Checking Net-NTLMv1 without admin rights and without coercion

[s3nn]

Was doing an engagement recently and was playing around with a new tool called GPOHound, which analyzes GPOs after you download them from the SYSVOL folder of a DC. One of the things it shows is the LmCompatibilityLevel from the Default Domain Controller Policy.

After reading #260 and #173, and seeing the new functionality added in #320 and #493, this might be an interesting feature to add, which would allow a low-privileged user to enumerate this setting without admin privileges and without attempting any coercion.

I'm not sure if the value in the GPO is the actual value for all DCs, but it was for this engagement. Just wanted to bring it up.

Edit: Actually just saw that GPOHunter does this (albeit, misses cases which are vulnerable due to LmCompatiblityLevel = 2):

[NeffIsBack]

Good idea to check which GPOs exist! Might be a bit hard to find which GPOs apply to your target, but still worth a try.

I have also done something similar in wsuks which parses GPOs to find the WSUS registry setting.

If you craft something similar feel free to open up a PR

[s3nn]

Regarding a potential PR, what would you recommend?

1. Update the ntlmv1 SMB module
2. Add functionality to the new get_gpo module
3. Add functionality to the new gpp_privileges module
4. Make something new

Regarding what GPOs apply to what target, I think some tools do this (GPOHound and GPOwned), but I'm not 100% sure. I think though you could get this setting for Domain Controllers from the Default Domain Controller Policy

[NeffIsBack]

Depends on what you are trying to do. If you want to implement coercing and the smb server to check for NTLMv1 i would probably just update the nvlmv1 smb module as this is the most reliable way, because you will only see that it is vulnerable to NTLMv1 when it is (my prefered way).

If you want to parse GPOs for potential NTLMv1 GPOs you will probably need smb so a new smb module would be best, but you will also need to establish an ldap connection for the information about the GPO.

[lodos2005]

also pingcastle applies a similar method. https://github.com/netwrix/pingcastle/blob/master/Healthcheck/Rules/HeatlcheckRuleStaledOldNtlm.cs