1 The computer must be joined to the domain with GPMC and RSAT installed
2 User must use Get-GPOReport with PowerShell to generate XML report
3 The report is required by Grouper
4 Users must manually filter out useful data
Grouper2 does not rely on Get-GPOReport, it still needs to parse different types of files format.
1 More accurate file permission detection, no read/write of storage required
2 Won’t ignore GPP password
3 Provide HTML format output
4 Multi-thread support
5 Supports offline mode
What is it for?
Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.
It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft’s Security and Compliance Toolkit, not Grouper or Grouper2.
What does it do?
It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff.
How is it different from Grouper?
Where Grouper required you to:
have GPMC/RSAT/whatever installed on a domain-joined computer
generate an xml report with the Get-GPOReport PowerShell cmdlet
feed the report to Grouper
a bunch of gibberish falls out and hopefully there’s some good stuff in there.
Grouper2 does like Mr Ed suggests and goes straight to the source, i.e. SYSVOL.
This means you don’t have the horrible dependency on Get-GPOReport (hooray!) but it also means that it has to do a bunch of parsing of different file formats and so on (booo!).
Other cool new features:
better file permission checks that don’t involve writing to disk.
doesn’t miss those GPP passwords that Grouper 1 did.
HTML output option so you can preserve those sexy console colours and take them with you.
aim Grouper2 at an offline copy of SYSVOL if you want.
a bunch of other great stuff but it’s late and I’m tired.
Also, it’s written in C# instead of PowerShell.
How do I use it?
Literally just run the EXE on a domain joined machine in the context of a domain user, and magic JSON candy will fall out.
If the JSON burns your eyes, add -g to make it real pretty.
If you love the prettiness so much you wanna take it with you, do -f "$FILEPATH.html" to puke the candy into an HTML file.
If there’s too much candy and you want to limit output to only the tastiest morsels, set the ‘interest level’ with -i $INT, the bigger the number the tastier the candy, e.g. -i 10 will only give you stuff that will probably result in creds or shells.
If you don’t want to dig around in old policy and want to limit yourself to only current stuff, do -c.
If you want the candy to fall out faster, you can set the number of threads with -t $INT – the default is 10.
If you want to see the other options, do -h.
I don’t get it.
OK have a look at this:
In the screenshot above we can see an “Assigned Application” policy that is still being pushed to computers, but the MSI file to install is missing, and the directory it’s being installed from is writable by the current user.
If you created a hacked up MSI (e.g. with msfvenom) and then modified it to match the UIDs at the bottom of the picture, it would get executed on machines targeted by the GPO. Sweet!
In this one you can see that someone’s done something absolutely insane to the ACLS on the registry.
Sometimes, we want to find largest files or folders from our computer, especially when we are running out of space on hard drive. Because spending time to find different small useless files and then delete them can be very time consuming and after all it’s possible that we have only deleted couple MB of files which won’t help much. Remove one or two huge files or folders may help a lot.
Here is a list of software which can be used just for this purpose and for free, even better, some are open source.
Easy to use
Free, Open Source
Can be installed
Portable version available (via portableapps)
Easy to use
Portable version available
Easy to use
Can be installed
Portable version available
Out of three, WinDirStat is the only open source one, Space Sniffer and WinTree are both freeware only.
WinDirStat does not provide official portable version, but portable version can be downloaded from portableapps. Both SpaceSniffer and WizTree provide official portable version.
All of them are very easy to use, the user interface of WinDirStat and WizTree are very similar, you click on the tile or block to reveal the file name, while SpaceSniffer displays the file and folder name directly on the tile/block.
Bottom line, choose whichever you like to use or give all of them a try and decide which one to go with, or even keep all of them in your bag, backup plan will not hurt 😉
1 Save following text to ResetPrinterJob.cmd or ResetPrinterJob.bat
net stop spooler
del /q /s c:\windows\system32\spool\printers*.*
net start spooler
NET SESSION >nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO Administrator PRIVILEGES Detected!
) ELSE (
ECHO This script has to be run with Administrator PRIVILEGES!
ECHO The script will now terminate.
net stop spooler
del /q /s c:\windows\system32\spool\printers.
net start spoolerA
if %ERRORLEVEL% == 0 goto :successful
echo "Errors encountered during execution. Exited with status: %errorlevel%"
echo The printer is ready for use again!
echo "Script completed with error"
2 Run ResetPrinterJob.cmd or ResetPrinterJob.bat in Admin mode.
3 Now the printer is ready to be used again.
1 Open “Task Manager” by using Ctrl + Alt + Delete key combination or right click on task bar then click on “Task Manager”
2 Click on “Services” tab
3 Find “Spooler”
4 Right click on it then click on “Stop”
5 Open file explorer navigate to “C:\Windows\system32\spool\PRINTERS”
6 Delete all files within the folder (Do not delete the “C:\Windows\system32\spool\PRINTERS” folder)
7 Bring back the Task Manager, start the Spooler service
1.1 ping 127.0.0.1: Check if the Network interface controller (NIC), TCP/IP protocol, subnet mask works.
1.2 ping the current host’s IP address: Check if local configuration/installation are correct. (If not, we can check network equipment and cables.)
1.3 ping IP within the current subnet: Check if the NIC works in local area network (LAN), if there is no reply, it means that the subnet mask may be incorrect, network cable issue, configuration issue etc.
1.4 ping default gateway: Check if the gateway works.
1.5 ping remote IP address: Check if the default gateway works, if the device can get on to internet.
1.6 ping localhost: localhost is an operating system (OS) reserved host name. It resolves to 127.0.0.1. Usually, devices should be able to resolve this to such address, otherwise there can be something wrong with the host file (/Window/host for Windows) (/etc/host for Linux)
1.7 ping www.google.com: It will be resolved to IP address first via querying DNS server, if not resolved, it can be the DNS server is not configured correctly or DNS server is not working. Sometimes it can be the domain is blocked by firewall in local area network. (ping can be blocked completely by firewall as well.) Or simply, the domain does not exist.
ping IP -t: ping the IP address continuously until Ctrl + C is pressed.
ping IP -l 1000: ping with specified length (1000 bytes) (default is 32 byte)
ping IP -f -l 1492: ping with specified length without fragmenting the packet.
ping IP -n 10: execute the ping command 10 times.
ping IP -a: Resolve the hostname and NetBIOS name via the pingable IP address.
for /L %D in (1,1,254) do ping 10.0.0.%D: ping from 10.0.0.1 to 10.0.0.254
for /L %D in (1,1,254) do ping 10.0.0.%D
Note: Ping command can be blocked by firewall deployed in the LAN, while it is a useful and helpful command for troubleshooting the network issues most of the time, but do not rely on it entirely and draw conclusion completely from ping command. Better to use it as a reference.
Used for checking TCP/IP configuration. Release, Renew DHCP leasse. Flush DNS cache etc.
2.1 ipconfig: Show IP address, Subnet Mask, Default Gateway of the interface
2.2 ipconfig /all: Show all details including DNS, WINS and extra information, MAC address, DHCP server IP address, DHCP lease obtained time, expire time etc.
2.3 ipconfig /release: Release all IP addresses obtained from DHCP server
2.4 ipconfig /renew: Renew the IP address from DHCP server, usually it will be the same IP address before “ipconfig /release”
2.5 ipconfig /flushdns: Flush DNS cache in Windows
2.6 ipconfig /displaydns: Print DNS cache from local machine on screen. (We can use ipconfig /displaydns > C:\dns-cache.txt to save output to text file for easier diagnostic)
3 tracert (traceroute)
Used for checking routing condition/path and latency etc.
