Module 'get-desc-users' regex does not work to find potential passwords #201

Closed
Marshall-Hallenbeck opened this issue Mar 12, 2024 · 3 comments
Labels: bug (Something isn't working)

@Marshall-Hallenbeck (Collaborator)

Describe the bug
Testing the get-desc-users module, I came across an issue where even though one of my users' descriptions is a poor password (Passw0rd! specifically), it doesn't properly report it if setting the option to check for passwords.

To Reproduce
Steps to reproduce the behavior i.e.:
First, set up a user with their password in the description (or something that appears to be a password, such as Passw0rd!)
Then run the command: netexec smb -u username -p password -M get-desc-users -o PASSWORDPOLICY=True MINLENGTH=8

Resulted in:

poetry run netexec ldap 192.168.1.5 -u 'Administrator' -p $password -M get-desc-users -o PASSWORDPOLICY=True MINLENGTH=8      
SMB         192.168.1.5   445    DC         [*] Windows Server 2016 Datacenter Evaluation 14393 x64 (name:DC) (domain:domain) (signing:True) (SMBv1:True)
LDAP        192.168.1.5    389    DC         [+] domain\Administrator:$password (Pwn3d!)

Expected behavior
I expect that user to be included in the output. When not setting the PASSWORDPOLICY option, it properly outputs users and their descriptions.

NetExec info

  • OS: Kali & Server 2016 running LDAP
  • Version of nxc: up to date main branch
  • Installed from: pipx

Additional context
It appears like the only reason for this module is this password searching functionality, so we should either fix this, or implement what it's supposed to do alongside the --users command.

Marshall-Hallenbeck added the bug label Mar 12, 2024

@termanix (Contributor)
termanix commented Mar 25, 2024

Hello @Marshall-Hallenbeck, I re-edited it and here are my outputs. I can PR it if it's okay with you.

NetExec ldap 192.168.37.101 -u userd1 -p '$Password' -M get-desc-users              
SMB         192.168.37.101  445    DC2              [*] Windows Server 2022 Datacenter Evaluation 20348 x64 (name:DC2) (domain:test.local) (signing:True) (SMBv1:True)
LDAP        192.168.37.101  389    DC2              [+] test.local\userd1:$Password 
GET-DESC... 192.168.37.101  389    DC2              [+] Found following users: 
GET-DESC... 192.168.37.101  389    DC2              User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 192.168.37.101  389    DC2              User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 192.168.37.101  389    DC2              User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 192.168.37.101  389    DC2              User: UserD1 description: Password!
                                                                                                                                                                            
NetExec ldap 192.168.37.101 -u userd1 -p '$Password' -M get-desc-users -o PASSWORDPOLICY=True MINLENGTH=8 
SMB         192.168.37.101  445    DC2              [*] Windows Server 2022 Datacenter Evaluation 20348 x64 (name:DC2) (domain:test.local) (signing:True) (SMBv1:True)
LDAP        192.168.37.101  389    DC2              [+] test.local\userd1:$Password 
GET-DESC... 192.168.37.101  389    DC2              [+] Found following users: 
GET-DESC... 192.168.37.101  389    DC2              User: UserD1 description: Password!
                                                                                                                                                                            
NetExec ldap 192.168.37.101 -u userd1 -p '$Password' -M get-desc-users -o PASSWORDPOLICY=True MINLENGTH=8 FILTER='!'
SMB         192.168.37.101  445    DC2              [*] Windows Server 2022 Datacenter Evaluation 20348 x64 (name:DC2) (domain:test.local) (signing:True) (SMBv1:True)
LDAP        192.168.37.101  389    DC2              [+] test.local\userd1:$Password 
GET-DESC... 192.168.37.101  389    DC2              '!' found in user: 'UserD1' description: 'Password!'
                                                                                                                                                                            
NetExec ldap 192.168.37.101 -u userd1 -p '$Password' -M get-desc-users -o FILTER='!'                   
SMB         192.168.37.101  445    DC2              [*] Windows Server 2022 Datacenter Evaluation 20348 x64 (name:DC2) (domain:test.local) (signing:True) (SMBv1:True)
LDAP        192.168.37.101  389    DC2              [+] test.local\userd1:$Password 
GET-DESC... 192.168.37.101  389    DC2              '!' found in description: 'Password!'
                                                                                                                                                                            
NetExec ldap 192.168.37.101 -u userd1 -p '$Password' -M get-desc-users -o FILTER='$'
SMB         192.168.37.101  445    DC2              [*] Windows Server 2022 Datacenter Evaluation 20348 x64 (name:DC2) (domain:test.local) (signing:True) (SMBv1:True)
LDAP        192.168.37.101  389    DC2              [+] test.local\userd1:$Password 
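
A description check of the kind this thread discusses, written here as an added example for auditing your own directory; it is not NetExec's code or the module's regex. It assumes a policy of minimum length plus at least three of four character classes, applied to each whitespace-delimited token; the function names and the `svc_backup` entry are constructed.

```python
import re

# Assumed policy: a candidate needs characters from 3 of these 4 groups.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9\s]"),
}


def password_like_tokens(description, min_length=8, min_classes=3):
    """Return the whitespace-delimited tokens that satisfy the assumed policy."""
    hits = []
    for token in (description or "").split():
        if len(token) < min_length:
            continue
        present = [name for name, rx in CLASSES.items() if rx.search(token)]
        if len(present) >= min_classes:
            hits.append(token)
    return hits


def audit(users, min_length=8, literal=None):
    """users: iterable of (account name, description or None).
    literal: optional substring that must appear; compared as plain text so
    characters such as '$' or '!' are never treated as regex syntax."""
    findings = {}
    for name, desc in users:
        if literal is not None and literal not in (desc or ""):
            continue
        tokens = password_like_tokens(desc, min_length)
        if tokens:
            findings[name] = tokens
    return findings


# Constructed sample data, modelled on the descriptions shown in the thread.
SAMPLE = [
    ("Administrator", "Built-in account for administering the computer/domain"),
    ("krbtgt", "Key Distribution Center Service Account"),
    ("UserD1", "Password!"),
    ("svc_backup", "temp pw Passw0rd! rotate after migration"),
    ("empty", None),
]

if __name__ == "__main__":
    for user, tokens in audit(SAMPLE).items():
        print(f"{user}: {tokens}")
```

Under this assumed rule the hyphenated word "Built-in" also qualifies at a minimum length of 8 (upper, lower and symbol in exactly eight characters), so expect that kind of hit when triaging; a minimum length of 9 drops it while keeping both sample passwords.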

termanix added a commit to termanix/NetExec that referenced this issue Mar 25, 2024
regex edited and output lines added.

Signed-off-by: termanix <50464194+termanix@users.noreply.github.com>
Marshall-Hallenbeck added a commit that referenced this issue Mar 26, 2024
Module 'get-desc-users' Update - Marshall's #201 Issue Bug Fix

@NeffIsBack (Contributor)

@Marshall-Hallenbeck this was fixed with #228 right?

@Marshall-Hallenbeck (Collaborator, Author)

> @Marshall-Hallenbeck this was fixed with #228 right?

Yes!
