synacktiv/gpoParser

GitHub: synacktiv/gpoParser

A security tool that automates the extraction and parsing of Active Directory Group Policy Object configurations, helping to identify dangerous settings and to enrich the BloodHound analysis graph.

Stars: 352 | Forks: 35

# gpoParser

**gpoParser** is a tool designed to extract and analyze the configurations applied through Group Policy Objects (GPOs) in an Active Directory environment. Because enumerating these settings is usually tedious and time-consuming, the tool helps users get a clearer picture of the policies in effect and assists in identifying dangerous configurations that may lead to lateral movement or privilege escalation.

The tool was presented at [leHack 2025](https://lehack.org/fr/2025/tracks/conferences/#gpoparser-automating-group-policies-extraction-to-reveal-security-gaps) and [DEFCON 33](https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60387).

# Installation

Note: the `gssapi` package requires the `libkrb5-dev` dependency, which can be installed with `sudo apt install libkrb5-dev` (or with the relevant package manager).

```
pipx install git+https://github.com/synacktiv/gpoParser
```

# Features

```
$ gpoParser -h
usage: gpoParser [-h] {local,remote,display,query,enrich} ...

GPO Analysis Tool

positional arguments:
  {local,remote,display,query,enrich}
                        Choose mode
    local               Parse GPOs locally
    remote              Parse GPOs via remote LDAP/SYSVOL
    display             Display parsed GPO contents
    query               Query GPO parser results in order to display affected computers
    enrich              Enrich BloodHound with new edges

options:
  -h, --help            show this help message and exit
```

## GPO retrieval in online or offline mode

**Online**: connects to the LDAP directory to collect GPO-related information and attributes (flags, gPLink, gPOptions, etc.). It also connects to the SYSVOL share to collect the GPO configuration files.

```
$ gpoParser remote -h
usage: gpoParser remote [-h] [-s SERVER] [-d DOMAIN] [-u USER] [-p PASSWORD] [-H HASH] [-k] [-o OUTPUT]

options:
  -h, --help            show this help message and exit
  -s, --server SERVER   LDAP server IP or FQDN (ex: ldap://192.168.57.5 or ldaps://dc.corp.local)
  -d, --domain DOMAIN   Domain name tied to the user
  -u, --user USER       Username
  -p, --password PASSWORD
                        Password
  -H, --hash HASH       NTLM authentication, format is [LM:]NT
  -k, --kerberos        Use Kerberos authentication
  -o, --output OUTPUT   Output filename and location (default ./cache_gpoParser_.json)

$ gpoParser remote -u bob -p password -d corp -s 192.168.57.5
Retrieving \CORP.LOCAL\Policies\{008B0634-C0B9-443A-A06A-E2BAD875E27F}\Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Retrieving \CORP.LOCAL\Policies\{008B0634-C0B9-443A-A06A-E2BAD875E27F}\Machine/Preferences/Groups/Groups.xml
Retrieving \CORP.LOCAL\Policies\{008B0634-C0B9-443A-A06A-E2BAD875E27F}\Machine/Preferences/Registry/Registry.xml
[...]
Information saved to cache, now use display / query features
```

**Offline**: requires a (partial) copy of the LDAP directory and the content of the Policies folder of the SYSVOL share. Currently, collection of the LDAP directory is supported with the following tools:

- [ldeep](https://github.com/franc-pentest/ldeep)
- [ADExplorerSnapshot](https://github.com/c3c/ADExplorerSnapshot) `Objects` output format (NDJSON)

```
$ gpoParser local -h
usage: gpoParser local [-h] [-f {ldeep,adexplorer}] [-o OUTPUT] sysvol_folder ldap_folder

positional arguments:
  sysvol_folder         SYSVOL folder containing the policies
  ldap_folder           Folder with LDAP dump in ldeep format

options:
  -h, --help            show this help message and exit
  -f {ldeep,adexplorer}, --format {ldeep,adexplorer}
                        JSON files input format (default ldeep)
  -o OUTPUT, --output OUTPUT
                        Output filename and location (default ./cache_gpoParser_.json)

$ mkdir sysvol && cd sysvol && echo -e 'prompt\nrecurse\nmget *' | smbclient -W CORP -U bob%password //192.168.57.5/SYSVOL
$ mkdir ldap && ldeep ldap -u bob -p password -d corp.local -s 192.168.57.5 all ldap/corp
$ gpoParser local sysvol/ ldap/
Information saved to cache, now use display / query features
```

## Display

This mode shows all configuration changes applied by the GPOs, limited to the supported formats and the data that was parsed. Results can be filtered by GPO name or GUID.

```
$ gpoParser display -h
usage: gpoParser display [-h] [-g GPO] [-c CACHE]

options:
  -h, --help            show this help message and exit
  -g GPO, --gpo GPO     Filter by GPO name or GUID
  -c CACHE, --cache CACHE
                        Cache file location (default: ./cache_gpoParser_.json)

$ gpoParser display
Cache file found, using it

{6F3821B3-89B2-496D-82A5-58092D3EA588}: AddAdmin
  Computer configuration
    Groups
      The following principals are added to BUILTIN\Administrators
        CORP\admin

{ADC96BD4-86D3-4516-BCF2-F7BDD5A76366}: AddRDP
  Computer configuration
    Groups
      The following principals are added to BUILTIN\Remote Desktop Users
        CORP\bob
[...]

$ gpoParser display -g work
Cache file found, using it

{474D47E2-2B77-4E37-9744-A3CF6AB04449}: Workstation admins
  Computer configuration
    Groups
      The following principals are added to BUILTIN\Administrators
        CORP\Admin - All Workstations
```

## Query

This view shows the relationships between GPOs and computers. For example, you can see which computers a given GPO applies to, or which changes are applied to one or more computers.

```
$ gpoParser query -h
usage: gpoParser query [-h] [-g GPO] [-C COMPUTER] [-c CACHE]

options:
  -h, --help            show this help message and exit
  -g GPO, --gpo GPO     Filter by GPO name or GUID
  -C COMPUTER, --computer COMPUTER
                        Computer name or distinguishedName to filter on
  -c CACHE, --cache CACHE
                        Cache file location (default: ./cache_gpoParser_.json)

$ gpoParser query
Cache file found, using it

{6F3821B3-89B2-496D-82A5-58092D3EA588}: AddAdmin
This GPO affects the following computers:
  CN=SRV55,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL
  CN=SRV54,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL
  CN=SRV53,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL
  CN=SRV52,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL

{6AC1786C-016F-11D2-945F-00C04FB984F9}: Default Domain Controllers Policy
This GPO affects the following computers:
  CN=DC01,OU=Domain Controllers,DC=CORP,DC=LOCAL

{31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy
This GPO affects the following computers:
  CN=SRV51,OU=SUBSUB,OU=SUB,DC=CORP,DC=LOCAL
  CN=SRV49,OU=SUB,DC=CORP,DC=LOCAL
  CN=SRV50,OU=SUB,DC=CORP,DC=LOCAL
  CN=SRV55,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL
[...]

$ gpoParser query -C wks
Cache file found, using it

CN=WKS01,OU=ADMIN,OU=WORKSTATIONS,DC=CORP,DC=LOCAL
  {31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy
    Computer configuration
      Registry
        The following registry key changes have been made
          Action: Create
          Path: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
          Value: 4,1
        The following registry key changes have been made
          Action: Update
          Hive: HKEY_LOCAL_MACHINE
          Path: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
          Name: EnableMDNS
          Value: 00000000
```

## BloodHound enrichment

Parses the GPO information to create additional edges such as **AdminTo**, **CanRDP** and **CanPSRemote**, revealing lateral movement opportunities that BloodHound may not detect natively. The edges are added through a direct connection to the Neo4j database.

```
$ gpoParser enrich -h
usage: gpoParser enrich [-h] [-u USER] [-p PASSWORD] [-s SERVER] [-c CACHE]

options:
  -h, --help            show this help message and exit
  -u USER, --user USER  Username for neo4j authentication (default: neo4j)
  -p PASSWORD, --password PASSWORD
                        Password for neo4j authentication (default: bloodhoundcommunityedition)
  -s SERVER, --server SERVER
                        Neo4j server URI (default: bolt://localhost:7687)
  -c CACHE, --cache CACHE
                        Cache file location (default: ./cache_gpoParser_.json)
```

## Limitations

Offline data import comes with some limitations: parameters such as inheritance state, user/computer configuration state, security filtering, WMI filtering and item-level targeting may not always be collected or parsed by existing tools (BloodHound, PowerView, GPOHound).

As development progresses, **gpoParser** will gradually take all of these parameters into account.

More data collectors will be introduced as the tool ecosystem evolves.
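As an added illustration (not gpoParser's own code), the following Python parses a constructed Group Policy Preferences `Groups.xml`, the kind of file the tool retrieves from `Machine/Preferences/Groups/` in SYSVOL, keeps only `ADD` members, and maps the well-known local group SID to the BloodHound edge type that the enrich mode produces. The sample file, the SIDs in it and the SID-to-edge table are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GPP Groups.xml (Machine/Preferences/Groups/Groups.xml); not from a real domain.
SAMPLE_GROUPS_XML = """<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members><Member name="CORP\\admin" action="ADD" sid="S-1-5-21-1-2-3-1105"/></Members>
    </Properties>
  </Group>
  <Group name="Remote Desktop Users (built-in)">
    <Properties action="U" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
      <Members><Member name="CORP\\bob" action="ADD" sid="S-1-5-21-1-2-3-1106"/>
        <Member name="CORP\\helpdesk" action="REMOVE" sid="S-1-5-21-1-2-3-1107"/></Members>
    </Properties>
  </Group>
  <Group name="Backup Operators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-551" groupName="Backup Operators (built-in)">
      <Members><Member name="CORP\\ops" action="ADD" sid="S-1-5-21-1-2-3-1108"/></Members>
    </Properties>
  </Group>
</Groups>
"""

# Assumed mapping (this example's, not gpoParser's) from well-known local group SIDs to BloodHound edges.
EDGE_FOR_GROUP_SID = {
    "S-1-5-32-544": "AdminTo",      # BUILTIN\Administrators
    "S-1-5-32-555": "CanRDP",       # BUILTIN\Remote Desktop Users
    "S-1-5-32-580": "CanPSRemote",  # BUILTIN\Remote Management Users
}

def group_additions(xml_text):
    """Return (principal, group_name, edge) for each member ADDed; edge is None for untracked groups."""
    results = []
    for group in ET.fromstring(xml_text).iter("Group"):
        props = group.find("Properties")
        if props is None or props.get("action") == "D":  # "D" deletes the whole group: nobody is added
            continue
        sid = props.get("groupSid", "")
        name = props.get("groupName") or group.get("name", "")
        for member in props.iterfind("Members/Member"):
            if member.get("action", "ADD").upper() != "ADD":  # REMOVE entries grant nothing
                continue
            results.append((member.get("name"), name, EDGE_FOR_GROUP_SID.get(sid)))
    return results

if __name__ == "__main__":
    for principal, group, edge in group_additions(SAMPLE_GROUPS_XML):
        print(f"{principal:<18} added to {group:<32} -> {edge or 'no edge (group not tracked)'}")
```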