Comments (4)
Thanks, it worked for me too
from adaudit.
Update AdAudit.ps1 #20
from adaudit.
Can be closed as per #20
from adaudit.
I am having a similar issue with Find-DangerousACLPermissions on Server 2012 R2.
Modifying the function to use the old syntax no longer produces an error but I'm not able to confirm whether it's working properly at this time.
$acl = (Get-Acl AD:$computer).Access
(using $object.DistinguishedName) produces a type error.
# Write-Both, Write-Nessus-Finding and $outputdir are defined elsewhere in AdAudit.ps1.
#Specify the ACLs and Groups to check against
# Note: -in compares the string form of the ActiveDirectoryRights flags, so an ACE that combines
# rights (e.g. "WriteDacl, WriteOwner") is not matched, and 'ForceChangePassword' is not an
# ActiveDirectoryRights value at all (it is an ExtendedRight identified by its ObjectType GUID).
$dangerousAces = @('GenericAll', 'GenericWrite', 'ForceChangePassword', 'WriteDacl', 'WriteOwner', 'Delete')
# 'DOMAIN' is a placeholder: substitute the NetBIOS name of the audited domain or that entry never matches.
$groupsToCheck = @('NT AUTHORITY\Authenticated Users', 'DOMAIN\Domain Users', 'Everyone')

# Find dangerous permissions on Computers
# @() so that .IndexOf() and .Count work even when a single object comes back
$computers = @(Get-ADObject -Filter { objectClass -eq 'computer' -and objectCategory -eq 'computer' } -Properties *)
$computerResults = foreach ($computer in $computers) {
    try {
        # Original path syntax, which errors on Server 2012 R2:
        #$acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($computer.DistinguishedName)"
        # $computer expands to its DistinguishedName. Keep the whole ActiveDirectorySecurity object here;
        # taking .Access twice (once here and once below) yields nothing and the check silently passes.
        $acl = Get-Acl -Path "AD:$computer"
    }
    catch {
        Write-Warning "Could not retrieve ACL for computer '$computer': $_"
        continue
    }
    $dangerousRules = $acl.Access | Where-Object { $_.ActiveDirectoryRights -in $dangerousAces -and $_.IdentityReference -in $groupsToCheck }
    if ($dangerousRules) {
        foreach ($rule in $dangerousRules) {
            [PSCustomObject]@{
                ObjectType            = 'Computer'
                ObjectName            = $computer
                IdentityReference     = $rule.IdentityReference
                AccessControlType     = $rule.AccessControlType
                ActiveDirectoryRights = $rule.ActiveDirectoryRights
            }
        }
    }
    Write-Progress -Activity "Searching for dangerous ACL permissions on computers" -Status "Computers searched: $($computers.IndexOf($computer) + 1)/$($computers.Count)" -PercentComplete (($computers.IndexOf($computer) + 1) / $computers.Count * 100)
}

# Find dangerous permissions on groups
$groups = @(Get-ADObject -Filter { objectClass -eq 'group' -and objectCategory -eq 'group' } -Properties *)
$groupResults = foreach ($group in $groups) {
    try {
        #$acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($group.DistinguishedName)"
        $acl = Get-Acl -Path "AD:$group"
    }
    catch {
        Write-Warning "Could not retrieve ACL for group '$group': $_"
        continue
    }
    $dangerousRules = $acl.Access | Where-Object { $_.ActiveDirectoryRights -in $dangerousAces -and $_.IdentityReference -in $groupsToCheck }
    if ($dangerousRules) {
        foreach ($rule in $dangerousRules) {
            [PSCustomObject]@{
                ObjectType            = 'Group'
                ObjectName            = $group
                IdentityReference     = $rule.IdentityReference
                AccessControlType     = $rule.AccessControlType
                ActiveDirectoryRights = $rule.ActiveDirectoryRights
            }
        }
    }
    Write-Progress -Activity "Searching for dangerous ACL permissions on groups" -Status "Groups searched: $($groups.IndexOf($group) + 1)/$($groups.Count)" -PercentComplete (($groups.IndexOf($group) + 1) / $groups.Count * 100)
}

# Find dangerous permissions on users
$users = @(Get-ADObject -Filter { objectClass -eq 'user' -and objectCategory -eq 'person' } -Properties *)
$userResults = foreach ($user in $users) {
    try {
        #$acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($user.DistinguishedName)"
        $acl = Get-Acl -Path "AD:$user"
    }
    catch {
        Write-Warning "Could not retrieve ACL for user '$user': $_"
        continue
    }
    $dangerousRules = $acl.Access | Where-Object { $_.ActiveDirectoryRights -in $dangerousAces -and $_.IdentityReference -in $groupsToCheck }
    if ($dangerousRules) {
        foreach ($rule in $dangerousRules) {
            [PSCustomObject]@{
                ObjectType            = 'User'
                ObjectName            = $user
                IdentityReference     = $rule.IdentityReference
                AccessControlType     = $rule.AccessControlType
                ActiveDirectoryRights = $rule.ActiveDirectoryRights
            }
        }
    }
    Write-Progress -Activity "Searching for dangerous ACL permissions on users" -Status "Users searched: $($users.IndexOf($user) + 1)/$($users.Count)" -PercentComplete (($users.IndexOf($user) + 1) / $users.Count * 100)
}

# Output results
if ($computerResults) {
    $computerResults | ConvertTo-Html -Property @{ Label = "Type"; Expression = { "Computer" } }, @{ Label = "Computer Name"; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
    $computerResults | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType, ActiveDirectoryRights | Out-File $outputdir\dangerousACL_Computer.txt -Encoding UTF8
    Write-Both " [!] Issue identified, vulnerable ACL on Computer, see $outputdir\dangerousACL_Computer.txt"
    Write-Nessus-Finding "Weak Computer Permissions" "KB551" ([System.IO.File]::ReadAllText("$outputdir\dangerousACL_Computer.txt"))
}
else {
    Write-Host " [+] No dangerous ACL permissions were found on any computer."
}
if ($groupResults) {
    $groupResults | ConvertTo-Html -Property @{ Label = "Type"; Expression = { "Group" } }, @{ Label = "Group Name"; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
    $groupResults | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType, ActiveDirectoryRights | Out-File $outputdir\dangerousACL_Groups.txt -Encoding UTF8
    Write-Both " [!] Issue identified, vulnerable ACL on Group, see $outputdir\dangerousACL_Groups.txt"
    Write-Nessus-Finding "Weak Group Permissions" "KB551" ([System.IO.File]::ReadAllText("$outputdir\dangerousACL_Groups.txt"))
}
else {
    Write-Host " [+] No dangerous ACL permissions were found on any group."
}
if ($userResults) {
    $userResults | ConvertTo-Html -Property @{ Label = "Type"; Expression = { "User" } }, @{ Label = "User"; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
    $userResults | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType, ActiveDirectoryRights | Out-File $outputdir\dangerousACLUsers.txt -Encoding UTF8
    Write-Both " [!] Issue identified, vulnerable ACL on User, see $outputdir\dangerousACLUsers.txt"
    Write-Nessus-Finding "Weak User Permissions" "KB551" ([System.IO.File]::ReadAllText("$outputdir\dangerousACLUsers.txt"))
}
else {
    Write-Host " [+] No dangerous ACL permissions were found on any user."
}
Edit for clarity
from adaudit.
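The function posted above compares each ACE's ActiveDirectoryRights against a list of strings, which misses ACEs that combine several rights ("WriteDacl, WriteOwner" is one string) and can never match ForceChangePassword, because that right is an ExtendedRight identified by a GUID rather than a rights bit; 'DOMAIN\Domain Users' is also a literal placeholder. The PowerShell below is an added example, not AdAudit's code and not the commenter's: it classifies ACEs bitwise, honours the ObjectType GUID so attribute-scoped writes are not over-reported, and resolves the real NetBIOS domain name. The classification part runs offline on constructed in-memory ACEs on any Windows host; only the Find-DangerousAcl wrapper assumes a domain-joined host with the ActiveDirectory module. 'CORP' and the attribute GUID 11111111-... are made up; the User-Force-Change-Password GUID is the real schema value.

```powershell
# Added example, not code from AdAudit or from the comment above. Classifies AD ACEs bitwise and
# honours ObjectType, so combined rights and the ForceChangePassword extended right are caught
# while attribute-scoped writes are not. Runs offline on in-memory ACEs; only Find-DangerousAcl
# at the bottom needs a domain-joined host with the ActiveDirectory module.
Add-Type -AssemblyName System.DirectoryServices

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
# Standard rights that hand over the object whatever the ObjectType GUID says.
$ObjectControlRights = $Rights::WriteDacl -bor $Rights::WriteOwner -bor $Rights::Delete
# User-Force-Change-Password is an extended right, not an ActiveDirectoryRights bit. This is its
# schema-defined rightsGuid and is the same in every forest.
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-DangerousAceReason {
    # Returns a short reason when $Ace grants a low-privilege principal control of the object, else $null.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace,
        [Parameter(Mandatory)][string[]]$LowPrivilegePrincipals
    )
    # Deny ACEs take rights away; only Allow ACEs are findings.
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $null }
    # -notcontains is case-insensitive; unresolved SIDs arrive as S-1-... strings and simply do not match.
    if ($LowPrivilegePrincipals -notcontains $Ace.IdentityReference.Value) { return $null }

    $rights   = $Ace.ActiveDirectoryRights
    $unscoped = $Ace.ObjectType -eq [guid]::Empty   # empty GUID = every attribute / every extended right

    # GenericAll is a mask covering every bit, so test for the whole mask rather than any overlap.
    if (($rights -band $Rights::GenericAll) -eq $Rights::GenericAll) { return 'GenericAll' }
    $control = $rights -band $ObjectControlRights
    if ([int]$control -ne 0) { return "$control" }          # e.g. 'WriteDacl, WriteOwner'
    # WriteProperty is the write half of GenericWrite; scoped to one attribute it is not full control.
    if ([int]($rights -band $Rights::WriteProperty) -ne 0 -and $unscoped) { return 'GenericWrite (all attributes)' }
    if ([int]($rights -band $Rights::ExtendedRight) -ne 0) {
        if ($unscoped) { return 'All extended rights' }
        if ($Ace.ObjectType -eq $ForceChangePasswordGuid) { return 'ForceChangePassword' }
    }
    return $null
}

# Constructed sample ACEs (no directory needed). 'CORP' is a made-up NetBIOS domain name and the
# attribute GUID is made up too; the ForceChangePassword GUID above is the real one.
$lowPriv   = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'CORP\Domain Users')
$authUsers = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\Authenticated Users')
$admins    = New-Object System.Security.Principal.NTAccount('CORP\Domain Admins')
$samples = @(
    # combined rights: a string compare against 'WriteDacl' would miss this
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($authUsers, ($Rights::WriteDacl -bor $Rights::WriteOwner), 'Allow')
    # write scoped to a single attribute: not full control
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($authUsers, $Rights::WriteProperty, 'Allow', [guid]'11111111-1111-1111-1111-111111111111')
    # the extended right that lets the grantee reset the password without knowing it
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($authUsers, $Rights::ExtendedRight, 'Allow', $ForceChangePasswordGuid)
    # full control, but held by a privileged group, so expected
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($admins, $Rights::GenericAll, 'Allow')
)
foreach ($ace in $samples) {
    $reason = Get-DangerousAceReason -Ace $ace -LowPrivilegePrincipals $lowPriv
    $status = if ($reason) { "DANGEROUS: $reason" } else { 'ok' }
    '{0,-36} {1,-24} {2}' -f $ace.IdentityReference.Value, "$($ace.ActiveDirectoryRights)", $status
}

function Find-DangerousAcl {
    # Live scan over users, groups and computers. Needs the ActiveDirectory module on a domain-joined host.
    param([string[]]$LowPrivilegePrincipals)
    Import-Module ActiveDirectory -ErrorAction Stop
    if (-not $LowPrivilegePrincipals) {
        $nb = (Get-ADDomain).NetBIOSName   # the real NetBIOS name instead of a 'DOMAIN\' placeholder
        $LowPrivilegePrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', "$nb\Domain Users")
    }
    # Pulling nTSecurityDescriptor with the object avoids a second Get-Acl round trip per object.
    $objects = Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group)(objectCategory=computer))' -Properties nTSecurityDescriptor
    foreach ($obj in $objects) {
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            $reason = Get-DangerousAceReason -Ace $ace -LowPrivilegePrincipals $LowPrivilegePrincipals
            if ($reason) {
                [PSCustomObject]@{ Object = $obj.DistinguishedName; Class = $obj.ObjectClass; Principal = $ace.IdentityReference.Value; Reason = $reason; Inherited = $ace.IsInherited }
            }
        }
    }
}
# Usage on a domain-joined host: Find-DangerousAcl | Format-Table -AutoSize
```

Of the four constructed ACEs, the combined WriteDacl/WriteOwner grant and the ForceChangePassword extended right are reported, while the attribute-scoped WriteProperty and the Domain Admins GenericAll are not. Inherited ACEs are flagged too (the Inherited column tells you whether to fix the object or the OU above it), and the same low-privilege list should be widened with any large custom group that every account ends up in.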