SubInACL gives more detail but AccessChk is significantly friendlier to use. Let's start by looking at
how AccessChk works.
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
403
Figure 16-10 Windows debugger
Gray Hat Hacking: The Ethical Hacker's Handbook
404
Dumping ACLs with AccessChk
AccessChk will dump the DACL on files, registry keys, processes, or services. We'll also
be building our attack methodology in the next section around AccessChk's ability to
show the access a certain user or group has to a certain resource. Version 4 of AccessChk,
which should be released by the time this book is published, adds support for sections,
mutants, events, keyed events, named pipes, semaphores, and timers. Figure 16-12 demonstrates
how to dump the DACL of our C:\Program Files directory that we decomposed
earlier. A little faster this way…
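As an added example (not code from the book), here is a small Python parser for AccessChk's non-verbose file output that flags directories where a principal other than the expected administrative ones holds write access, which is the same "who can write here?" question the C:\Program Files dump answers by eye. The line format (object path, then one indented line per account with an R/W/RW summary) is assumed from AccessChk's default output, and the dump below is constructed, not taken from the figures.

```python
import re

# Constructed sample in the assumed AccessChk non-verbose format:
# an object path, then one indented line per ACE with an R/W/RW summary.
SAMPLE_OUTPUT = """\
C:\\Program Files
  RW NT SERVICE\\TrustedInstaller
  RW NT AUTHORITY\\SYSTEM
  RW BUILTIN\\Administrators
  R  BUILTIN\\Users
C:\\Program Files\\SampleApp
  RW BUILTIN\\Administrators
  RW BUILTIN\\Users
  RW Everyone
"""

# Principals for which write access on a program directory is expected.
TRUSTED = {
    "NT SERVICE\\TrustedInstaller",
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CREATOR OWNER",
}

# Indented ACE line: access summary followed by the account name.
ACE_RE = re.compile(r"^\s+(RW|R|W)\s+(.+?)\s*$")


def parse_accesschk(text):
    """Return {object_path: [(access, principal), ...]} from AccessChk output."""
    objects = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            objects[current].append((m.group(1), m.group(2)))
        elif not line[0].isspace():
            # Unindented line: a new object path starts here.
            current = line.strip()
            objects[current] = []
    return objects


def weak_write_aces(text, trusted=TRUSTED):
    """Return (object, principal) pairs where a non-trusted principal can write."""
    findings = []
    for obj, aces in parse_accesschk(text).items():
        for access, principal in aces:
            if "W" in access and principal not in trusted:
                findings.append((obj, principal))
    return findings


if __name__ == "__main__":
    for obj, who in weak_write_aces(SAMPLE_OUTPUT):
        print(f"{obj}: write access granted to {who}")
```

Feed it the saved output of an AccessChk run over a directory tree and each line it prints is a DACL worth reviewing.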
Dumping ACLs with SubInACL
The output from SubInACL is not as clean as AccessChk's but you can use it to change
the ACEs within the DACL on-the-fly. It's quite handy for messing with DACLs. The
SubInACL display of the C:\Program Files DACL is shown in Figure 16-13. As you can
see, it's more verbose, with some handy additional data shown (DACL control flags,
object owner, inheritance flags, etc.).