Closed jsdhasfedssad closed 1 year ago
Hello,
Unfortunately, we don't think that the goal of pywerview (used as a tool) is to perform "heavy" modifications/filtering on the returned results. Complex handling must be implemented in a separate script with pywerview used as a library.
However, as pywerview can return json results, you can use powerful (but not so friendly :disappointed:) tools such as jq:
Filter: jq '.results | .[] | {rid: (.objectsid | split("-") | .[-1]), dn: .distinguishedname, objectsid: .objectsid, name: .name} | select((.rid | tonumber)>1000)'
Example:
$ python pywerview.py get-netgroup -w domain.org -u user -p Password123 -t 172.16.0.120 --json --full-data | jq '.results | .[] | {rid: (.objectsid | split("-") | .[-1]), dn: .distinguishedname, objectsid: .objectsid, name: .name} | select((.rid | tonumber)>1000)'
{
"rid": "1143",
"dn": "CN=TestGroup,CN=Users,DC=domain,DC=org",
"objectsid": "S-1-5-21-507154964-1282889071-1089825736-1143",
"name": "TestGroup"
}
{
"rid": "1128",
"dn": "CN=a,CN=Users,DC=domain,DC=org",
"objectsid": "S-1-5-21-507154964-1282889071-1089825736-1128",
"name": "a"
}
{
"rid": "1126",
"dn": "CN=ATA_TEST,CN=Users,DC=domain,DC=org",
"objectsid": "S-1-5-21-507154964-1282889071-1089825736-1126",
"name": "ATA_TEST"
}
{
"rid": "1103",
"dn": "CN=DnsUpdateProxy,CN=Users,DC=domain,DC=org",
"objectsid": "S-1-5-21-507154964-1282889071-1089825736-1103",
"name": "DnsUpdateProxy"
}
{
"rid": "1102",
"dn": "CN=DnsAdmins,CN=Users,DC=domain,DC=org",
"objectsid": "S-1-5-21-507154964-1282889071-1089825736-1102",
"name": "DnsAdmins"
}
(full disclosure: I'm not yet a jq ninja, so there is maybe a more efficient way to do that)
Let me know if it helps you. Closing your issue now.
:sunflower:
Thank you for the last reply. I have another request :)
In cross-forest (inter-realm) attacks, forging golden tickets or trust tickets requires the use of a custom group in the target forest which has RID 1000 or higher. While I can use the command get-netgroup to identify groups and see their RIDs as part of their SIDs, it is cumbersome to use, even if I grep out RIDs. Typically the information I am primarily looking for is a group's objectsid, memberof, members and name, but the information is only relevant if a group's RID is 1000 or higher. Is there any way you could implement some sort of functionality to filter on RID and, if that is 1000 or higher, output the rest (complete) of the information you output today? Thanks!
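The maintainer's jq one-liner above and the request to filter on RID describe the same post-processing step: parse the last sub-authority of each group's objectsid and keep only groups whose RID is 1000 or higher. As an added example that is not part of this thread and not pywerview's own code, the script below does that over the `--json --full-data` output shape shown above (a top-level `results` list), the way the maintainer suggested doing "heavy" filtering in a separate script. It also handles the cases the jq filter does not: a malformed or missing objectsid is skipped instead of crashing `tonumber`, and the RID threshold and the emitted attributes are parameters. The sample JSON is constructed from the page's output; the `memberof` and `member` attribute names, and the `filter_rid.py` file name, are assumptions.

```python
#!/usr/bin/env python3
"""Filter pywerview --json --full-data group output by RID (added example, not pywerview's code)."""
import json
import sys

# Constructed sample in the shape of the page's output: a "results" list of group objects.
# "memberof" and "member" are assumed attribute names; the page only shows objectsid,
# distinguishedname and name. The last two entries exercise the edge cases.
SAMPLE_JSON = json.dumps({
    "results": [
        {"objectsid": "S-1-5-21-507154964-1282889071-1089825736-1143",
         "distinguishedname": "CN=TestGroup,CN=Users,DC=domain,DC=org",
         "name": "TestGroup", "memberof": [],
         "member": ["CN=a,CN=Users,DC=domain,DC=org"]},
        {"objectsid": "S-1-5-21-507154964-1282889071-1089825736-512",
         "distinguishedname": "CN=Domain Admins,CN=Users,DC=domain,DC=org",
         "name": "Domain Admins", "memberof": [], "member": []},
        # Built-in group: no domain sub-authorities, RID is still the last component.
        {"objectsid": "S-1-5-32-544",
         "distinguishedname": "CN=Administrators,CN=Builtin,DC=domain,DC=org",
         "name": "Administrators", "memberof": [], "member": []},
        # Malformed SID: must be skipped, not crash the filter.
        {"objectsid": "not-a-sid", "name": "Broken", "memberof": [], "member": []},
    ]
})

# Attributes the requester asked for; "rid" is always added for convenience.
DEFAULT_FIELDS = ("name", "objectsid", "memberof", "member")


def rid_of(sid):
    """Return the RID (last sub-authority) of an SID string, or None if it is not a valid SID."""
    if not isinstance(sid, str):
        return None
    parts = sid.split("-")
    # Minimal shape: "S-<revision>-<authority>-<at least one sub-authority>", all numeric.
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        return None
    return int(parts[-1])


def filter_groups(results, min_rid=1000, fields=DEFAULT_FIELDS):
    """Keep groups whose RID >= min_rid, projecting each onto `fields` plus its RID."""
    kept = []
    for obj in results:
        rid = rid_of(obj.get("objectsid"))
        if rid is None or rid < min_rid:
            continue  # malformed SID or well-known/built-in RID below the threshold
        row = {"rid": rid}
        for field in fields:
            row[field] = obj.get(field)
        kept.append(row)
    return kept


def filter_json(text, min_rid=1000):
    """Parse pywerview's JSON document and return the filtered group list."""
    data = json.loads(text)
    return filter_groups(data.get("results", []), min_rid)


if __name__ == "__main__":
    # Usage: python pywerview.py get-netgroup ... --json --full-data | python filter_rid.py [MIN_RID]
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for group in filter_json(source, threshold):
        print(json.dumps(group, indent=2))
```

Run without input it filters the embedded sample and prints only TestGroup (RID 1143); piped after the `get-netgroup --json --full-data` command from the maintainer's example it prints the same four attributes for every real group, and a threshold of 500 would also surface Domain Admins (512) and Administrators (544), which is a quick way to sanity-check that the SID parsing agrees with the RIDs shown in the jq output above.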