Add -dc-host option #838

Merged
merged 3 commits into from Jul 18, 2022

Conversation

rmaksimov
Contributor

There is a situation when the SMB protocol (in particular the 445/TCP port) is blocked/filtered, so these scripts don't work properly in conjunction with Kerberos (it doesn't matter which Python version is used):

root@kali:~# GetADUsers.py -debug -k -no-pass -user contoso_admin contoso.com/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.8/site-packages/impacket
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 901, in _setup_connection
    sock.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/GetADUsers.py", line 238, in <module>
    executer.run()
  File "/usr/local/bin/GetADUsers.py", line 124, in run
    self.__target = self.getMachineName()
  File "/usr/local/bin/GetADUsers.py", line 74, in getMachineName
    s = SMBConnection(self.__domain, self.__domain)
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 78, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 114, in negotiateSession
    packet = self.negotiateSessionWildcard(self._myName, self._remoteName, self._remoteHost, self._sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 163, in negotiateSessionWildcard
    self._nmbSession = nmb.NetBIOSTCPSession(myName, remoteName, remoteHost, nmb.TYPE_SERVER, sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 892, in __init__
    NetBIOSSession.__init__(self, myname, remote_name, remote_host, remote_type=remote_type, sess_port=sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 752, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 904, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
OSError: [Errno Connection error (contoso.com:445)] timed out
[Errno Connection error (contoso.com:445)] timed out

Specifying the -dc-ip option won't help either (expected behaviour)

root@kali:~# GetADUsers.py -debug -k -no-pass -user contoso_admin -dc-ip 10.10.10.10 contoso.com/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.8/site-packages/impacket
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 901, in _setup_connection
    sock.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/GetADUsers.py", line 238, in <module>
    executer.run()
  File "/usr/local/bin/GetADUsers.py", line 124, in run
    self.__target = self.getMachineName()
  File "/usr/local/bin/GetADUsers.py", line 72, in getMachineName
    s = SMBConnection(self.__kdcHost, self.__kdcHost)
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 78, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 114, in negotiateSession
    packet = self.negotiateSessionWildcard(self._myName, self._remoteName, self._remoteHost, self._sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 163, in negotiateSessionWildcard
    self._nmbSession = nmb.NetBIOSTCPSession(myName, remoteName, remoteHost, nmb.TYPE_SERVER, sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 892, in __init__
    NetBIOSSession.__init__(self, myname, remote_name, remote_host, remote_type=remote_type, sess_port=sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 752, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 904, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
OSError: [Errno Connection error (10.10.10.10:445)] timed out
[Errno Connection error (10.10.10.10:445)] timed out

What if I have the corresponding FQDN (or NetBIOS name)? There should be an option to specify it. I have changed the conditions in run() and have added the -dc-host parameter.
Now it is possible to connect to a specific KDC using its FQDN (or NetBIOS name) without initiating an SMB connection with it. So the first issue is solved.

The second one is related to the -dc-ip option. Why not just reuse the -dc-ip option (maybe rename it to -kdc), allow specifying an FQDN (or NetBIOS name) in it, and check it in those conditions? This is due to a DNS name resolution issue. If the DNS protocol is also blocked/filtered, both the FQDN (or NetBIOS name) and the IP address should be specified. It is possible to add an entry to /etc/hosts for sure, but if there is an option, why not use it?

root@kali:~# GetADUsers.py -debug -k -no-pass -user contoso_admin -dc-ip dc01 contoso.com/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.8/site-packages/impacket
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 897, in _setup_connection
    af, socktype, proto, canonname, sa = socket.getaddrinfo(peer[0], peer[1], 0, socket.SOCK_STREAM)[0]
  File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/GetADUsers.py", line 238, in <module>
    executer.run()
  File "/usr/local/bin/GetADUsers.py", line 124, in run
    self.__target = self.getMachineName()
  File "/usr/local/bin/GetADUsers.py", line 72, in getMachineName
    s = SMBConnection(self.__kdcHost, self.__kdcHost)
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 78, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 114, in negotiateSession
    packet = self.negotiateSessionWildcard(self._myName, self._remoteName, self._remoteHost, self._sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/smbconnection.py", line 163, in negotiateSessionWildcard
    self._nmbSession = nmb.NetBIOSTCPSession(myName, remoteName, remoteHost, nmb.TYPE_SERVER, sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 892, in __init__
    NetBIOSSession.__init__(self, myname, remote_name, remote_host, remote_type=remote_type, sess_port=sess_port,
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 752, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python3.8/site-packages/impacket/nmb.py", line 904, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
OSError: [Errno Connection error (dc01:445)] [Errno -3] Temporary failure in name resolution
[Errno Connection error (dc01:445)] [Errno -3] Temporary failure in name resolution

From now on, in the worst case, the syntax will be the following:

root@kali:~# GetADUsers.py -k -no-pass -user contoso_admin -dc-ip 10.10.10.10 -dc-host dc01 contoso.com/

@rmaksimov rmaksimov changed the title Add dc host option Add -dc-host option Apr 27, 2020
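To make the decision described above concrete, here is an added example in Python; it is hypothetical helper code written for this page, not impacket's own GetADUsers.py. The names `resolve_target`, `Target`, `SmbUnreachable` and the two stand-in lookup callbacks are invented; the DC name `dc01.contoso.com` and address `10.10.10.10` are constructed from the PR's own output. It models the three cases from the description: Kerberos with only -dc-ip while 445/TCP is filtered (fails at the SMB machine-name lookup), Kerberos with -dc-ip plus -dc-host (no SMB round trip and no DNS needed), and Kerberos with SMB reachable (the pre-PR path). One fact it relies on: impacket's LDAP Kerberos login requests a service ticket for ldap/<target host>, so an IP address alone cannot serve as the Kerberos target and a host name has to come from somewhere.

```python
# Added example, not impacket's code: a hypothetical helper that mirrors the
# decision the PR describes. It chooses the name the LDAP Kerberos SPN is
# built from and the address actually connected to, and only falls back to an
# SMB-based machine-name lookup when no -dc-host was given.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Target:
    host: str                 # name the Kerberos SPN ldap/<host> is built from
    address: str              # what the socket connects to (IP if -dc-ip given)
    spn: Optional[str]        # None when NTLM is used instead of Kerberos
    smb_lookup_used: bool     # True if the 445/TCP name lookup was required


class SmbUnreachable(OSError):
    """Raised by the lookup callback when 445/TCP is filtered."""


def resolve_target(domain: str,
                   do_kerberos: bool,
                   dc_ip: Optional[str] = None,
                   dc_host: Optional[str] = None,
                   smb_machine_name: Optional[Callable[[str], str]] = None) -> Target:
    """Emulates -dc-ip / -dc-host handling (hypothetical, not impacket's code).

    Kerberos needs a host name for the service ticket (ldap/<host>); an IP
    alone is not enough, which is why -dc-ip alone cannot avoid the SMB lookup.
    """
    if dc_host is not None:
        # -dc-host given: use it directly, no SMB round trip to learn the name.
        host, smb_lookup_used = dc_host, False
    elif do_kerberos:
        # Pre-PR behaviour: ask the DC itself over SMB for its machine name.
        if smb_machine_name is None:
            raise ValueError("no -dc-host and no way to look the name up")
        host, smb_lookup_used = smb_machine_name(dc_ip or domain), True
    else:
        # NTLM works with whatever we were given, name or IP.
        host, smb_lookup_used = (dc_ip or domain), False

    # -dc-ip always wins for the actual connection, so DNS is never needed
    # when both -dc-ip and -dc-host are supplied (the "worst case" syntax).
    address = dc_ip if dc_ip is not None else host
    spn = f"ldap/{host}" if do_kerberos else None
    return Target(host, address, spn, smb_lookup_used)


# --- constructed stand-ins for the network, so the example runs offline ----

def smb_lookup_filtered(host: str) -> str:
    """Models the traceback in the PR: 445/TCP is filtered, connect() times out."""
    raise SmbUnreachable(f"Connection error ({host}:445) timed out")


def smb_lookup_working(host: str) -> str:
    """Models an unfiltered DC answering with its (constructed) machine name."""
    return "dc01.contoso.com"


def scenarios() -> dict:
    """Runs the three situations from the PR description and returns what happened."""
    out = {}
    # 1. Kerberos, SMB filtered, no -dc-host: fails exactly like the PR's traceback.
    try:
        resolve_target("contoso.com", True, dc_ip="10.10.10.10",
                       smb_machine_name=smb_lookup_filtered)
        out["kerberos_dc_ip_only"] = "ok"
    except SmbUnreachable as e:
        out["kerberos_dc_ip_only"] = str(e)
    # 2. Kerberos, SMB and DNS filtered: -dc-ip plus -dc-host, no lookup, no DNS.
    out["kerberos_dc_ip_and_dc_host"] = resolve_target(
        "contoso.com", True, dc_ip="10.10.10.10", dc_host="dc01",
        smb_machine_name=smb_lookup_filtered)
    # 3. Kerberos, SMB open: the old path still works without -dc-host.
    out["kerberos_smb_open"] = resolve_target(
        "contoso.com", True, smb_machine_name=smb_lookup_working)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Note that with -dc-host the name you pass is what the SPN is requested for, so it has to be one the DC actually has registered (its short name or FQDN); a made-up alias will fail at the TGS step rather than at the socket.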
@Meatballs1

+1 for this. Can't perform Kerberos attacks on NTLM disabled domains as it currently stands :D
