Commit cd1760889dce9b3c2b1a8625883c2cbc54371d3b - pywerview

Created find_gpolocation Yannick Méheut 7 years ago

4 changed file(s) with 115 addition(s) and 3 deletion(s). Raw diff Collapse all Expand all

+14

-3

pywerview/cli/helpers.py less more

216	216	resolve_sids=resolve_sids)
217	217
218	218	def find_gpocomputeradmin(domain_controller, domain, user, password=str(), lmhash=str(),
219		nthash=str(), queried_computername=str(),
220		queried_ouname=str(), queried_domain=str(),
221		recurse=False):
	219	nthash=str(), queried_computername=str(),
	220	queried_ouname=str(), queried_domain=str(),
	221	recurse=False):
222	222	requester = GPORequester(domain_controller, domain, user, password,
223	223	lmhash, nthash)
224	224

226	226	queried_ouname=queried_ouname,
227	227	queried_domain=queried_domain,
228	228	recurse=recurse)
	229
	230	def find_gpolocation(domain_controller, domain, user, password=str(), lmhash=str(),
	231	nthash=str(), queried_username=str(), queried_groupname=str(),
	232	queried_localgroup=str(), queried_domain=str()):
	233	requester = GPORequester(domain_controller, domain, user, password,
	234	lmhash, nthash)
	235
	236	return requester.find_gpolocation(queried_username=queried_username,
	237	queried_groupname=queried_groupname,
	238	queried_localgroup=queried_localgroup,
	239	queried_domain=queried_domain)
229	240
230	241	def invoke_checklocaladminaccess(target_computername, domain, user, password=str(),
231	242	lmhash=str(), nthash=str()):

+14

-0

pywerview/cli/main.py less more

283	283	'recurse and get all members')
284	284	find_gpocomputeradmin_parser.set_defaults(func=find_gpocomputeradmin)
285	285
	286	# Parser for the find-gpolocation command
	287	find_gpolocation_parser = subparsers.add_parser('find-gpolocation', help='Takes a username or a group name and determine'\
	288	'the computers it has administrative access to via GPO', parents=[ad_parser])
	289	find_gpolocation_parser.add_argument('--username', dest='queried_username',
	290	default=str(), help='The username to query for access (no wildcard)')
	291	find_gpolocation_parser.add_argument('--groupname', dest='queried_groupname',
	292	default=str(), help='The group name to query for access (no wildcard)')
	293	find_gpolocation_parser.add_argument('-d', '--domain', dest='queried_domain',
	294	help='Domain to query')
	295	find_gpolocation_parser.add_argument('--local-group', dest='queried_localgroup',
	296	default='S-1-5-32-544', help='The local group to check access against. It can be ' \
	297	'\'Administrators\', \'RDP\', or a \'S-1-5-X\' SID type')
	298	find_gpolocation_parser.set_defaults(func=find_gpolocation)
	299
286	300	# Parser for the get-netgroup command
287	301	get_netgroupmember_parser = subparsers.add_parser('get-netgroupmember', help='Return a list of members of a domain groups', parents=[ad_parser])
288	302	get_netgroupmember_parser.add_argument('--groupname', dest='queried_groupname',

+84

-0

pywerview/functions/gpo.py less more

369	369
370	370	return results
371	371
	372	def find_gpolocation(self, queried_username=str(), queried_groupname=str(),
	373	queried_localgroup=str(), queried_domain=str()):
	374	results = list()
	375	net_requester = NetRequester(self._domain_controller, self._domain, self._user,
	376	self._password, self._lmhash, self._nthash)
	377	if queried_username:
	378	try:
	379	user = net_requester.get_netuser(queried_username=queried_username,
	380	queried_domain=queried_domain)[0]
	381	except IndexError:
	382	raise ValueError('Username \'{}\' was not found'.format(queried_username))
	383	else:
	384	target_sid = [user.objectsid]
	385	object_sam_account_name = user.samaccountname
	386	object_distinguished_name = user.distinguishedname
	387	elif queried_groupname:
	388	try:
	389	group = net_requester.get_netgroup(queried_groupname=queried_groupname,
	390	queried_domain=queried_domain,
	391	full_data=True)[0]
	392	except IndexError:
	393	raise ValueError('Group name \'{}\' was not found'.format(queried_groupname))
	394	else:
	395	target_sid = [group.objectsid]
	396	object_sam_account_name = group.samaccountname
	397	object_distinguished_name = group.distinguishedname
	398	else:
	399	raise ValueError('You must specify either a username or a group name')
	400
	401	if 'admin' in queried_localgroup.lower():
	402	local_sid = 'S-1-5-32-544'
	403	elif 'rdp' in queried_localgroup.lower():
	404	local_sid = 'S-1-5-32-555'
	405	elif queried_localgroup.upper().startswith('S-1-5'):
	406	local_sid = queried_localgroup
	407	else:
	408	raise ValueError('The queried local group must be in \'Administrators\', ' \
	409	'\'RDP\', or a \'S-1-5\' type SID')
	410
	411	object_groups = net_requester.get_netgroup(queried_username=object_sam_account_name,
	412	queried_domain=queried_domain)
	413	for object_group in object_groups:
	414	object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname,
	415	queried_domain=queried_domain)[0].objectsid
	416	target_sid.append(object_group_sid)
	417
	418	gpo_groups = list()
	419	for gpo_group in self.get_netgpogroup():
	420	try:
	421	for member in gpo_group.members:
	422	if not member.upper().startswith('S-1-5'):
	423	try:
	424	member = net_requester.get_adobject(queried_sam_account_name=member,
	425	queried_domain=queried_domain)[0].objectsid
	426	except IndexError, AttributeError:
	427	continue
	428	if (member.upper() in target_sid) or (member.lower() in target_sid):
	429	if (local_sid.upper() in gpo_group.memberof) or \
	430	(local_sid.lower() in gpo_group.memberof):
	431	gpo_groups.append(gpo_group)
	432	break
	433	except AttributeError:
	434	continue
	435
	436	for gpo_group in gpo_groups:
	437	gpo_guid = gpo_group.gponame
	438	ous = net_requester.get_netou(queried_domain=queried_domain,
	439	queried_guid=gpo_guid, full_data=True)
	440	for ou in ous:
	441	# TODO: support filters for GPO
	442	ou_computers = [x.dnshostname for x in \
	443	net_requester.get_netcomputer(queried_domain=queried_domain,
	444	ads_path=ou.distinguishedname)]
	445	gpo_location = GPOLocation(list())
	446	setattr(gpo_location, 'objectname', object_distinguished_name)
	447	setattr(gpo_location, 'gponame', gpo_group.gpodisplayname)
	448	setattr(gpo_location, 'gpoguid', gpo_guid)
	449	setattr(gpo_location, 'containername', ou.distinguishedname)
	450	setattr(gpo_location, 'computers', ou_computers)
	451
	452	results.append(gpo_location)
	453
	454	return results
	455

-0

pywerview/objects/adobjects.py less more

160	160	class GPOComputerAdmin(ADObject):
161	161	pass
162	162
	163	class GPOLocation(ADObject):
	164	pass
	165