A python tool to parse and describe the contents of a raw ntSecurityDescriptor structure.
- Reads source value from a file or from the LDAP
- Outputs a human readable summary of accesses with
--summary
- Parsing of Access Control Entries (ACE) of various types:
- ACE type
ACCESS_ALLOWED_ACE
- ACE type
ACCESS_ALLOWED_OBJECT_ACE
- ACE type
ACCESS_DENIED_ACE
- ACE type
ACCESS_DENIED_OBJECT_ACE
- ACE type
ACCESS_ALLOWED_CALLBACK_ACE
- ACE type
ACCESS_DENIED_CALLBACK_ACE
- ACE type
ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
- ACE type
ACCESS_DENIED_CALLBACK_OBJECT_ACE
- ACE type
SYSTEM_AUDIT_ACE
- ACE type
SYSTEM_AUDIT_OBJECT_ACE
- ACE type
SYSTEM_AUDIT_CALLBACK_ACE
- ACE type
SYSTEM_MANDATORY_LABEL_ACE
- ACE type
SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
- ACE type
SYSTEM_RESOURCE_ATTRIBUTE_ACE
- ACE type
SYSTEM_SCOPED_POLICY_ID_ACE
- ACE type
- Parsing of SID
- Connect to LDAP to resolve sAMAccountNames of not well known SIDs
- Resolve names of well known SIDs
- Parsing of Access Control Lists (ACL):
- Print if ACL is in canonical form
Here is an example of the output of the tool when parsing the ntSecurityDescriptor contained in the file example_value.txt. This file contains a raw ntSecurityDescriptor
structure in hex dump format:
0100148cc4090000e0090000140000008c0000000400780002000000075a38002000000003000000be3b0ef3f09fd111b6030000f80367c1a57a96bfe60dd011a28500aa003049e2010100000000000100000000075a380020000000030000
...
02000000000005200000002a02000000121800bd010f0001020000000000052000000020020000010500000000000515000000a3cd06bf0e0fe808c335b8e600020000010500000000000515000000a3cd06bf0e0fe808c335b8e600020000
Using DescribeNTSecurityDescriptor.py, we can open the file and parse its content precisely:
./DescribeNTSecurityDescriptor.py ./example_value.txt
$ ./DescribeNTSecurityDescriptor.py
usage: DescribeNTSecurityDescriptor.py [-h] [-v] value
Parse and describe the contents of a raw ntSecurityDescriptor structure
positional arguments:
value The value to be described by the NTSecurityDescriptor
options:
-h, --help show this help message and exit
-v, --verbose Verbose mode. (default: False)
./DescribeNTSecurityDescriptor.py -u Administrator -p 'Admin123!' -d LAB --dc-ip 10.0.0.101 -D "CN=user user,CN=Users,DC=LAB,DC=local" --summary --describe
Pull requests are welcome. Feel free to open an issue if you want to add other features.