Merge pull request #65 from sebrink/main

2024-03-18 19:25:06 +01:00 · 2024-03-18 19:25:06 +01:00 · b62c315440
parent 5d777547ed dff88cb345
commit b62c315440
4 changed files with 108 additions and 72 deletions
--- a/nxc/modules/pso.py
+++ b/nxc/modules/pso.py
@ -1,92 +1,111 @@
+from dateutil.relativedelta import relativedelta as rd
 from impacket.ldap import ldapasn1 as ldapasn1_impacket
-from impacket.ldap import ldap as ldap_impacket
-from math import fabs


 class NXCModule:
    """
-    Created by fplazar and wanetty
-    Module by @gm_eduard and @ferranplaza
-    Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py
-    """
+    Initial FGPP/PSO script written by @n00py: https://github.com/n00py/GetFGPP

+    Module by @_sandw1ch
+    """
    name = "pso"
-    description = "Query to get PSO from LDAP"
+    description = "Module to get the Fine Grained Password Policy/PSOs"
    supported_protocols = ["ldap"]
    opsec_safe = True
-    multiple_hosts = True
+    multiple_hosts = False

-    pso_fields = [
-        "cn",
-        "msDS-PasswordReversibleEncryptionEnabled",
-        "msDS-PasswordSettingsPrecedence",
-        "msDS-MinimumPasswordLength",
-        "msDS-PasswordHistoryLength",
-        "msDS-PasswordComplexityEnabled",
-        "msDS-LockoutObservationWindow",
-        "msDS-LockoutDuration",
-        "msDS-LockoutThreshold",
-        "msDS-MinimumPasswordAge",
-        "msDS-MaximumPasswordAge",
-        "msDS-PSOAppliesTo",
-    ]
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options

    def options(self, context, module_options):
        """No options available."""

-    def convert_time_field(self, field, value):
-        time_fields = {"msDS-LockoutObservationWindow": (60, "mins"), "msDS-MinimumPasswordAge": (86400, "days"), "msDS-MaximumPasswordAge": (86400, "days"), "msDS-LockoutDuration": (60, "mins")}
-
-        if field in time_fields:
-            value = f"{int(fabs(float(value)) / (10000000 * time_fields[field][0]))} {time_fields[field][1]}"
-
-        return value
-
    def on_login(self, context, connection):
-        """Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection"""
-        # Building the search filter
-        search_filter = "(objectClass=msDS-PasswordSettings)"
+        # Are there even any FGPPs?
+        context.log.success("Attempting to enumerate policies...")
+        resp = connection.ldapConnection.search(searchBase=f"CN=Password Settings Container,CN=System,{''.join([f'DC={dc},' for dc in connection.domain.split('.')]).rstrip(',')}", searchFilter="(objectclass=*)")
+        if len(resp) > 1:
+            context.log.highlight(f"{len(resp) - 1} PSO Objects found!")
+            context.log.highlight("")
+            context.log.success("Attempting to enumerate objects with an applied policy...")

-        try:
-            context.log.debug(f"Search Filter={search_filter}")
-            resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=self.pso_fields, sizeLimit=0)
-        except ldap_impacket.LDAPSearchError as e:
-            if e.getErrorString().find("sizeLimitExceeded") >= 0:
-                context.log.debug("sizeLimitExceeded exception caught, giving up and processing the data received")
-                # We reached the sizeLimit, process the answers we have already and that's it. Until we implement
-                # paged queries
-                resp = e.getAnswers()
-            else:
-                context.log.debug(e)
-                return False
-
-        pso_list = []
-
-        context.log.debug(f"Total of records returned {len(resp)}")
-        for item in resp:
-            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
+        # Who do they apply to?
+        resp = connection.search(searchFilter="(objectclass=*)", attributes=["DistinguishedName", "msDS-PSOApplied"])
+        for attrs in resp:
+            if isinstance(attrs, ldapasn1_impacket.SearchResultEntry) is not True:
                continue
+            for attr in attrs["attributes"]:
+                if str(attr["type"]) in "msDS-PSOApplied":
+                    context.log.highlight(f"Object: {attrs['objectName']}")
+                    context.log.highlight("Applied Policy: ")
+                    for value in attr["vals"]:
+                        context.log.highlight(f"\t{value}")
+                    context.log.highlight("")

