Skip to content
This repository was archived by the owner on Sep 2, 2022. It is now read-only.

Add LmCompatibilityLevel information in GPO objects #47

Open
Hackndo wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add LmCompatibilityLevel information in GPO objects #47

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3cae2ab
Add LmCompatibilityLevel information in GPO objects
Hackndo Nov 23, 2021
177da9d
Update regex to take spaces into account
Hackndo Nov 24, 2021
fea75c8
Case Insensitive
Hackndo Nov 24, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 26 additions & 1 deletion SharpHound3/Tasks/ObjectPropertyTasks.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@
using SharpHound3.Enums;
using SharpHound3.JSON;
using SharpHound3.LdapWrappers;
using System.IO;
using System.Text.RegularExpressions;
using LdapGroup = SharpHound3.LdapWrappers.Group;

namespace SharpHound3.Tasks
{
Expand Down Expand Up @@ -58,7 +61,7 @@ internal static async Task<LdapWrapper> ResolveObjectProperties(LdapWrapper wrap
{
ParseOUProperties(ou);
}
else if (wrapper is Group group)
else if (wrapper is LdapGroup group)
{
ParseGroupProperties(group);
}
Expand Down Expand Up @@ -183,6 +186,27 @@ private static void ParseGPOProperties(GPO wrapper)
{
var result = wrapper.SearchResult;

// Look for LmCompatibilityLevel. LmCompatibilityLevel < 3 means NTLMv1 authentication
var gpoDomain = Helpers.DistinguishedNameToDomain(wrapper.DistinguishedName);
Regex NTLMv1Regex = new Regex(@"\\LmCompatibilityLevel *= *\d+ *, *(\d)", RegexOptions.Compiled | RegexOptions.Singleline | RegexOptions.IgnoreCase);
var templatePath = $"{result.GetProperty("gpcfilesyspath")}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf";
//Check the file exists
if (File.Exists(templatePath))
{
using (var reader = new StreamReader(new FileStream(templatePath, FileMode.Open, FileAccess.Read)))
{
//Read the file, and read it to the end
var content = reader.ReadToEnd();
var NTLMv1Match = NTLMv1Regex.Match(content);

if (NTLMv1Match.Success)
{
int value = int.Parse(NTLMv1Match.Groups[1].Value);
// LmCompatibilityLevel < 3 means NTLMv1 will be used by the target when authenticating
wrapper.Properties.Add("ntlmv1", value < 3);
}
}
}
wrapper.Properties.Add("gpcpath", result.GetProperty("gpcfilesyspath"));
}

Expand Down Expand Up @@ -423,6 +447,7 @@ private static async Task ParseUserProperties(User wrapper)
wrapper.Properties.Add("sidhistory", sidHistoryList.ToArray());
}


/// <summary>
/// Converts a windows timestamp into unix epoch time
/// </summary>
Expand Down