the-useless-one / pywerview

A (partial) Python rewriting of PowerSploit's PowerView
GNU General Public License v3.0

Invoke-ACLScanner port #43

Closed clementsbr closed 2 years ago

clementsbr commented 3 years ago

Conversion of the function Invoke-ACLScanner

the-useless-one commented 3 years ago

Hi @clementsbr,

I can only guess from your message that you would like to see the Invoke-ACLScanner functionality implemented. If that's so, rejoice! I'm currently working on implementing the different PowerView ACL functionalities. You can see some of them in the get_objectacl branch.

If you use this branch for your tests and see any problems, we'd be grateful for your issues (hoping that they'll be more detailed than this one).

Cheers,

Y

clementsbr commented 3 years ago

Essentially, using the ACL scanner to identify GPOs which have overly permissive write rules. However, since get-netgpo does not return a SID and we cannot query on the GPO name/GUID, I cannot validate the permissions on GPOs effectively via your python script.

the-useless-one commented 2 years ago

Hi @clementsbr,

Sorry I took so long to answer. You can check the ACL on a GPO using its name attribute. Here's an example where I'm looking at the Default Domain Policy:

$ python3 pywerview.py get-objectacl -t srv-ad.contoso.com -u skywalker -p $PASSWORD --name '{31B2F340-016D-11D2-945F-00C04FB984F9}' --resolve-guids --resolve-sids
objectdn:              CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:             
acetype:               ACCESS_ALLOWED_ACE
binarysize:            36
aceflags:              
accessmask:            917693
activedirectoryrights: generic_read, create_child, list_children, self, read_property, write_property, list_object, 
                       read_control, write_dacl, write_owner
isinherited:           False
securityidentifier:    CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak:             False

objectdn:              CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:             
acetype:               ACCESS_ALLOWED_ACE
binarysize:            36
aceflags:              container_inherit, inherit_only
accessmask:            983295
activedirectoryrights: generic_read, create_child, delete_child, list_children, self, read_property, write_property, 
                       delete_tree, list_object, delete, read_control, write_dacl, write_owner
isinherited:           False
securityidentifier:    CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak:             False
[...]

Feel free to re-open the issue if this didn't answer your question.

Cheers,

Y
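The thread stops at the command that dumps a GPO's ACEs; the Invoke-ACLScanner part (deciding which ACEs are dangerous and who holds them) is left to the reader. The following is an added example, not pywerview code and not from either participant: it parses the text that `get-objectacl --resolve-sids` prints, decodes the numeric `accessmask` into ADS_RIGHT_* flags (Win32 ADS_RIGHTS_ENUM / .NET ActiveDirectoryRights bit values), and flags ACEs granting write-type rights to principals outside an allowlist, in the spirit of Invoke-ACLScanner's GenericAll|Write|Create|Delete filter. The sample input is constructed: the two Default Domain Policy ACEs from the output above plus an invented third ACE for a `CN=Helpdesk` group with WriteDacl, and the `EXPECTED_ADMINS` allowlist (here only the resolved Domain Admins DN from the output) is an assumption you would replace with your own privileged groups.

```python
"""Invoke-ACLScanner-style filter over pywerview get-objectacl text output (added example)."""
import re
from typing import Dict, List

# Bit values of the ADS_RIGHT_* flags (Win32 ADS_RIGHTS_ENUM / .NET ActiveDirectoryRights).
AD_RIGHTS = {
    "create_child": 0x00000001, "delete_child": 0x00000002, "list_children": 0x00000004,
    "self": 0x00000008, "read_property": 0x00000010, "write_property": 0x00000020,
    "delete_tree": 0x00000040, "list_object": 0x00000080,
    "control_access": 0x00000100,  # extended rights (e.g. replication rights)
    "delete": 0x00010000, "read_control": 0x00020000, "write_dacl": 0x00040000,
    "write_owner": 0x00080000, "synchronize": 0x00100000, "access_system_security": 0x01000000,
}
# Composite rights: reported only when every constituent bit is set in the mask.
COMPOSITE_RIGHTS = {
    "generic_read": 0x00020094, "generic_write": 0x00020028,
    "generic_execute": 0x00020004, "generic_all": 0x000F01FF,
}
# Rights that let a principal modify or take over a GPO (cf. Invoke-ACLScanner's filter).
DANGEROUS = {"generic_all", "generic_write", "write_property", "write_dacl", "write_owner",
             "create_child", "delete_child", "delete", "delete_tree", "control_access"}
# Assumption: principals expected to have full control over GPOs, as resolved DNs
# (the form --resolve-sids prints). Extend with your own privileged groups.
EXPECTED_ADMINS = {"CN=Admins du domaine,CN=Users,DC=contoso,DC=com"}

# Constructed sample: two ACEs copied from the thread, plus an invented Helpdesk ACE
# (accessmask 393364 = 0x60094 = generic_read | write_dacl). Field names as pywerview prints them.
SAMPLE_OUTPUT = """\
objectdn:              CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:             
acetype:               ACCESS_ALLOWED_ACE
binarysize:            36
aceflags:              
accessmask:            917693
activedirectoryrights: generic_read, create_child, list_children, self, read_property, write_property, list_object, 
                       read_control, write_dacl, write_owner
isinherited:           False
securityidentifier:    CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak:             False

objectdn:              CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:             
acetype:               ACCESS_ALLOWED_ACE
binarysize:            36
aceflags:              container_inherit, inherit_only
accessmask:            983295
activedirectoryrights: generic_read, create_child, delete_child, list_children, self, read_property, write_property, 
                       delete_tree, list_object, delete, read_control, write_dacl, write_owner
isinherited:           False
securityidentifier:    CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak:             False

objectdn:              CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:             
acetype:               ACCESS_ALLOWED_ACE
binarysize:            36
aceflags:              
accessmask:            393364
activedirectoryrights: generic_read, list_children, read_property, list_object, read_control, write_dacl
isinherited:           False
securityidentifier:    CN=Helpdesk,CN=Users,DC=contoso,DC=com
iscallbak:             False
[...]
"""


def decode_access_mask(mask: int) -> List[str]:
    """Name every ADS right present in the mask; composites only when fully present."""
    names = [n for n, bits in COMPOSITE_RIGHTS.items() if mask & bits == bits]
    names += [n for n, bit in AD_RIGHTS.items() if mask & bit]
    return names


def parse_objectacl_output(text: str) -> List[Dict[str, object]]:
    """Split get-objectacl text into one dict per ACE; blank lines separate ACEs,
    indented lines continue the previous (wrapped) field."""
    aces: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "[...]":
            if current:
                aces.append(current)
            current, last_key = {}, None
            continue
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key and line[:1].isspace():  # wrapped continuation line
            current[last_key] = f"{current[last_key]} {line.strip()}"
    if current:
        aces.append(current)
    for ace in aces:  # normalise the fields the scanner reasons about
        ace["accessmask"] = int(str(ace.get("accessmask", "0")) or 0)
        ace["isinherited"] = ace.get("isinherited") == "True"
    return aces


def find_risky_aces(aces: List[Dict[str, object]], expected_admins=EXPECTED_ADMINS) -> List[Dict[str, object]]:
    """Allow ACEs that grant a DANGEROUS right to a principal not in the allowlist."""
    risky = []
    for ace in aces:
        if not str(ace.get("acetype", "")).startswith("ACCESS_ALLOWED"):
            continue  # deny ACEs do not grant anything
        hits = sorted(set(decode_access_mask(int(ace["accessmask"]))) & DANGEROUS)
        if hits and ace.get("securityidentifier") not in expected_admins:
            risky.append({"objectdn": ace["objectdn"], "principal": ace["securityidentifier"], "rights": hits})
    return risky


if __name__ == "__main__":
    for hit in find_risky_aces(parse_objectacl_output(SAMPLE_OUTPUT)):
        print(f"{hit['principal']} -> {', '.join(hit['rights'])} on {hit['objectdn']}")
```

Pipe real output in with `python3 pywerview.py get-objectacl ... --resolve-sids | python3 scan.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`. Two caveats the bitmask decoding makes visible: `generic_read` in the tool's output is a composite, not a separate bit, so a mask can imply `generic_write` as well even when the tool does not list it; and an ACE whose `aceflags` include `inherit_only` applies to child objects rather than the GPO container itself, so check that flag before concluding a principal can edit the policy.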