-            pso_info = {}
+        # Let"s find out even more details!
+        context.log.success("Attempting to enumerate details...\n")
+        resp = connection.search(searchFilter="(objectclass=msDS-PasswordSettings)",
+                                 attributes=["name", "msds-lockoutthreshold", "msds-psoappliesto", "msds-minimumpasswordlength",
+                                             "msds-passwordhistorylength", "msds-lockoutobservationwindow", "msds-lockoutduration",
+                                             "msds-passwordsettingsprecedence", "msds-passwordcomplexityenabled", "Description",
+                                             "msds-passwordreversibleencryptionenabled", "msds-minimumpasswordage", "msds-maximumpasswordage"])
+        for attrs in resp:
+            if not isinstance(attrs, ldapasn1_impacket.SearchResultEntry):
+                continue
+            policyName, description, passwordLength, passwordhistorylength, lockoutThreshold, obersationWindow, lockoutDuration, complexity, minPassAge, maxPassAge, reverseibleEncryption, precedence, policyApplies = ("",) * 13
+            for attr in attrs["attributes"]:
+                if str(attr["type"]) == "name":
+                    policyName = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-LockoutThreshold":
+                    lockoutThreshold = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-MinimumPasswordLength":
+                    passwordLength = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-PasswordHistoryLength":
+                    passwordhistorylength = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-LockoutObservationWindow":
+                    observationWindow = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-LockoutDuration":
+                    lockoutDuration = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-PasswordSettingsPrecedence":
+                    precedence = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-PasswordComplexityEnabled":
+                    complexity = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-PasswordReversibleEncryptionEnabled":
+                    reverseibleEncryption = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-MinimumPasswordAge":
+                    minPassAge = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-MaximumPasswordAge":
+                    maxPassAge = attr["vals"][0]
+                elif str(attr["type"]) == "description":
+                    description = attr["vals"][0]
+                elif str(attr["type"]) == "msDS-PSOAppliesTo":
+                    policyApplies = ""
+                    for value in attr["vals"]:
+                        policyApplies += f"{value};"
+            context.log.highlight(f"Policy Name: {policyName}")
+            if description:
+                context.log.highlight(f"Description: {description}")
+            context.log.highlight(f"Minimum Password Length: {passwordLength}")
+            context.log.highlight(f"Minimum Password History Length: {passwordhistorylength}")
+            context.log.highlight(f"Lockout Threshold: {lockoutThreshold}")
+            context.log.highlight(f"Observation Window: {mins(observationWindow)}")
+            context.log.highlight(f"Lockout Duration: {mins(lockoutDuration)}")
+            context.log.highlight(f"Complexity Enabled: {complexity}")
+            context.log.highlight(f"Minimum Password Age: {days(minPassAge)}")
+            context.log.highlight(f"Maximum Password Age: {days(maxPassAge)}")
+            context.log.highlight(f"Reversible Encryption: {reverseibleEncryption}")
+            context.log.highlight(f"Precedence: {precedence} (Lower is Higher Priority)")
+            context.log.highlight("Policy Applies to:")
+            for value in str(policyApplies)[:-1].split(";"):
+                if value:
+                    context.log.highlight(f"\t{value}")
+            context.log.highlight("")

-            try:
-                for attribute in item["attributes"]:
-                    attr_name = str(attribute["type"])
-                    if attr_name in self.pso_fields:
-                        pso_info[attr_name] = attribute["vals"][0]._value.decode("utf-8")

-                pso_list.append(pso_info)
+def days(ldap_time):
+    return f"{rd(seconds=int(abs(int(ldap_time)) / 10000000)).days} days"

-            except Exception as e:
-                context.log.debug("Exception:", exc_info=True)
-                context.log.debug(f"Skipping item, cannot process due to error {e}")
-        if len(pso_list) > 0:
-            context.log.success("Password Settings Objects (PSO) found:")
-            for pso in pso_list:
-                for field in self.pso_fields:
-                    if field in pso:
-                        value = self.convert_time_field(field, pso[field])
-                        context.log.highlight(f"{field}: {value}")
-                context.log.highlight("-----")
-        else:
-            context.log.info("No Password Settings Objects (PSO) found.")
+
+def mins(ldap_time):
+    return f"{rd(seconds=int(abs(int(ldap_time)) / 10000000)).minutes} minutes"
--- a/poetry.lock
+++ b/poetry.lock
@ -1826,6 +1826,20 @@ tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""}
 [package.extras]
 testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"]

+[[package]]
+name = "python-dateutil"
+version = "2.9.0.post0"
+description = "Extensions to the standard Python datetime module"
+optional = false
+python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
+files = [
+    {file = "python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3"},
+    {file = "python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"},
+]
+
+[package.dependencies]
+six = ">=1.5"
+
 [[package]]
 name = "python-libnmap"
 version = "0.7.3"
@ -2293,4 +2307,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.8.0"
-content-hash = "19dfeaa2fa332997fb149a591b147061c8da77e2f69b8734d7f988562231a4e7"
+content-hash = "0bbd6a14b3478776b71e58b674942a5053c24fd2f802cc45ccd968f205a80167"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -63,6 +63,7 @@ rich = "^13.3.5"
 python-libnmap = "^0.7.3"
 oscrypto = { git = "https://github.com/Pennyw0rth/oscrypto" } # Pypi version currently broken, see: https://github.com/wbond/oscrypto/issues/78 (as of 9/23)
 argcomplete = "^3.1.4"
+python-dateutil = ">=2.8.2"

 [tool.poetry.group.dev.dependencies]
 flake8 = "*"
--- a/tests/e2e_commands.txt
+++ b/tests/e2e_commands.txt
@ -183,6 +183,8 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M user-de
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M user-desc --options
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M whoami
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M whoami --options
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M pso
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M pso --options
 ##### WINRM
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X whoami