-
Notifications
You must be signed in to change notification settings - Fork 391
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--kerberoast Improvement #126
Conversation
Maybe change the filter to exclude the |
Another idea: What about we toggle if we want to include disabled accounts? Something like |
By defaullt, the option require a path to send all the hash found to hashcat. As to check if the account is active or locked, you can check the value of userAccountControl and add the info with the samaccountname, no need to convert into yet yet another option |
Yeah okay makes sense👍🏼 |
Just wanted to update after coming back around to this after sometime and playing around with it a bit more in my lab. This change does not include the ticket for disabled accounts, only adds locked accounts. However, the logging change will show the disabled accounts that are skipped. I tried my hand a bit to get this module to show the hashes for the disabled account but could not get to it for the bit I looked at it. Would like to return to this in the future. |
@Kahvi-0 Would you be able to take a look at this again and finish it up? We'd like to include it in the v1.2 release if you have time! |
@Marshall-Hallenbeck I have some time to circle around and take another look at this :) |
On a test where --kerberoast would not return a ticket for a user I knew was kerberoastable. After some digging I changed the LDAP query in ldap.py to be just "(&(servicePrincipalName=*)(!(objectCategory=computer)))". This removes the check for accounts locked out/inactive and this returned the ticket I was able to see with powerview. Personally would still like to get tickets for users that are disabled/locked out in order to attempt to crack their password and see if the password is reused. I also changed the error for Bypassing disabled account {sAMAccountName} to be highlight as I thought this is nice to have. Signed-off-by: Kahvi-0xFF <46513413+Kahvi-0@users.noreply.github.com>
2cff21a
to
68c197d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Kahvi-0 thanks for the effort! Finally merging this one :) |
On a test where --kerberoast would not return a ticket for a user I knew was kerberoastable.
After some digging I changed the LDAP query in ldap.py to be just "(&(servicePrincipalName=*)(!(objectCategory=computer)))". This removes the check if the account is normal and not disabled and returned the ticket I was expecting.
Personally would still like to get tickets for users that are disabled/locked out in order to attempt to crack their password and see if the password is reused.
I also changed the error for "Bypassing disabled account {sAMAccountName}" to be highlight as I thought this is nice to have.