NetExec/nxc/modules/pso.py

#!/usr/bin/env python3

from impacket.ldap import ldapasn1 as ldapasn1_impacket
from impacket.ldap import ldap as ldap_impacket
from math import fabs


class NXCModule:
    """
    Created by fplazar and wanetty
    Module by @gm_eduard and @ferranplaza
    Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py
    """

    name = "pso"
    description = "Query to get PSO from LDAP"
    supported_protocols = ["ldap"]
    opsec_safe = True
    multiple_hosts = True

    pso_fields = [
        "cn",
        "msDS-PasswordReversibleEncryptionEnabled",
        "msDS-PasswordSettingsPrecedence",
        "msDS-MinimumPasswordLength",
        "msDS-PasswordHistoryLength",
        "msDS-PasswordComplexityEnabled",
        "msDS-LockoutObservationWindow",
        "msDS-LockoutDuration",
        "msDS-LockoutThreshold",
        "msDS-MinimumPasswordAge",
        "msDS-MaximumPasswordAge",
        "msDS-PSOAppliesTo",
    ]

    def options(self, context, module_options):
        """No options available."""
        pass

    def convert_time_field(self, field, value):
        time_fields = {"msDS-LockoutObservationWindow": (60, "mins"), "msDS-MinimumPasswordAge": (86400, "days"), "msDS-MaximumPasswordAge": (86400, "days"), "msDS-LockoutDuration": (60, "mins")}

        if field in time_fields.keys():
            value = f"{int((fabs(float(value)) / (10000000 * time_fields[field][0])))} {time_fields[field][1]}"

        return value

    def on_login(self, context, connection):
        """Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection"""
        # Building the search filter
        search_filter = "(objectClass=msDS-PasswordSettings)"

        try:
            context.log.debug(f"Search Filter={search_filter}")
            resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=self.pso_fields, sizeLimit=0)
        except ldap_impacket.LDAPSearchError as e:
            if e.getErrorString().find("sizeLimitExceeded") >= 0:
                context.log.debug("sizeLimitExceeded exception caught, giving up and processing the data received")
                # We reached the sizeLimit, process the answers we have already and that's it. Until we implement
                # paged queries
                resp = e.getAnswers()
                pass
            else:
                context.log.debug(e)
                return False

        pso_list = []

        context.log.debug(f"Total of records returned {len(resp)}")
        for item in resp:
            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
                continue

            pso_info = {}

            try:
                for attribute in item["attributes"]:
                    attr_name = str(attribute["type"])
                    if attr_name in self.pso_fields:
                        pso_info[attr_name] = attribute["vals"][0]._value.decode("utf-8")

                pso_list.append(pso_info)

            except Exception as e:
                context.log.debug("Exception:", exc_info=True)
                context.log.debug(f"Skipping item, cannot process due to error {e}")
                pass
        if len(pso_list) > 0:
            context.log.success("Password Settings Objects (PSO) found:")
            for pso in pso_list:
                for field in self.pso_fields:
                    if field in pso:
                        value = self.convert_time_field(field, pso[field])
                        context.log.highlight(f"{field}: {value}")
                context.log.highlight("-----")

        else:
            context.log.info("No Password Settings Objects (PSO) found.")
Add new module PSO 2023-06-27 12:23:43 +00:00			`#!/usr/bin/env python3`

			`from impacket.ldap import ldapasn1 as ldapasn1_impacket`
			`from impacket.ldap import ldap as ldap_impacket`
			`from math import fabs`


Rename Module Classname to match python convention 2023-09-17 20:20:40 +00:00			`class NXCModule:`
more cleanup 2023-09-22 03:42:54 +00:00			`"""`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`Created by fplazar and wanetty`
			`Module by @gm_eduard and @ferranplaza`
			`Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py`
more cleanup 2023-09-22 03:42:54 +00:00			`"""`
Add new module PSO 2023-06-27 12:23:43 +00:00
more cleanup 2023-09-22 03:42:54 +00:00			`name = "pso"`
Add new module PSO 2023-06-27 12:23:43 +00:00			`description = "Query to get PSO from LDAP"`
more cleanup 2023-09-22 03:42:54 +00:00			`supported_protocols = ["ldap"]`
Add new module PSO 2023-06-27 12:23:43 +00:00			`opsec_safe = True`
			`multiple_hosts = True`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00
Add new module PSO 2023-06-27 12:23:43 +00:00			`pso_fields = [`
			`"cn",`
			`"msDS-PasswordReversibleEncryptionEnabled",`
			`"msDS-PasswordSettingsPrecedence",`
			`"msDS-MinimumPasswordLength",`
			`"msDS-PasswordHistoryLength",`
			`"msDS-PasswordComplexityEnabled",`
			`"msDS-LockoutObservationWindow",`
			`"msDS-LockoutDuration",`
			`"msDS-LockoutThreshold",`
			`"msDS-MinimumPasswordAge",`
			`"msDS-MaximumPasswordAge",`
			`"msDS-PSOAppliesTo",`
			`]`

