the-useless-one / pywerview

A (partial) Python rewriting of PowerSploit's PowerView
GNU General Public License v3.0

Get-NetGroupMember does not work against "Domain Users" group #23

Closed (byt3bl33d3r closed this 10 months ago)

byt3bl33d3r commented 7 years ago

Hey man, here's another issue I ran into recently, seems that get-netgroupmember fails to pull down the group members of anything except the domain admins group:

(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.12 -u user -p pass --groupname 'Domain Admins' -r
groupdomain:  lab.local
groupname:    Domain Admins
isgroup:      False
memberdn:     CN=Administrator,CN=Users,DC=lab,DC=local
memberdomain: lab.local
membername:   Administrator
membersid:    S-1-5-21-1049426096-2728124650-4150323340-500

(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.12 -u user -p pass --groupname 'Domain Users' -r
(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.12 -u user -p pass --groupname 'Users' -r
groupdomain:  lab.local
groupname:    Users
isgroup:      True
memberdn:     CN=Domain Users,CN=Users,DC=lab,DC=local
memberdomain: lab.local
membername:   Domain Users
membersid:    S-1-5-21-1049426096-2728124650-4150323340-513

Let me know if I'm missing something, posting this at 3 AM so my brain might be fried lol

Cheers

the-useless-one commented 7 years ago

Hey @byt3bl33d3r!

I actually have the same problem; I don't know why, but I can't list members of the "Domain Users" group. But I can list any other group. Could you test with any other group, besides "Domain Admins" and "Domain Users"? Thanks.

Cheers,

Y

byt3bl33d3r commented 7 years ago

Huh, yup that seems to be the case:

(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.11 -u user -p pass --groupname 'dabestgroup'      
groupdomain:  lab.local
groupname:    dabestgroup
isgroup:      False
memberdn:     CN=yomama5,OU=Users,OU=Lab,DC=lab,DC=local
memberdomain: lab.local
membername:   yomama5
membersid:    S-1-5-21-1049426096-2728124650-4150323340-1113

groupdomain:  lab.local
groupname:    dabestgroup
isgroup:      False
memberdn:     CN=yomama3,OU=Users,OU=Lab,DC=lab,DC=local
memberdomain: lab.local
membername:   yomama3
membersid:    S-1-5-21-1049426096-2728124650-4150323340-1111

groupdomain:  lab.local
groupname:    dabestgroup
isgroup:      False
memberdn:     CN=yomama1,OU=Users,OU=Lab,DC=lab,DC=local
memberdomain: lab.local
membername:   yomama1
membersid:    S-1-5-21-1049426096-2728124650-4150323340-1109

Weird.

byt3bl33d3r commented 7 years ago

I'll see if I can help figure this out tomorrow. Could this be a side effect of the pyasn1 changes made to impacket?

the-useless-one commented 7 years ago

I don't think so, this was a problem I had way before this change. I'll edit the title of your issue, and try to figure this out.

[Edit] You can still use get-netuser if you want to list the domain users in the meantime :)

ThePirateWhoSmellsOfSunflowers commented 10 months ago

Hi!

As far as I understand, users are members of the "Domain Users" group only through their primarygroupid and not via the memberof LDAP attribute (ctrl+f "513" here). Thus, I think the best way to extract members of this group is to use get-netuser with a custom filter:

$ ./pywerview.py get-netuser -w domain.lan  -u administrator -p 'password123' -t 10.0.0.1 --attributes samaccountname primarygroupid --custom-filter '(&(primarygroupid=513))' 
primarygroupid: 513
samaccountname: j.doe

primarygroupid: 513
samaccountname: test.doe

[...]

I think I can close this issue now (6 years...whoa).

:sunflower:
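An added example (not pywerview's own code and not from any of the commenters) showing why reading a group's `member` attribute alone returns nothing for Domain Users, and how matching each account's primaryGroupID against the group's RID completes the listing. The directory objects are constructed sample data that reuse the lab domain SID quoted in the thread.

```python
# Added example (not pywerview's own code): resolve Active Directory group
# membership the way the last comment describes. "Domain Users" (RID 513) has
# no entries in its `member` attribute; accounts belong to it only through
# their primaryGroupID, so an enumeration that reads `member`/`memberOf` alone
# returns nothing for it. The directory objects below are constructed samples.

def rid_of(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def members_via_member_attr_only(group: dict, users: list) -> set:
    """The incomplete approach: trust the `member` attribute alone."""
    explicit = {dn.lower() for dn in group.get("member", [])}
    return {u["sAMAccountName"] for u in users
            if u["distinguishedName"].lower() in explicit}


def group_members(group: dict, users: list) -> set:
    """Explicit `member` DNs plus every account whose primaryGroupID equals
    the group's RID (the part the memberOf-only lookup misses)."""
    explicit = {dn.lower() for dn in group.get("member", [])}
    rid = rid_of(group["objectSid"])
    return {u["sAMAccountName"] for u in users
            if u["distinguishedName"].lower() in explicit
            or u.get("primaryGroupID") == rid}


# Constructed sample objects in the shape an LDAP search returns them.
DOMAIN_SID = "S-1-5-21-1049426096-2728124650-4150323340"
GROUPS = {
    "Domain Users": {"objectSid": DOMAIN_SID + "-513", "member": []},
    "Domain Admins": {"objectSid": DOMAIN_SID + "-512",
                      "member": ["CN=Administrator,CN=Users,DC=lab,DC=local"]},
}
USERS = [
    {"sAMAccountName": "Administrator", "primaryGroupID": 513,
     "distinguishedName": "CN=Administrator,CN=Users,DC=lab,DC=local"},
    {"sAMAccountName": "j.doe", "primaryGroupID": 513,
     "distinguishedName": "CN=j.doe,OU=Users,OU=Lab,DC=lab,DC=local"},
    # An account whose primary group was changed to a custom group (RID 1109).
    {"sAMAccountName": "svc_backup", "primaryGroupID": 1109,
     "distinguishedName": "CN=svc_backup,OU=Users,OU=Lab,DC=lab,DC=local"},
]

if __name__ == "__main__":
    for name, g in GROUPS.items():
        print(name, "member-only:", sorted(members_via_member_attr_only(g, USERS)),
              "| full:", sorted(group_members(g, USERS)))
```

The same RID match is what the `(primarygroupid=513)` filter above performs server-side; an audit of any group should apply both checks, since an account's primary group can be changed away from Domain Users.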