
Target Domain Flags for GetNPUsers & GetADUser #1717

Open
wants to merge 5 commits into
base: master

Conversation

Sq00ky
Contributor

@Sq00ky Sq00ky commented Mar 18, 2024

Hello Impacket team!

Overview

Recently our team identified a small oddity in GetNPUsers.py && GetADUsers.py where you couldn't ASREP-Roast or query users in other domains. To remedy this, I modified the logic that both scripts use to create the LDAP search scope.

Changes

The original code is something like so:

            domainParts = self.__domain.split('.')
            self.baseDN = ''
            for i in domainParts:
                self.baseDN += 'dc=%s,' % i
            # Remove last ','
            self.baseDN = self.baseDN[:-1]

This essentially retrieves the LDAP search scope from self.__domain (which is passed directly into the init function from the credentials provided to the main function). It now checks whether the user provided a target domain flag:

    group.add_argument('-targetdomain', action='store',metavar='targetdomain', help='The domain you would like to target in case of a domain trust.')

The full change in the init function now checks whether the supplied value is None/Null; if so, it parses the scope from the domain. If not, it prefers the user's target domain, via a simple if statement:

        if(self.__targetdomain == None):
            domainParts = self.__domain.split('.')
            self.baseDN = ''
            for i in domainParts:
                self.baseDN += 'dc=%s,' % i
            # Remove last ','
            self.baseDN = self.baseDN[:-1]
        else:
            domainParts = self.__targetdomain.split('.')
            self.baseDN = ''
            for i in domainParts:
                self.baseDN += 'dc=%s,' % i
            # Remove last ','
            self.baseDN = self.baseDN[:-1]

Both of these code blocks are shared between GetNPUsers.py && GetADUsers.py. The only other code change is within the getTGT function in GetNPUsers.py, where a similar check is made (if target domain != None, use it; else, use the domain):

        if self.__targetdomain != None:
            domain = self.__targetdomain.upper()
        else:
            domain = self.__domain.upper()

Testing

This was tested in both a lab environment as well as a production active directory domain to ensure functionality wasn't broken. An example screenshot can be found here:
[screenshot]
In the above example, the Administrator lives in the NANAISU domain, which has a bidirectional trust with the MSP domain as seen in the following screenshot:
[screenshot]
Within the MSP domain there are two users, sqlUser and Ronnie. sqlUser has "Do not require Kerberos Pre-Auth" checked to allow for GetNPUsers.py testing.
Testing the inverse also works. Users on the MSP domain can query the NANAISU domain:
[screenshot]

If there's any questions or concerns, please let me know!
I hope this helps!
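The base-DN construction described in this PR, written once with the target-domain preference folded in, as an added example. This is not Impacket's code: the function names, the trailing-dot handling and the sample domain names (nanaisu.local, msp.local, constructed for the example) are assumptions for illustration.

```python
"""Added example, not Impacket's code: derive the LDAP search base and the
Kerberos realm from a credential domain and an optional target domain."""
from typing import Optional


def build_base_dn(domain: str, target_domain: Optional[str] = None) -> str:
    """Return an LDAP base DN such as 'dc=msp,dc=local' for the domain to search.

    If target_domain is given (the -targetdomain flag the PR adds) it takes
    precedence over the domain taken from the credentials. Hypothetical helper
    written for this example; the function name is an assumption.
    """
    chosen = target_domain if target_domain else domain
    # A trailing dot ('msp.local.') or a doubled dot would otherwise yield an
    # empty 'dc=' component, which the directory rejects as an invalid DN.
    labels = [part for part in chosen.strip().rstrip('.').split('.') if part]
    if not labels:
        raise ValueError('domain must contain at least one DNS label')
    # Same output as the loop in the PR: one 'dc=' component per DNS label,
    # joined with commas and without the trailing comma.
    return ','.join('dc=%s' % label for label in labels)


def select_realm(domain: str, target_domain: Optional[str] = None) -> str:
    """Kerberos realm names are upper-case DNS names; prefer the target domain,
    mirroring the check the PR adds to getTGT."""
    return (target_domain or domain).upper()


if __name__ == '__main__':
    # Constructed sample values; the page's lab used NANAISU and MSP domains.
    print(build_base_dn('nanaisu.local'))               # credentials domain only
    print(build_base_dn('nanaisu.local', 'msp.local'))  # -targetdomain wins
    print(select_realm('nanaisu.local', 'msp.local'))
```

Collapsing the two near-identical branches into one helper also removes the duplicated loop, so a later fix (for example to DN handling) only has to be made in one place for both scripts.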

Fixed a logic bug that originally retrieved the LDAP domain search scope from the specified user credentials.
A new flag now exists called -targetdomain, which can be used to ASREP-Roast in a targeted domain of your choice.

The Argument Parsing function was modified to allow for this new functionality, as well as the getTGT function to check if a target domain is specified. If so, it will use that instead of the domain. Lastly, the init function that declares the LDAP search scope was modified.
Fixed line length to align with coding standards.
Fixed previously mentioned domain restriction issue (in GetNPUsers.py commit) for GetADUsers.py.
New -targetdomain flag has been added to specify a separate domain in case of a domain trust; the argument parsing, and init functions have been modified to support the target domain flag.
Switched back to "/usr/bin/env python"
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Apr 11, 2024
@enj5oy

enj5oy commented May 15, 2024

@Sq00ky hello, when I use a cross-forest request from the child domain to the parent with NTLM auth, all is fine.
When I use Kerberos auth, the ticket is requested from -dc-ip, but the ticket needs to be requested first from the child domain.
192.168.0.3 is dc.contoso.local
[screenshot 2024-05-15_22-42]
