Add DCSync rights check to LDAP admin detection (check_if_admin)

[kathan3009]

Please Describe The Problem To Be Solved

LDAP admin detection (check_if_admin) only treats users as admins if they are in privileged groups (Domain Admins, Enterprise Admins, Administrators, etc.). Users who only have DCSync rights (e.g. via delegation or custom ACLs) are not detected as admins, so modules that require admin (e.g. raisechild) never run for them, even though they can perform DCSync.

In scope:

• Detect users with DCSync rights on the domain object via ACL inspection
• Set admin_privs = True for these users so they can run admin-only modules
• Support both direct ACEs and rights granted via group membership

Out of scope:

• Changes to other protocols’ admin detection
• Changes to DCSync execution logic

Solution

Add _check_dcsync_rights() to the LDAP protocol and call it from check_if_admin when the user is not in privileged groups.

Technical implementation:

• User SIDs: Fetch the user’s objectSid, distinguishedName, and primaryGroupID. Build principal_sids = user SID + primary group SID + all group SIDs (via member:1.2.840.113556.1.4.1941).
• Domain DACL: Fetch the domain root’s nTSecurityDescriptor with security_descriptor_control(sdflags=0x04) and parse the DACL.
• DCSync ACEs: For each ACE whose trustee is in principal_sids, check:
• ACCESS_ALLOWED_ACE with GenericAll (0x10000000) → DCSync
• ACCESS_ALLOWED_OBJECT_ACE with object type:
• 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (Replicating Directory Changes)
• 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (Replicating Directory Changes All)

Result: If any such ACE is found, return True and set admin_privs = True in check_if_admin.

Tradeoffs:

• Adds LDAP searches and DACL parsing; cost is acceptable for the admin check path.
• Group membership is transitive via member:1.2.840.113556.1.4.1941.

Caveats:

• Requires LDAP read access to the domain root and user objects.
• Does not validate actual DRS replication; it only checks ACLs.

[NeffIsBack]

Hi and thanks for the bug report/solution suggestion, but this is AI generated right?

[kathan3009]

Hey,

Thank you for writing back, I did use use AI to write the issue ticket in to a particular format but the feature request I made was identified while I was testing out AD misconfiguration on GOAD.

I realized that a user in GOAD called robb stark is part of a group that has DCSync rights but is not consider as admin to be able to run the raisechild module.

So I made a change that worked for me where I did a check if the group has relevant rights and if that are passed on to user then it should work successfully.

It is one of my first time submitting a major change, do let me know if you want me to re submit the issue.

[NeffIsBack]

Please don't use AI for generating tickets. A few hand written sentences is most often better than the bloat that AI produces (including their most often incorrect suggested solutions). Also, in this case (and issue #1108) this should be a bug report because something is (supposably) not working as intended).

Two thoughts on the actual issue (ignoring the AI bs):

• The user is not marked as Domain Admin because he is not Domain Admin. He has implicit privileges over the domain and can perform powerful actions, but is not part of the Tier 0 architecture. NetExec simply can't detect all implicitly granted privileges that could get you domain admin, for which you should probably check out bloodhound.
• The raisechild module is intended to be used as domain admin to escalate to a parent/other domain. Yes, in this case you would be able to execute that module even without admin privs because you have DC sync privs, but usually you would first DCsync an actual admin and then escalate to the other domain. You could argue that sometimes you would like to skip that step (for reasons), which could be solved by allowing execution of the module with a low priv user (but not by parsing arbitrary DACLs and checking if the user somehow has privileges over the domain or T0 infra).

[NeffIsBack]

Closing for now as this is out of scope imo. Feel free to resubmit if you disagree, but please don't generate issues with AI.