{"id":91,"date":"2009-03-06T07:13:30","date_gmt":"2009-03-06T13:13:30","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=91"},"modified":"2018-12-29T00:46:17","modified_gmt":"2018-12-29T06:46:17","slug":"auditing-folder-and-subfolder-permissions-using-cacls","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2009\/03\/auditing-folder-and-subfolder-permissions-using-cacls\/","title":{"rendered":"Auditing Folder (and subfolder) Permissions using CACLS"},"content":{"rendered":"

Updated 7\/2\/2016 – yeah, I haven’t needed to parse the shitty output from this tool in 7 years. I never accounted for “special access” permissions not including the account with the access.
\nUpdated 12\/28\/2018 – link to the code didn’t work so I’ve fixed that. Also updated if you receive a specific error message. <\/p>\n

CACLS.exe is a great builtin Windows utility that allows you to list the permissions on a file or folder.\u00a0 This command has been used in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user.\u00a0 The findings we would be looking for when examining the results are improper access to the “private” shares by other Domain users.<\/p>\n

For CACLS options and how to interpret the results see this site<\/a>.
\n
\nThe commands that I run are as follows:
\nDirectories and Files in the folder your run CACLS
\nc:\\>for \/f \"delims=\" %a in ('dir \/b') do @cacls \"%a\" >> savefile.txt<\/kbd>
\nAll directories, recursive, from the folder your run CACLS
\nc:\\>for \/f \"delims=\" %a in ('dir \/b \/S \/A:D') do @cacls \"%a\" >> savefile.txt<\/kbd><\/p>\n

Once results are obtained they need to be parsed so they can be analyzed.\u00a0 I have written a perl script to add the correct folder name to each permission.\u00a0 This is so they can be sorted by permission in your spreadsheet application of choice.<\/p>\n

 <\/p>\n

Save the code and run it as follows (also download here<\/a>):<\/p>\n

\n#!\/usr\/bin\/perl\n\n$numArgs = $#ARGV +1;\nif($numArgs < 2){\n  print "Invalid Number of Arguments\\n";\n  print "caclsparse.pl <filename> <foldername>\\n";\n  print "The foldername is the root folder you ran CACLS.exe from.\\n\\n";\n  print "foldername example:  \\"C\\\\:\\\\\\\\Documents and Settings\\\\\\\\jedge\\"\\n";\n  print "Folder names with spaces need to be encapsulated in quotes.\\n";\n  print "You need to escape the backslash twice.\\n";\n  print "You need to escape the colon with a backslash as well.\\n";\n  exit;\n}\n\n#open the file\n$infile = "$ARGV[0]";\nopen(DAT, $infile) || die("Something did not work.  You can email me at james.edge(at)jedge.com\\n");\n\n#save file contents into an array\n@raw_data=<DAT>;\nclose(DAT);\n\nopen (OUTPUT, '>cacls_parse_output.csv');\n#Cycle through the entire array\nfor($count=0;$count<=$#raw_data;$count++){\n  #pull folder name, split it, and print it\n  #the first record in each grouping is the only record with the folder name\n  if(@raw_data[$count] =~ \/($ARGV[1])\/){\n    chomp(@raw_data[$count]);\n    $x = 0;\n    while(substr(@raw_data[$count+1],$x,1) eq " "){\n      $x++;\n    }\n    $folder = substr(@raw_data[$count],0,$x-1);\n    $permissions = substr(@raw_data[$count],$x,length(@raw_data[$count]) - $x);\n    print OUTPUT "\\"$folder\\",\\"$permissions\\"\\n";\n  \n    #cycle through the permissions listed below the folder name\n    for($c=$count+1;$c<=$#raw_data;$c++){\n      $permissions = substr(@raw_data[$c],$x,length(@raw_data[$c]) - $x);\n      chomp($permissions);chomp($permissions);\n\n      #print until you get to the next folder item\n      if(@raw_data[$c] =~ \/($ARGV[1])\/){last;}\n    #another problem is "special access" permissions\n    #cycle through including the folder AND the account with access\n      if($permissions =~ \/special access\/){\n        $c++;\n        while(@raw_data[$c] =~ \/. \/){\n          $special_permissions = substr(@raw_data[$c],$x,length(@raw_data[$c]) - $x);\n          $special_permissions =~ s\/\\s+\/\/g;\n          print OUTPUT "\\"$folder\\",\\"$permissions $special_permissions\\"\\n";\n          $c++;\n        }\n      } else { print OUTPUT "\\"$folder\\",\\"$permissions\\"\\n";} #not "special access" so just print to file\n    }\n  }\n}\nclose(OUTPUT);\n<\/code><\/pre><\/p>\n
$perl caclsparse.pl savefile.txt \"C\\\\:\\\\Documents and Settings\\\\jedge\"<\/kbd><\/p>\n
NOTE: I run it from Linux but ActivePerl for Windows will work as well. Installing perl is outside the scope of this posting.<\/p>\n
Open parseresults.csv in Excel\/OO Calcs\/Gnumeric and begin analyzing the results!<\/p>\n
I’ve noticed that if you use double-quotes you will get the following error (cacls run on Windows 10 and output parsed on Kali 2017-04-04).
\n
\nUnmatched ( in regex; marked by <-- HERE in m\/( <-- HERE C:\\Users\\us315622\\)\/ at caclsparse.pl line 28.\n<\/code><\/pre>You need to use single-quotes.
\n$perl caclsparse.pl savefile.txt 'C\\\\:\\\\Users\\\\edge'<\/kbd><\/p>\n","protected":false},"excerpt":{"rendered":"
Updated 7\/2\/2016 – yeah, I haven’t needed to parse the shitty output from this tool in 7 years. I never accounted for “special access” permissions not including the account with the access. Updated 12\/28\/2018 – link to the code didn’t work so I’ve fixed that. Also updated if you receive a specific error message. CACLS.exe […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7,10],"tags":[16,94,87,69,92,93,33,26],"class_list":["post-91","post","type-post","status-publish","format-standard","hentry","category-scripts","category-using-the-tools","tag-audit","tag-cacls","tag-command","tag-command-line","tag-file-permissions","tag-folders","tag-perl","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/91","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=91"}],"version-history":[{"count":34,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/91\/revisions"}],"predecessor-version":[{"id":1196,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/91\/revisions\/1196"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=91"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=91"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=91"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}