Merged
Changes from 2 commits
18 changes: 12 additions & 6 deletions examples/badsuccessor.py
Expand Up @@ -32,7 +32,7 @@
from impacket.examples import logger
from impacket.examples.utils import parse_identity, parse_target, init_ldap_session
from impacket.ldap import ldaptypes

import uuid #needed for proper GUID conversion

class BADSUCCESSOR:
def __init__(self, username, password, domain, lmhash, nthash, cmdLineOptions):
Expand Down Expand Up @@ -281,20 +281,26 @@ def search_ous(self, ldapConnection):
dacl = sd['Dacl']
if dacl and hasattr(dacl, 'aces') and dacl.aces:
for ace in dacl.aces:
# Only process ALLOW ACEs
if ace['AceType'] != ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE:
#Fix 1, Ensure we parse and process standard ACE and Object Specific ACE
allowed_types = [
ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE,
ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
]
if ace['AceType'] not in allowed_types:
continue

# Check if ACE has relevant rights
mask = int(ace['Ace']['Mask']['Mask'])
has_relevant_right = any(mask & right_value for right_value in relevant_rights.values())
if not has_relevant_right:
continue
#Fix two: The guid conversion was wrong and one actually reads the bytes correctly and converts them to real GUIDs for processing later
ace_data = ace['Ace']
object_type = ace_data['ObjectType']
Comment thread
ThatTotallyRealMyth marked this conversation as resolved.
Outdated

# Check object type (must match relevant object types)
object_type = getattr(ace['Ace'], 'ObjectType', None)
if object_type:
object_guid = str(object_type).lower()
object_guid = str(uuid.UUID(bytes_le=object_type)).lower()
logging.debug(object_guid)
if object_guid not in relevant_object_types:
continue
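Review bot: The unconditional read `object_type = ace_data['ObjectType']` under the "Fix two" comment runs for every ACE that passes the widened `allowed_types` filter, including plain ACCESS_ALLOWED_ACE entries; as far as I know that structure has no ObjectType field in impacket's ldaptypes, so the lookup would raise and stop the OU scan instead of reporting the ACE. Reading the field only for object ACEs avoids that: `object_type = ace_data['ObjectType'] if ace['AceType'] == ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE else None`. `uuid.UUID(bytes_le=object_type)` raises ValueError for any value that is not exactly 16 bytes, so a `len(object_type) == 16` check before the conversion would keep one malformed ACE from aborting the whole audit. The rendered page does not show whether the older `object_type = getattr(ace['Ace'], 'ObjectType', None)` line survives on the new side; if it does, it overwrites the value just read and should be dropped. search_ous starts and ends outside this hunk, so the handling of the remaining ACE fields is not visible here.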
