More info on passwords exposed via GPO cPassword entries
lkarlslund committed Nov 10, 2023
1 parent 17451f8 commit 78768a6
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions modules/integrations/activedirectory/analyze/gpoimport.go
Expand Up @@ -127,9 +127,7 @@ func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error {

// FIXME: Handle other formats, adding something to catch this here
if strings.Contains(line, "cpassword=") && !strings.Contains(line, "cpassword=\"\"") {
ui.Debug().Msgf("Found cpassword in %s", item.RelativePath)
ui.Debug().Msgf("GPO Dump\n%s", item.Contents)
unhandledpass = true
unhandledpass = true // assume failure
}
for _, match := range cpasswordusername.FindAllStringSubmatch(line, -1) {
ui.Debug().Msgf("Found password in %s", item.RelativePath)
Expand All @@ -156,7 +154,11 @@ func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error {
expobj := ao.AddNew(
engine.ObjectCategorySimple, "ExposedPassword",
engine.DisplayName, "Exposed password for "+e.Username,
engine.Description, "Password is exposed in GPO with GUID "+ginfo.GUID.String(),
engine.ObjectGUID, ginfo.GUID,
ExposedPassword, e.Password,
RelativePath, relativepath,
AbsolutePath, filepath.Join(ginfo.Path, relativepath),
)

// The account targeted
Expand Down Expand Up @@ -472,6 +474,8 @@ func GPOparseGptTmplInf(rawini string) []SIDpair {
groupsid = ""
translatedsid, err := TranslateLocalizedNameToSID(groupname)
if err != nil {
// Maybe it's "administrator"?

ui.Warn().Msgf("GPO GptTmplInf Memberof non-SID group %v translation failed (PLEASE CONTRIBUTE): %v", groupname, err)
} else {
groupsid = translatedsid.String()
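Review bot: `AbsolutePath, filepath.Join(ginfo.Path, relativepath)` in the `ao.AddNew` call of the second hunk joins with the separator rules of the machine running the analysis, not those of the system the GPO was collected from. If ginfo.Path holds the SYSVOL/UNC location recorded at collection time (its origin is not visible here), an import on a non-Windows host would likely yield a mixed-separator path, because filepath treats `\` as an ordinary character there. This object also carries the recovered cleartext in `ExposedPassword`, so whoever remediates the finding needs a path they can use verbatim to locate and remove the file. Consider joining with an explicit separator, e.g. `AbsolutePath, ginfo.Path + "\\" + strings.ReplaceAll(relativepath, "/", "\\"),`, or add a comment stating which platform's form the attribute uses. `relativepath` is assigned outside the visible lines and ImportGPOInfo's body extends beyond the hunk.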
