Light

nccgroup / windowsdaclenumproject Goto Github PK

View Code? Open in Web Editor NEW

105.0 17.0 45.0 399 KB

A collection of tools to enumerate and analyse Windows DACLs

License: GNU Affero General Public License v3.0

C++ 92.63% C 7.10% Batchfile 0.26%

windowsdaclenumproject's Introduction

Windows DACL Enum Project

A collection of tools to enumerate and analyse Windows DACLs

Released as open source by NCC Group Plc - http://www.nccgroup.com/

Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com

https://github.com/nccgroup/WindowsDACLEnumProject

Released under AGPL see LICENSE for more information

Overview of Windows DACLs and ACEs

Read - http://msdn.microsoft.com/en-us/library/windows/desktop/aa446597(v=vs.85).aspx

Tool #1: Process Perms

Features

The first tool released as part of this project. Will enumerate:

Processes and the integrity level and user they are running as.
Optionally: the DACLs associated with the process object.
Optionally: the threads for a process and the DACLs associated with them.
Optionally: The modules loaded by a process
Optionally: Exclude non mapped SIDs from the output

The tool will automatically flag any suspicious DACLs.

Command Line Options

The command line take the following options:

-p Process permissions
-m Modules
-t Threads and permissions
-o [PID]
-x exclude non mapped SIDs from alerts

Typical Usage

Typical usage will be with a command line such as: processperms -px

The tool is designed for Windows Vista / Server 2008 and higher due to integrity level awareness.

Screenshot

======= Designed for Windows Vista / Server 2008 and higher due to integrity level awareness.

Tool #2: Window Stations and Desktops

Features

The second tool released as part of this project. Will enumerate:

Window Stations within the session that it is executed and the associated DACL
Desktops within those Window Stations and the associated DACLs

Tool #3: Services

Features

The third tool released as part of this project. Will enumerate:

Services including kernel drivers, filter drivers and user land services.
DACLs associated with the service entries in the service control manager.
Service status, PID, binary path.
DACLs associated with with the binaries associated
Flag obviously weak DACLs

Tool #4: File System

Features

The fourth tool released as part of this project. Will enumerate:

Files and access control lists
Directories and access control lists
Alert on files or directories with access control which appear weak

Tool #5: Registry

Features

The fifth tool released as part of this project. Will enumerate:

Registry keys and access control lists
Alert on keys with access control which appear weak
-s parameter to exclude all but the most suspicious output (see -h).
-x paramater to only alert on suspicious output (see -h).

windowsdaclenumproject's People

Stargazers

Watchers

windowsdaclenumproject's Issues

Processes: Check permissions for every DLL loaded by process

Sherief's request to check the file system permissions for every DLL that is loaded by a process;

All: Low Integrity

Re-implement and add to all the utilities

WLAN Secureable Objects

http://msdn.microsoft.com/en-us/library/windows/desktop/ms707396(v=vs.85).aspx

Processes: Process and thread tokens

Need to add support for extracting these to ProcessPerms:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx

Idea will be to show at a granular level what primary and impersonation tokens different processes and thread have and their attributes.

VS 2013 - ServicePerms

Trying to build using VS 2013 I received the following error:

Error        1        error C2011: '_SERVICE_LAUNCH_PROTECTED_INFO' : 'struct' type redefinition C:\GitHub\WindowsDACLEnumProject\ServicePerms\ServicePerms\ServicePerms.cpp        20        1        ServicePerms

ServicePerms doesn't compile after conversion to VS2013 on x86 setting

Changing the charset to "Not Set" and adding the following line (thanks @OJ ):

#pragma comment(lib, "Wtsapi32.lib")

below the includes, and removing the lines:

typedef struct _SERVICE_LAUNCH_PROTECTED_INFO {
        DWORD  dwLaunchProtected;
        } SERVICE_LAUNCH_PROTECTED_INFO, *PSERVICE_LAUNCH_PROTECTED_INFO;

made it compile correctly.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.