diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py index 2f62ede8..a834a9e4 100644 --- a/nxc/protocols/ldap.py +++ b/nxc/protocols/ldap.py @@ -773,11 +773,9 @@ class ldap(connection): search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)" # default to these attributes to mirror the SMB --users functionality - default_attributes = ["sAMAccountName", "description", "pwdLastSet"] - request_attributes = default_attributes + self.args.ldap_attributes if self.args.ldap_attributes else default_attributes - self.logger.debug(f"{request_attributes=}") - + request_attributes = ["sAMAccountName", "description", "badPwdCount", "pwdLastSet"] resp = self.search(search_filter, request_attributes, sizeLimit=0) + if resp: # I think this was here for anonymous ldap bindings, so I kept it, but we might just want to remove it if self.username == "": @@ -791,16 +789,16 @@ class ldap(connection): users = parse_result_attributes(resp) # we print the total records after we parse the results since often SearchResultReferences are returned self.logger.display(f"Total records returned: {len(users):d}") - self.logger.highlight(f"{'Username':<30} {'Last PW Set':<20}\t{'Description':<60} " + " ".join(f"{a}" for a in self.args.ldap_attributes) if self.args.ldap_attributes else "") + self.logger.highlight(f"{'-Username-':<30}{'-Last PW Set-':<20}{'-BadPW-':<8}{'-Description-':<60}") for user in users: - self.logger.debug(f"{user=}") - # we default attributes to blank strings if they don't exist in the dict + # TODO: functionize this - we do this calculation in a bunch of places, different, including in the `pso` module timestamp_seconds = int(user.get("pwdLastSet", "")) / 10**7 start_date = datetime(1601, 1, 1) parsed_pw_last_set = (start_date + timedelta(seconds=timestamp_seconds)).replace(microsecond=0).strftime("%Y-%m-%d %H:%M:%S") if parsed_pw_last_set == "1601-01-01 00:00:00": parsed_pw_last_set = "" - self.logger.highlight(f"{user.get('sAMAccountName', ''):<30} {parsed_pw_last_set:<20}\t{user.get('description', ''):<60} " + " ".join(f"{user.get(a, '')}" for a in self.args.ldap_attributes) if self.args.ldap_attributes else "") + # we default attributes to blank strings if they don't exist in the dict + self.logger.highlight(f"{user.get('sAMAccountName', ''):<30}{parsed_pw_last_set:<20}{user.get('badPwdCount', ''):<8}{user.get('description', ''):<60}") def groups(self): # Building the search filter search_filter = "(objectCategory=group)" diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py index 07af8697..6125ebb9 100644 --- a/nxc/protocols/ldap/proto_args.py +++ b/nxc/protocols/ldap/proto_args.py @@ -25,7 +25,6 @@ def proto_args(parser, std_parser, module_parser): vgroup.add_argument("--dc-list", action="store_true", help="Enumerate Domain Controllers") vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid") vgroup.add_argument("--active-users", action="store_true", help="Get Active Domain Users Accounts") - vgroup.add_argument("--ldap-attributes", nargs="+", help="Additional attributes to search for (appends to default list)") ggroup = ldap_parser.add_argument_group("Retrevie gmsa on the remote DC", "Options to play with gmsa") ggroup.add_argument("--gmsa", action="store_true", help="Enumerate GMSA passwords")