Inspired by the CQURE 5 day challenge I’ve decided to document some of the things that I’ve learned from the daily assesments. 🙂
Table of Content
- Analyze a Windows Service
- Auditing permissions
- About handles and the SAM file
- Password Hashes
- Memory Dump
There are some command line tools in windows to check permissions. In the case above we have a file called will_Guest_read_it.txt with both flags «Full Access» and «Denied» set on it. That’s a strange case, but possible indeed. And that lead us to the question which permission is stronger?
By typing the following command we get the SDDL of the File:
get-acl "Filepath" |fl
sddl: (A;ID;FA;;;LG) (D;ID;FA;;;LG)
A= Allow
D= Denied
FA= Full Access
LG= Guest Account
Another command to read out file permissions is:
icacls "Filepath"
(I)(F) Full Access
(I)(N) No (Denied)
In that case Allow Full Access wins, because windows goes allways top down in ACL and Full Access comes first!
Another cool thing is to get the numeric values of system rights.
[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
[int]([System.Security.Accesscontrol.FileSystemRights]::write)
[int]([System.Security.Accesscontrol.FileSystemRights]::read)
The powershell code below outputs all possible values:
foreach
(
$right
in
[System.Enum]
::GetNames(
[System.Security.AccessControl.FileSystemRights]
)) {
$intValue
=
[int]
(
[System.Security.AccessControl.FileSystemRights]
$right
)
Write-Host
(
"{0,-30} : {1}"
-f
$right
,
$intValue
)
}
Get-Acl "Folderpath" | Select-Object -ExpandProperty Access
Some repeating questions:
Which OS command allows you to work with file permissions in Windows10?
icalcs.exe
Can one file have both deny and allow entry for the same user/group on the Access Control list?
Yes with «Advanced» tab of «File properties» dialog box in graphical interface. –> wrong
Yes, however it is not easy to make this from graphical userinterface
What happens to a file when it has «allow» and «deny» for the same group of ACL?
it depends for the order of ACE in ACL
How can you set file permissions from Powershell?
Set-ACL
Do Registry hives have permissions (ACLs)?
Yes with the same rights as files and folders –>wrong
Yes, but with rights different than files and folders
Schreib einen Kommentar