From 2501e8e912764ef917be36fbe2f5792a6b88eeed Mon Sep 17 00:00:00 2001 From: Itamar Date: Thu, 4 May 2017 16:11:12 +0300 Subject: Get-GPODelegation Hi, I know you guys mentioned this before, but I've not this implemented. I wrote Get-GPODelegation that finds users with write permissions on Group Policy objects, for a potential privilege escalation path. As requested, moved into dev branch.
---
Recon/PowerView.ps1 | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+) (limited to 'Recon')
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index c6cb5ff..6d17aeb 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -18764,6 +18764,66 @@ Custom PSObject with translated domain API trust result fields.
 }
 }
+function Get-GPODelegation
+{
+<#
+ .SYNOPSIS
+ Finds users with write permissions on GPO objects which may allow privilege escalation within the domain.
+
+ Author: Itamar Mizrahi (@MrAnde7son)
+ License: GNU v3
+ Required Dependencies: None
+ Optional Dependencies: None
+
+ .DESCRIPTION
+
+ .PARAMETER GPOName
+ The GPO display name to query for, wildcards accepted.
+
+ .PARAMETER PageSize
+
+ .EXAMPLE
+ PS C:\> Get-GPODelegation
+ Returns all GPO delegations in current forest.
+
+ .EXAMPLE
+ PS C:\> Get-GPODelegation -GPOName
+ Returns all GPO delegations on a given GPO.
+#>
+ [CmdletBinding()]
+ Param (
+ [String]
+ $GPOName = '*',
+
+ [ValidateRange(1,10000)]
+ [Int]
+ $PageSize = 200
+ )
+
+ $Exclusions = @("SYSTEM","Domain Admins","Enterprise Admins")
+
+ $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
+ $DomainList = @($Forest.Domains)
+ $Domains = $DomainList | foreach { $_.GetDirectoryEntry() }
+ foreach ($Domain in $Domains) {
+ $Filter = "(&(objectCategory=groupPolicyContainer)(displayname=$GPOName))"
+ $Searcher = New-Object System.DirectoryServices.DirectorySearcher
+ $Searcher.SearchRoot = $Domain
+ $Searcher.Filter = $Filter
+ $Searcher.PageSize = $PageSize
+ $Searcher.SearchScope = "Subtree"
+ $listGPO = $Searcher.FindAll()
+ foreach ($gpo in $listGPO){
+ $ACL = (([ADSI]$gpo.path).ObjectSecurity).Access | ?
{$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
+ $GpoACL = New-Object psobject
+ $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath
+ $GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname
+ $GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference
+ $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights
+ $GpoACL
+ }
+ }
+}
 ########################################################
 #
-- cgit v1.2.3
From 6a71a6e52622c562a1e9c981052457da359ce6a9 Mon Sep 17 00:00:00 2001 From: Itamar Date: Sun, 7 May 2017 11:21:56 +0300 Subject: Update PowerView.ps1 Fixed null access control entry in results.
---
Recon/PowerView.ps1 | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'Recon')
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 6d17aeb..c50fdfc 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
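Review bot: The ACE filter on the `$ACL = ... | ? {$_.ActiveDirectoryRights -match "Write" ...}` line misses principals granted GenericAll on the GPO, because the flags string for full control is just "GenericAll" and contains no "Write" substring, so the most direct GPO-abuse right is the one this check never reports. Changing the test to `$_.ActiveDirectoryRights -match "Write|GenericAll"` covers it while still catching WriteProperty, WriteDacl and WriteOwner. The filter also never looks at the ACE's ObjectType, so a WriteProperty ACE scoped to a single attribute is presumably reported the same as one over the whole object; a comment such as `# NOTE: ObjectType is not checked, attribute-scoped WriteProperty ACEs are reported too` would keep readers from over-trusting a hit. `$GPOName` is spliced raw into the LDAP filter string, so a name containing `(`, `)` or `\` breaks or widens the query; since the value is operator-supplied this is robustness rather than a trust-boundary problem, but escaping those characters before interpolation is cheap. The help block's .DESCRIPTION and .PARAMETER PageSize sections are empty and the second .EXAMPLE passes -GPOName without a value, which should be filled in before this leaves the dev branch.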
@@ -18814,13 +18814,15 @@ function Get-GPODelegation
 $Searcher.SearchScope = "Subtree"
 $listGPO = $Searcher.FindAll()
 foreach ($gpo in $listGPO){
- $ACL = (([ADSI]$gpo.path).ObjectSecurity).Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
- $GpoACL = New-Object psobject
- $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath
- $GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname
- $GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference
- $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights
- $GpoACL
+ $ACL = ([ADSI]$gpo.path).ObjectSecurity.Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
+ if ($ACL -ne $null){
+ $GpoACL = New-Object psobject
+ $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath
+ $GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname
+ $GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference
+ $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights
+ $GpoACL
+ }
 }
 }
 }
-- cgit v1.2.3
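Review bot: With the null guard in place, the `$ACL.IdentityReference` and `$ACL.ActiveDirectoryRights` lines still fold every matching ACE of a GPO into one output object: when more than one ACE passes the filter `$ACL` is an array, both properties come back as arrays, and the result no longer says which principal holds which right, which is exactly the pairing an escalation path needs. Emitting one object per ACE keeps the null fix and restores the pairing; the rewrite below shows the inner loop, with the ADSPath and GPODisplayName members unchanged. Note also that `$ACL -ne $null` on an array is a filter rather than a comparison in PowerShell, so it presumably only works here because a non-empty filtered array is truthy; `if ($ACL)` says the same thing without relying on that. The enclosing Get-GPODelegation function starts outside this hunk.
```powershell
if ($ACL -ne $null){
    # one output object per matching ACE so principal and right stay paired
    foreach ($ace in $ACL) {
        $GpoACL = New-Object psobject
        # … unchanged: ADSPath and GPODisplayName members …
        $GpoACL | Add-Member Noteproperty 'IdentityReference' $ace.IdentityReference
        $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ace.ActiveDirectoryRights
        $GpoACL
    }
}
```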