Add NTLMv1 flag on GPO

Open Hackndo opened this issue 5 months ago • 3 comments

Similar to https://github.com/BloodHoundAD/SharpHound3/pull/47

If a GPO object forces LmCompatibilityLevel to be less than 3, then the computers it is applied to will use NTLMv1 when authenticating.

This information seems very useful from an attacking perspective, as authentication can be coerced and the NTLMv1 hash cracked or relayed without MIC.

(Also https://github.com/BloodHoundAD/SharpHound/pull/87 on SharpHound)

Hackndo avatar Feb 03 '24 22:02 Hackndo
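For auditing which GPOs set this value, here is an added example that is not part of the original thread and is not SharpHoundCommon code. It assumes the setting is read from a GPO's `GptTmpl.inf` security template, where it appears under `[Registry Values]` as `<key path>=<type>,<data>`; the function names and the sample templates are constructed for illustration.

```python
# Added example (not SharpHoundCommon code): audit a GPO security template for
# an LmCompatibilityLevel below 3. Names and sample templates are constructed.
LSA_VALUE = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"

def decode_inf(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def lm_compatibility_level(raw: bytes):
    """Return the level set under [Registry Values], or None if not set."""
    section, level = None, None
    for line in decode_inf(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        name, _, data = line.partition("=")
        if name.strip().strip('"').lower() != LSA_VALUE:
            continue
        reg_type, _, value = data.partition(",")  # "<type>,<data>"; 4 = REG_DWORD
        if reg_type.strip() == "4" and value.strip().isdigit():
            level = int(value.strip())
    return level

def forces_ntlmv1(raw: bytes) -> bool:
    """True only when the template explicitly sets a level below 3."""
    level = lm_compatibility_level(raw)
    return level is not None and level < 3

def sample_template(level=None) -> bytes:
    """Build a constructed sample template, UTF-16 encoded with a BOM."""
    lines = ["[Unicode]", "Unicode=yes", "[Registry Values]"]
    if level is not None:
        lines.append("MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
                     f"\\LmCompatibilityLevel=4,{level}")
    lines += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\r\n".join(lines).encode("utf-16")

if __name__ == "__main__":
    for lvl in (2, 5, None):
        print(lvl, forces_ntlmv1(sample_template(lvl)))
```

A template that does not set the value returns `None`, so it is not reported: in that case the GPO leaves the computer's existing level in place rather than forcing one.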

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

github-actions[bot] avatar Feb 03 '24 22:02 github-actions[bot]

I have read the CLA Document and I hereby sign the CLA

Hackndo avatar Feb 03 '24 22:02 Hackndo

The implementation seems fine, but I'm sort of debating if it makes more sense to just merge this in with the existing GPO object processor stuff. @definitelynotagoblin @ddlees do either of you have any feelings on this? It is doing a bit more than our normal object processor does, but generally our processors are loosely linked to a particular collection method, so I think this would probably fit in ObjectProps instead.

rvazarkar avatar Mar 13 '24 18:03 rvazarkar