Add get_writable Module #1229
Conversation
Enumerates all AD objects on which the current user has write permissions by querying DC-computed operational attributes: - allowedAttributesEffective: writable attributes on the object (WRITE) - allowedChildClassesEffective: creatable child object classes (CREATE_CHILD) - sDRightsEffective: bitmask for Security Descriptor rights (OWNER, DACL, SACL) The DC evaluates ACLs server-side for the authenticated caller, so no client-side ACL parsing is needed. A single LDAP search over all objects is sufficient to surface writable targets. Inspired by bloodyAD get writable.
…r non-detail count - Move sDRightsEffective into its own block separate from WRITE - Add SD to options docstring and validation - Store full attribute lists in all modes (count shown in non-detail via '(N attrs)') - Merge OWNER/DACL/SACL into simple_rights to avoid duplicate 'Permission :' in detail mode
Goultarde
requested review from
Marshall-Hallenbeck,
NeffIsBack,
mpgn and
zblurx
as code owners
|
Hey and thanks for the PR! This definitely looks cool, but I think at least some of it is already covered by #1176. We should probably integrate all of these ACE enumeration techniques into one module. |
|
Thanks for the feedback! I did look at #1176 before submitting and I thought the approaches were fundamentally different. acl_abuse parses nTSecurityDescriptor client-side and looks for known attack patterns (WriteDACL, GenericAll, ForceChangePassword, DCSync...). get_writable uses AD operational attributes where the DC itself computes the effective rights, with no client-side ACL parsing at all. It also surfaces every writable attribute, not just known abuse paths, which can reveal non-obvious attack vectors. I see them as complementary rather than redundant - acl_abuse gives you specific exploitable ACE chains from a target principal, while get_writable tells you everything the current user can actually write across the domain. Happy to discuss if merging them into a single module makes more sense for the project ! |
2 participants
Description
Adds a new LDAP module
get_writablethat enumerates AD objects on which the current userhas write permissions, using DC-computed operational attributes:
allowedAttributesEffective- attributes the user can writeallowedChildClassesEffective- child object classes the user can createsDRightsEffective- security descriptor rights (OWNER, DACL, SACL)No client-side ACL parsing needed - the DC computes the effective rights directly.
Inspired by bloodyAD
get writable.Options:
OTYPE- filter by object type: all, user, computer, group, ou, gpo, domain (default: all)RIGHT- filter by right: ALL, WRITE, CHILD, SD (default: ALL)DETAIL- show attribute/class names instead of counts (default: False)This PR was created with the assistance of AI (Claude code, used for code
structure, output formatting, and bitmask correctness review).
Type of change
Setup guide for the review
Screenshots (if appropriate):
Default mode (low-priv user, all objects):
Detail mode (admin, OTYPE=domain DETAIL=true):
Default mode (admin, OTYPE=user):
References
get writable: https://github.com/CravateRouge/bloodyADallowedAttributesEffective: https://learn.microsoft.com/en-us/windows/win32/adschema/a-allowedattributeseffectiveallowedChildClassesEffective: https://learn.microsoft.com/en-us/windows/win32/adschema/a-allowedChildClassesEffectivesDRightsEffective: https://learn.microsoft.com/en-us/windows/win32/adschema/a-sDRightsEffectiveChecklist:
poetry run ruff check ., use--fixto automatically fix what it can)tests/e2e_commands.txtfile if necessary (new modules or features are required to be added to the e2e tests)