l0ss / grouper2 Goto Github PK

then show it if interest level is high enough, even if there are no findings.

There's basically only one category of settings that fall under this that are worth looking at IMO and that's the 802.1x/wifi config stuff that might have some creds in.

GetAssessedNetworkOptions() in AssessGpp.cs is the placeholder for this.

Will require the investigatestring function to be working better.

This one should be reasonably straightforward although it will require writing/stealing some code to parse the SDDL data.

Placeholder is in AssessInf.cs, named AssessServiceGenSetting().

For some reason we've got 3 different ways of setting stuff in the registry, coming from 3 different file types. It seems on the face of it that it would be smart to find a way to assess all 3 with the one function.

At this stage the plan is to have data in the JankyDB that has like...

1. Reg Key
2. Human-readable name
3. Default value
4. Known 'safe' values
5. Known 'vulnerable' values

Then foreach key, see if it's in jankyDB, see how the settings match up. If it's not in JankyDB and it's a custom registry path/key, look for key words in the strings.

The current placeholders are:
AssessRegValues() in AssessInf.cs (which I've kind of made a start on)
AssessRegKeys() in AssessInf.cs
GetAssessedRegistrySettings() in AssessGpp.cs

Example output:

Findings in Machine Policy                                                      
##########################                                                      
Windows Services                                                                
~~~~~~~~~~~~~~~~                                                                
┌────────────┬─────────────────────────────────┐                                
│Service     │RedactedBuiltinMicrosoftService  │                                
├────────────┼─────────────────────────────────┤                                
│2           │┌──────┬────────────────────────┐│                                
│            ││SID   │IU                      ││                                
│            │├──────┼────────────────────────┤│                                
│            ││Name  │NT AUTHORITY\INTERACTIVE││                                
│            │├──────┼────────────────────────┤│                                
│            ││Type  │Allow                   ││                                
│            │├──────┼────────────────────────┤│                                
│            ││Rights│┌──────────────┐        ││                                
│            ││      ││CREATE_CHILD  │        ││                                
│            ││      │├──────────────┤        ││                                
│            ││      ││LIST_CHILDREN │        ││                                
│            ││      │├──────────────┤        ││                                
│            ││      ││SELF_WRITE    │        ││                                
│            ││      │├──────────────┤        ││                                
│            ││      ││LIST_OBJECT   │        ││                                
│            ││      │├──────────────┤        ││                                
│            ││      ││CONTROL_ACCESS│        ││                                
│            ││      │├──────────────┤        ││                                
│            ││      ││READ_CONTROL  │        ││                                
│            ││      │└──────────────┘        ││                                
│            │└──────┴────────────────────────┘│                                
├────────────┼─────────────────────────────────┤                                
│Startup Type│Disabled                         │                                
└────────────┴─────────────────────────────────┘  

Per BloodHoundGang conversation with @l0ss , I think this doesn't have an abuse path, so it shouldn't be returned by Grouper2, especially with -i 10 or above.

This should be a nice easy one, it's mostly just password policy stuff if I remember correctly. Mostly just going to be a matter of puking the data back out in a slightly nicer/more human-readable way.

AssessSysAccess() in AssessInf.cs is the placeholder for this one.

This one is real simple. Literally just need to regurgitate the data in a more legible way. If we're feeling sexy maybe use the InvestigatePath method to see if a path being mapped to the drive letter is user-writable or something?

GetAssessedDrives() is the placeholder for this, in AssessGpp.cs.

Interest level system needs some love - it's kind of inconsistent in where it's applied, how values are applied, etc.

Should be able to assign one thread per GPO from a worker pool type deal and then crank through them.

foreach (var gpoPath in gpoPaths) in Grouper2.cs is where the threads should all be split off.

The trick is going to be getting the path for them programmatically because the policies simply list the file names, not the path. This may point to an architectural fuckup on my part.

Another real simple one. Should mostly be a matter of grepping each line for the usual 'interesting' key words.

GetAssessedIniFiles() in AssessGpp.cs is the placeholder method for this.

Specifically we are missing:

Policy Owner
Is the GPO Linked? Where?
IS the GPO Enabled?

Related stuff currently happens in GetDomainGpos() in LDAPStuff.cs.

In big domains G2 is very very slow, and provides no output to the user on how it's going unless it breaks real bad.

Another simple one. Should mostly be a matter of looking for interesting substrings and then puking out the data in a human-readable format.

Placeholder is GetAssessedEnvironmentVariables() in AssessGpp.cs.

This one kind of has a bunch of pain points because you've essentially got 4x different types of scheduled tasks (Task, Taskv2, ImmediateTask, and ImmediateTaskv2) that need to be handled, there's a bunch of very interesting stuff that can turn up in there (cmd line arguments, file paths, cpassword style passwords, etc) and the v2 variants have a bajillion sub-sub-sub options in each.

GetAssessedScheduledTasks() and GetAssessedScheduledTask() in AssessGpp.cs are the skeleton/placeholder files for this.

These are literally just comments as far as I can tell. Need to find more sample data before I can really do this.

This is meant to be a general purpose method for assessing stuff like cmdline parameters for scheduled tasks or shortcuts etc to see if they're passing passwords or passing scripts as arguments. If file paths are found in a string being investigated I'd like to pass them off to Utility.InvestigatePath.

This will require some thought as we'll need to look at the default value for a given thing and then work from there.

for use in a bunch of things

another bloody thing

I think this is an easy one but I'll fill out the detail on this issue more once I've had a proper look at it.

AssessKerbPolicy() in AssessInf.cs is the placeholder for this one.

Need to write something to parse registry.pol files. Unlike all the other files G2 parses, these are not just flat text.

From what I can tell the contents include stuff like the windows firewall policy but there's probably other goodies in there too.

Like most of the others it'll need the data regurgitated in human-readable form, plus some parsing of the rights being assigned to users/groups to see if any canonically low-priv groups are being given high-priv access.

GetAssessedNTServices() in AssessGpp.cs is the placeholder.

This one should be extremely easy. Should basically just need to puke the input back out but cleaner/more legible.

GetAssessedFolders() in AssessGpp.cs is the placeholder.

I can't parse DACLs predictably enough to check through those, and I don't like the way I'm doing it right now because it risks leaving files all over the network.

Have a look at Utility.InvestigatePath() and Utility.CanIWrite() to see how I'm doing this at the moment.

Just to alert the user that something interesting might be happening.

If you see horrible mistakes or clangers in the code please just tell me, I have no background in development and G2 is my first proper project in C#.

WHAT? WHAT?

"Assigned applications"?

I think maybe these have entire MSI files baked into them or something? Still haven't had a good look at them.

need to iterate over all domains, sites, and OUs in domain, find gpLinks.

Right now Grouper2 literally just pukes out a massive Json blob.

If you load it up in a text editor with syntax highlighting it's kind of OK but I'd really like something a little friendlier.

I'm really open to suggestions on this one.

think it's a sid resolution issue

around line 115?

what it says on the tin.

probs just need to add another globalvar and then in the "CanIWrite" method and "InvestigatePath" method, check it and skip write operations?

you get these where there has been a domain replication failure in the past. they often have goodies in them that have been cleaned up from the newest GPOs.

Ideally we want this to only run a subset of checks because the data isn't current. This means we only really want to dig out creds etc.