			`def options(self, context, module_options):`
ruff: fix pydocstyle via ruff 2023-10-12 19:13:16 +00:00			`"""No options available."""`
Add new module PSO 2023-06-27 12:23:43 +00:00			`pass`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00
Add new module PSO 2023-06-27 12:23:43 +00:00			`def convert_time_field(self, field, value):`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`time_fields = {"msDS-LockoutObservationWindow": (60, "mins"), "msDS-MinimumPasswordAge": (86400, "days"), "msDS-MaximumPasswordAge": (86400, "days"), "msDS-LockoutDuration": (60, "mins")}`
Add new module PSO 2023-06-27 12:23:43 +00:00
			`if field in time_fields.keys():`
			`value = f"{int((fabs(float(value)) / (10000000 * time_fields[field][0])))} {time_fields[field][1]}"`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00
Add new module PSO 2023-06-27 12:23:43 +00:00			`return value`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00
Add new module PSO 2023-06-27 12:23:43 +00:00			`def on_login(self, context, connection):`
more cleanup 2023-09-22 03:42:54 +00:00			`"""Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection"""`
Add new module PSO 2023-06-27 12:23:43 +00:00			`# Building the search filter`
more cleanup 2023-09-22 03:42:54 +00:00			`search_filter = "(objectClass=msDS-PasswordSettings)"`
Add new module PSO 2023-06-27 12:23:43 +00:00
			`try:`
more cleanup 2023-09-22 03:42:54 +00:00			`context.log.debug(f"Search Filter={search_filter}")`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=self.pso_fields, sizeLimit=0)`
Add new module PSO 2023-06-27 12:23:43 +00:00			`except ldap_impacket.LDAPSearchError as e:`
more cleanup 2023-09-22 03:42:54 +00:00			`if e.getErrorString().find("sizeLimitExceeded") >= 0:`
			`context.log.debug("sizeLimitExceeded exception caught, giving up and processing the data received")`
Add new module PSO 2023-06-27 12:23:43 +00:00			`# We reached the sizeLimit, process the answers we have already and that's it. Until we implement`
			`# paged queries`
			`resp = e.getAnswers()`
			`pass`
			`else:`
more cleanup 2023-09-22 03:42:54 +00:00			`context.log.debug(e)`
Add new module PSO 2023-06-27 12:23:43 +00:00			`return False`

			`pso_list = []`

more cleanup 2023-09-22 03:42:54 +00:00			`context.log.debug(f"Total of records returned {len(resp)}")`
Add new module PSO 2023-06-27 12:23:43 +00:00			`for item in resp:`
			`if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:`
			`continue`

			`pso_info = {}`

			`try:`
more cleanup 2023-09-22 03:42:54 +00:00			`for attribute in item["attributes"]:`
			`attr_name = str(attribute["type"])`
Add new module PSO 2023-06-27 12:23:43 +00:00			`if attr_name in self.pso_fields:`
more cleanup 2023-09-22 03:42:54 +00:00			`pso_info[attr_name] = attribute["vals"][0]._value.decode("utf-8")`
Add new module PSO 2023-06-27 12:23:43 +00:00
			`pso_list.append(pso_info)`

			`except Exception as e:`
			`context.log.debug("Exception:", exc_info=True)`
more cleanup 2023-09-22 03:42:54 +00:00			`context.log.debug(f"Skipping item, cannot process due to error {e}")`
Add new module PSO 2023-06-27 12:23:43 +00:00			`pass`
			`if len(pso_list) > 0:`
more cleanup 2023-09-22 03:42:54 +00:00			`context.log.success("Password Settings Objects (PSO) found:")`
Add new module PSO 2023-06-27 12:23:43 +00:00			`for pso in pso_list:`
			`for field in self.pso_fields:`
			`if field in pso:`
			`value = self.convert_time_field(field, pso[field])`
more cleanup 2023-09-22 03:42:54 +00:00			`context.log.highlight(f"{field}: {value}")`
			`context.log.highlight("-----")`
Add new module PSO 2023-06-27 12:23:43 +00:00
			`else:`
more cleanup 2023-09-22 03:42:54 +00:00			`context.log.info("No Password Settings Objects (PSO) found.")`