{"id":1341,"date":"2025-02-08T06:42:34","date_gmt":"2025-02-08T06:42:34","guid":{"rendered":"https:\/\/hackmybox.com\/?p=1341"},"modified":"2025-09-08T16:26:22","modified_gmt":"2025-09-08T16:26:22","slug":"acl-enumeration-using-powerview-bloodhound","status":"publish","type":"post","link":"https:\/\/hackmybox.com\/index.php\/2025\/02\/08\/acl-enumeration-using-powerview-bloodhound\/","title":{"rendered":"ACL Enumeration Using Powerview &amp; Bloodhound"},"content":{"rendered":"<div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-f3cc3cae\" data-vce-do-apply=\"all el-f3cc3cae\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-0a0d78c7\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-0a0d78c7\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-0a0d78c7\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-2e97d726\" data-vce-do-apply=\"all el-2e97d726\"><p style=\"text-align: center;\"><span style=\"color: #00ff00; font-size: 16pt;\">(Insights From HTB Academy)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-11024821\" data-vce-do-apply=\"all el-11024821\"><p><span style=\"color: #00ff00;\">What is ACL Enumeration?<\/span><\/p><p>ACL (Access Control List): A list of permissions attached to an object (like a user, group, or computer) in Active Directory.<\/p><p>Enumeration: The process of listing out these permissions to find potential weaknesses or misconfigurations that can be exploited.<\/p><p><span style=\"color: #00ff00;\">Why is ACL Enumeration Important?<\/span><\/p><p>It helps attackers (or defenders) identify&nbsp;who has access to what&nbsp;in a network.<\/p><p>Misconfigured ACLs can allow attackers to escalate privileges, move laterally, or gain control over critical systems.<\/p><p style=\"text-align: center;\"><span style=\"color: #00ff00; font-size: 14pt;\">Tools<\/span><\/p><ul><li><span style=\"color: #00ff00;\">PowerView:<\/span> A PowerShell tool for querying Active Directory. &nbsp; &nbsp;<a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Recon\/PowerView.ps1\">https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Recon\/PowerView.ps1<\/a><\/li><\/ul><p>&nbsp;<\/p><ul><li><span style=\"color: #00ff00;\">BloodHound:<\/span> A graphical tool that maps out relationships and permissions in AD, making it easier to find attack paths<\/li><\/ul><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-3c7163ec\" data-vce-do-apply=\"all el-3c7163ec\"><p style=\"text-align: center;\"><span style=\"color: #00ff00; font-size: 14pt;\">Key Steps in ACL Enumeration<\/span><\/p><p>&nbsp;<\/p><p><span style=\"color: #00ff00;\">1.Find Interesting ACLs:<\/span><\/p><p><br>Use PowerView's Find-InterestingDomainAcl to list all ACLs in the domain.<\/p><p>This can return a lot of data, so it\u2019s better to focus on specific users or groups.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-f7e0bcb6\" data-vce-do-apply=\"all el-f7e0bcb6\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 850px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 78.2353%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"850\" height=\"665\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview-320x250.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview-480x376.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview-800x626.png 800w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/powerview-850x665.png 850w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/powerview-850x665.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/powerview.png\" data-attachment-id=\"1345\"  alt=\"\" title=\"powerview\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-4d0e957f\" data-vce-do-apply=\"all el-4d0e957f\"><p><span style=\"color: #00ff00;\">2.Targeted Enumeration:<\/span><\/p><p>Start with a user you control (e.g., wley).<br>Convert the username to a Security Identifier (SID) using <span style=\"color: #ffff00;\">Convert-NameToSid.<\/span><\/p><p>Use<span style=\"color: #ffff00;\"> Get-DomainObjectACL<\/span> to find objects the user has rights over.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-a4991c4f\" data-vce-do-apply=\"all el-a4991c4f\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 957px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 48.0669%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"957\" height=\"460\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley-320x154.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley-480x231.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley-800x385.png 800w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/wley-957x460.png 957w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/wley-957x460.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley.png\" data-attachment-id=\"1344\"  alt=\"\" title=\"wley\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-raw-html\"><div class=\"vce-raw-html-wrapper\" id=\"el-3db61333\" data-vce-do-apply=\"all el-3db61333\"><script async=\"\" src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-1499161372675368\" crossorigin=\"anonymous\"><\/script>\n<ins class=\"adsbygoogle\" style=\"display:block\" data-ad-format=\"fluid\" data-ad-layout-key=\"-c2+73+2h-1m-4u\" data-ad-client=\"ca-pub-1499161372675368\" data-ad-slot=\"8728040126\"><\/ins>\n<script>\n     (adsbygoogle = window.adsbygoogle || []).push({});\n<\/script><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-90153272\" data-vce-do-apply=\"all el-90153272\"><p><span style=\"color: #00ff00;\">3.Resolve GUIDs:<\/span><\/p><p><br>ACLs often use <span style=\"color: #ffff00;\">GUIDs<\/span> (e.g., 00299570-246d-11d0-a768-00aa006e0529) to represent permissions.<\/p><p>To convert GUIDs into human-readable names (e.g., User-Force-Change-Password) follow step below.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-ffc08a84\" data-vce-do-apply=\"all el-ffc08a84\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 939px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 48.4558%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"939\" height=\"455\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/GUID-320x155.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/GUID-480x233.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/GUID-800x388.png 800w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/GUID-939x455.png 939w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/GUID-939x455.