GetUserSPNs.py is broken in the latest release #1485
Comments
Hello, It seems that the new LDAP filter is less restrictive than the previous one (
Thus, as GetUserSPNs.py does not use paged search, if the account svcIIS is the 1001st item, GetUserSPNs.py will not display it (I don't know how many users the domain tryhackme.loc has). First of all, can you try the same command with
Then, you can try to hotfix it by changing (line 306 in GetUserSPNs.py)

```python
try:
    resp = ldapConnection.search(searchFilter=searchFilter,
                                 attributes=['servicePrincipalName', 'sAMAccountName',
                                             'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],
                                 sizeLimit=100000)
```

to

```python
try:
    # Microsoft Active Directory sets a hard limit of 1000 entries returned by any search
    # (ldapasn1 is impacket.ldap.ldapasn1, imported at the top of GetUserSPNs.py)
    paged_search_control = ldapasn1.SimplePagedResultsControl(criticality=True, size=1000)
    resp = ldapConnection.search(searchFilter=searchFilter,
                                 attributes=['servicePrincipalName', 'sAMAccountName',
                                             'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],
                                 searchControls=[paged_search_control])
```

Anyway, even if it doesn't resolve your issue, I think a PR must be done to use paged search within GetUserSPNs.py. 🌻
Hi, Absolutely correct, there are a few thousand users in this domain. Yes, with:

```
GetUserSPNs.py -request -dc-ip 10.200.79.101 za.tryhackme.loc/phillip.wilkins:'Developmental1971' -debug
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Connecting to 10.200.79.101, port 389, SSL False
[+] sizeLimitExceeded exception caught, giving up and processing the data received
[+] Total of records returned 1001
```

The hotfix you provided worked and identified
Hi guys! Thanks @0xGreen for pointing this out, and thanks @ThePirateWhoSmellsOfSunflowers for the hotfix. We'll check the issue & hotfix, and we'll analyze what the best solution for this is.
We also discovered that this PR consumes a huge amount of RAM on huge domains (3.5 GB for a 20k-user domain, the VM crashes 😢) because the new filter gets all the user accounts and then searches for those with an SPN. On the one hand this filter is stealthier, but on the other hand huge domains may crash Python and/or the attacker's VM. Maybe we can add a 🌻
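The two problems raised in the thread, the 1000-entry size limit that makes paging necessary and the memory cost of fetching every user and filtering for SPNs client-side, are easy to see with a small model. The following is an added example, not impacket code and not part of the issue: `FakeDirectoryServer`, `build_directory` and the offset-based cookie are constructed stand-ins for a domain controller's LDAP service, chosen so the script runs offline; only the paging semantics (page size, opaque cookie, empty cookie when the result set is exhausted, truncation with a size-limit flag when no paging control is sent) mirror the real SimplePagedResultsControl behaviour.

```python
"""Paged search against a constructed in-memory directory (added example).

Models Active Directory's MaxPageSize (1000 entries per unpaged search,
surfaced by impacket as 'sizeLimitExceeded exception caught') and the
difference between filtering for servicePrincipalName on the server and
pulling every user to filter afterwards. Nothing here talks to a real DC.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_PAGE_SIZE = 1000  # Active Directory's default MaxPageSize


@dataclass
class Entry:
    sAMAccountName: str
    servicePrincipalName: list[str] = field(default_factory=list)


def build_directory(n_users: int, spn_every: int) -> list[Entry]:
    """Constructed sample directory: every spn_every-th account carries an SPN."""
    entries = []
    for i in range(n_users):
        spns = [f"HTTP/svc{i}.example.local"] if (i + 1) % spn_every == 0 else []
        entries.append(Entry(f"user{i:05d}", spns))
    return entries


class FakeDirectoryServer:
    """Stand-in for a domain controller's LDAP service (constructed).

    An unpaged search returns at most MAX_PAGE_SIZE matches plus an
    'exceeded' flag. A paged search returns one page and a cookie; an empty
    cookie means the result set is exhausted. The cookie is the next offset
    as decimal bytes, a simplification: real AD cookies are opaque blobs.
    """

    def __init__(self, entries: list[Entry]):
        self._entries = entries

    def search(self, filter_fn: Callable[[Entry], bool],
               page_size: Optional[int] = None, cookie: bytes = b""):
        matches = [e for e in self._entries if filter_fn(e)]
        if page_size is None:  # no paging control: hard cap, then give up
            return matches[:MAX_PAGE_SIZE], b"", len(matches) > MAX_PAGE_SIZE
        page_size = min(page_size, MAX_PAGE_SIZE)
        start = int(cookie) if cookie else 0
        end = start + page_size
        next_cookie = str(end).encode() if end < len(matches) else b""
        return matches[start:end], next_cookie, False


def paged_search(server: FakeDirectoryServer, filter_fn: Callable[[Entry], bool],
                 per_record: Callable[[Entry], None], page_size: int = MAX_PAGE_SIZE) -> int:
    """Walk every page, handing each entry to per_record as it arrives
    (the streaming pattern impacket exposes as perRecordCallback).
    Returns the number of entries transferred."""
    cookie, total = b"", 0
    while True:
        page, cookie, _ = server.search(filter_fn, page_size=page_size, cookie=cookie)
        for entry in page:
            per_record(entry)
        total += len(page)
        if not cookie:
            return total


def has_spn(entry: Entry) -> bool:
    """Equivalent of the LDAP filter (servicePrincipalName=*)."""
    return bool(entry.servicePrincipalName)


def any_user(entry: Entry) -> bool:
    """Broad filter that matches every account; SPNs are checked afterwards."""
    return True


def spn_accounts_unpaged_client_filter(server):
    """Failing pattern: broad filter, no paging, SPN check done client-side.
    Anything past entry 1000 is silently missing."""
    received, _, exceeded = server.search(any_user)
    found = [e.sAMAccountName for e in received if has_spn(e)]
    return found, len(received), exceeded


def spn_accounts_paged_client_filter(server):
    """Paging fixes completeness, but every account still crosses the wire
    and is held client-side, which is the memory problem on large domains."""
    found = []
    paged_search_total = paged_search(
        server, any_user,
        lambda e: found.append(e.sAMAccountName) if has_spn(e) else None)
    return found, paged_search_total


def spn_accounts_paged_server_filter(server):
    """Paging plus a server-side SPN filter: complete, and only SPN-bearing
    entries are transferred."""
    found = []
    total = paged_search(server, has_spn, lambda e: found.append(e.sAMAccountName))
    return found, total


if __name__ == "__main__":
    dc = FakeDirectoryServer(build_directory(2500, 250))
    f, n, exc = spn_accounts_unpaged_client_filter(dc)
    print(f"unpaged + client filter: {len(f)} SPN accounts, {n} entries, truncated={exc}")
    f, n = spn_accounts_paged_client_filter(dc)
    print(f"paged + client filter:   {len(f)} SPN accounts, {n} entries transferred")
    f, n = spn_accounts_paged_server_filter(dc)
    print(f"paged + server filter:   {len(f)} SPN accounts, {n} entries transferred")
```

With 2,500 users and 10 SPN accounts, the unpaged run reports 4 accounts and a truncation flag (the ones beyond the first 1000 entries are lost), the paged run with the broad filter finds all 10 but transfers all 2,500 entries, and the paged run with the server-side filter finds all 10 while transferring only those 10. For auditing which accounts expose SPNs, the last pattern is the one to prefer on large domains.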
Hi, I have a question: why is the current version considered stealthier than the previous one?
PR #1135 has removed filter
fixed in #1498, thank you all!
GetUserSPNs.py seems to be broken after the merge of pull request #1135.
The same command was run on the latest release of GetUserSPNs.py and on the one from the Jan 19, 2023 commit (b7f0e65). The latest one says "No entries found" and the old one gives the correct results.