the-useless-one / pywerview

A (partial) Python rewriting of PowerSploit's PowerView
GNU General Public License v3.0
924 stars 115 forks source link

List index out of range in the get-netlocalgroup function #4

Closed ThePirateWhoSmellsOfSunflowers closed 8 years ago

ThePirateWhoSmellsOfSunflowers commented 8 years ago

Hi dude ! An error occurs when I try to get local groups on a target, more precisely when a domain group is included in local group. Tested on Windows XP/7 target.

Pywerview

$ ./pywerview.py get-netlocalgroup -w DOMAIN.lan -u administrator -p p@ssw0rd --dc-ip 192.168.1.1 --groupname Administrateurs --computername COMPUTER05.domain.lan

192.168.1.1 Traceback (most recent call last): File "./pywerview.py", line 279, in results = args.func(**parsed_args) File "/home/x/tools/pywerview/pywerview/net.py", line 596, in get_netlocalgroup password, lmhash, nthash, queried_sid=member_sid)[0] IndexError: list index out of range

Powerview

PS C:\Users\administrator> Get-NetLocalGroup -ComputerName COMPUTER05.domain.lan -GroupName Administrateurs

Server : COMPUTER05.domain.lan AccountName : COMPUTER05/Administrateur SID : S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Disabled : ERROR IsGroup : False IsDomain : False LastLogin :

Server : COMPUTER05.domain.lan AccountName : Tout le monde SID : S-1-1-0 Disabled : ERROR IsGroup : True IsDomain : False LastLogin :

Server : COMPUTER05.domain.lan AccountName : S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX SID : S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Disabled : ERROR IsGroup : False IsDomain : False LastLogin :

Server : COMPUTER05.domain.lan AccountName : domain.lan/Domain Admins SID : S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Disabled : False IsGroup : True IsDomain : True LastLogin :

(damn github markdown is sooooo lame)

Thanks for your tool by the way :+1:

"Joy and Volupted"

the-useless-one commented 8 years ago

Hey dude, thanks for the issue!

It's a shame your assignment ended this week cause I had a few questions regarding this issue. The problem does not come from the fact that there is a domain group inside the local "Administrateurs" group (this test case was covered ;). It comes from the second-to-last result, the one where PowerView did not resolve the SID.

PywerView works this way to get members of a local group:

Obviously, this last step failed in your execution of PywerView, which is what raised the exception. PowerView did not manage to resolve the SID either, but returned it raw instead. I just published a fix to imitate this behavior, instead of failing.

The remaining question is "why did this SID not resolve, either against the local machine or against the DC?" But since your assignment is done, we'll never know :'(

ThePirateWhoSmellsOfSunflowers commented 8 years ago

My assignment is done but I have uncensored screenshots/outputs for the report, maybe we'll find some answers...

:smile: