
GetUserSPNs.py is broken in the latest release #1485

Closed
0xGreen opened this issue Feb 16, 2023 · 7 comments
Labels: high (High priority item)

Comments

@0xGreen

0xGreen commented Feb 16, 2023

GetUserSPNs.py seems to be broken after the merge of pull request #1135.

The same command was run on the latest release of GetUserSPNs.py and on the one from the Jan 19, 2023 commit (b7f0e65). The latest one says "No entries found" and the old one gives the correct results.

```shell
python3 GetUserSPNs.py -request -dc-ip 10.200.79.101 za.tryhackme.loc/barbara.reid:'Password1'
```


@ThePirateWhoSmellsOfSunflowers
Contributor

ThePirateWhoSmellsOfSunflowers commented Feb 16, 2023

Hello,

It seems that the new LDAP filter is less restrictive than the previous one (`(servicePrincipalName=*)` is no longer sent), so there is a possibility that the result set that will be returned will contain more than 1000 items. According to MS documentation:

> Searches of Active Directory performed without paging are limited to returning a maximum of the first 1000 records.

Thus, as GetUserSPNs.py does not use paged search, if the account svcIIS is the 1001st item, GetUserSPNs.py will not display it (I don't know how many users the domain tryhackme.loc has).

First of all, can you try the same command with the -debug flag? If `sizeLimitExceeded exception caught, giving up and processing the data received` is displayed, then I think there is indeed a problem with the 1k item limit.

Then, you can try to hotfix it by changing (line 306 in GetUserSPNs.py)

```python
try:
    resp = ldapConnection.search(searchFilter=searchFilter,
                                 attributes=['servicePrincipalName', 'sAMAccountName',
                                             'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],
                                 sizeLimit=100000)
```

to

```python
try:
    # Microsoft Active Directory sets a hard limit of 1000 entries returned by any search
    paged_search_control = ldapasn1.SimplePagedResultsControl(criticality=True, size=1000)
    resp = ldapConnection.search(searchFilter=searchFilter,
                                 attributes=['servicePrincipalName', 'sAMAccountName',
                                             'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],
                                 searchControls=[paged_search_control])
```

Anyway, even if it doesn't resolve your issue, I think a PR must be done to use paged search within GetUserSPNs.py.

🌻

@0xGreen
Author

0xGreen commented Feb 16, 2023

Hi,

Absolutely correct, there are a few thousand users in this domain.

Yes, with -debug it did give `sizeLimitExceeded exception caught, giving up and processing the data received`.

```shell
GetUserSPNs.py -request -dc-ip 10.200.79.101 za.tryhackme.loc/phillip.wilkins:'Developmental1971' -debug
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Connecting to 10.200.79.101, port 389, SSL False
[+] sizeLimitExceeded exception caught, giving up and processing the data received
[+] Total of records returned 1001
```

The hotfix you provided worked and identified the svcIIS user!!

@0xdeaddood
Collaborator

Hi guys!

Thanks @0xGreen for pointing this out, and thanks @ThePirateWhoSmellsOfSunflowers for the hotfix. We'll check the issue & hotfix, and we'll analyze what the best solution for this is.

@0xdeaddood 0xdeaddood added the in review This issue or pull request is being analyzed label Feb 16, 2023
@ThePirateWhoSmellsOfSunflowers
Contributor

We also discovered that this PR consumes a huge amount of RAM on huge domains (3.5 GB for a 20k-user domain; the VM crashes 😢) because the new filter gets all the user accounts and then searches for those with an SPN. On the one hand this filter is stealthier, but on the other hand huge domains may crash Python and/or the attacker's VM. Maybe we can add a --stealth flag for GetUserSPNs?

🌻
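The two problems raised in this thread, the 1000-entry cap that hides the 1001st account (ThePirateWhoSmellsOfSunflowers' first comment) and the memory cost of pulling every user and filtering locally (the comment just above), as one added example. This is not impacket's code: the stand-in DC, the constructed directory (2500 users with svcIIS as the 1001st entry), the cookie format and the `FakeDC`/`find_kerberoastable` names are all assumptions made for this illustration; only the 1000-entry default MaxPageSize is AD's real behaviour.

```python
"""Added example for this issue, not impacket's code: a stand-in domain controller that
enforces AD's default MaxPageSize of 1000, and the client behaviours discussed in this
thread (unpaged vs. cookie-driven paged search, server-side vs. local SPN filtering).

Constructed/assumed: the directory contents (2500 users with svcIIS as the 1001st
entry), the FakeDC class and its cookie format. Only the 1000-entry cap is AD's default.
"""

MAX_PAGE_SIZE = 1000  # AD default MaxPageSize: the server-side cap the thread hits


class SizeLimitExceeded(Exception):
    """Stand-in for LDAP resultCode 4 (sizeLimitExceeded)."""


def build_directory(n_users=2500):
    """Constructed directory: plain users plus one Kerberoastable account past entry 1000."""
    users = [{"sAMAccountName": f"user{i:04d}", "servicePrincipalName": []}
             for i in range(n_users)]
    users[1000] = {"sAMAccountName": "svcIIS",
                   "servicePrincipalName": ["HTTP/web.za.tryhackme.loc"]}  # the 1001st item
    return users


class FakeDC:
    """Only the server behaviour that matters here: never more than MAX_PAGE_SIZE entries
    per response. Without a paged-results control the DC hands back the first
    MAX_PAGE_SIZE matches plus sizeLimitExceeded, whatever sizeLimit the client asked for."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, matches, page_size=None, cookie=None):
        hits = [e for e in self.entries if matches(e)]
        if page_size is None:  # plain search, no control attached
            if len(hits) > MAX_PAGE_SIZE:
                return hits[:MAX_PAGE_SIZE], SizeLimitExceeded(), None
            return hits, None, None
        start = int(cookie or 0)  # constructed cookie; real AD cookies are opaque blobs
        end = start + min(page_size, MAX_PAGE_SIZE)
        next_cookie = str(end) if end < len(hits) else ""  # empty cookie == last page
        return hits[start:end], None, next_cookie


def unpaged_search(dc, matches):
    """Pre-fix GetUserSPNs.py behaviour: one request; on sizeLimitExceeded keep what arrived."""
    entries, err, _ = dc.search(matches)
    return entries, isinstance(err, SizeLimitExceeded)


def paged_search(dc, matches, page_size=MAX_PAGE_SIZE):
    """SimplePagedResults loop: re-issue the search with the DC's cookie until it is empty.
    impacket's LDAPConnection.search runs this loop itself once a SimplePagedResultsControl
    is passed in searchControls; here each page is yielded so the caller can discard it."""
    cookie = None
    while True:
        page, _, cookie = dc.search(matches, page_size=page_size, cookie=cookie)
        yield page
        if not cookie:
            return


def has_spn(entry):
    return bool(entry["servicePrincipalName"])


def any_user(entry):
    return True  # stand-in for the broad post-#1135 filter that returns every user account


def find_kerberoastable(dc, server_side_filter=True, paged=True):
    """Returns (names with an SPN, whether the result was truncated, peak entries held in RAM).

    server_side_filter=True  -> the DC evaluates (servicePrincipalName=*) (pre-#1135)
    server_side_filter=False -> pull every user and test servicePrincipalName locally (#1135)
    """
    matches = has_spn if server_side_filter else any_user
    if not paged:
        entries, truncated = unpaged_search(dc, matches)
        names = {e["sAMAccountName"] for e in entries if has_spn(e)}
        return names, truncated, len(entries)
    names, peak = set(), 0
    for page in paged_search(dc, matches):
        peak = max(peak, len(page))  # only one page is resident at a time
        names |= {e["sAMAccountName"] for e in page if has_spn(e)}
    return names, False, peak


if __name__ == "__main__":
    dc = FakeDC(build_directory())
    for label, kw in [("pre-#1135 (server filter, unpaged)", dict(server_side_filter=True, paged=False)),
                      ("#1135 (local filter, unpaged)", dict(server_side_filter=False, paged=False)),
                      ("#1135 + paging (local filter, paged)", dict(server_side_filter=False, paged=True))]:
        names, truncated, peak = find_kerberoastable(dc, **kw)
        print(f"{label}: found={sorted(names)} truncated={truncated} peak_in_memory={peak}")
```

The unpaged local-filter case reproduces the report exactly: the DC returns the first 1000 users and sizeLimitExceeded, svcIIS is never seen, and the script prints "No entries found". Paging fixes that. The memory point is separate: paging alone still lets a client accumulate every page into one list, which is what blows up on a 20k-user domain; bounding memory means filtering each page as it arrives and dropping it, as the loop above does (impacket's `search()` also takes a `perRecordCallback` argument for exactly this streaming use).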

@anadrianmanrique
Contributor

Hi, I have a question: why is the current version considered stealthier than the previous one?

@anadrianmanrique anadrianmanrique added high High priority item and removed in review This issue or pull request is being analyzed labels Mar 27, 2023
@SAERXCIT
Contributor

PR #1135 removed the filter `(servicePrincipalName=*)`, which could be detected by software monitoring LDAP queries as reconnaissance for Kerberoastable accounts. The PR instead filters locally for accounts having a servicePrincipalName attribute, which can be considered stealthier (at least in terms of LDAP querying; the Kerberos TGS-REQs are still the same and debatably not stealthy, see TrustedSec's research on this subject: https://www.trustedsec.com/blog/the-art-of-bypassing-kerberoast-detections-with-orpheus/).
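The LDAP-side monitoring mentioned above, as an added example (not impacket's code and not any vendor's detection logic): a small RFC 4515 filter parser that flags presence or wildcard tests on servicePrincipalName anywhere in a query, run over constructed log lines. The log line format, the sample queries (the first is in the shape of the filter the script sent before #1135; the second stands in for a broad every-user query of the post-#1135 kind), and the rule itself are all assumptions.

```python
"""Added example, not impacket's or any product's code: parse LDAP search filters
(RFC 4515) and flag queries that wildcard-test servicePrincipalName, the signal that
the old GetUserSPNs.py filter gave away and the #1135 local filter does not.

Constructed/assumed: the log line format, the sample queries, and the rule.
"""
import re

WATCHED_ATTR = "serviceprincipalname"  # attribute names are case-insensitive in LDAP

_ITEM = re.compile(r"^([^=~<>]+?)(~=|>=|<=|:=|=)(.*)$")


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples:
    ("and"|"or", [children]), ("not", child), ("present", attr),
    ("substring", attr, value), ("simple", attr, op, value)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    c = s[i] if i < len(s) else ""
    if c in ("&", "|"):
        kind, i, children = ("and" if c == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        return _close(s, i), (kind, children)
    if c == "!":
        i, child = _parse(s, i + 1)
        return _close(s, i), ("not", child)
    # Plain item. RFC 4515 requires a literal ')' inside a value to be escaped as \29,
    # so the first raw ')' terminates the item.
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item")
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"bad item {s[i:end]!r}")
    attr, op, value = m.groups()
    attr = attr.split(":")[0]  # extensible match: attr[:dn][:rule]:=value
    if op == "=" and value == "*":
        node = ("present", attr)
    elif op == "=" and "*" in value:
        node = ("substring", attr, value)
    else:
        node = ("simple", attr, op, value)
    return end + 1, node


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def wildcard_tests(node, attr=WATCHED_ATTR):
    """Return every presence/substring test on `attr`, however deeply nested in AND/OR/NOT."""
    kind = node[0]
    if kind in ("and", "or"):
        return [t for child in node[1] for t in wildcard_tests(child, attr)]
    if kind == "not":
        return wildcard_tests(node[1], attr)
    if kind in ("present", "substring") and node[1].lower() == attr:
        return [node]
    return []


# Constructed log lines; the format is an assumption, not any product's. Line 1 has the
# shape of the pre-#1135 query, line 2 stands in for a broad every-user query, line 3 is
# a nested wildcard variant, line 4 is ordinary noise.
SAMPLE_LOG = """\
2023-02-16T10:01:02Z client=10.200.79.50 bind=za\\barbara.reid filter=(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))
2023-02-16T10:01:03Z client=10.200.79.50 bind=za\\barbara.reid filter=(&(objectCategory=person)(objectClass=user))
2023-02-16T10:01:04Z client=10.200.79.51 bind=za\\phillip.wilkins filter=(|(serviceprincipalname=MSSQLSvc/*)(servicePrincipalName=HTTP/*))
2023-02-16T10:01:05Z client=10.200.79.52 bind=za\\svc_backup filter=(sAMAccountName=svcIIS)
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) bind=(\S+) filter=(\(.*\))$")


def scan(log_text):
    """Return (client, bind, filter) for each query that wildcard-tests servicePrincipalName."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a search record in the assumed format
        _ts, client, bind, flt = m.groups()
        try:
            tests = wildcard_tests(parse_filter(flt))
        except ValueError:
            continue  # malformed filter: worth its own alert in practice, skipped here
        if tests:
            alerts.append((client, bind, flt))
    return alerts


if __name__ == "__main__":
    for client, bind, flt in scan(SAMPLE_LOG):
        print(f"kerberoast-recon? client={client} bind={bind} filter={flt}")
```

The rule deliberately matches on the attribute rather than on one literal string, so reordering the AND terms, lower-casing the attribute name or switching from `=*` to `=HTTP/*` still trips it; the every-user query in line 2 does not, which is the point SAERXCIT is making about what #1135 hides from LDAP monitoring and what it does not (the TGS-REQs).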

@anadrianmanrique
Contributor

Fixed in #1498, thank you all!
