Implement MS-GKDI and LAPSv2 password extraction #1556
Conversation
…packet#1556 fork of impacket as it contains an implementation of MS-GKDI. Shout out to @zblurx for 99.9999% of the code I used.
* Added GetLAPSPassword to examples. * update GetLapsPassword * Add LAPSv2 column --------- Co-authored-by: dru1d <tyler.booth@cdw.com> Co-authored-by: zblurx <seigneuret.thomas@pm.me>
|
Thanks to @dru1d-foofus we added LAPSv1 support to the example script |
|
Updated script output looks like this. It should be noted that LAPSv1 shows password expiration, but LAPSv2 currently does not have it implemented and therefore it will always return N/A.
|
fortra/impacket#1556 fork of impacket as it contains an implementation of MS-GKDI. Shout out to @zblurx for 99.9999% of the code I used." This reverts commit 5c22d10 as it was added to the fork to impacket and I want this to be available for folks who don't have that version yet.
|
After some modifications: The LAPSv2 column store True if the account use LAPSv2, False if not. |
Co-authored-by: dru1d <tyler.booth@cdw.com>
anadrianmanrique
added
the
in review
|
@anadrianmanrique Can we get this merged by now? |
|
@CaledoniaProject of course not. First conflicts needs to be solved in setup.py, also new dependence should be added in requirements.txt . Then it will be ready to review and then testing if review is ok. Thanks |
|
Hey @anadrianmanrique, just resolved the merge conflicts and updated the requirements file, can you start reviewing the PR please ? |
|
Hi, we've just merged readLAPS.py example. Do you think that your changes could be integrated in that example instead? |
|
Sad, we created GetLAPSPasswords.py example script like 10 months ago... |
|
Yes I understand. readLAPS.py got merged within the 3 months period where we had no visibility on how and when this PR was going to be fixed. Bad timing :/ |
|
I'll try to do it before may. Thanks |
|
Can we merge this ASAP so NetExec can use upstream Impacket and be packaged into Kali? If there needs to be example scripts updated later that can be another PR, but we need the core functionality merged. |
|
hi @zblurx, I'll be checking your PR as is now. Will keep you updated how it goes thank you! |
|
Today will be merging this PR Just a few notes for us in the future @anadrianmanrique :
thank you!! |
|
sure, ill try this script and see if its better than my one. and update here. |
I appreciate this finally getting looked at. It is really unfortunate that we weren't really provided any feedback between August of 2023 (when this was assigned) and December of 2023 when another user (@CaledoniaProject) asked about the status of our initial PR. When this was initially submitted for review, we were extremely active and would've been able to address any concerns in a timely manner and prevent anyone from doing extraneous/duplicate work. All around it seems like everyone's schedules just didn't line up here. Everyone is busy and has their own stuff going on. I believe that rolling back
It really doesn't make sense to rewrite the most recent example to support all of this functionality when it already exists in this PR. I am admittedly biased here because I was a contributor, but I'll state my case anyway. |
|
@dru1d-foofus agree, this |
If you think there are changes that can be made to improve GetLAPSPassword, I think we should take those into account. That way we can make sure it meets your needs. |
|
Awesome, merging! Will rollback the other example later on Thank you all!! |
Removed `readLAPS` example as talked in #1556
This code implements MS-GKDI.
I added a script to extract every LAPSv2 passwords.
There is also a fix on Endpoint Mapper on max_tower value