Pywerview Versions Save

A (partial) Python rewriting of PowerSploit's PowerView

v0.6

4 months ago

Features

  • new function: get-objectowner. You can use this function to retrieve the owner of any Active Directory object.
  • new attribute: _well_known_rids in ADObject, a (partial) list of well-known RIDs.

Modifications

  • better SPN patching: the realm part is ignored
  • hunting functions are fixed
  • hunting functions implement JSON output
  • more well-known SIDs

v0.5.2

7 months ago

Features

  • pywerview falls back to simple authentication if the Channel Binding and LDAP Signing patches are not installed on the DC. This fallback only works if:
    • Authentication is done with a password
    • LDAPS (TCP port 636) is open

Modifications

  • you can use impacket's pth (pass-the-hash) syntax with pywerview (e.g. --hashes :deadbeefdeadbeefdeadbeef)
  • added the possibility to change the namespace and RPC authentication level for WMI
  • the Dockerfile no longer manually installs dsinternals

v0.5.1

11 months ago

Features

  • pywerview can now use a special ldap3 branch to work against hardened DCs. Thus, if the targeted DC enforces LDAP Signing and/or Channel Binding, please use this custom ldap3 version. S/O @CravateRouge

Modifications

  • Fixed get-objectacl when used with --resolve-guid
  • Two new functions are available: get-netsmsa and get-netgmsa (by @pbalmelle)
  • get-adservices no longer exists, use get-netgmsa to retrieve gMSA

v0.5.0

11 months ago

Features

  • SChannel authentication is now supported (see README for details)

Modifications

  • Fixed get_adserviceaccount to work with Kerberos authentication
  • Added command-line custom filter attributes to several functions
  • get-netdomaintrust no longer tries to interpret results
  • Added a --full-data flag to get-netdomaintrust
  • Fixed performance issues: no more multiple LDAP connections in some functions

v0.4.1

1 year ago

Features

Modifications

  • The useraccountcontrol attribute is now returned by the get-netgroupmember function. This can be useful to detect disabled admin accounts or accounts that are not allowed to be delegated.
  • The project now uses beautifulsoup4 instead of bs4 package (thanks @fabaff).
  • ms-Mcs-AdmPwdExpirationTime is now formatted as a timestamp.
  • get-netcomputer now returns all computer accounts even those without dnshostname.
  • samaccounttype attribute is now formatted as a string.
  • The project now falls back to pycryptodome if pycryptodomex is not installed (thanks @thesamesam).
  • get-netgroupmember now also returns computer accounts
  • Better exception handling to detect Channel Binding and LDAP Signing enforcement
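As an added illustration of the useraccountcontrol entry above (example code written for this page, not part of pywerview): the bit values are the standard Active Directory UF_* constants, while the member-record shape (lowercase attribute names) is an assumption modelled on pywerview's --json output, and SAMPLE_MEMBERS is constructed, not captured from a domain.

```python
# Added example, not pywerview code: decode the userAccountControl bitmask that
# get-netgroupmember returns and flag the cases the changelog mentions
# (disabled admin accounts, admins not marked "sensitive, cannot be delegated").
# Bit values are the standard AD UF_* constants; the member dict shape is an
# assumption modelled on pywerview's --json output; SAMPLE_MEMBERS is constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE, NOT_DELEGATED, DONT_REQ_PREAUTH = 0x0002, 0x100000, 0x400000

def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    value = int(value)  # the attribute may come back as an int or a decimal string
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_admins(members):
    """Return {samaccountname: [issues]} for the members of a privileged group."""
    findings = {}
    for member in members:
        uac = int(member["useraccountcontrol"])
        issues = []
        if uac & ACCOUNTDISABLE:
            issues.append("disabled account still in admin group")  # stale membership
        elif not uac & NOT_DELEGATED:
            issues.append("not marked sensitive (NOT_DELEGATED unset)")
        if uac & DONT_REQ_PREAUTH:
            issues.append("Kerberos pre-authentication not required")
        if issues:
            findings[member["samaccountname"]] = issues
    return findings

# Constructed sample shaped like a get-netgroupmember dump of "Domain Admins"
SAMPLE_MEMBERS = [
    {"samaccountname": "admin.alice", "useraccountcontrol": 0x10200 | NOT_DELEGATED},
    {"samaccountname": "admin.bob", "useraccountcontrol": 0x0202},
    {"samaccountname": "svc-backup", "useraccountcontrol": 0x0200 | DONT_REQ_PREAUTH},
]
```

Feeding a real dump through audit_admins gives a quick list of stale or weakly protected members of a privileged group, which is the defender-side use the changelog entry hints at.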

v0.4.0

2 years ago

Features

  • Kerberos authentication is now supported (see README for details)
  • Added a get-adserviceaccount functionality
  • Added a --logging option to get different debug levels and messages
  • Results can be dumped as JSON using --json
  • TLS connection can be forced using --tls

Modifications

  • Fixed find-gpocomputeradmin: there was a bug when setting the isgroup attribute of the GPOComputerAdmin object
  • Fixed get-domainpolicy: fixed a bug in SID resolution
  • Fixed dependencies and setup script (merged #46 and #47)

v0.3.3

2 years ago

Features

  • get-objectacl: can be used to list ACL on a domain object
  • get-netpso: lists Password Settings Objects (fine-grained password policies)

Modifications

  • ADObject was simplified, both in how the code manages it and in its pretty-printing.
  • Formatters are now used together with ldap3 to better handle custom types in LDAP attributes.

v0.3.2

2 years ago

Bug fix

  • TLS fallback is properly handled
  • StringIO changed to BytesIO in GPO parsing functions

Modifications

  • Requirements were simplified: only impacket, bs4, and lxml are needed

v0.3.1

3 years ago

Bug fix

  • Calls to close() were changed to unbind() (due to the change of LDAP library)
  • Better handling of timestamp attributes on 32-bit systems
  • Fixed get-netgroup when group names contain parentheses (this will have to be done for other functions, and maybe elsewhere in the code)
  • Fixed get-netfileserver when file server attributes are absent

v0.3.0

3 years ago

Rewriting

  • LDAP queries are now done with the ldap3 library instead of impacket, since ldap3 is a "perfect" implementation of the LDAP RFCs.

Features

  • :tada: Python 3 support :tada:, thanks a lot to @mpgn and @ThePirateWhoSmellsOfSunflowers for their work on this!
  • Custom --attributes for certain get-* functions, thanks to @99red!

Bug fix

  • get-netsite works again.