https://github.com/Group3r/Group3r
Group3r is a tool for pentesters and red teamers to rapidly enumerate relevant settings in AD Group Policy, and to identify exploitable misconfigurations in them. It does this by talking LDAP to Domain Controllers, parsing GPO config files off the domain SYSVOL share, and also by looking at other files (usually on file shares) that are referenced within GPOs, like scripts, MSI packages, exes, etc.
Ideally, run it on a domain joined machine as a domain user.
If you want, you can use it with `runas /netonly` on a non-domain-joined computer, but you'll need to (at least) tell it where to find a DC with `-c $dcIpAddress`, and you'll probably also want to tell it what domain to enumerate with `-d domain.tld`. If you do this but don't have your machine's DNS pointed at a DC or some other appropriate DNS server for the environment, a bunch of the checks probably won't work properly.
- `-u domain\user` will make Group3r try to perform file permission checks as though it was running as that user. It should also accept group names in the same format.
- `-w` will limit output to only show settings with an associated 'finding', i.e. something significant enough that I wrote code to go looking for it.
- `-a 4` will limit output to only the highest severity findings. You could probably also use some smaller numbers too I guess. Like 1, or 3. Probably not 0, that would be weird. 2 would be fine.
- `-e` will only display GPOs, policy types, and settings that are enabled. For example, if a GPO has 'Computer' policy disabled, this will not display any of those policy settings. WARNING: even disabled settings can have creds or other goodies in them. By using this option you will possibly miss them.
- `-r` will not display any settings found in "morphed" files/folders. These files/folders are created when file replication between DCs fails, and can often provide an interesting/useful insight into how things were configured at some point in the past. They also often contain old GPP passwords, even in orgs that think they have cleaned up all their GPP passwords.