diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
index ebc04e62..7766f87d 100644
--- a/nxc/protocols/ldap.py
+++ b/nxc/protocols/ldap.py
@@ -831,6 +831,34 @@ class ldap(connection):
 self.logger.fail("Exception:", exc_info=True)
 self.logger.fail(f"Skipping item, cannot process due to error {e}")
+ def active_users(self):
+ # Building the search filter
+ search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)"
+ attributes = ["sAMAccountName", "userAccountControl"]
+
+ resp = self.search(search_filter, attributes, sizeLimit=0)
+ if resp:
+ for item in resp:
+ if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
+ continue
+ sAMAccountName = ""
+ userAccountControl = ""
+ try:
+ if self.username == "":
+ self.logger.highlight(f"{item['objectName']}")
+ else:
+ for attribute in item["attributes"]:
+ if str(attribute["type"]) == "sAMAccountName":
+ sAMAccountName = str(attribute["vals"][0])
+ elif str(attribute["type"]) == "userAccountControl":
+ userAccountControl = int(attribute["vals"][0])
+ account_disabled = userAccountControl & 2
+ if not account_disabled:
+ self.logger.highlight(f"{sAMAccountName}")
+ except Exception as e:
+ self.logger.debug(f"Skipping item, cannot process due to error {e}")
+ return
+
 def asreproast(self):
 if self.password == "" and self.nthash == "" and self.kerberos is False:
 return False
diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py
index 0feacec3..ff5866e0 100644
--- a/nxc/protocols/ldap/proto_args.py
+++ b/nxc/protocols/ldap/proto_args.py
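Review bot: In `active_users`, an entry returned without a `userAccountControl` attribute disappears from the output with only a debug-level message. The per-item default is `""`, so `userAccountControl & 2` raises a TypeError that the broad `except Exception` swallows. Indentation is lost on this page, so it is unclear whether `account_disabled` is computed inside the `elif` or after the loop; if inside, it is never reset per item and the previous entry's value would be reused. Initialise `userAccountControl = None` for each item and handle the missing case explicitly, e.g. `if userAccountControl is None: self.logger.fail(f"No userAccountControl returned for {sAMAccountName}")`, so an incomplete listing is visible at normal verbosity. The literals `805306368` and `2` would also read better as named constants (the normal-user `sAMAccountType` and `UF_ACCOUNTDISABLE`), replacing the current "Building the search filter" comment, which explains neither.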
@@ -24,6 +24,7 @@ def proto_args(parser, std_parser, module_parser):
 vgroup.add_argument("--groups", action="store_true", help="Enumerate domain groups")
 vgroup.add_argument("--dc-list", action="store_true", help="Enumerate Domain Controllers")
 vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid")
+ vgroup.add_argument("--active-users", action="store_true", help="Get Active Domain Users Accounts")
 ggroup = ldap_parser.add_argument_group("Retrevie gmsa on the remote DC", "Options to play with gmsa")
 ggroup.add_argument("--gmsa", action="store_true", help="Enumerate GMSA passwords")
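Review bot: The help string `"Get Active Domain Users Accounts"` on the new `--active-users` argument says more than the handler in nxc/protocols/ldap.py does. There, "active" means only that the `2` flag of `userAccountControl` is clear, and nothing in that hunk checks lockout or expiry. With an empty username the method prints every `objectName` without even that check. A wording such as `help="Enumerate enabled domain user accounts (ACCOUNTDISABLE flag not set)"` would match the casing of the neighbouring entries and tell the reader what the list actually represents. `proto_args` continues outside the hunk, so the dispatch of this flag is not visible here.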