Gain FullControl on arbitrary objects trough ldapshell

[dadevel]

This PR implements a new command in ldap_shell.py called gain_fullcontrol.
It appends a FullControl ACE to the security desriptor of an arbitrary LDAP object.
This target object is specified by a search filter and an optional search base.

In the example below the user jdoe is granted full control over a certificate template and a computer account.

[gabrielg5]

Hello @dadevel,

This command is pretty much similar to the grant_control already in the shell...
Main difference is that in gain_fullcontrol you can define the target as a search filter; while in grant_control it's a sAMAccountName.

I think it's better to allow passing a search filter in the grant_control command and inferring this in the function in order to support both "targets definition", whether a search filter or a sAMAccountName
To avoid having many commands fulfilling "same" goal, what do you think?

[dadevel]

Yes, sounds good. I will update the PR in the next days.

[dadevel]

Hi @gabrielg5, I updated the PR.

❯ nc localhost 11000
Type help for list of commands

# help
...
 grant_control [search_base] target grantee - Grant full control on a given target object (sAMAccountName or search filter plus search base) to the grantee (sAMAccountName).
...

# grant_control cn=configuration,dc=sentinel,dc=local (cn=webserver) jdoe
Resolved 'jdoe' to 'S-1-5-21-1074441319-913972020-3079788021-1103'
Resolved '(cn=webserver)' to 'CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sentinel,DC=local'
DACL modified successfully!
jdoe now has control of 'CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sentinel,DC=local'

# grant_control dc01$ jdoe
Resolved 'jdoe' to 'S-1-5-21-1074441319-913972020-3079788021-1103'
Resolved '(sAMAccountName=dc01$)' to 'CN=DC01,OU=Domain Controllers,DC=sentinel,DC=local'
DACL modified successfully!
jdoe now has control of 'CN=DC01,OU=Domain Controllers,DC=sentinel,DC=local'

# exit

[gabrielg5]

Hey @dadevel thanks!

Been testing it a bit and found a couple use cases that perhaps we could enhance. I tried these:

Target as ldap filter

grant_control (sAMAccountName=target) grantee

We could support setting the target both as a sAMAccountName or as an ldap filter (despite setting or not the search_base)

Target matching multiple objects

grant_control (objectClass=computer) grantee

Leveraging ability to set the target as an ldap filter, we could allow grating control over multiple objects...

[dadevel]

Hi, I'll implement the first idea, but I'm unsure about the second. It could easily lead to unintended/surprising changes.

[dadevel]

Target as LDAP filter is implemented.

# grant_control (samaccountname=dc01$) jdoe
Resolved 'jdoe' to 'S-1-5-21-1074441319-913972020-3079788021-1103'
Resolved '(samaccountname=dc01$)' to 'CN=DC01,OU=Domain Controllers,DC=sentinel,DC=local'
DACL modified successfully!
'jdoe' now has control of 'CN=DC01,OU=Domain Controllers,DC=sentinel,DC=local'

[gabrielg5]

Hi, thanks!

yeah, related to second bullet agree with you! Thinking better may lead to unwanted scenarios...

Last tiny detail and merging... if target or grantee are not found the error message is wrong. Now it is showing something like
Could not find user: success:
Could not find target: success:

Thank you!

[dadevel]

Hi, I improved the error handling now.

[gabrielg5]

Thank you!
Merging now

[dadevel]

Thank you! :)