type `SYSTEM_AUDIT_CALLBACK_OBJECT_ACE`
  - ACE type `SYSTEM_RESOURCE_ATTRIBUTE_ACE`
  - ACE type `SYSTEM_SCOPED_POLICY_ID_ACE`
- Parsing of SIDs:
  - Connects to LDAP to resolve the sAMAccountName of SIDs that are not well known
  - Resolves the names of well known SIDs
- Parsing of Access Control Lists (ACL):
  - Prints whether the ACL is in canonical form
Here is an example of parsing the ntSecurityDescriptor contained in the file `example_value.txt`. This file contains a raw ntSecurityDescriptor structure as a hex string:

```
0100148cc4090000e0090000140000008c0000000400780002000000075a38002000000003000000be3b0ef3f09fd111b6030000f80367c1a57a96bfe60dd011a28500aa003049e2010100000000000100000000075a380020000000030000
...
02000000000005200000002a02000000121800bd010f0001020000000000052000000020020000010500000000000515000000a3cd06bf0e0fe808c335b8e600020000010500000000000515000000a3cd06bf0e0fe808c335b8e600020000
```
Using `DescribeNTSecurityDescriptor.py`, we can open the file and parse its content precisely:

```bash
./DescribeNTSecurityDescriptor.py -v ./example_value.txt
```
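To show what the tool has to do with such a value, here is an added, stand-alone example of the parsing steps listed above (it is not code from DescribeNTSecurityDescriptor.py): detect whether the input is a hex string, a base64 string or raw bytes, walk the self-relative `SECURITY_DESCRIPTOR` header to the owner, group, SACL and DACL, decode each ACE (including the object-type GUIDs of `*_OBJECT_ACE` entries) and its SID, and check whether the DACL is in canonical order. The sample descriptor is constructed inline with a made-up domain SID; the only piece taken from the page is the object-type GUID of the first SACL ACE in the hex string above (`f30e3bbe-9ff0-11d1-b603-0000f80367c1`, the gPLink attribute) and the 24-byte `ACCESS_ALLOWED_ACE` for Administrators near its end, which can be fed to `parse_ace` directly. Structure layouts follow MS-DTYP.

```python
import base64
import binascii
import struct
import uuid

# SECURITY_DESCRIPTOR_CONTROL bits and ACE_HEADER.AceType values (MS-DTYP 2.4.6 and 2.4.4.1)
SD_CONTROL = {0x1: "SE_OWNER_DEFAULTED", 0x2: "SE_GROUP_DEFAULTED", 0x4: "SE_DACL_PRESENT", 0x8: "SE_DACL_DEFAULTED",
              0x10: "SE_SACL_PRESENT", 0x20: "SE_SACL_DEFAULTED", 0x100: "SE_DACL_AUTO_INHERIT_REQ",
              0x200: "SE_SACL_AUTO_INHERIT_REQ", 0x400: "SE_DACL_AUTO_INHERITED", 0x800: "SE_SACL_AUTO_INHERITED",
              0x1000: "SE_DACL_PROTECTED", 0x2000: "SE_SACL_PROTECTED", 0x4000: "SE_RM_CONTROL_VALID",
              0x8000: "SE_SELF_RELATIVE"}
ACE_TYPES = {0x00: "ACCESS_ALLOWED_ACE", 0x01: "ACCESS_DENIED_ACE", 0x02: "SYSTEM_AUDIT_ACE",
             0x05: "ACCESS_ALLOWED_OBJECT_ACE", 0x06: "ACCESS_DENIED_OBJECT_ACE", 0x07: "SYSTEM_AUDIT_OBJECT_ACE",
             0x09: "ACCESS_ALLOWED_CALLBACK_ACE", 0x0A: "ACCESS_DENIED_CALLBACK_ACE",
             0x0B: "ACCESS_ALLOWED_CALLBACK_OBJECT_ACE", 0x0C: "ACCESS_DENIED_CALLBACK_OBJECT_ACE",
             0x0D: "SYSTEM_AUDIT_CALLBACK_ACE", 0x0F: "SYSTEM_AUDIT_CALLBACK_OBJECT_ACE",
             0x11: "SYSTEM_MANDATORY_LABEL_ACE", 0x12: "SYSTEM_RESOURCE_ATTRIBUTE_ACE", 0x13: "SYSTEM_SCOPED_POLICY_ID_ACE"}
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x0B, 0x0C, 0x0F}  # these carry Flags plus optional GUIDs after the mask

def load_value(data):
    # Try the tool's text encodings first (hex string, then base64); fall back to raw bytes.
    for decode in (binascii.unhexlify, lambda t: base64.b64decode(t, validate=True)):
        try:
            decoded = decode(data.strip())
        except (binascii.Error, ValueError):
            continue
        if decoded[:1] == b"\x01":  # SECURITY_DESCRIPTOR.Revision is always 1
            return decoded
    return data

def parse_sid(buf, off):
    # Returns (string form, byte length) of the SID structure at buf[off:]
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_ace(buf, off):
    ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
    ace = {"type": ACE_TYPES.get(ace_type, "UNKNOWN_0x%02X" % ace_type), "flags": ace_flags, "size": ace_size, "mask": mask}
    pos = off + 8
    if ace_type in OBJECT_ACE_TYPES:
        obj_flags = struct.unpack_from("<I", buf, pos)[0]
        pos += 4
        for bit, key in ((0x1, "object_type"), (0x2, "inherited_object_type")):  # ACE_*OBJECT_TYPE_PRESENT
            if obj_flags & bit:
                ace[key] = str(uuid.UUID(bytes_le=buf[pos:pos + 16]))
                pos += 16
    ace["sid"], _ = parse_sid(buf, pos)  # callback ACEs append opaque data after the SID; AceSize skips it
    return ace

def is_canonical(aces):
    # Canonical DACL order: explicit deny, then explicit allow, then inherited ACEs (0x10 = INHERITED_ACE)
    ranks = [2 if a["flags"] & 0x10 else (0 if "DENIED" in a["type"] else 1) for a in aces]
    return all(x <= y for x, y in zip(ranks, ranks[1:]))

def parse_acl(buf, off):
    revision, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        aces.append(parse_ace(buf, pos))
        pos += aces[-1]["size"]
    return {"revision": revision, "size": acl_size, "aces": aces, "canonical": is_canonical(aces)}

def parse_security_descriptor(buf):
    rev, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:
        raise ValueError("expected a self-relative SECURITY_DESCRIPTOR with Revision 1")
    return {
        "control": [name for bit, name in SD_CONTROL.items() if control & bit],
        "owner": parse_sid(buf, off_owner)[0] if off_owner else None,
        "group": parse_sid(buf, off_group)[0] if off_group else None,
        "sacl": parse_acl(buf, off_sacl) if control & 0x0010 and off_sacl else None,
        "dacl": parse_acl(buf, off_dacl) if control & 0x0004 and off_dacl else None,
    }

# Constructed sample input below: a made-up domain SID, not data from a real directory.
def _sid(s):
    p = [int(x) for x in s.split("-")[1:]]
    return struct.pack("<BB", p[0], len(p) - 2) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])

def _ace(ace_type, flags, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACE_TYPES:  # Flags = ACE_OBJECT_TYPE_PRESENT, then the ObjectType GUID
        body += struct.pack("<I", 1) + uuid.UUID(object_type).bytes_le
    body += _sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

GPLINK_GUID = "f30e3bbe-9ff0-11d1-b603-0000f80367c1"  # ObjectType GUID of the first SACL ACE in the hex string above
SAMPLE_ACES = [
    _ace(0x01, 0x00, 0x00010000, "S-1-1-0"),  # explicit deny DELETE to Everyone
    _ace(0x00, 0x00, 0x000F01FF, "S-1-5-32-544"),  # explicit allow full control to Administrators
    _ace(0x05, 0x00, 0x00000020, "S-1-5-21-1111-2222-3333-1105", GPLINK_GUID),  # WRITE_PROP on one attribute
    _ace(0x00, 0x10, 0x00020094, "S-1-5-11"),  # inherited read access for Authenticated Users
]

def build_sample_descriptor(aces=SAMPLE_ACES):
    owner = _sid("S-1-5-21-1111-2222-3333-512")  # used for both Owner and Group
    dacl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)  # ACL_REVISION_DS
    off_owner, off_group = 20, 20 + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | 0x0004, off_owner, off_group, 0, off_group + len(owner))
    return header + owner + owner + dacl
```

`parse_security_descriptor(load_value(open("example_value.txt", "rb").read()))` is the whole pipeline for a file input. Two caveats a practitioner should keep in mind: the canonical-order check here is the coarse one (explicit deny, explicit allow, inherited) and does not rank inherited ACEs by inheritance depth, and SIDs are only rendered in `S-1-...` form; resolving them to names is the LDAP lookup the tool performs separately.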
All options of the tool:

```
$ ./DescribeNTSecurityDescriptor.py -h
DescribeNTSecurityDescriptor.py v1.2 - by Podalirius

usage: DescribeNTSecurityDescriptor.py [-h] [-V] [-v VALUE | -D DISTINGUISHEDNAME] [--use-ldaps] [--summary] [--describe] [--dc-ip ip address] [--kdcHost FQDN KDC] [-d DOMAIN] [-u USER]
                                       [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]

Parse and describe the contents of a raw ntSecurityDescriptor structure

options:
  -h, --help            show this help message and exit
  -V, --verbose         Verbose mode. (default: False)
  -v VALUE, --value VALUE
                        The value to be described by the NTSecurityDescriptor
  -D DISTINGUISHEDNAME, --distinguishedName DISTINGUISHEDNAME
                        The distinguishedName of the object to be described by the NTSecurityDescriptor
  --use-ldaps           Use LDAPS instead of LDAP
  --summary             Generate a human readable summary of the rights.
  --describe            Describe the raw structure.

authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
  --kdcHost FQDN KDC    FQDN of KDC for Kerberos.
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with
  --no-pass             don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
                        specified in the command line
```
To read the ntSecurityDescriptor of an object directly from LDAP instead of a file, pass its distinguishedName with `-D` together with domain credentials:

```bash
./DescribeNTSecurityDescriptor.py -u Administrator -p 'Admin123!' -d LAB --dc-ip 10.0.0.101 -D "CN=user user,CN=Users,DC=LAB,DC=local" --describe
```
Pull requests are welcome. Feel free to open an issue if you want to add other features.