implement GetKerberoastableUsers in ldap module #4420
Conversation
There was a problem hiding this comment.
$ ./main -u 192.168.1.9 -var Username=victim -var Password=Trust_Me_Br0 -var Domain=LAB.LOCAL -var TargetUser=roastme -var SPN=DC01/cifs -t ldap.yaml -svd -v
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.1.0-dev
projectdiscovery.io
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.1.0-dev (outdated)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] Javascript Protocol request variables:
1. DN => 1
2. Domain => LAB.LOCAL
3. FQDN => 192.168.1.9
4. Host => 192.168.1.9
5. Hostname => 192.168.1.9
6. Password => Trust_Me_Br0
7. Port =>
8. RDN => 1.9
9. SD => 192.168
10. SPN => DC01/cifs
11. TLD => 9
12. TargetUser => roastme
13. Username => victim
[VER] [ldap-list-kerberoastable-users-test] Sent Javascript request to 192.168.1.9
[DBG] Javascript Protocol response variables:
1. DN => 1
2. Domain => LAB.LOCAL
3. FQDN => 192.168.1.9
4. Host => 192.168.1.9
5. Hostname => 192.168.1.9
6. Password => Trust_Me_Br0
7. Port =>
8. RDN => 1.9
9. SD => 192.168
10. SPN => DC01/cifs
11. TLD => 9
12. TargetUser => roastme
13. Username => victim
14. host => 192.168.1.9
15. interactsh-server =>
16. matched => 192.168.1.9
17. request => ldap = require("nuclei/ld .... assword); to_json(users);
18. response => [ { "SAMAccountName .... "LastLogon": "0" } ]
19. success => true
20. template-id => ldap-list-kerberoastable-users-test
21. template-info => {test 5amu <nil> {info} map[] <nil> }
22. template-path => /root/Desktop/nuclei-ldap .... oast/cmd/nuclei/ldap.yaml
23. type => javascript
[ldap-list-kerberoastable-users-test] [javascript] [info] 192.168.1.9 [{"LastLogon":"0","MemberOf":"","PWDLastSet":"133494763976954590","SAMAccountName":"pdtest2","ServicePrincipalName":"DC01/cifs","UserAccountControl":"512"},{"LastLogon":"0","MemberOf":"","PWDLastSet":"133494763897554325","SAMAccountName":"roastme","ServicePrincipalName":"DC01/ldap","UserAccountControl":"512"}] thanks for pr @5amu , apologies for time it took to review and merge your pr . i don't have a windows machine so it took some time to setup and validate it .
rest assured we are in process of iterating all added modules with new and basic features which might be missing starting from smb
|
Hi @tarunKoyalwar, you said:
I implemented many basic (and not so basic) functionalities for LDAP (the Active Directory one) in a personal project, would you be interested in adding those to nuclei? I can help. I implemented:
Let me know if you are interested please. I'd be glad to help. |
|
@5amu , sure we are interested and appreciate your contribution and help on this . I have created new issue #4645 for that , just create a draft PR in nuclei with proposed changes and we can improve/review/add capabilities of ldap module. since i have a setup now and i will try to keep up with changes and review it quickly Thanks |
Proposed changes
Closes #4419
With this change, a new method is exposed in the ldap module of the Javascript Protocol:
GetKerberoastableUsers(). This method will return a slice ofKerberoastableUser, containing important properties about the user in the context of Active Directory:The filter used to make the LDAP query is almost the same as the one used in the Impacket example script
GetUserSPNs.py, more precisely here:https://github.com/fortra/impacket/blob/4b56c18a10663a62e36dfd872bcebd30aa24fb91/examples/GetUserSPNs.py#L297-L314
To test the correct implementation of this feature I set up an Active Directory (Domain: LAB.LOCAL) environment with 3 users:
victim,roastmeandpdtest2:And assigned 1 SPN to
roastmeand 1 SPN topdtest2:Then, I used this template:
And executed nuclei like this:
Checklist