From c4671a2c1720bc7af848839cd3f230d72465de70 Mon Sep 17 00:00:00 2001 From: Alexander Neff Date: Tue, 10 Dec 2024 18:27:12 -0500 Subject: [PATCH 1/2] Add base-dn options for ldap to fix stuff like #500 --- nxc/protocols/ldap.py | 2 ++ nxc/protocols/ldap/proto_args.py | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py index acc058460..082b34bf2 100644 --- a/nxc/protocols/ldap.py +++ b/nxc/protocols/ldap.py @@ -255,6 +255,7 @@ def get_ldap_username(self): def enum_host_info(self): self.target, self.targetDomain, self.baseDN = self.get_ldap_info(self.host) + self.baseDN = self.args.base_dn if self.args.base_dn else self.baseDN # Allow overwriting baseDN from args self.hostname = self.target self.remoteName = self.target self.domain = self.targetDomain @@ -697,6 +698,7 @@ def search(self, searchFilter, attributes, sizeLimit=0) -> list: # Microsoft Active Directory set an hard limit of 1000 entries returned by any search paged_search_control = ldapasn1_impacket.SimplePagedResultsControl(criticality=True, size=1000) return self.ldapConnection.search( + searchBase=self.baseDN, searchFilter=searchFilter, attributes=attributes, sizeLimit=sizeLimit, diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py index 47314a39c..5c74089f8 100644 --- a/nxc/protocols/ldap/proto_args.py +++ b/nxc/protocols/ldap/proto_args.py 
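Review bot: The `--base-dn` override on the added `self.baseDN =` line in `enum_host_info` leaves no trace of which DN is actually in effect, so a mistyped DN surfaces later only as an empty result set or an impacket search error that is hard to attribute to the option. I would log the effective value right after the assignment, `self.logger.debug(f"Using base DN: {self.baseDN}")`, and write the override as `self.baseDN = self.args.base_dn or self.baseDN`, which reads the same and matches the existing comment. Note that this form treats an empty `--base-dn ""` as "not set" and silently falls back to the discovered DN; that is probably intended but worth stating in the comment. `enum_host_info` continues past the end of the hunk.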
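Review bot: With `searchBase=self.baseDN` hard-wired into the `search()` wrapper, no caller can scope a query below the domain root (an OU, or another naming context such as the Configuration partition); the option only moves the global default, which is narrower than what a base-DN override is usually wanted for. I would expose it as an optional keyword on the signature shown in the hunk header, `def search(self, searchFilter, attributes, sizeLimit=0, searchBase=None) -> list:`, and pass `searchBase=self.baseDN if searchBase is None else searchBase,`, which stays backward-compatible for every existing caller. The rest of the `search` body, including whatever search controls are passed after `sizeLimit`, lies outside the hunk.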
@@ -15,7 +15,8 @@ def proto_args(parser, parents): egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file") egroup.add_argument("--kerberoasting", help="Output TGS ticket to crack with hashcat to file") - vgroup = ldap_parser.add_argument_group("Retrieve useful information on the domain", "Options to to play with Kerberos") + vgroup = ldap_parser.add_argument_group("Retrieve useful information on the domain") + vgroup.add_argument("--base-dn", metavar="BASE_DN", dest="base_dn", type=str, default=None, help="base DN for search queries") vgroup.add_argument("--query", nargs=2, help="Query LDAP with a custom filter and attributes") vgroup.add_argument("--find-delegation", action="store_true", help="Finds delegation relationships within an Active Directory domain. (Enabled Accounts only)") vgroup.add_argument("--trusted-for-delegation", action="store_true", help="Get the list of users and computers with flag TRUSTED_FOR_DELEGATION") From 99970919803156f2a92bc9c7ddc088e4a44a29f5 Mon Sep 17 00:00:00 2001 From: Alexander Neff Date: Tue, 10 Dec 2024 18:29:14 -0500 Subject: [PATCH 2/2] Add baseDN option for other search queries --- nxc/protocols/ldap.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py index 082b34bf2..19b877fb0 100644 --- a/nxc/protocols/ldap.py +++ b/nxc/protocols/ldap.py @@ -1246,6 +1246,7 @@ def password_not_required(self): try: self.logger.debug(f"Search Filter={searchFilter}") resp = self.ldapConnection.search( + searchBase=self.baseDN, searchFilter=searchFilter, attributes=[ "sAMAccountName", @@ -1373,6 +1374,7 @@ def gmsa(self): self.logger.display("Getting GMSA Passwords") search_filter = "(objectClass=msDS-GroupManagedServiceAccount)" gmsa_accounts = self.ldapConnection.search( + searchBase=self.baseDN, searchFilter=search_filter, attributes=[ "sAMAccountName", 
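Review bot: The help string on the new `--base-dn` argument, `"base DN for search queries"`, does not tell the operator that it replaces the DN auto-detected from the target or what format is expected, and the option sits in the "Retrieve useful information on the domain" group although it affects every LDAP search the module issues. I would make it `help="Base DN for all LDAP searches, e.g. DC=corp,DC=local (overrides the DN discovered from the target)"`. `metavar="BASE_DN"`, `type=str` and `default=None` are all argparse defaults for this option and can be dropped for consistency with the neighbouring `add_argument` calls. `proto_args` continues outside the hunk on both sides.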
@@ -1380,7 +1382,6 @@ def gmsa(self):
 "msDS-GroupMSAMembership",
 ],
 sizeLimit=0,
- searchBase=self.baseDN,
 )
 if gmsa_accounts:
 self.logger.debug(f"Total of records returned {len(gmsa_accounts):d}")
@@ -1426,10 +1427,10 @@ def gmsa_convert_id(self):
 # getting the gmsa account
 search_filter = "(objectClass=msDS-GroupManagedServiceAccount)"
 gmsa_accounts = self.ldapConnection.search(
+ searchBase=self.baseDN,
 searchFilter=search_filter,
 attributes=["sAMAccountName"],
 sizeLimit=0,
- searchBase=self.baseDN,
 )
 if gmsa_accounts:
 self.logger.debug(f"Total of records returned {len(gmsa_accounts):d}")
@@ -1456,10 +1457,10 @@ def gmsa_decrypt_lsa(self):
 # getting the gmsa account
 search_filter = "(objectClass=msDS-GroupManagedServiceAccount)"
 gmsa_accounts = self.ldapConnection.search(
+ searchBase=self.baseDN,
 searchFilter=search_filter,
 attributes=["sAMAccountName"],
 sizeLimit=0,
- searchBase=self.baseDN,
 )
 if gmsa_accounts:
 self.logger.debug(f"Total of records returned {len(gmsa_accounts):d}")
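Review bot: After this reorder the `ldapConnection.search(...)` call in `gmsa_convert_id` is the same query as in `gmsa_decrypt_lsa` (and uses the same filter as `gmsa`), and all three still bypass the `search()` wrapper that patch 1 made base-DN aware, so they do not get whatever search controls that wrapper attaches (its control argument is outside these hunks, so I cannot confirm it applies paging). If the wrapper returns the same list shape, `gmsa_accounts = self.search(search_filter, ["sAMAccountName"])` would replace the multi-line call in each method and keep the base-DN handling in one place. The enclosing methods begin and end outside the hunks.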