Add LmCompatibilityLevel information in GPO objects
If a GPO forces LmCompatibilityLevel to a value below 3, the computers it is applied to will use NTLMv1 when authenticating.
This information is very useful from an attacking perspective, since authentication can be coerced from those hosts and the captured NTLMv1 response cracked.
Here are two queries that can be used with this PR. I'm not sure they are optimized but they work. :)
{
"name": "Find all hosts with NTLMv1",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:GPO)-[r1:GpLink {enforced:true}]->(container1)-[r2:Contains*1..]->(c:Computer) WHERE n.ntlmv1 IS NOT NULL WITH n, length(p) AS len, c ORDER BY len ASC WITH HEAD(COLLECT(n.ntlmv1)) AS NTLMv1, HEAD(COLLECT(len)) AS lenHead, c WHERE NTLMv1 = true RETURN c AS computer UNION MATCH p=(n:GPO)-[r1:GpLink {enforced:false}]->(container1)-[r2:Contains*1..]->(c:Computer) WHERE NONE (x in NODES(p) WHERE x.blocksinheritance = true AND x:OU AND NOT (n)-->(x)) AND n.ntlmv1 IS NOT NULL WITH n, length(p) AS len, c ORDER BY len ASC WITH HEAD(COLLECT(n.ntlmv1)) AS NTLMv1, HEAD(COLLECT(len)) AS lenHead, c WHERE NTLMv1 = true RETURN c AS computer"
}
]
},
{
"name": "Find shortest paths from NTLMv1 to high value targets",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:GPO)-[r1:GpLink {enforced:true}]->(container1)-[r2:Contains*1..]->(c:Computer) WHERE n.ntlmv1 IS NOT NULL WITH n, length(p) AS len, c ORDER BY len ASC WITH HEAD(COLLECT(n.ntlmv1)) AS NTLMv1, HEAD(COLLECT(len)) AS lenHead, c WHERE NTLMv1 = true WITH c MATCH p=allShortestPaths((c:Computer {name: c.name})-[]->(g:Group {highvalue:true})) RETURN p AS path UNION MATCH p=(n:GPO)-[r1:GpLink {enforced:false}]->(container1)-[r2:Contains*1..]->(c:Computer) WHERE NONE (x in NODES(p) WHERE x.blocksinheritance = true AND x:OU AND NOT (n)-->(x)) AND n.ntlmv1 IS NOT NULL WITH n, length(p) AS len, c ORDER BY len ASC WITH HEAD(COLLECT(n.ntlmv1)) AS NTLMv1, HEAD(COLLECT(len)) AS lenHead, c WHERE NTLMv1 = true WITH c MATCH p=allShortestPaths((c:Computer {name: c.name})-[]->(g:Group {highvalue:true})) RETURN p AS path"
}
]
},