If any packet loss happen, “*” will be used instead of time in “ms”
4 arp (Address Resolution Protocol)
Used to check the corresponding Media Access Control Address (MAC address) of the IP address.
Can be used to output ARP cached information from current device or other devices. Manually set the MAC/IP pair.
arp -a <IP>
arp -s <IP>
arp -d <IP>
4.1 arp -a: Show all data in ARP cache
4.2 arp -a IP: Only show all ARP cache from one of the NIC associated with the specified IP address
4.3 arp -s IP MAC: Manually add the IP MAC pair as static ARP cache to the system (Persistent across reboots)
4.4 arp -d IP: Manually delete a static ARP cache
Used for checking and configuring routing information.
5.1 route print: Show current routing table
5.2 route add:
e.g. To configure a routing table for reaching 192.168.1.11, through 5 networks, via one of the route on local network which is 192.168.2.22, where the subnet is 255.255.255.224, then the following command will be used
Keywords: Windows command prompt, command line, cmd, Add Users, Create Users, Delete Users, Remove Users, List Users, Add local groups, Create local groups, Delete local groups, List local groups, net command
Launch the Command Prompt (In Admin mode)
We should launch the Command Prompt in Administrator mode.
Use Win + X key combination -> “Windows PowerShell (Admin)”
Open start menu -> Type “cmd” -> Right click on “Command Prompt” -> Run as administrator
Specifies the name of the remote server on which the service is located. The name must use the Universal Naming Convention (UNC) format (for example, \\myserver). To run SC.exe locally, omit this parameter.
Specifies the service name returned by the getkeyname operation.
Specifies the service descriptor in SDDL.
Displays help at the command prompt.
Security Descriptor Definition Language (SDDL)
The security descriptor, as displayed by sc sdshow, is formatted according the Security Descriptor Definition Language (SDDL).
The descriptor will usually be divided into two parts:
Prefix of S: – System Access Control List (SACL),controls auditing (not covered in this post)
Prefix of D: – Discretionary ACL (DACL),controls permissions
Each section, inside the parenthesis, represent a specific entry (security/auditing). Inside the parenthesis, the user account and the correct permissions are specified.
The first letter represents Allow (A) the opposite of Deny which would be represented by a (D). Each pair of letters represents a specific permission: CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services LO – SERVICE_INTERROGATE – ask the service its current status CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors RC – READ_CONTROL – read the security descriptor on this service.
Additional permissions: RP – SERVICE_START – start the service WP – SERVICE_STOP – stop the service DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
The last two letters define the security principal assigned with these permissions (a SID or well known aliases: AU – Authenticated Users
“AO” Account operators “RU” Alias to allow previous Windows 2000 “AN” Anonymous logon “AU” Authenticated users “BA” Built-in administrators “BG” Built-in guests “BO” Backup operators “BU” Built-in users “CA” Certificate server administrators “CG” Creator group “CO” Creator owner “DA” Domain administrators “DC” Domain computers “DD” Domain controllers “DG” Domain guests “DU” Domain users “EA” Enterprise administrators “ED” Enterprise domain controllers “WD” Everyone “PA” Group Policy administrators “IU” Interactively logged-on user “LA” Local administrator “LG” Local guest “LS” Local service account “SY” Local system “NU” Network logon user “NO” Network configuration operators “NS” Network service account “PO” Printer operators “PS” Personal self “PU” Power users “RS” RAS servers group “RD” Terminal server users “RE” Replicator “RC” Restricted code “SA” Schema administrators “SO” Server operators “SU” Service logon user
Lets look at another example: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
A – Allow CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration DC – Delete All Child Objects LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services RP – Read all properites WP – SERVICE_STOP – stop the service DT – SERVICE_PAUSE_CONTINUE – pause / continue the service LO – SERVICE_INTERROGATE – ask the service its current status CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors SD – Delete RC – READ_CONTROL – read the security descriptor on this service. WD – Modify permissions WO – Modify owner BA- Built-in administrators