Mitchell Moser edited this page May 4, 2021 · 2 revisions

LACheck is a multithreaded C# .NET assembly for Local Administrative Privilege Enumeration.

Required Arguments

hosts    (1 or more) _________________________________________________________________________________________________
protocol (1 or more) ____________________  |                                                                          |
                             |           | |                                                                          |
execute-assembly LACheck.exe smb rpc winrm /targets:host1,host2 /ldap:all /ou:"OU=Special Servers,DC=example,DC=local" 

Hosts

Hosts may be provided in multiple ways:

  • targets - comma-separated list of explicit hosts
  • ldap - query hosts from the Global Catalog using one of the following LDAP filters:
    • all - All enabled computers with 'primary' group 'Domain Computers'
    • dc - All enabled Domain Controllers (not read-only DCs)
    • exclude-dc - All enabled computers that are not Domain Controllers or read-only DCs
    • servers - All enabled servers
    • servers-exclude-dc - All enabled servers excluding Domain Controllers or read-only DCs
    • these queries return hosts from parent and child domains in the current forest
  • ou - specify an LDAP OU to query enabled computer objects from
    • useful for returning hosts across domain trusts

If no hosts are specified and none are returned by the ldap and ou filters, the program exits.
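The five ldap options above are described on this page only in one line each. The block below is an added example, not LACheck's own code: it reconstructs each option as an LDAP filter string from the description (the mapping to userAccountControl bits, primaryGroupID RIDs and the operatingSystem attribute is my assumption about how the descriptions translate, not the project's actual query text) and applies the same predicate to a constructed in-memory forest, so you can see which computers each option would return before running anything against a directory.

```python
# Added example (not LACheck's own code): the /ldap filter options on this
# page reconstructed as LDAP filter strings, plus an in-memory evaluator that
# applies the same tests to constructed computer objects. The attribute tests
# are my assumptions about how each description maps to AD attributes; the
# project's real query strings may differ.
from dataclasses import dataclass

# userAccountControl bits (well-known Active Directory values)
UAC_ACCOUNTDISABLE = 0x0002        # account is disabled
UAC_SERVER_TRUST_ACCOUNT = 0x2000  # writable domain controller
# primaryGroupID values (well-known RIDs)
RID_DOMAIN_COMPUTERS = 515         # 'Domain Computers'
RID_READ_ONLY_DCS = 521            # 'Read-only Domain Controllers'
# LDAP_MATCHING_RULE_BIT_AND: tests individual bits of an integer attribute
BIT_AND = "1.2.840.113556.1.4.803"

ENABLED = f"(!(userAccountControl:{BIT_AND}:={UAC_ACCOUNTDISABLE}))"
IS_DC = f"(userAccountControl:{BIT_AND}:={UAC_SERVER_TRUST_ACCOUNT})"
IS_RODC = f"(primaryGroupID={RID_READ_ONLY_DCS})"
IS_SERVER = "(operatingSystem=*Server*)"
NOT_ANY_DC = f"(!{IS_DC})(!{IS_RODC})"


def ldap_filter(option: str) -> str:
    """Return the reconstructed LDAP filter for one of the page's ldap options."""
    body = {
        "all": f"(primaryGroupID={RID_DOMAIN_COMPUTERS})",
        "dc": IS_DC,
        "exclude-dc": NOT_ANY_DC,
        "servers": IS_SERVER,
        "servers-exclude-dc": f"{IS_SERVER}{NOT_ANY_DC}",
    }[option]
    # Every option is restricted to enabled computer objects.
    return f"(&(objectCategory=computer){ENABLED}{body})"


@dataclass(frozen=True)
class Computer:
    """Minimal stand-in for an AD computer object (constructed test data)."""
    name: str
    user_account_control: int
    primary_group_id: int
    operating_system: str


def matches(option: str, c: Computer) -> bool:
    """Apply the same predicate as ldap_filter(option) to an in-memory object."""
    enabled = not (c.user_account_control & UAC_ACCOUNTDISABLE)
    is_dc = bool(c.user_account_control & UAC_SERVER_TRUST_ACCOUNT)
    is_rodc = c.primary_group_id == RID_READ_ONLY_DCS
    is_server = "Server" in c.operating_system
    body = {
        "all": c.primary_group_id == RID_DOMAIN_COMPUTERS,
        "dc": is_dc,
        "exclude-dc": not is_dc and not is_rodc,
        "servers": is_server,
        "servers-exclude-dc": is_server and not is_dc and not is_rodc,
    }[option]
    return enabled and body


def select_hosts(option: str, computers) -> list[str]:
    """Names of the computers the option would return, sorted for stable output."""
    return sorted(c.name for c in computers if matches(option, c))


# Constructed sample forest. UAC values follow the flags AD assigns to each
# account type: 0x1000 WORKSTATION_TRUST_ACCOUNT, 0x80000 TRUSTED_FOR_DELEGATION,
# 0x4000000 PARTIAL_SECRETS_ACCOUNT (read-only DCs). OLD01 is disabled (0x2 set).
SAMPLE_FOREST = [
    Computer("DC01", 0x82000, 516, "Windows Server 2019"),
    Computer("RODC01", 0x4001000, 521, "Windows Server 2019"),
    Computer("WEB01", 0x1000, 515, "Windows Server 2016"),
    Computer("WS01", 0x1000, 515, "Windows 10 Enterprise"),
    Computer("OLD01", 0x1002, 515, "Windows Server 2008 R2"),
]

if __name__ == "__main__":
    for option in ("all", "dc", "exclude-dc", "servers", "servers-exclude-dc"):
        print(f"{option:20} {ldap_filter(option)}")
        print(f"{'':20} -> {select_hosts(option, SAMPLE_FOREST)}")
```

Two details in the sample forest are worth noting: the read-only DC does not carry SERVER_TRUST_ACCOUNT, which is why it falls out of "dc" but has to be excluded explicitly by primaryGroupID in the exclude-dc variants, and the disabled server OLD01 never appears, matching the "enabled" qualifier in every option's description.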

Protocols

Multiple protocols are supported for enumerating Local Administrator access: smb, rpc, winrm.

At least one protocol must be specified.

  • smb - Attempts to access the C$ share
  • rpc - Attempts a WMI query of the Win32_ComputerSystem class provider over RPC
  • winrm - Attempts a WMI query of the Win32_ComputerSystem class provider over a WinRM session

Multiple Protocols

Multiple protocols may also be specified during a single collection.

When multiple protocols are specified and any one of them reports successful administrative access:

  • the host is added to the list of hosts the current user has AdminTo privileges on
  • additional enumeration checks are then attempted
    • additional checks are never attempted unless the initial admin check succeeds

Output

Protocol, host, and user are returned upon a successful Local Admin check.

Example of Admin Success output, run as the svcadmin user against the WEB01 host:

[SMB] Admin Success: WEB01 as svcadmin
[RPC] Admin Success: WEB01 as svcadmin
[WinRM] Admin Success: WEB01 as svcadmin
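The success lines above are the only result format this page documents. The following is an added example, not code from the LACheck project: a parser for that line format and an aggregation that builds the per-host AdminTo list the Multiple Protocols section describes (a host is included as soon as any one protocol succeeded). The sample run is constructed; its first three lines are the page's example and the remaining lines are made up to exercise the aggregation.

```python
# Added example (not part of the LACheck project): parse "[PROTO] Admin
# Success: HOST as USER" lines and aggregate them per host, so a run that used
# several protocols collapses into one AdminTo list plus the protocols that
# worked on each host.
import re
from collections import defaultdict

# The three protocol tags are the ones shown on the page; anything else is ignored.
SUCCESS_RE = re.compile(
    r"^\[(?P<protocol>SMB|RPC|WinRM)\] Admin Success: (?P<host>\S+) as (?P<user>\S+)$"
)


def parse_line(line: str):
    """Return (protocol, host, user) for an Admin Success line, or None otherwise."""
    m = SUCCESS_RE.match(line.strip())
    if not m:
        return None
    return m["protocol"], m["host"], m["user"]


def admin_to(lines):
    """Map each host with at least one success to the set of protocols that succeeded."""
    result = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            protocol, host, _user = parsed
            result[host].add(protocol)
    return dict(result)


def admin_hosts(lines):
    """The AdminTo list: every host where any protocol reported success."""
    return sorted(admin_to(lines))


def partial_coverage(lines, protocols=("SMB", "RPC", "WinRM")):
    """Hosts where some, but not all, of the requested protocols succeeded.

    Useful when reviewing a multi-protocol run: a host reachable over SMB only
    usually means the other transports were filtered or the service was off.
    """
    wanted = set(protocols)
    return {host: sorted(wanted - seen)
            for host, seen in admin_to(lines).items() if seen != wanted}


# Constructed sample run: the page's three example lines, one extra made-up
# host, and one non-matching line to show it is skipped.
SAMPLE_RUN = """\
[SMB] Admin Success: WEB01 as svcadmin
[RPC] Admin Success: WEB01 as svcadmin
[WinRM] Admin Success: WEB01 as svcadmin
[SMB] Admin Success: SQL01 as svcadmin
this line is not a success message and is skipped
""".splitlines()

if __name__ == "__main__":
    print("AdminTo:", admin_hosts(SAMPLE_RUN))
    print("Protocols per host:", admin_to(SAMPLE_RUN))
    print("Missing protocols:", partial_coverage(SAMPLE_RUN))
```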