nTSecurityDescriptor

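nTSecurityDescriptor is an attribute of every object in Active Directory (AD), such as users, groups and organizational units (OUs), that stores the object's security descriptor. It defines the object's access control information, that is, who may perform which operations on the object (read, write, delete and so on). It is a core part of the Windows and Active Directory security model and is used to manage permissions and access control lists (ACLs).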

Running bloodyAD get object retrieves the target object's nTSecurityDescriptor (alongside its other attributes):

┌──(root㉿kali)-[~/Desktop/htb/Hercules]
└─# bloodyAD --host dc.hercules.htb  -d hercules.htb  -k  get object 'OU=WEB Department,OU=DCHERCULES,DC=HERCULES,DC=HTB' --resolve-sd   

# The --resolve-sd flag resolves the retrieved ACEs (access control entries) into readable form

distinguishedName: OU=Web Department,OU=DCHERCULES,DC=hercules,DC=htb
dSCorePropagationData: 2024-12-04 01:45:07+00:00
instanceType: 4
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
nTSecurityDescriptor.ACL.0.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.0.Trustee: Recruitment Managers
nTSecurityDescriptor.ACL.0.Right: WRITE_PROP
nTSecurityDescriptor.ACL.0.ObjectType: RDN; Common-Name
nTSecurityDescriptor.ACL.0.Flags: CONTAINER_INHERIT
nTSecurityDescriptor.ACL.1.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.1.Trustee: ACCOUNT_OPERATORS
nTSecurityDescriptor.ACL.1.Right: DELETE_CHILD|CREATE_CHILD
nTSecurityDescriptor.ACL.1.ObjectType: inetOrgPerson; User; Computer; Group
nTSecurityDescriptor.ACL.2.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.2.Trustee: PRINTER_OPERATORS
nTSecurityDescriptor.ACL.2.Right: DELETE_CHILD|CREATE_CHILD
nTSecurityDescriptor.ACL.2.ObjectType: Print-Queue
nTSecurityDescriptor.ACL.3.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.3.Trustee: Recruitment Managers
nTSecurityDescriptor.ACL.3.Right: DELETE_CHILD|CREATE_CHILD
nTSecurityDescriptor.ACL.3.ObjectType: Self

<SNIP>

objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=hercules,DC=htb
objectClass: top; organizationalUnit
objectGUID: a70221be-052e-4a88-baab-ea80c6154a65
ou: Web Department
uSNChanged: 13469
uSNCreated: 12855
whenChanged: 2024-12-04 01:45:07+00:00
whenCreated: 2024-12-04 01:44:31+00:00

Without --resolve-sd, the descriptor comes back as a raw, unresolved string:

┌──(root㉿kali)-[~/Desktop/htb/Hercules]
└─# bloodyAD --host dc.hercules.htb  -d hercules.htb  -k  get object 'OU=Security Department,OU=DCHERCULES,DC=HERCULES,DC=HTB'

distinguishedName: OU=Security Department,OU=DCHERCULES,DC=hercules,DC=htb
dSCorePropagationData: 2024-12-04 01:45:07+00:00
instanceType: 4
nTSecurityDescriptor: O:S-1-5-21-1889966460-2597381952-958560702-512G:S-1-5-21-1889966460-2597381952-958560702-512D:AI(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1889966460-2597381952-958560702-1110)(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1889966460-2597381952-958560702-1106)(OA;CI;WP;bf96793f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1889966460-2597381952-958560702-1106)(OA;;0x3;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-32-548)(OA;;0x3;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)(OA;;0x3;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)(OA;;0x3;bf967aa8-0de6-11d0-a285-00aa003049e2;;S-1-5-32-550)(OA;;0x3;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)(A;;0x3;;;S-1-5-21-1889966460-2597381952-958560702-1106)(A;;0xf01ff;;;S-1-5-21-1889966460-2597381952-958560702-512)(A;;0x20094;;;S-1-5-9)(A;;0x20094;;;S-1-5-11)(A;;0xf01ff;;;S-1-5-18)(OA;CIID;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1889966460-2597381952-958560702-1112)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x
30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-1889966460-2597381952-958560702-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-1889966460-2597381952-958560702-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-1889966460-2597381952-958560702-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
name: Security Department
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=hercules,DC=htb
objectClass: top; organizationalUnit
objectGUID: f3d4ae35-3363-4c88-8f51-2d570ece5191
ou: Security Department
uSNChanged: 13470
uSNCreated: 12854
whenChanged: 2024-12-04 01:45:07+00:00
whenCreated: 2024-12-04 01:44:31+00:00
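
The raw value above is an SDDL string: O: owner, G: group, then D: followed by one parenthesised ACE per entry in the form (type;flags;rights;object GUID;inherited object GUID;trustee SID). As an added example (not part of the original notes and not bloodyAD's own code), the sketch below splits such a string into ACEs, decodes the rights field whether it is given as two-letter codes or as a hex mask, and lists the non-inherited allow ACEs that grant a modifying right, which is the part worth reviewing when auditing delegation on an OU. The function names and the MODIFY mask are assumptions made for this example; the sample is four ACEs copied from the output above.

```python
import re

# SDDL right codes -> (access-mask bit, name); names follow the resolved output above.
RIGHTS = {
    "CC": (0x1, "CREATE_CHILD"), "DC": (0x2, "DELETE_CHILD"), "LC": (0x4, "LIST_CHILD"),
    "SW": (0x8, "SELF"), "RP": (0x10, "READ_PROP"), "WP": (0x20, "WRITE_PROP"),
    "DT": (0x40, "DELETE_TREE"), "LO": (0x80, "LIST_OBJECT"), "CR": (0x100, "CONTROL_ACCESS"),
    "SD": (0x10000, "DELETE"), "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
}
ACE_TYPES = {"A": "ALLOWED", "D": "DENIED", "OA": "ALLOWED_OBJECT", "OD": "DENIED_OBJECT"}
# Every bit except the read/list ones (LC, RP, LO, RC): rights that can change the object.
MODIFY = 0xF01FF & ~(0x4 | 0x10 | 0x80 | 0x20000)

def decode_rights(field):
    """Turn 'WP', 'CCDC' or '0x3' into (mask, [names])."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for code in re.findall("..", field):
            mask |= RIGHTS[code][0]
    return mask, [name for bit, name in RIGHTS.values() if mask & bit]

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts, in their original order."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        typ, flags, rights, obj, inh_obj, sid = body.split(";")[:6]
        mask, names = decode_rights(rights)
        aces.append({"type": ACE_TYPES.get(typ, typ), "flags": re.findall("..", flags),
                     "mask": mask, "rights": names, "object_type": obj or None,
                     "inherited_object_type": inh_obj or None, "trustee": sid})
    return aces

def explicit_modify_aces(sddl):
    """Allow ACEs set directly on the object (no ID flag) that grant a modifying right."""
    return [a for a in parse_dacl(sddl) if a["type"].startswith("ALLOWED")
            and "ID" not in a["flags"] and a["mask"] & MODIFY]

# Sample: four ACEs copied from the raw output above (the full string parses the same way).
DOM = "S-1-5-21-1889966460-2597381952-958560702"
SAMPLE = (f"O:{DOM}-512G:{DOM}-512D:AI"
          f"(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;{DOM}-1106)"
          "(OA;;0x3;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)"
          "(A;;0x20094;;;S-1-5-11)(A;CIID;LC;;;S-1-5-32-554)")
for ace in explicit_modify_aces(SAMPLE):
    print(ace["trustee"], "|".join(ace["rights"]), ace["object_type"])
```

The 0x3 mask on the S-1-5-32-548 (Account Operators) entry decodes to CREATE_CHILD and DELETE_CHILD, the same pair the resolved output shows for ACCOUNT_OPERATORS.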