Merge pull request #63 from termanix/Add-New-Flag

Add New ldap Flag --dc-list
2023-08-29 21:57:49 +02:00 · 2023-08-29 21:57:49 +02:00 · f7db13608f
parent cb423d9f0e 63749ea29b
commit f7db13608f
2 changed files with 26 additions and 0 deletions
--- a/cme/protocols/ldap.py
+++ b/cme/protocols/ldap.py
@ -5,6 +5,7 @@
 import hashlib
 import hmac
 import os
+import socket
 from binascii import hexlify
 from datetime import datetime
 from re import sub, I
@ -822,6 +823,30 @@ class ldap(connection):
                    self.logger.debug(f"Skipping item, cannot process due to error {e}")
                    pass
            return
+    
+    def dc_list(self):
+        
+        # Building the search filter
+        search_filter = "(&(objectCategory=computer)(primaryGroupId=516))"
+        attributes = ["dNSHostName"]
+        resp = self.search(search_filter, attributes, 0)
+        for item in resp:              
+            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
+                continue
+            name = ""
+            try:           	    
+            	for attribute in item["attributes"]:     
+            	    if str(attribute["type"]) == "dNSHostName":
+            	        name = str(attribute["vals"][0])
+            	try:
+            	    ip_address = socket.gethostbyname(name.split(".")[0])
+            	    if ip_address != True and name != "":
+            	        self.logger.highlight(f"{name} =", ip_address) 	    
+            	except socket.gaierror:
+            	    self.logger.fail(f"{name} = Connection timeout")
+            except Exception as e:
+                self.logger.fail("Exception:", exc_info=True)
+                self.logger.fail(f"Skipping item, cannot process due to error {e}")

    def asreproast(self):
        if self.password == "" and self.nthash == "" and self.kerberos is False:
--- a/cme/protocols/ldap/proto_args.py
+++ b/cme/protocols/ldap/proto_args.py
@ -21,6 +21,7 @@ def proto_args(parser, std_parser, module_parser):
    vgroup.add_argument("--admin-count", action="store_true", help="Get objets that had the value adminCount=1")
    vgroup.add_argument("--users", action="store_true", help="Enumerate enabled domain users")
    vgroup.add_argument("--groups", action="store_true", help="Enumerate domain groups")
+    vgroup.add_argument("--dc-list", action="store_true", help="Enumerate Domain Controllers")
    vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid")

    ggroup = ldap_parser.add_argument_group("Retrevie gmsa on the remote DC", "Options to play with gmsa")