Closed JeffTheDev00 closed 8 months ago
aniqfakhrul
commented
8 months ago Thanks for pointing this out. This us because powerview checks current user admin status by querying adminCount attribute which is not the case for computer accounts. We'll fix this. Thanks again
JeffTheDev00
commented
8 months ago Happy to help!
JeffTheDev00
commented
8 months ago Btw, it seems like this code from last week's commit fixes it(I was using an older commit myself) :
try:
curUserDetails = self.get_domainuser(identity=self.username, properties=["adminCount","memberOf"])[0]
userGroup = curUserDetails.get("attributes").get("memberOf")
if isinstance(userGroup, str):
groups.append(userGroup)
elif isinstance(userGroup, list):
groups = userGroup
for group in groups:
if "CN=Domain Admins".casefold() in group.casefold():
self.is_domainadmin = True
break
if self.is_domainadmin:
logging.info(f"User {self.username} is a Domain Admin")
else:
self.is_admincount = bool(curUserDetails["attributes"]["adminCount"])
if self.is_admincount:
logging.info(f"User {self.username} has adminCount attribute set to 1. Might be admin somewhere somehow :)")
except:
logging.debug("Failed to check user admin status")Have you tried if it works with computer account?
JeffTheDev00
commented
8 months ago Nope haven't tried it yet, will give it a shot in a bit! Gonna have to spin up a dc real quick
JeffTheDev00
commented
8 months ago Just tested it and yep, can confirm that it does indeed work :
┌─[parrot@parrot]─[~/dev/powerview.py]
└──╼ [★]$ python3 powerview.py 'test-domain/client01$@ip' --use-ldap --dc-ip someip -H somehash
[2024-01-08 18:12:08] LDAP Signing NOT Enforced!
(LDAP)-[someip]-[test-domain\client01$]
PV > get-domain
objectClass : top
domain
domainDNS Thats good to know. I'll do some code cleaning to handle the errors.
Problem: Powerview fails when attempting to connect with a computer accountOutput:Explanation: It seems that that theadminCountattribute cannot be found in ldap when connecting with a computer account. Likely because computer accounts do not have this attribute set which causes the script to fail as its not able to find the value and can't proceed without it.Temporary Resolution: It seems that removing the following lines fixes the issue for now.