From baceb06afd5111e64b7f1535a26adc6b8d8d77c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julio=20Ure=C3=B1a?=
Date: Wed, 16 Nov 2022 16:06:43 -0400
Subject: [PATCH 1/4] Add - Retrieve username when using Kerberos Auth

This change allows the program to return the name of the user being authenticated when using Kerberos.

---
 cme/protocols/smb.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cme/protocols/smb.py b/cme/protocols/smb.py
index 036612d6..8c7d2924 100755
--- a/cme/protocols/smb.py
+++ b/cme/protocols/smb.py
@@ -357,7 +357,10 @@ class smb(connection):
 try:
 if not self.args.laps:
 self.password = password
- self.username = username
+ if username == '':
+ self.username = self.conn.getCredentials()[0]
+ else:
+ self.username = username
 #This checks to see if we didn't provide the LM Hash
 if ntlm_hash.find(':') != -1:
 lmhash, nthash = ntlm_hash.split(':')
From bd5a3fe91dc62b75a6600a743d29a6987b67e835 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julio=20Ure=C3=B1a?=
Date: Wed, 16 Nov 2022 16:15:30 -0400
Subject: [PATCH 2/4] Add - Retrieve username when using Kerberos Auth

This change allows the program to return the name of the user being authenticated when using Kerberos.

---
 cme/protocols/smb.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/cme/protocols/smb.py b/cme/protocols/smb.py
index 8c7d2924..ef13fa63 100755
--- a/cme/protocols/smb.py
+++ b/cme/protocols/smb.py
@@ -357,10 +357,7 @@ class smb(connection):
 try:
 if not self.args.laps:
 self.password = password
- if username == '':
- self.username = self.conn.getCredentials()[0]
- else:
- self.username = username
+ self.username = username
 #This checks to see if we didn't provide the LM Hash
 if ntlm_hash.find(':') != -1:
 lmhash, nthash = ntlm_hash.split(':')
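Review bot: `self.conn.getCredentials()[0]` is read here before `self.conn.kerberosLogin(...)` has run on this connection (the login call is below this hunk, outside it), so for an empty `username` the stored name is whatever the not-yet-authenticated connection reports, presumably empty. Patch 2/4 of this series reverts the hunk and moves the lookup after the login, so the two should be squashed rather than leaving a commit that mislabels the Kerberos user for anyone bisecting. Independently of placement, `if username == '':` does not cover `username` being `None`; `if not username:` handles both. The enclosing kerberos_login function starts and ends outside the hunk.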
@@ -372,6 +369,11 @@ class smb(connection): if nthash: self.nthash = nthash self.conn.kerberosLogin(username, password, domain, lmhash, nthash, aesKey, kdcHost, useCache=useCache) self.check_if_admin() + + if username == '': + self.username = self.conn.getCredentials()[0] + else: + self.username = username out = u'{}\\{}{} {}'.format(self.domain, self.username, From 4a12e437faea698d619aac1685678a6e22fae76a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julio=20Ure=C3=B1a?= Date: Wed, 16 Nov 2022 16:39:44 -0400 Subject: [PATCH 3/4] mssql - Retrieve username when using Kerberos Auth This change allows the program to return the name of the user being authenticated when using Kerberos with the protocol mssql. --- cme/protocols/mssql.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/cme/protocols/mssql.py b/cme/protocols/mssql.py index ace89ea3..bc0de329 100755 --- a/cme/protocols/mssql.py +++ b/cme/protocols/mssql.py @@ -12,6 +12,7 @@ from cme.helpers.bloodhound import add_user_bh from cme.helpers.powershell import create_ps_command from impacket import tds import configparser +from impacket.krb5.ccache import CCache from impacket.smbconnection import SMBConnection, SessionError from impacket.tds import SQLErrorException, TDS_LOGINACK_TOKEN, TDS_ERROR_TOKEN, TDS_ENVCHANGE_TOKEN, TDS_INFO_TOKEN, \ TDS_ENVCHANGE_VARCHAR, TDS_ENVCHANGE_DATABASE, TDS_ENVCHANGE_LANGUAGE, TDS_ENVCHANGE_CHARSET, TDS_ENVCHANGE_PACKETSIZE @@ -189,7 +190,13 @@ class mssql(connection): return False self.password = password - self.username = username + if username == '' and useCache: + ccache = CCache.loadFile(os.getenv('KRB5CCNAME')) + principal = ccache.principal.toPrincipal() + self.username = principal.components[0] + username = principal.components[0] + else: + self.username = username self.domain = domain self.check_if_admin() From 2c4be7b9e463bad257ca9fc2da4167736e5c1e31 Mon Sep 17 00:00:00 2001 
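Review bot: The `else: self.username = username` branch repeats the assignment this same patch restores earlier in the function (`self.username = username` above the hunk), so only the ccache branch is needed: `if not username: self.username = self.conn.getCredentials()[0]`, which also handles a `None` username that `== ''` misses. `self.check_if_admin()` still runs before `self.username` is corrected; if it, or the logging around it, reads `self.username`, it sees the empty command-line value — worth confirming. Only the username is taken from the connection while `out` prints `self.domain` from the command line, so a ccache whose realm differs from `-d` is displayed (and presumably recorded) under the wrong domain; `getCredentials()` also returns the domain impacket resolved at login, so taking both from it would keep them consistent. The enclosing kerberos_login function starts and ends outside the hunk.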
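Review bot: `CCache.loadFile(os.getenv('KRB5CCNAME'))` raises when `KRB5CCNAME` is unset (`open(None)` is a `TypeError`) or names a missing file, and whether that lands in a handler depends on code outside the hunk, so a Kerberos run that authenticated fine can now crash while computing a display name; the lookup should be guarded and fall back to the empty username. `os` is not added by this commit's import hunk, so confirm it is already imported in mssql.py. The ccache is parsed a second time here instead of reusing what impacket's `kerberosLogin` resolved, so the displayed user can diverge from the one actually authenticated if the two parsers treat `KRB5CCNAME` differently (e.g. a `FILE:` prefix) — I cannot see the login call to confirm. Also check whether `Principal.components[0]` is `str` or `bytes` in the impacket version in use; if bytes, `self.username` prints and is stored as `b'user'`, and `principal.realm` is discarded while `self.domain` keeps the command-line value. The enclosing login method starts and ends outside the hunk.
```python
        self.password = password
        if username == '' and useCache:
            ccache_path = os.getenv('KRB5CCNAME')
            try:
                ccache = CCache.loadFile(ccache_path)
            except (TypeError, OSError):
                # KRB5CCNAME unset or unreadable: keep the empty username rather than fail after a successful login
                ccache = None
            if ccache is not None:
                components = ccache.principal.toPrincipal().components
                if components:
                    username = components[0]
        self.username = username
        # … unchanged: self.domain = domain, self.check_if_admin() …
```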
From: =?UTF-8?q?Julio=20Ure=C3=B1a?= Date: Thu, 17 Nov 2022 09:27:01 -0400 Subject: [PATCH 4/4] Fix cmedb displayed credentials for mssql The columns were not in the correct order, which caused them to be displayed incorrectly. This change properly orders the way CMEDB displays credentials in the mssql protocol. --- cme/protocols/mssql/db_navigator.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cme/protocols/mssql/db_navigator.py b/cme/protocols/mssql/db_navigator.py index fb25e45b..ca2d6466 100644 --- a/cme/protocols/mssql/db_navigator.py +++ b/cme/protocols/mssql/db_navigator.py @@ -14,10 +14,10 @@ class navigator(DatabaseNavigator): for cred in creds: credID = cred[0] - domain = cred[1] - username = cred[2] - password = cred[3] - credtype = cred[4] + credtype = cred[1] + domain = cred[2] + username = cred[3] + password = cred[4] # pillaged_from = cred[5] links = self.db.get_admin_relations(userID=credID)
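Review bot: The corrected order is stated by position only, and nothing in the hunk records which table layout it mirrors, so the next schema change can silently reshuffle the credential display again; a comment on the `credID = cred[0]` line such as `# row layout follows the mssql users table: id, credtype, domain, username, password, pillaged_from` would pin it. Unpacking the row in one statement, `credID, credtype, domain, username, password = cred[:5]`, would additionally fail loudly if a row has fewer columns than expected instead of showing a password under the wrong header. The enclosing display method starts outside the hunk.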