BloodHoundAD / SharpHoundCommon

Common library used by SharpHound.
GNU General Public License v3.0

Add NTLMv1 flag on GPO #101

Open Hackndo opened 6 months ago

Hackndo commented 6 months ago

Similar to https://github.com/BloodHoundAD/SharpHound3/pull/47

If a GPO object forces LmCompatibilityLevel to be less than 3, then the computers it is applied to will use NTLMv1 when authenticating.

This information seems very useful from an attacking perspective, as authentication can be coerced and the NTLMv1 hash cracked or relayed without MIC.

(Also https://github.com/BloodHoundAD/SharpHound/pull/87 on SharpHound)


github-actions[bot] commented 6 months ago

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

Hackndo commented 6 months ago

I have read the CLA Document and I hereby sign the CLA

rvazarkar commented 4 months ago

The implementation seems fine, but I'm sort of debating if it makes more sense to just merge this in with the existing GPO object processor stuff. @definitelynotagoblin @ddlees do either of you have any feelings on this? It is doing a bit more than our normal object processor does, but generally our processors are loosely linked to a particular collection method, so I think this would probably fit in ObjectProps instead.

JonasBK commented 5 days ago

Hi @Hackndo,

Thank you for the two PRs - awesome work! 🙌

We have discussed internally and reached the conclusion that we would like to have two properties for this setting you collect:

The raw property should hold the int value of the registry setting. The other one should hold a string with the corresponding setting value, i.e. one of these:

Are you interested in updating your PR to create those properties? If not, then we will merge your PRs in and we will make the changes on top such that your commits still end up in the git history.

Let me know what you think and thanks again for contributing!
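The two-property shape discussed above, as an added example for auditing which GPOs still permit NTLMv1; it is not code from the PR or from SharpHoundCommon. It assumes the setting is read from the `[Registry Values]` section of a GPO security template (GptTmpl.inf). The property names are hypothetical, and the label strings are Microsoft's names for the levels of "Network security: LAN Manager authentication level", not necessarily the list referred to in the comment.

```csharp
using System;
using System.Collections.Generic;
// Added example, not SharpHoundCommon code. Property names below are hypothetical.
static class LmCompatAudit
{
    const string ValueName = @"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel";
    // Microsoft's names for levels 0-5 of "Network security: LAN Manager authentication level".
    static readonly string[] Labels = {
        "Send LM & NTLM responses",
        "Send LM & NTLM - use NTLMv2 session security if negotiated",
        "Send NTLM response only",
        "Send NTLMv2 response only",
        "Send NTLMv2 response only. Refuse LM",
        "Send NTLMv2 response only. Refuse LM & NTLM"
    };

    // Returns the raw DWORD set by the template, or null when the GPO does not set the value.
    public static int? ParseLevel(string inf)
    {
        bool inSection = false;
        foreach (var raw in inf.Split('\n'))
        {
            var line = raw.Trim();
            if (line.StartsWith("[")) { inSection = line.Equals("[Registry Values]", StringComparison.OrdinalIgnoreCase); continue; }
            if (!inSection) continue;
            var kv = line.Split(new[] { '=' }, 2);
            if (kv.Length != 2 || !kv[0].Trim().Equals(ValueName, StringComparison.OrdinalIgnoreCase)) continue;
            var data = kv[1].Split(',');   // "<registry type>,<data>"; type 4 is REG_DWORD
            if (data.Length == 2 && data[0].Trim() == "4" && int.TryParse(data[1].Trim(), out var level)) return level;
        }
        return null;
    }
    // Raw int, readable label, and the "less than 3" NTLMv1 test from the PR description.
    public static Dictionary<string, object> ToProperties(int level) => new Dictionary<string, object>
    {
        ["lmcompatibilitylevel_raw"] = level,
        ["lmcompatibilitylevel"] = level >= 0 && level < Labels.Length ? Labels[level] : "Unknown",
        ["allowsntlmv1"] = level < 3
    };

    static void Main()
    {
        // Constructed sample template; a real one lives in the GPO's folder on SYSVOL.
        var inf = "[Unicode]\r\nUnicode=yes\r\n[Registry Values]\r\n" + ValueName + "=4,2\r\n[Version]\r\nsignature=\"$CHICAGO$\"\r\n";
        var found = ParseLevel(inf);
        if (found == null) { Console.WriteLine("LmCompatibilityLevel not set by this GPO"); return; }
        foreach (var p in ToProperties(found.Value)) Console.WriteLine($"{p.Key}: {p.Value}");
    }
}
```

A GPO that leaves the value unset yields no properties here, which is different from level 0: the effective level on a computer then comes from other GPOs or the operating system default.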

Hackndo commented 4 days ago

Hello, I'll update my PR in a few days. Thank you for your feedback.

Edit (2nd of August): There were major changes in LDAPUtils in v4. I'll need some time to wrap my head around this. :)