Infrastructure penetration testing notes
icacls

icacls is a command-line utility that can be used to modify NTFS file system permissions in Windows Server 2003 SP2, Windows Server 2008, Windows Vista and Windows 7. It builds on the functionality of similar previous utilities, including cacls, Xcacls.exe, Cacls.exe, and Xcacls.vbs.  

Example:

PS htb\amanda@SIZZLE documents> icacls clean.bat 
clean.bat NT AUTHORITY\SYSTEM:(I)(F) 
          BUILTIN\Administrators:(I)(F) 
          HTB\Administrator:(I)(F) 
          HTB\amanda:(I)(F) 

Change permissions:

icacls C:\PS /grant John:M

Remove permissions:

icacls C:\PS /remove John

Each user or group in the output is followed by its access level, which is written using abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user:

  • (OI) — object inherit

  • (CI) — container inherit

  • (M) —  modify access

This means that the user has the right to write and modify data in this directory, and that these rights are inherited by all child objects in the directory.

Below is a complete list of permissions that can be set using the icacls utility:

icacls inheritance settings:

  • (OI)  —  object inherit

  • (CI)  —  container inherit

  • (IO)  —  inherit only

  • (NP)  —  don’t propagate inherit

  • (I)  — permission inherited from parent container

List of basic access permissions:

  • D  —  delete access

  • F  —  full access

  • N  —  no access

  • M  —  modify access

  • RX  —  read and eXecute access

  • R  —  read-only access

  • W  —  write-only access

Detailed permissions:

  • DE  —  delete

  • RC  —  read control

  • WDAC  —  write DAC

  • WO  — write owner

  • S  —  synchronize

  • AS  —  access system security

  • MA  —  maximum allowed permissions

  • GR  —  generic read

  • GW  —  generic write

  • GE  —  generic execute

  • GA  —  generic all

  • RD  —  read data/list directory

  • WD  —  write data/add file

  • AD  — append data/add subdirectory

  • REA  —  read extended attributes

  • WEA  —  write extended attributes

  • X  —  execute/traverse

  • DC  —  delete child

  • RA  —  read attributes

  • WA  —  write attributes
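To review a listing like the ones above, the following added example (not part of the original notes) parses icacls output into ACEs and reports allow entries that give a write-capable right to a principal outside a baseline. The `TRUSTED` baseline and the choice of rights in `WRITE_CAPABLE` are assumptions, and the caller passes the path exactly as it was typed to icacls.

```python
import re
# Tokens from the page's inheritance list; any other token is an access right.
INHERIT = {"I", "OI", "CI", "IO", "NP"}
# Assumed selection: rights from the tables above that change content, ACL or owner.
WRITE_CAPABLE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WDAC", "WO", "DC", "DE"}
# Assumed baseline of principals expected to hold such rights.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Za-z,]+\))+)$")

def parse_icacls(path, output):
    """Return one dict per ACE in the icacls listing for `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # the first line carries the path
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or summary line
        tokens = [t.upper() for t in re.findall(r"[A-Za-z]+", m["groups"])]
        aces.append({
            "principal": m["who"],
            "deny": "DENY" in tokens,
            "inherit": [t for t in tokens if t in INHERIT],
            "rights": [t for t in tokens if t not in INHERIT and t != "DENY"],
        })
    return aces

def risky_aces(aces, trusted=TRUSTED):
    """Allow ACEs that give a non-baseline principal a write-capable right."""
    trusted = {t.lower() for t in trusted}
    return [
        (a["principal"], sorted(set(a["rights"]) & WRITE_CAPABLE), a["inherit"])
        for a in aces
        if not a["deny"]
        and a["principal"].lower() not in trusted
        and set(a["rights"]) & WRITE_CAPABLE
    ]

# Listing copied from the clean.bat example on this page.
CLEAN_BAT = r"""clean.bat NT AUTHORITY\SYSTEM:(I)(F)
          BUILTIN\Administrators:(I)(F)
          HTB\Administrator:(I)(F)
          HTB\amanda:(I)(F)"""
# Constructed listing for the (OI)(CI)(M) case described above.
DIR_LISTING = r"""C:\PS CORP\someusername:(OI)(CI)(M)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      Everyone:(DENY)(W)
Successfully processed 1 files; Failed processing 0 files"""
```

An entry whose inheritance flags include (OI) or (CI) on a directory also applies to the files and subdirectories created beneath it, so it deserves review first.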