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/GUID.png\" data-attachment-id=\"1348\"  alt=\"\" title=\"GUID\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-8e0e4412\" data-vce-do-apply=\"all el-8e0e4412\"><p><span style=\"color: #00ff00;\">4.Exploit Misconfigured Permissions:<\/span><\/p><p><br>If a user has the <span style=\"color: #ffff00;\">User-Force-Change-Password<\/span> right over another user, they can reset that user's password and take control of their account.<\/p><p>If a user has<span style=\"color: #ffff00;\"> GenericWrite<\/span> over a group, they can add themselves to that group and inherit its permissions.<\/p><p>We can also try to enumerate ACLs visually using BloodHound.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-d5dc0075\" data-vce-do-apply=\"all el-d5dc0075\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 741px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 67.7463%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"741\" height=\"502\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley1-320x217.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley1-480x325.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/wley1-741x502.png 741w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/wley1-741x502.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/wley1.png\" data-attachment-id=\"1350\"  alt=\"\" title=\"wley1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-62177c86\" data-vce-do-apply=\"all el-62177c86\"><p><span style=\"color: #00ff00;\">5.<\/span>Follow the Attack Chain by using&nbsp; BloodHound to visualize the attack path.<br><br><\/p><ul><li>User wley can reset the password for damundsen.<\/li><li>damundsen has GenericWrite over the Help Desk Level 1 group.<\/li><li>The Help Desk Level 1 group is nested in the Information Technology group.<\/li><li>The Information Technology group has GenericAll over user adunn.<\/li><li>adunn has DCSync rights, which can be used to extract password hashes for the entire domain.<\/li><\/ul><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-f76226b0\" data-vce-do-apply=\"all el-f76226b0\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 31.1523%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"319\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Screenshot-from-2025-02-08-10-40-54-e1738996900716-1024x319.png 1024w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Screenshot-from-2025-02-08-10-40-54-e1738996900716-320x100.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Screenshot-from-2025-02-08-10-40-54-e1738996900716-480x150.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Screenshot-from-2025-02-08-10-40-54-e1738996900716-800x249.png 800w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Screenshot-from-2025-02-08-10-40-54-e1738996900716-1024x319.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/Screenshot-from-2025-02-08-10-40-54-e1738996900716.png\" data-attachment-id=\"1361\"  alt=\"\" title=\"Screenshot from 2025-02-08 10-40-54\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-f6cc2920\" data-vce-do-apply=\"all el-f6cc2920\"><figure><div class=\"vce-single-image-figure-inner\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%;\"><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-7f23d1af\" data-vce-do-apply=\"all el-7f23d1af\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 43.2617%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"443\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/path2-e1738996403447-1024x444.png 1024w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/path2-e1738996403447-320x139.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/path2-e1738996403447-480x208.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/path2-e1738996403447-800x347.png 800w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/path2-e1738996403447-1024x444.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/02\/path2-e1738996403447.png\" data-attachment-id=\"1360\"  alt=\"\" title=\"path2\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce vce-separator-container vce-separator--align-center vce-separator--style-solid\" id=\"el-6b3e3253\" data-vce-do-apply=\"margin el-6b3e3253\"><div class=\"vce-separator vce-separator--color-bfc0c1 vce-separator--width-60 vce-separator--thickness-1\" data-vce-do-apply=\"border padding background  el-6b3e3253\"><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-6e7300ef\" data-vce-do-apply=\"all el-6e7300ef\"><p style=\"text-align: center;\">Want to learn more and gain hands-on experience? Sign up with HTB Academy by clicking the link below.<\/p><\/div><\/div><div class=\"vce-button--style-basic-container vce-button--style-basic-container--align-center\"><span class=\"vce-button--style-basic-wrapper vce\" id=\"el-64f153ea\" data-vce-do-apply=\"margin el-64f153ea\"><a class=\"vce-button vce-button--style-basic vce-button--style-basic--border-rounded vce-button--style-basic--size-medium vce-button--style-basic--color-b-138-198-10--b-255-255-255\" href=\"https:\/\/hacktheboxltd.sjv.io\/19DPP6\" title=\"\" data-vce-do-apply=\"padding border background  el-64f153ea\">JOIN NOW<\/a><\/span><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>(Insights From HTB Academy)What is ACL Enumeration?ACL (Access Control List): A list of permissions attached to an object (like a user, group, or computer) in Active Directory.Enumeration: The process of listing out these permissions to find potential weaknesses or misconfigurations that can be exploited.Why is ACL Enumeration Important?It helps attackers (or defenders) identify&nbsp;who has access [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2017,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","prose-style":"enable","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[18],"tags":[],"class_list":["post-1341","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/comments?post=1341"}],"version-history":[{"count":25,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1341\/revisions"}],"predecessor-version":[{"id":2065,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1341\/revisions\/2065"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media\/2017"}],"wp:attachment":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media?parent=1341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/categories?post=1341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/tags?post=1341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}