Update laps.py to work with the new Windows LAPS (#16)

2023-07-03 11:00:43 +02:00 · 2023-07-03 11:00:43 +02:00 · e1345d4b1e
parent 575c9a5c68
commit e1345d4b1e
1 changed files with 25 additions and 11 deletions
--- a/cme/modules/laps.py
+++ b/cme/modules/laps.py
@ -3,7 +3,7 @@
 import json

 from impacket.ldap import ldapasn1 as ldapasn1_impacket
-
+from cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract

 class CMEModule:
    """
@ -49,21 +49,35 @@ class CMEModule:
            for computer in results:
                msMCSAdmPwd = ""
                sAMAccountName = ""
-                values = {str(attr["type"]).lower(): str(attr["vals"][0]) for attr in computer["attributes"]}
+                values = {str(attr["type"]).lower(): attr["vals"][0] for attr in computer["attributes"]}
                if "mslaps-encryptedpassword" in values:
-                    context.log.fail("LAPS password is encrypted and currently CrackMapExec doesn't" " support the decryption...")
-
-                    return
+                    msMCSAdmPwd = values["mslaps-encryptedpassword"]
+                    d = LAPSv2Extract(
+                        bytes(msMCSAdmPwd),
+                        connection.username if connection.username else "",
+                        connection.password if connection.password else "",
+                        connection.domain,
+                        connection.nthash if connection.nthash else "",
+                        connection.kerberos,
+                        connection.kdcHost,
+                        339)
+                    try:
+                        data = d.run()
+                    except Exception as e:
+                        self.logger.fail(str(e))
+                        return
+                    r = json.loads(data)
+                    laps_computers.append((str(values["samaccountname"]), r["n"], str(r["p"])))
                elif "mslaps-password" in values:
-                    r = json.loads(values["mslaps-password"])
-                    laps_computers.append((values["samaccountname"], r["n"], r["p"]))
+                    r = json.loads(str(values["mslaps-password"]))
+                    laps_computers.append((str(values["samaccountname"]), r["n"], str(r["p"])))
                elif "ms-mcs-admpwd" in values:
-                    laps_computers.append((values["samaccountname"], "", values["ms-mcs-admpwd"]))
+                    laps_computers.append((str(values["samaccountname"]), "", str(values["ms-mcs-admpwd"])))
                else:
-                    context.log.fail("No result found with attribute ms-MCS-AdmPwd or" " msLAPS-Password")
+                    context.log.fail("No result found with attribute ms-MCS-AdmPwd or msLAPS-Password")

            laps_computers = sorted(laps_computers, key=lambda x: x[0])
-            for sAMAccountName, user, msMCSAdmPwd in laps_computers:
-                context.log.highlight("Computer: {:<20} User: {:<15} Password: {}".format(sAMAccountName, user, msMCSAdmPwd))
+            for sAMAccountName, user, password in laps_computers:
+                context.log.highlight("Computer:{} User:{:<15} Password:{}".format(sAMAccountName, user, password))
        else:
            context.log.fail("No result found with attribute ms-MCS-AdmPwd or msLAPS-Password !")