{"id":5560,"date":"2021-07-07T00:16:57","date_gmt":"2021-07-06T16:16:57","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=5560"},"modified":"2021-07-07T00:17:16","modified_gmt":"2021-07-06T16:17:16","slug":"aclpwn-py-exploit-acl-based-privilege-escalation-paths-in-active-directory","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2021\/07\/aclpwn-py-exploit-acl-based-privilege-escalation-paths-in-active-directory\/","title":{"rendered":"Aclpwn.Py &#8211; Exploit ACL Based Privilege Escalation Paths in Active Directory"},"content":{"rendered":"<p>Aclpwn.py is a tool that interacts with <a href=\"https:\/\/www.darknet.org.uk\/2019\/06\/bloodhound-hacking-active-directory-trust-relationships\/\">BloodHound<\/a> to identify and exploit ACL based privilege escalation paths.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/07\/Aclpwn.Py-Exploit-ACL-Based-Privilege-Escalation-Paths-in-Active-Directory.png\" alt=\"Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory\" width=\"640\" height=\"346\" class=\"aligncenter size-full wp-image-5562\" \/><\/p>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>It takes a starting and ending point and will use Neo4j pathfinding algorithms to find the most efficient ACL based privilege escalation path. <\/p>\n<h2>Features of Aclpwn.Py Exploit ACL Based Privilege Escalation Paths in Active Directory<\/h2>\n<p>Aclpwn.Py currently has the following features:<\/p>\n<ul>\n<li>Direct integration with BloodHound and the Neo4j graph database (fast pathfinding)<\/li>\n<li>Supports any reversible ACL based attack chain (no support for resetting user passwords right now)<\/li>\n<li>Advanced pathfinding (Dijkstra) to find the most efficient paths<\/li>\n<li>Support for exploitation with NTLM hashes (pass-the-hash)<\/li>\n<li>Saves restore state, easy rollback of changes<\/li>\n<li>Can be run via a SOCKS tunnel<\/li>\n<li>Written in Python (2.7 and 3.5+), so OS independent<\/li>\n<\/ul>\n<h3>Installation of Aclpwn.py ACL Based Privilege Escalation<\/h3>\n<p>Aclpwn.py is compatible with both Python 2.7 and 3.5+. It requires the <code>neo4j-driver<\/code>, <code>impacket<\/code> and <code>ldap3<\/code> libraries. You can install aclpwn.py via pip: <code>pip install aclpwn<\/code>. For Python 3, you will need the <code>python36<\/code> branch of impacket since the master branch (and versions published on PyPI) are Python 2 only at this point.<\/p>\n<p>This tool does not exploit any vulnerabilities, but relies on misconfigured (often because of delegated privileges) or insecure default ACLs. To solve these issues, it is important to identify potentially dangerous ACLs in your Active Directory environment with BloodHound. For detection, Windows Event Logs can be used.<\/p>\n<p>You can download Aclpwn.py here:<\/p>\n<p><a href=\"https:\/\/github.com\/fox-it\/aclpwn.py\/archive\/refs\/heads\/master.zip\">aclpwn.py-master.zip<\/a><\/p>\n<p>Or read more here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths. It takes a starting and ending point and will use Neo4j pathfinding algorithms to find the most efficient ACL based privilege escalation path. Features of Aclpwn.Py Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py currently has [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":5562,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory","_seopress_titles_desc":"Aclpwn.py is a tool that interacts with BloodHound&lt; to identify and exploit ACL based privilege escalation paths.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[9],"tags":[],"featured_image_src":"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/07\/Aclpwn.Py-Exploit-ACL-Based-Privilege-Escalation-Paths-in-Active-Directory.png","featured_image_src_square":"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/07\/Aclpwn.Py-Exploit-ACL-Based-Privilege-Escalation-Paths-in-Active-Directory.png","author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/5560"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=5560"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/5560\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media\/5562"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=5560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=5560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=5560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}