RE: Bypassing NTFS ACL

From: Steve Fletcher (safletcher_at_insightbb.com)
Date: 02/22/05

Next message: Yvan Boily: "SAP Pen Testing"

Previous message: James Riden: "Re: TR: Mapping Class A network ( any easy trick?)"
In reply to: chris_at_compucounts.com: "Bypassing NTFS ACL"
Next in thread: James S. Ringold III: "Re: FW: Bypassing NTFS ACL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <chris@compucounts.com>, <pen-test@securityfocus.com>
Date: Mon, 21 Feb 2005 22:40:16 -0600

Actually, that's quite easy to do. There is a piece of freeware called
FILEACL that will exactly what you want. Here is an excerpt from the web
page:

Uses Backup and Restore Rights to view/change ACL/ownership on non
accessible files/dir

To download the program or get more details, go to
http://www.gbordier.com/gbtools/fileacl.htm.

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher@insightbb.com

-----Original Message-----
From: chris@compucounts.com [mailto:chris@compucounts.com]
Sent: Friday, February 18, 2005 2:49 PM
To: pen-test@securityfocus.com
Subject: Bypassing NTFS ACL

I've got domain admin access to a Windows 2003 server, and have
encountered a series of directories that are protected by custom ACLs
which do not include any group I am a member of and are not inheriting
the ACL of their parent directory.

I know there are plenty of simple solutions to this problem such as
joining the group, taking ownership of the directory, etc, however I'm
looking for a slightly more difficult solution that wouldn't be noticed.
I want to bypass the ACL.

I figured that if root can do it in UNIX, SYSTEM could do it in Windows,
but it looks like I'm wrong:

--
C:\> whoami
nt authority\system
C:\> cd somedir
Access is denied.
--
Is there any means of bypassing the ACL while the system is online
without rewriting it?
I'm going to reiterate: Yes there are plenty of other ways to do this,
but I want to be difficult :)  This could come in handy later on.
Thanks,
- Chris

Next message: Yvan Boily: "SAP Pen Testing"

Previous message: James Riden: "Re: TR: Mapping Class A network ( any easy trick?)"
In reply to: chris_at_compucounts.com: "Bypassing NTFS ACL"
Next in thread: James S. Ringold III: "Re: FW: Bypassing NTFS ACL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Minimum NTFS Permissions on the SystemDrive
... File system and registry access control list modifications ... Microsoft Windows XP and Microsoft Windows Server 2003 have considerably ... You can no longer use the Anonymous security ... Additional ACL changes may invalidate all or most of the application ...
(microsoft.public.windows.server.security)
Bypassing NTFS ACL
... I've got domain admin access to a Windows 2003 server, ... I want to bypass the ACL. ... I figured that if root can do it in UNIX, SYSTEM could do it in Windows, ... Yes there are plenty of other ways to do this, ...
(Pen-Test)
Re: Newbie security programming questions
... > I am trying to get to the GUI described in this page to change the ACL ... > Is GUI ACL viewer not available with all versions of Windows? ... How to disable simplified sharing and set permissions on a shared folder ...
(microsoft.public.platformsdk.security)
Re: Pricing ACL / 2 royalties?
... > YOu could price your Allegro Lisp application as, ... If my company sells product X, built with ACL then a customer Z who buy ... X would have to pay: ... > $500 for Windows XX + Adobe ...
(comp.lang.lisp)
Re: More Before-The-Fact-Isms II, blocking viruses and spyware through NTFS
... > When you manually specify all of the ACL flags, it seems to work as though ... >> Do you only support english versions of Windows? ... > specify it in a template. ... I'd also rip off USB connectors. ...
(microsoft.public.security)