37 changes: 28 additions & 9 deletions examples/GetUserSPNs.py
Expand Up @@ -79,23 +79,30 @@ def __init__(self, username, password, domain, cmdLineOptions):
self.__doKerberos = cmdLineOptions.k
self.__target = None
self.__requestTGS = options.request
self.__kdcHost = cmdLineOptions.dc_ip
self.__saveTGS = cmdLineOptions.save
self.__requestUser = cmdLineOptions.request_user
if cmdLineOptions.kdc_ip is not None:
self.__kdcHost = cmdLineOptions.kdc_ip
else:
self.__kdcHost = cmdLineOptions.dc_ip
self.__dcIp = cmdLineOptions.dc_ip
if cmdLineOptions.hashes is not None:
self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')

# Create the baseDN
domainParts = self.__domain.split('.')
if cmdLineOptions.base_dn is not None:
domainParts = cmdLineOptions.base_dn.split('.')
else:
domainParts = self.__domain.split('.')
self.baseDN = ''
for i in domainParts:
self.baseDN += 'dc=%s,' % i
# Remove last ','
self.baseDN = self.baseDN[:-1]

def getMachineName(self):
if self.__kdcHost is not None:
s = SMBConnection(self.__kdcHost, self.__kdcHost)
if self.__dcIp is not None:
s = SMBConnection(self.__dcIp, self.__dcIp)
else:
s = SMBConnection(self.__domain, self.__domain)
try:
Expand All @@ -104,7 +111,13 @@ def getMachineName(self):
logging.debug('Error while anonymous logging into %s' % self.__domain)

s.logoff()
return s.getServerName()

if self.options.base_dn is not None:
machineDomain = self.options.base_dn
else:
machineDomaine = self.__domain

return '{}.{}'.format(s.getServerName(), machineDomain)

@staticmethod
def getUnixTime(t):
Expand Down Expand Up @@ -189,14 +202,14 @@ def run(self):
if self.__doKerberos:
self.__target = self.getMachineName()
else:
if self.__kdcHost is not None:
self.__target = self.__kdcHost
if self.__dcIp is not None:
self.__target = self.__dcIp
else:
self.__target = self.__domain

# Connect to LDAP
try:
ldapConnection = ldap.LDAPConnection('ldap://%s'%self.__target, self.baseDN, self.__kdcHost)
ldapConnection = ldap.LDAPConnection('ldap://%s'%self.__target, self.baseDN, self.__target)
if self.__doKerberos is not True:
ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
else:
Expand All @@ -205,7 +218,7 @@ def run(self):
except ldap.LDAPSessionError, e:
if str(e).find('strongerAuthRequired') >= 0:
# We need to try SSL
ldapConnection = ldap.LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__kdcHost)
ldapConnection = ldap.LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__target)
if self.__doKerberos is not True:
ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
else:
Expand Down Expand Up @@ -350,6 +363,12 @@ def run(self):
group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If '
'ommited it use the domain part (FQDN) '
'specified in the target parameter')
group.add_argument('-kdc-ip', action='store',metavar = "ip address", help='IP Address of the key distribution center. '
'Useful if the KDC and the DC are in different domains. '
'If ommited, the DC IP is used')
group.add_argument('-base-dn', action='store',metavar = "base dn", help='Base DN of the interogated DC '
'(if different from the one used to authenticate)')


if len(sys.argv)==1:
parser.print_help()
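Review bot: The `else` branch of getMachineName assigns `machineDomaine` (stray trailing e) while the return uses `machineDomain`, so a Kerberos run without -base-dn dies with NameError before any connection is attempted; the line should read `machineDomain = self.__domain` (the function's opening lines are above the hunk). The same branch reads `self.options`, which the visible part of __init__ never sets — fine only if it is assigned earlier in the constructor. The new -base-dn value is split on '.' and re-wrapped as `dc=` components, so it actually expects a DNS domain name such as `child.corp.local` rather than an LDAP DN, and the help text should say so (a real DN like `dc=corp,dc=local` would become `dc=dc=corp,dc=local`). Note also that -kdc-ip is stored in `self.__kdcHost` but nothing in the visible hunks reads it any more (both LDAPConnection calls now pass `self.__target`), so its consumer must be in the unchanged part of run(); `interogated` in the help string should be `interrogated`.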
4 changes: 3 additions & 1 deletion impacket/krb5/kerberosv5.py
Expand Up @@ -392,8 +392,10 @@ def getKerberosTGS(serverName, domain, kdcHost, tgt, cipher, sessionKey):
return r, cipher, sessionKey, newSessionKey
else:
# Let's extract the Ticket, change the domain and keep asking
# We also interrogate a new KDC. TODO: how to find the KDC associated
# with the new domain. For now, we just try to resolve the new domain.
domain = spn.components[1]
return getKerberosTGS(serverName, domain, kdcHost, r, cipher, newSessionKey)
return getKerberosTGS(serverName, domain, domain, r, cipher, newSessionKey)

return r, cipher, sessionKey, newSessionKey
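Review bot: The recursive call now reaches the referred realm by resolving `domain` as a hostname, which silently discards the `kdcHost` the caller passed and fails outright when the realm name does not resolve (typical over a tunnel or a hosts-file-only setup); getKerberosTGS starts above the hunk, so where `spn` is parsed is not visible. Because `domain` is taken from `spn.components[1]`, the host contacted next is now chosen by a field of the previous reply — if `spn` is read from the cleartext ticket rather than the session-key-encrypted part, an on-path responder could steer the follow-up request to a host of its choosing, so that should be confirmed. The conventional discovery path is the realm's `_kerberos._tcp.<REALM>` SRV record with the bare realm name only as a fallback; until that exists the silent switch should at least be visible, e.g. `LOG.debug('Following cross-realm referral to %s, contacting %s' % (domain, domain))` with whatever logger this module uses. The TODO could also spell out the assumption it leaves behind: `# Assumes the referred realm name resolves to one of its KDCs; an explicit kdcHost is not carried across realms.`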
