
Get-NetGroupMember does not work against "Domain Users" group

Open byt3bl33d3r opened this issue 7 years ago • 4 comments

Hey man, here's another issue I ran into recently. It seems that get-netgroupmember fails to pull down the group members of anything except the Domain Admins group:

(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.12 -u user -p pass --groupname 'Domain Admins' -r
groupdomain:  lab.local
groupname:    Domain Admins
isgroup:      False
memberdn:     CN=Administrator,CN=Users,DC=lab,DC=local
memberdomain: lab.local
membername:   Administrator
membersid:    S-1-5-21-1049426096-2728124650-4150323340-500

(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.12 -u user -p pass --groupname 'Domain Users' -r
(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.12 -u user -p pass --groupname 'Users' -r
groupdomain:  lab.local
groupname:    Users
isgroup:      True
memberdn:     CN=Domain Users,CN=Users,DC=lab,DC=local
memberdomain: lab.local
membername:   Domain Users
membersid:    S-1-5-21-1049426096-2728124650-4150323340-513

Let me know if I'm missing something, posting this at 3 AM so my brain might be fried lol

Cheers

byt3bl33d3r (Mar 24 '17 09:03)

Hey @byt3bl33d3r!

I actually have the same problem; I don't know why, but I can't list members of the "Domain Users" group. But I can list any other group. Could you test with any other group, besides "Domain Admins" and "Domain Users"? Thanks.

Cheers,

Y

the-useless-one (Mar 24 '17 09:03)

Huh, yup that seems to be the case:

(CME) λ pwnb0x modules → λ git v4.0* → pywerview get-netgroupmember -t 192.168.10.11 -u user -p pass --groupname 'dabestgroup'      
groupdomain:  lab.local
groupname:    dabestgroup
isgroup:      False
memberdn:     CN=yomama5,OU=Users,OU=Lab,DC=lab,DC=local
memberdomain: lab.local
membername:   yomama5
membersid:    S-1-5-21-1049426096-2728124650-4150323340-1113

groupdomain:  lab.local
groupname:    dabestgroup
isgroup:      False
memberdn:     CN=yomama3,OU=Users,OU=Lab,DC=lab,DC=local
memberdomain: lab.local
membername:   yomama3
membersid:    S-1-5-21-1049426096-2728124650-4150323340-1111

groupdomain:  lab.local
groupname:    dabestgroup
isgroup:      False
memberdn:     CN=yomama1,OU=Users,OU=Lab,DC=lab,DC=local
memberdomain: lab.local
membername:   yomama1
membersid:    S-1-5-21-1049426096-2728124650-4150323340-1109

Weird.

byt3bl33d3r (Mar 24 '17 09:03)

I'll see if I can help figure this out tomorrow. Could this be a side effect of the pyasn1 changes made to impacket?

byt3bl33d3r (Mar 24 '17 09:03)

I don't think so, this was a problem I had way before this change. I'll edit the title of your issue, and try to figure this out.

[Edit] You can still use get-netuser if you want to list the domain users in the meantime :)

the-useless-one (Mar 24 '17 09:03)

Hi!

As far as I understand, users are members of the "Domain Users" group only through their primaryGroupID and not via the memberOf LDAP attribute (ctrl+f "513" here). Thus, I think the best way to extract members of this group is to use get-netuser with a custom filter:

$ ./pywerview.py get-netuser -w domain.lan  -u administrator -p 'password123' -t 10.0.0.1 --attributes samaccountname primarygroupid --custom-filter '(&(primarygroupid=513))' 
primarygroupid: 513
samaccountname: j.doe

primarygroupid: 513
samaccountname: test.doe

[...]

I think I can close this issue now (6 years...whoa).

:sunflower:
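A worked illustration of the explanation above, added here as an example and not part of pywerview or of this thread: group membership in AD is resolved from two places, the explicit member/memberOf links and, for a user's primary group (RID 513 for "Domain Users"), only the primaryGroupID attribute, so a memberOf-only lookup returns nothing for that group. The entries below are constructed sample data standing in for LDAP search results (no live domain is queried), and the `svc_backup` account with a changed primary group is hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Domain SID as it appears in the thread's output; the entries below are constructed
# sample data standing in for LDAP search results (no live domain is queried).
DOMAIN_SID = "S-1-5-21-1049426096-2728124650-4150323340"

@dataclass
class Entry:
    dn: str
    sam: str                       # sAMAccountName
    sid: str                       # objectSid in string form
    member_of: List[str] = field(default_factory=list)   # memberOf (DNs of groups)
    primary_group_id: Optional[int] = None               # primaryGroupID (users only)

def rid_of(sid: str) -> int:
    """Relative identifier: the last sub-authority of an objectSid (513 for Domain Users)."""
    return int(sid.rsplit("-", 1)[1])

def primary_group_filter(group_sid: str) -> str:
    """LDAP filter selecting users whose primary group is the given group
    (same idea as the --custom-filter used in the thread, derived from the group's SID)."""
    return "(&(objectCategory=person)(primaryGroupID=%d))" % rid_of(group_sid)

def members_via_memberof(group: Entry, entries: List[Entry]) -> List[str]:
    """What a member/memberOf-only lookup sees: empty for Domain Users."""
    return sorted(e.sam for e in entries if group.dn in e.member_of)

def members(group: Entry, entries: List[Entry]) -> List[str]:
    """Full membership: explicit memberOf links plus users whose primaryGroupID is the group's RID."""
    rid = rid_of(group.sid)
    found = {e.sam for e in entries if group.dn in e.member_of}
    found |= {e.sam for e in entries if e.primary_group_id == rid}
    return sorted(found)

DOMAIN_USERS = Entry("CN=Domain Users,CN=Users,DC=lab,DC=local", "Domain Users", DOMAIN_SID + "-513")
DOMAIN_ADMINS = Entry("CN=Domain Admins,CN=Users,DC=lab,DC=local", "Domain Admins", DOMAIN_SID + "-512")
SAMPLE = [
    Entry("CN=Administrator,CN=Users,DC=lab,DC=local", "Administrator", DOMAIN_SID + "-500", [DOMAIN_ADMINS.dn], 513),
    Entry("CN=yomama1,OU=Users,OU=Lab,DC=lab,DC=local", "yomama1", DOMAIN_SID + "-1109", [], 513),
    # Constructed (hypothetical): an account whose primary group was switched to Domain Admins (RID 512);
    # it has no memberOf link to that group, so only the primaryGroupID check reveals it.
    Entry("CN=svc_backup,OU=Users,OU=Lab,DC=lab,DC=local", "svc_backup", DOMAIN_SID + "-1200", [], 512),
]

if __name__ == "__main__":
    print("Domain Users via memberOf only:", members_via_memberof(DOMAIN_USERS, SAMPLE))  # []
    print("Domain Users via both:", members(DOMAIN_USERS, SAMPLE))
    print("Domain Admins via both:", members(DOMAIN_ADMINS, SAMPLE))
    print("Filter:", primary_group_filter(DOMAIN_USERS.sid))
```

An audit of privileged groups should therefore combine both sources; checking memberOf alone misses any account whose primaryGroupID points at the group.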