Target Domain Flags for GetNPUsers & GetADUser #1717
Hello Impacket team!
Overview
Recently our team identified a small oddity in GetNPUsers.py && GetADUsers.py where you couldn't ASREP-Roast or query users in other domains. To remedy this, I modified the logic that both scripts use to create the LDAP search scope.
Changes
The original code is something like so:
This essentially retrieves the LDAP search scope from self.__domain (which is directly passed into the init function from the main function's provided credentials). It now checks whether the user provided a target domain flag:
The full change in the init function now checks if the supplied value is None/Null; if so, it'll then parse from the domain. If not, it'll prefer the user's set target domain through a simple if statement:
Both of these code changes are shared between GetNPUsers.py && GetADUsers.py. The only other code change is within GetNPUsers.py, in the getTGT function, where a similar check is made (if target domain != None, set this, else, that):
Testing
This was tested in both a lab environment as well as a production Active Directory domain to ensure functionality wasn't broken. An example screenshot can be found here:
![image](https://private-user-images.githubusercontent.com/44957111/313854644-aedd0836-7133-4aab-b47c-33a6c5b8efdb.png)
![image](https://private-user-images.githubusercontent.com/44957111/313854875-6348201c-6527-4267-83e0-68615b859804.png)
![image](https://private-user-images.githubusercontent.com/44957111/313855226-8371b8c8-3c66-4c27-b17c-7ec9f6e373dd.png)
In the above example, the Administrator lives in the NANAISU domain, which has a bidirectional trust with the MSP domain as seen in the following screenshot:
Within the MSP domain there are two users, sqlUser and Ronnie. sqlUser has "Do not require Kerberos Pre-Auth" checked to allow for GetNPUsers.py testing.
Testing the inverse also works. Users on the MSP domain can query the NANAISU domain:
If there's any questions or concerns, please let me know!
I hope this helps!
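The PR text describes the selection logic in prose only (the quoted snippets did not survive extraction), so the following is an added illustration of the domain-selection pattern it describes: a credential domain always exists, an optional target domain flag overrides it when set, and the chosen domain is converted into an LDAP base DN by splitting on dots into `dc=` components. This is example code written for this page, not Impacket's own implementation; the function names `resolve_search_domain` and `build_base_dn` are assumptions, and the `dc=` layout is the conventional mapping of a DNS domain name to a default naming context.

```python
"""Illustrative domain-selection logic for a cross-domain LDAP query.

Constructed example, not Impacket code. It models the behaviour the PR
describes: prefer an explicit target domain, otherwise fall back to the
domain that came with the supplied credentials, and turn the result into
an LDAP base DN such as 'dc=msp,dc=local'.
"""

from typing import Optional, Tuple


def resolve_search_domain(credential_domain: str, target_domain: Optional[str] = None) -> str:
    """Return the domain to search.

    argparse-style flags arrive as None when absent and may arrive as an
    empty string when given with no value; both are treated as 'not set'
    so the credential domain is used, exactly like the pre-PR behaviour.
    """
    if target_domain is not None and target_domain.strip():
        return target_domain.strip().rstrip(".").lower()
    if not credential_domain or not credential_domain.strip():
        raise ValueError("credential domain is required when no target domain is given")
    return credential_domain.strip().rstrip(".").lower()


def build_base_dn(domain: str) -> str:
    """Map 'msp.local' -> 'dc=msp,dc=local'.

    Each DNS label becomes one 'dc=' RDN; empty labels (from a typo such as
    'msp..local') are rejected rather than producing a malformed DN.
    """
    labels = domain.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def search_scope(credential_domain: str, target_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (domain_used, base_dn) for the LDAP bind and search.

    Both scripts in the PR share this decision; the Kerberos side of
    GetNPUsers.py makes the same domain choice when building its AS-REQ,
    so the realm and the LDAP base DN stay consistent.
    """
    domain = resolve_search_domain(credential_domain, target_domain)
    return domain, build_base_dn(domain)


if __name__ == "__main__":
    # Constructed values mirroring the PR's lab: credentials from NANAISU,
    # query aimed at the trusted MSP domain. Domain names are placeholders.
    print(search_scope("nanaisu.local"))                 # no flag: credential domain
    print(search_scope("nanaisu.local", "msp.local"))    # flag set: target domain
    print(search_scope("nanaisu.local", ""))             # empty flag: fall back
```

Keeping the decision in one helper means the LDAP base DN and the Kerberos realm cannot drift apart: a query that binds with NANAISU credentials but searches `dc=msp,dc=local` only succeeds because the trust described in the PR exists, and a defender reviewing LDAP or Kerberos logs would see the foreign realm in the request, which is the observable that distinguishes cross-domain enumeration from in-domain activity.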