Find vulnerabilities in AD Group Policy
C# rewrite of Grouper - WAY better than the original.
Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.
It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft's Security and Compliance Toolkit, not Grouper or Grouper2.
It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff.
Where Grouper required you to:
have GPMC/RSAT/whatever installed on a domain-joined computer
feed the report to Grouper
a bunch of gibberish falls out and hopefully there's some good stuff in there.
Grouper2 does like Mr Ed suggests and goes straight to the source, i.e. SYSVOL.
This means you don't have the horrible dependency on Get-GPOReport (hooray!) but it also means that it has to do a bunch of parsing of different file formats and so on (booo!).
Other cool new features:
Also, it's written in C# instead of PowerShell.
Literally just run the EXE on a domain joined machine in the context of a domain user, and magic JSON candy will fall out.
If the JSON burns your eyes, add
-gto make it real pretty.
If you love the prettiness so much you wanna take it with you, do
-f "$FILEPATH.html"to puke the candy into an HTML file.
If there's too much candy and you want to limit output to only the tastiest morsels, set the 'interest level' with
-i $INT, the bigger the number the tastier the candy, e.g.
-i 10will only give you stuff that will probably result in creds or shells.
If you don't want to dig around in old policy and want to limit yourself to only current stuff, do
If you want the candy to fall out faster, you can set the number of threads with
-t $INT- the default is 10.
If you want to see the other options, do
OK have a look at this:
In the screenshot above we can see an "Assigned Application" policy that is still being pushed to computers, but the MSI file to install is missing, and the directory it's being installed from is writable by the current user.
If you created a hacked up MSI (e.g. with msfvenom) and then modified it to match the UIDs at the bottom of the picture, it would get executed on machines targeted by the GPO. Sweet!
In this one you can see that someone's done something absolutely insane to the ACLS on the registry.
You get the picture.
Look at the dev branch, Sh3r4 has been working on a big refactor to make it easier to maintain and more efficient going forward.
A rough roadmap ATM is:
If you want to discuss via Slack you can ping me (@l0ss) on the BloodHound Slack, joinable at https://bloodhoundgang.herokuapp.com/, or chat with a group of contributors in the #Grouper channel.