Add -machine-only and -request-machine flags to GetUserSPNs.py
#2011
Conversation
anadrianmanrique
added
the
in review
There was a problem hiding this comment.
The code looks really good, almost ready to merge! I just requested a couple of changes to:
- Prevent users from using
-request-userand-request-machineat the same time - Keep the code consistent (
-request-userdoes not set the-requestflag but-request-machinedoes, both implementations are fine by themselves but we should keep them aligned)
| parser.add_argument('-request-user', action='store', metavar='username', help='Requests TGS for the SPN associated ' | ||
| 'to the user specified (just the username, no domain needed)') | ||
|
|
||
| parser.add_argument('-request-machine', metavar='machinename', help='Requests TGS for the SPN associated to the machine specified. Example: `workstation01$`') |
There was a problem hiding this comment.
Now that we have the flags to request a single user or a single machine we should not allow both of them at the same time. The suggestion below will create that restriction, otherwise it could be manually checked after parsing the arguments (if options.request_machine is not None and options.request_user is not None: .... error and exit here)
| parser.add_argument('-request-user', action='store', metavar='username', help='Requests TGS for the SPN associated ' | |
| 'to the user specified (just the username, no domain needed)') | |
| parser.add_argument('-request-machine', metavar='machinename', help='Requests TGS for the SPN associated to the machine specified. Example: `workstation01$`') | |
| exclusive_request_group = parser.add_mutually_exclusive_group() | |
| exclusive_request_group.add_argument('-request-user', action='store', metavar='username', help='Requests TGS for the SPN associated ' | |
| 'to the user specified (just the username, no domain needed)') | |
| exclusive_request_group.add_argument('-request-machine', metavar='machinename', help='Requests TGS for the SPN associated to the machine specified. Example: `workstation01$`') |
| # auto enable machineonly, and request flag on -request-machine | ||
| if options.request_machine is not None: | ||
| options.machine_only = True | ||
| options.request = True | ||
|
|
There was a problem hiding this comment.
Just to make this consistent with request_user: Setting the flag options.request when requesting a machine is not necessary, just check for the flag in line 352 (by adding "or self.__requestMachine is not None"):
impacket/examples/GetUserSPNs.py
Line 352 in c1ccbbf
With that change, setting options.request is not needed anymore
| # auto enable machineonly, and request flag on -request-machine | |
| if options.request_machine is not None: | |
| options.machine_only = True | |
| options.request = True | |
| # auto enable machineonly, and request flag on -request-machine | |
| if options.request_machine is not None: | |
| options.machine_only = True | |
alexisbalbachan
added
waiting for response
Add 2 flags to GetUserSPNs.py, which may be useful for machine account based cracking attempts (Pre2k, timeroasting, etc.)
-machine-onlyupdates the LDAP filter to useobjectCategory=computerinstead ofobjectCategory=person-request-machinefunctions the same as-request-user, but for machine accounts. It also auto-enables-request, and-machine-only