Re: Bypassing NTFS ACL

• Previous message: John Galt: "Re: Traceroute"
• In reply to: chris_at_compucounts.com: "Bypassing NTFS ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <chris@compucounts.com>, <pen-test@securityfocus.com>
Date: Thu, 24 Feb 2005 23:46:48 -0300

Hi there Chris,

I don't know if this is what you're looking for...maybe this is not too
difficult... :-)

If I got the point, your situation is the same as trying to access a private
folder that's not yours...or not belong to your current user....if this is
the case, Microsoft has a paper on it...the link is:
http://support.microsoft.com/kb/810881/en-us

Anyway, I'll quote here Microsoft's solution for the problem...ahd below
that, is another solution that is not the microsoft way... :-P

-----------
1. Turn off Simple File Sharing:
a. Click Start, and then click My Computer.
b. On the Tools menu, click Folder Options, and then click the View tab.
c. Under Advanced Settings, click to clear the Use simple file sharing
(Recommended) check box, and then click OK.

2.Right-click the folder that you want to take ownership of, and then click
Properties.
3.Click the Security tab, and then click OK on the Security message, if one
appears
.4.Click Advanced, and then click the Owner tab.
5.In the Name list, click your user name, Administrator if you are logged in
as Administrator, or click the Administrators group.

If you want to take ownership of the contents of that folder, click to
select the Replace owner on subcontainers and objects check box.
6.Click OK.

You may receive the following error message, where Folder is the name of the
folder that you want to take ownership of:
You do not have permission to read the contents of directory Folder. Do you
want to replace the directory permissions with permissions granting you Full
Control? All permissions will be replaced if you press Yes.
7.Click Yes.
8.Click OK, and then reapply the permissions and security settings that you
want for the folder and the folder contents.
------------

Well, maybe this is not enough for you....maybe you want some way that is
not that "polite"...if this is your case...here it go:

Part 1: Putting Windows security down:

Control Pannel / Administrative tools / Local Security Policies / Local
Policies / "Users Rights" (or something like that...:-P )
Click on "Generate Security Auditing" -> Add User or Group / Advanced / Find
Now / Select your current user / Ok / Apply / OK

Go into the service "Manage auditing and the security log" (once
more....it's something like this...lol ) and do the same steps mentioned
above...

Part 2: Changing the permissions

reboot

- go into the safe mode
- log on as Administrator (as this is for personal purposing only, and not
meant to hack any users files, I'll assume that you are the local
administrator of the machine...)
- Go to the "blocked" folder..
- Right click / properties / Security / Advanced / in the auditing
section -> Add / Advanced / Select the Admin Account / OK / Apply / OK
- In the Owner section / Select the Admin account and mark the Replace
owner on subcontainers and objects / Apply / OK

DONE!!! Now you can access the folder...

Well, I hope this was enough... :-)

See yah, and sorry for the poor english!

Regards,

Everton
MCP

----- Original Message -----
From: <chris@compucounts.com>
To: <pen-test@securityfocus.com>
Sent: Friday, February 18, 2005 5:49 PM
Subject: Bypassing NTFS ACL

I've got domain admin access to a Windows 2003 server, and have
encountered a series of directories that are protected by custom ACLs
which do not include any group I am a member of and are not inheriting
the ACL of their parent directory.

I know there are plenty of simple solutions to this problem such as
joining the group, taking ownership of the directory, etc, however I'm
looking for a slightly more difficult solution that wouldn't be noticed.
I want to bypass the ACL.

I figured that if root can do it in UNIX, SYSTEM could do it in Windows,
but it looks like I'm wrong:

--
C:\> whoami
nt authority\system
C:\> cd somedir
Access is denied.
--
Is there any means of bypassing the ACL while the system is online
without rewriting it?
I'm going to reiterate: Yes there are plenty of other ways to do this,
but I want to be difficult :)  This could come in handy later on.
Thanks,
- Chris 

• Previous message: John Galt: "Re: Traceroute"
• In reply to: chris_at_compucounts.com: "Bypassing NTFS ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]