2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, Xiaobian explains how to use Grouper2 to find vulnerabilities in Active Directory Group Policy. The article is detailed and written from a professional perspective; I hope you gain something from it.
Grouper2 is a penetration testing tool for AD Group Policy security. The tool is developed in C#. With the help of Grouper2, penetration testers can easily find security-related misconfigurations in Active Directory Group Policy.
Of course, you can also use Grouper2 for other things, but Grouper2 is not strictly a professional auditing tool. If you want to check that your Group Policy configuration security meets certain standards, you may also need to use Microsoft's Security Compliance Toolkit.
In short, Grouper2 dumps all the Group Policy data you are interested in, and you then try to exploit any security issues that might exist.
Compared with the original Grouper, Grouper2 removes several limitations. The original Grouper:
1. Requires users to install components such as GPMC or RSAT on a domain-joined computer.
2. Requires users to generate XML reports with the Get-GPOReport PowerShell cmdlet.
3. Requires those reports to be fed to Grouper.
4. Generates a large amount of data that users must filter to find the valuable content.
Grouper2 does not rely on Get-GPOReport, but it still needs to parse a variety of file formats. Its features are as follows:
1. More accurate file permission detection, with no need for disk reads and writes.
2. GPP passwords are not ignored.
3. An HTML output option.
4. Multi-thread support.
5. Support for offline operation.
Tool download
Users can clone the project source code locally with the following command:
git clone https://github.com/l0ss/Grouper2.git
Tool usage
The tool is very simple to use: run the Grouper2 executable on a domain-joined device as a domain user, and by default the program outputs a report in JSON format. If the generated JSON is hard to read, the -g option produces prettier output.
If you need a more "formatted" report, use -f "$FILEPATH.html" to generate an HTML report.
If the report contains too much data, set a "level of interest" with the -i $INT option, for example -i 10.
If you do not want to analyze old policies, skip them with the -c option.
To speed the tool up, set the number of threads it runs with via the -t $INT option; the default is 10.
For the tool's other options, use the -h parameter.
Sample tool usage
First, take a look at the screenshot below:
[Screenshot: Grouper2 finding for the "Assigned Application" policy]
In the image above, there is a policy named "Assigned Application" that has been applied to computers in the domain, but the MSI file is missing and the installation directory's permissions make it writable by the current user.
If you create a malicious MSI, for example with msfvenom, you can modify it to match the UID shown at the bottom of the image, and it will be executed directly on the target device.
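The finding above is worth confirming and fixing from the administrator's side: a GPO-assigned MSI whose source directory is writable by ordinary domain users lets anyone replace the package that domain computers will install. The following PowerShell is an added example, not code from Grouper2 or its author; it takes the MSI source path from a Grouper2 finding (a placeholder UNC path is used here), reports whether the MSI is missing, and lists the broadly-granted principals that can write to the directory or the file. It assumes you run it as a domain user that can read the share, and that "Domain Users" is resolved under the NetBIOS name in $env:USERDOMAIN.

```powershell
# Added example, not part of Grouper2. Given the source path of a GPO-assigned
# MSI (as reported in a Grouper2 finding), report whether the MSI is missing and
# whether broadly-granted principals can write to its directory or to the file.
# Assumes it runs as a domain user that can read the share; the path is a placeholder.

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Principals that effectively mean "any domain user" (assumed NetBIOS domain name)
    $broad = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        "$env:USERDOMAIN\Domain Users"
    )
    # WriteData/AppendData add or overwrite content; Delete lets a file be removed
    # and recreated. Modify and FullControl contain all of these bits.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-AssignedMsiSource {
    param([Parameter(Mandatory)][string]$MsiPath)

    $dir = Split-Path -Path $MsiPath -Parent
    $findings = @()

    if (-not (Test-Path -LiteralPath $dir)) {
        return [pscustomobject]@{ MsiPath = $MsiPath; Status = 'DirectoryMissing'; Findings = @() }
    }
    # A writable directory is a problem even when the MSI is present: the file can be replaced.
    $findings += Get-BroadWriteAccess -Path $dir
    if (Test-Path -LiteralPath $MsiPath) {
        $findings += Get-BroadWriteAccess -Path $MsiPath
        $status = 'MsiPresent'
    } else {
        # Missing MSI plus a writable directory is the case shown in the screenshot above
        $status = 'MsiMissing'
    }
    [pscustomobject]@{ MsiPath = $MsiPath; Status = $status; Findings = $findings }
}

# Placeholder path; substitute the MSI source path from the Grouper2 finding
$result = Test-AssignedMsiSource -MsiPath '\\EXAMPLE-DC\Software$\AssignedApp\app.msi'
$result | Format-List MsiPath, Status
$result.Findings | Format-Table -AutoSize
```

Any row in the Findings table is a misconfiguration to fix: restrict write access on the software distribution share to the administrators who publish packages, and grant domain computers and users read access only. Generic rights recorded as raw integers (for example inherited GENERIC_ALL entries) are not matched by the mask above, so an empty table is a good sign but not proof; review the full ACL with Get-Acl for anything unusual.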
[Screenshot: Grouper2 registry finding]
In the image above, it is obvious that a user has changed the ACLs on a registry key...
The above is how to use Grouper2 to find vulnerabilities in Active Directory Group Policy, as shared by Xiaobian. If you have a similar question, please refer to the analysis above. If you want to know more, please follow the industry information channel.