An Access Control List (ACL) is a fundamental security mechanism consisting of a set of rules that defines which users, systems, or processes are granted access to specific resources, and what operations (read, write, execute) they are allowed to perform. Pentesters examine ACLs to identify misconfigurations, excessive permissions, or weak rules that can be exploited to escalate privileges or move laterally through a network.
Tools for ACL-Related Pentesting
Active Directory ACL Enumeration & Abuse
- BloodHound / SharpHound — The go-to tool for visualizing AD ACL relationships. It maps out over-permissioned ACEs (Access Control Entries) like `GenericAll`, `WriteDACL`, `WriteOwner`, and shows attack paths to Domain Admin.
- PowerView (PowerSploit) — PowerShell module for enumerating ACLs on AD objects (`Get-ObjectAcl`, `Find-InterestingDomainAcl`). Widely used for identifying exploitable permissions.
- ADACLScanner — Dedicated tool for scanning and reporting on Active Directory ACLs.
- Impacket — Python toolkit with scripts like `dacledit.py` for reading/writing DACL entries on AD objects, useful for ACL-based privilege escalation.
- aclpwn.py — Automates ACL-based privilege escalation paths in Active Directory by chaining permission abuses.
Windows File System ACLs
- AccessChk (Sysinternals) — Checks effective permissions on files, directories, services, registry keys, and more. Essential for finding misconfigured ACLs on local Windows systems.
- PowerSploit / PowerUp — Includes modules for finding writable services and directories via weak ACL checks.
- icacls / cacls — Built-in Windows commands often used in pentests to enumerate file/folder ACLs.
Network ACLs
- Nmap — Can help identify network-level ACL gaps by probing for accessible ports/services that should be blocked.
- Scapy — Used for crafting packets to test network ACL rules on firewalls and routers.
- Netcat / Ncat — Used to test if specific ports are filtered by network ACLs.
Linux/Unix ACLs
- LinPEAS / LinEnum — Automated Linux privilege escalation scripts that check for misconfigured file ACLs (`getfacl`).
- getfacl — Native Linux tool used in pentests to enumerate extended ACLs on files.
Types of ACLs in Pentesting
- Networking ACLs: Applied to routers, switches, or firewalls to filter traffic (packets) based on criteria like source/destination IP addresses, ports, and protocols.
  - Standard ACLs: Filter based only on the source IP address.
  - Extended ACLs: Filter based on source/destination IPs, ports, and protocols (more granular).
  - Pentesting Use: Identifying allowed ports or bypassing restrictions to access restricted segments.
- Filesystem ACLs: Define permissions for files and directories (e.g., in Windows NTFS or Linux), specifying which users can access specific objects.
  - Pentesting Use: Identifying files that should be restricted but are accessible, allowing privilege escalation or data theft.
- Active Directory (AD) ACLs: Control access to objects within a Windows domain (users, computers, groups).
  - Pentesting Use: Discovering `GenericAll` or `GenericWrite` permissions that allow attackers to change passwords or manipulate group memberships to achieve Domain Admin status.
Key Concepts for Pentesters
- Implicit Deny: If traffic or a user action does not explicitly match an “allow” rule in the ACL, it is denied by default.
- Sequence/Ordering: ACL rules are processed in order; the first match determines the action. A vulnerability exists if a broad “allow” rule sits above a specific “deny” rule, because the deny can never be reached.
- ACL Misconfigurations: A major target for testers, including overly permissive rules (e.g., `Everyone:Full Control`).
- Enumeration: Tools are used to enumerate ACLs to understand the security posture, such as `Get-Acl` in PowerShell for Windows or Nmap scripts for network-level checks.
How Pentesters Use ACLs
- Reconnaissance & Enumeration: Gathering information about what resources are protected and by whom.
- Privilege Escalation: Finding weak permissions on critical files, services, or AD objects to gain higher-level access.
- Lateral Movement: Utilizing allowed network paths to move from a compromised machine to another, bypassing network segmentation.
- Bypassing Restrictions: Identifying rules that can be bypassed (e.g., by spoofing IP addresses if the ACL only filters by source IP).
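The first-match and implicit-deny behaviour described above, as an added example that is not part of the original article. It implements a small extended-ACL evaluator in Python (the rule layout and every sample rule and packet are constructed for this illustration and follow no vendor's syntax) together with an audit that reports rules shadowed by a broader rule placed above them, which is the ordering flaw the text calls out and the check a reviewer would run over an exported rule set.

```python
"""Added example, not code from the original article: a minimal first-match
ACL evaluator with implicit deny, plus an audit that finds rules shadowed by a
broader rule placed above them (the ordering mistake the text describes).

The rule fields (action, protocol, source/destination network, destination
port) mimic an extended ACL but follow no vendor syntax; all sample rules and
packets below are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source network in CIDR form; "0.0.0.0/0" = any
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # destination port; None = any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        """Does a single packet (protocol, src IP, dst IP, dst port) hit this rule?"""
        if self.proto not in ("any", proto):
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "Rule") -> bool:
        """True when every packet that could match `other` also matches self."""
        proto_ok = self.proto in ("any", other.proto)
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; the first matching rule decides. If nothing
    matches, the implicit deny at the end applies (returned index is None)."""
    for idx, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, idx
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed, by) index pairs: rule `shadowed` can never fire
    because the earlier rule `by` matches everything it would match. A
    specific deny sitting below a broad permit shows up here."""
    findings = []
    for i, later in enumerate(acl):
        for j in range(i):
            if acl[j].covers(later):
                findings.append((i, j))
                break
    return findings


# Constructed sample: a broad permit for the whole 10/8 space placed above a
# specific deny meant to block RDP from one subnet to a jump host.
MISORDERED_ACL = [
    Rule("permit", "any", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("deny", "tcp", "10.0.5.0/24", "10.0.9.10/32", 3389),
    Rule("permit", "tcp", "192.168.1.0/24", "10.0.9.10/32", 443),
]

# Same rules with the specific deny moved above the broad permit.
CORRECTED_ACL = [MISORDERED_ACL[1], MISORDERED_ACL[0], MISORDERED_ACL[2]]


if __name__ == "__main__":
    pkt = ("tcp", "10.0.5.7", "10.0.9.10", 3389)
    print("misordered:", evaluate(MISORDERED_ACL, *pkt))   # ('permit', 0)
    print("corrected :", evaluate(CORRECTED_ACL, *pkt))    # ('deny', 0)
    print("unmatched :", evaluate(CORRECTED_ACL, "tcp", "172.16.0.4", "10.0.9.10", 443))  # ('deny', None)
    print("shadowed  :", shadowed_rules(MISORDERED_ACL))   # [(1, 0)]
```

`shadowed_rules` only reports exact coverage (an earlier rule that matches a superset of a later rule), which is the case where the later rule is dead; partial overlaps, where two rules disagree on only some packets, need a finer comparison than this example attempts.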
Key ACL Abuse Techniques (Common in AD Pentests)
| Permission | What an Attacker Can Do |
|---|---|
| GenericAll | Full control — reset passwords, modify memberships |
| WriteDACL | Modify the DACL to grant themselves more rights |
| WriteOwner | Take ownership of an object |
| GenericWrite | Modify object attributes (e.g., set SPN for Kerberoasting) |
| ForceChangePassword | Reset a user’s password without knowing it |

BloodHound + PowerView are the most commonly used combination for discovering and exploiting ACL misconfigurations in real-world engagements.
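How an auditor can turn the rights in the table above into a check, as an added example that is not from the original article or from any of the tools it lists. It decodes the access mask of AD ACEs using the documented Windows `ADS_RIGHT_*` bit values and the `User-Force-Change-Password` extended-right GUID, then flags those rights when an allow ACE grants them to Everyone, Authenticated Users or Domain Users. The dictionary layout of the ACEs, the sample records and the domain SID are constructed for the example, not output from BloodHound or PowerView.

```python
"""Added example, not code from the original article: decode the access mask
of Active Directory ACEs into the right names used in the table above and flag
rights granted to broad, low-privilege principals, which is how an ACL audit
would surface the misconfigurations the table describes.

The mask bits and the extended-right GUID are the documented Windows values;
the ACE records below are constructed sample data in a made-up dictionary
layout, not the output of any real tool."""
from typing import Dict, List, Optional, Set

# ADS_RIGHT_* access-mask bits (Windows ADS_RIGHTS_ENUM).
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
WRITE_DAC = 0x00040000          # "WriteDACL" in BloodHound terms
WRITE_OWNER = 0x00080000
DS_CONTROL_ACCESS = 0x00000100  # an extended right; the ObjectType GUID says which

# rightsGuid of the User-Force-Change-Password extended right in the AD schema.
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Well-known SIDs / RIDs that every domain account effectively belongs to.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
DOMAIN_USERS_RID = 513


def decode_rights(mask: int, object_type: Optional[str] = None) -> Set[str]:
    """Map an ACE access mask (plus its ObjectType GUID, if any) to the
    right names from the table. Only the dangerous rights are decoded here."""
    rights = set()
    if mask & GENERIC_ALL:
        rights.add("GenericAll")
    if mask & GENERIC_WRITE:
        rights.add("GenericWrite")
    if mask & WRITE_DAC:
        rights.add("WriteDACL")
    if mask & WRITE_OWNER:
        rights.add("WriteOwner")
    if mask & DS_CONTROL_ACCESS and (object_type or "").lower() == FORCE_CHANGE_PASSWORD_GUID:
        rights.add("ForceChangePassword")
    return rights


def is_broad_principal(sid: str) -> bool:
    """Everyone, Authenticated Users, or a domain's Domain Users group (RID 513)."""
    return sid in BROAD_SIDS or sid.split("-")[-1] == str(DOMAIN_USERS_RID)


def audit(aces: List[Dict]) -> List[Dict]:
    """Return one finding per dangerous right that an *allow* ACE grants to a
    broad principal. Deny ACEs and privileged principals are skipped."""
    findings = []
    for ace in aces:
        if ace["type"] != "A" or not is_broad_principal(ace["sid"]):
            continue
        for right in sorted(decode_rights(ace["mask"], ace.get("object_type"))):
            findings.append({"target": ace["target"], "principal": ace["sid"], "right": right})
    return findings


# Constructed sample ACEs; the domain SID S-1-5-21-1111-2222-3333 is made up.
DOMAIN = "S-1-5-21-1111-2222-3333"
SAMPLE_ACES = [
    # Domain Users holds GenericAll on a service account: should be flagged.
    {"type": "A", "sid": f"{DOMAIN}-513", "mask": GENERIC_ALL, "object_type": None,
     "target": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"},
    # Authenticated Users may force a password reset on a user: should be flagged.
    {"type": "A", "sid": "S-1-5-11", "mask": DS_CONTROL_ACCESS,
     "object_type": FORCE_CHANGE_PASSWORD_GUID,
     "target": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # Domain Admins (RID 512) with GenericAll is expected: not flagged.
    {"type": "A", "sid": f"{DOMAIN}-512", "mask": GENERIC_ALL, "object_type": None,
     "target": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # Everyone with read-only bits (READ_CONTROL | LIST | READ_PROP | LIST_OBJECT): not flagged.
    {"type": "A", "sid": "S-1-1-0", "mask": 0x00020094, "object_type": None,
     "target": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # A *deny* ACE grants nothing, even with GenericAll in its mask: not flagged.
    {"type": "D", "sid": "S-1-1-0", "mask": GENERIC_ALL, "object_type": None,
     "target": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACES):
        print(f"{f['right']:<20} {f['principal']:<35} {f['target']}")
```

The check deliberately keys on the ObjectType GUID for `ForceChangePassword`: the `DS_CONTROL_ACCESS` bit alone only says "some extended right", and many harmless extended rights share it, so a scanner that flags the bit without the GUID will drown real findings in noise.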