2023-09-17 20:20:40 +00:00
|
|
|
class NXCModule:
|
2023-04-07 16:40:48 +00:00
|
|
|
"""
|
2023-05-02 15:17:59 +00:00
|
|
|
Basic enumeration of provided user information and privileges
|
|
|
|
|
Module by spyr0 (@spyr0-sec)
|
2023-04-07 16:40:48 +00:00
|
|
|
"""
|
2023-05-02 15:17:59 +00:00
|
|
|
|
|
|
|
|
name = "whoami"
|
|
|
|
|
description = "Get details of provided user"
|
|
|
|
|
supported_protocols = ["ldap"]
|
|
|
|
|
opsec_safe = True # Does the module touch disk?
|
2023-05-08 18:39:36 +00:00
|
|
|
multiple_hosts = True # Does it make sense to run this module on multiple hosts at a time?
|
2022-08-08 15:47:57 +00:00
|
|
|
|
|
|
|
|
def options(self, context, module_options):
|
2023-10-12 19:13:16 +00:00
|
|
|
"""USER Enumerate information about a different SamAccountName"""
|
2022-08-11 09:54:05 +00:00
|
|
|
self.username = None
|
2023-05-02 15:17:59 +00:00
|
|
|
if "USER" in module_options:
|
|
|
|
|
self.username = module_options["USER"]
|
2022-08-08 15:47:57 +00:00
|
|
|
|
|
|
|
|
def on_login(self, context, connection):
|
2023-05-02 15:17:59 +00:00
|
|
|
searchBase = connection.ldapConnection._baseDN
|
2023-10-14 19:56:22 +00:00
|
|
|
searchFilter = f"(sAMAccountName={connection.username})" if self.username is None else f"(sAMAccountName={format(self.username)})"
|
2022-08-08 15:47:57 +00:00
|
|
|
|
2023-05-08 18:39:36 +00:00
|
|
|
context.log.debug(f"Using naming context: {searchBase} and {searchFilter} as search filter")
|
2022-08-11 11:10:19 +00:00
|
|
|
|
2023-05-02 15:17:59 +00:00
|
|
|
# Get attributes of provided user
|
|
|
|
|
r = connection.ldapConnection.search(
|
|
|
|
|
searchBase=searchBase,
|
|
|
|
|
searchFilter=searchFilter,
|
|
|
|
|
attributes=[
|
|
|
|
|
"name",
|
|
|
|
|
"sAmAccountName",
|
|
|
|
|
"description",
|
|
|
|
|
"distinguishedName",
|
|
|
|
|
"pwdLastSet",
|
|
|
|
|
"logonCount",
|
|
|
|
|
"lastLogon",
|
|
|
|
|
"userAccountControl",
|
|
|
|
|
"servicePrincipalName",
|
|
|
|
|
"memberOf",
|
|
|
|
|
],
|
|
|
|
|
sizeLimit=999,
|
|
|
|
|
)
|
|
|
|
|
for response in r[0]["attributes"]:
|
|
|
|
|
if "userAccountControl" in str(response["type"]):
|
|
|
|
|
if str(response["vals"][0]) == "512":
|
2023-09-20 15:59:16 +00:00
|
|
|
context.log.highlight("Enabled: Yes")
|
|
|
|
|
context.log.highlight("Password Never Expires: No")
|
2023-05-02 15:17:59 +00:00
|
|
|
elif str(response["vals"][0]) == "514":
|
2023-09-20 15:59:16 +00:00
|
|
|
context.log.highlight("Enabled: No")
|
|
|
|
|
context.log.highlight("Password Never Expires: No")
|
2023-05-02 15:17:59 +00:00
|
|
|
elif str(response["vals"][0]) == "66048":
|
2023-09-20 15:59:16 +00:00
|
|
|
context.log.highlight("Enabled: Yes")
|
|
|
|
|
context.log.highlight("Password Never Expires: Yes")
|
2023-05-02 15:17:59 +00:00
|
|
|
elif str(response["vals"][0]) == "66050":
|
2023-09-20 15:59:16 +00:00
|
|
|
context.log.highlight("Enabled: No")
|
|
|
|
|
context.log.highlight("Password Never Expires: Yes")
|
2023-05-02 15:17:59 +00:00
|
|
|
elif "lastLogon" in str(response["type"]):
|
|
|
|
|
if str(response["vals"][0]) == "1601":
|
2023-09-20 15:59:16 +00:00
|
|
|
context.log.highlight("Last logon: Never")
|
2022-09-08 19:04:04 +00:00
|
|
|
else:
|
2023-05-02 15:17:59 +00:00
|
|
|
context.log.highlight(f"Last logon: {response['vals'][0]}")
|
|
|
|
|
elif "memberOf" in str(response["type"]):
|
|
|
|
|
for group in response["vals"]:
|
|
|
|
|
context.log.highlight(f"Member of: {group}")
|
|
|
|
|
elif "servicePrincipalName" in str(response["type"]):
|
2023-09-20 15:59:16 +00:00
|
|
|
context.log.highlight("Service Account Name(s) found - Potentially Kerberoastable user!")
|
2023-05-02 15:17:59 +00:00
|
|
|
for spn in response["vals"]:
|
|
|
|
|
context.log.highlight(f"Service Account Name: {spn}")
|
|
|
|
|
else:
|
|
|
|
|
context.log.highlight(response["type"] + ": " + response["vals"][0])
|
