From 5ca86fc1d79705307080f660f79e0842606883b1 Mon Sep 17 00:00:00 2001
From: termanix <50464194+termanix@users.noreply.github.com>
Date: Tue, 28 Nov 2023 13:40:57 +0300
Subject: [PATCH 1/2] Add New Ldap Flag Listing Active Domain Users
---
 nxc/protocols/ldap.py | 28 ++++++++++++++++++++++++++++
 nxc/protocols/ldap/proto_args.py | 1 +
 2 files changed, 29 insertions(+)
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
index ebc04e62..3d3e6038 100644
--- a/nxc/protocols/ldap.py
+++ b/nxc/protocols/ldap.py
@@ -831,6 +831,34 @@ class ldap(connection):
 self.logger.fail("Exception:", exc_info=True)
 self.logger.fail(f"Skipping item, cannot process due to error {e}")
+ def active_users(self):
+ # Building the search filter
+ search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)"
+ attributes = ["sAMAccountName","userAccountControl"]
+
+ resp = self.search(search_filter, attributes, sizeLimit=0)
+ if resp:
+ for item in resp:
+ if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
+ continue
+ sAMAccountName = ""
+ userAccountControl = ""
+ try:
+ if self.username == "":
+ self.logger.highlight(f"{item['objectName']}")
+ else:
+ for attribute in item["attributes"]:
+ if str(attribute["type"]) == "sAMAccountName":
+ sAMAccountName = str(attribute["vals"][0])
+ elif str(attribute["type"]) == "userAccountControl":
+ userAccountControl = int(attribute["vals"][0])
+ account_disabled = userAccountControl & 2
+ if not account_disabled:
+ self.logger.highlight(f"{sAMAccountName}")
+ except Exception as e:
+ self.logger.debug(f"Skipping item, cannot process due to error {e}")
+ return
+
 def asreproast(self):
 if self.password == "" and self.nthash == "" and self.kerberos is False:
 return False
diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py
index 0feacec3..ff5866e0 100644
--- a/nxc/protocols/ldap/proto_args.py
+++ b/nxc/protocols/ldap/proto_args.py
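Review bot: In `active_users`, `userAccountControl` is initialised to `""` and `account_disabled` is derived from it with `& 2`, so an entry returned without that attribute is not handled deliberately: depending on the indentation (not recoverable on this page) it either raises on `"" & 2` or reuses `account_disabled` from the previous entry, and the `except Exception` only logs at debug level. Reset the state per entry with `account_disabled = None` next to `sAMAccountName = ""`, and treat `None` as unknown with an explicit log line rather than printing or dropping the account silently. The literals `805306368` and `2` deserve names or a comment, e.g. `UF_ACCOUNTDISABLE = 0x2  # userAccountControl: account disabled`. With an empty username the method prints every `objectName` matched by `(objectclass=*)` with no enabled/disabled test, which does not match the `--active-users` help text; a docstring should say so.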
@@ -24,6 +24,7 @@ def proto_args(parser, std_parser, module_parser):
 vgroup.add_argument("--groups", action="store_true", help="Enumerate domain groups")
 vgroup.add_argument("--dc-list", action="store_true", help="Enumerate Domain Controllers")
 vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid")
+ vgroup.add_argument("--active-users", action="store_true", help="Get Active Domain Users Accounts")
 ggroup = ldap_parser.add_argument_group("Retrevie gmsa on the remote DC", "Options to play with gmsa")
 ggroup.add_argument("--gmsa", action="store_true", help="Enumerate GMSA passwords")
From d29bb7cf189eba70d1613845caaaa3c340293ebc Mon Sep 17 00:00:00 2001
From: termanix <50464194+termanix@users.noreply.github.com>
Date: Tue, 28 Nov 2023 19:00:44 +0300
Subject: [PATCH 2/2] Update ldap.py Try to fix Ruff error
Signed-off-by: termanix <50464194+termanix@users.noreply.github.com>
---
 nxc/protocols/ldap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
index 3d3e6038..7766f87d 100644
--- a/nxc/protocols/ldap.py
+++ b/nxc/protocols/ldap.py
@@ -834,7 +834,7 @@ class ldap(connection):
 def active_users(self):
 # Building the search filter
 search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)"
- attributes = ["sAMAccountName","userAccountControl"]
+ attributes = ["sAMAccountName", "userAccountControl"]
 resp = self.search(search_filter, attributes, sizeLimit=0)
 if resp: