Create get_fgpp.py #65

Merged
merged 23 commits into from
Mar 18, 2024

sebrink
Contributor

@sebrink sebrink commented Oct 10, 2023

Initial script written by n00py, https://github.com/n00py/GetFGPP

Some sample output from my lab:

# poetry run NetExec ldap 172.16.14.200 -u user -p password -M get_fgpp          
SMB         172.16.14.200   445    COLOR-DC01       [*] Windows 10.0 Build 14393 x64 (name:COLOR-DC01) (domain:fmradio.local) (signing:True) (SMBv1:False)
LDAP        172.16.14.200   389    COLOR-DC01       [+] fmradio.local\user:password (Pwn3d!)
GET_FGPP    172.16.14.200   389    COLOR-DC01       [+] Attempting to enumerate policies...
GET_FGPP    172.16.14.200   389    COLOR-DC01       2 FGPP Objects found!
GET_FGPP    172.16.14.200   389    COLOR-DC01       
GET_FGPP    172.16.14.200   389    COLOR-DC01       [+] Attempting to enumerate objects with an applied policy...
GET_FGPP    172.16.14.200   389    COLOR-DC01       Object: CN=macheson,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       Applied Policy: 
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=second policy,CN=Password Settings Container,CN=System,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       
GET_FGPP    172.16.14.200   389    COLOR-DC01       Object: CN=breakglass01,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       Applied Policy: 
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=second policy,CN=Password Settings Container,CN=System,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=breakglass-fgpp,CN=Password Settings Container,CN=System,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       
GET_FGPP    172.16.14.200   389    COLOR-DC01       [+] Attempting to enumerate details...
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Name: breakglass-fgpp
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Length: 24
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password History Length: 
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Threshold: 0
GET_FGPP    172.16.14.200   389    COLOR-DC01       Observation Window: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Duration: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Complexity Enabled: TRUE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Age 1 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Maximum Password Age: 42 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Reversible Encryption: FALSE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Precedence: 1 (Lower is Higher Priority)
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Applies to: 
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=breakglass01,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Name: second policy
GET_FGPP    172.16.14.200   389    COLOR-DC01       Description: this policy is more of a suggestion tbh
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Length: 0
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password History Length: 
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Threshold: 23
GET_FGPP    172.16.14.200   389    COLOR-DC01       Observation Window: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Duration: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Complexity Enabled: TRUE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Age 1 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Maximum Password Age: 42 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Reversible Encryption: TRUE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Precedence: 2 (Lower is Higher Priority)
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Applies to: 
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=breakglass01,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=macheson,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01   

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@mpgn
Collaborator

mpgn commented Oct 10, 2023

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@sebrink
Contributor Author

sebrink commented Oct 10, 2023

@mpgn I actually was not aware of the PSO module, so these currently do the exact same thing. There appears to be a bug in the PSO module though that it can't display if there is a policy that applies to multiple objects, see the sample output below: (see the policy titled second policy)

get_fgpp:

# poetry run NetExec ldap 172.16.14.200 -u username -p password -M get_fgpp
SMB         172.16.14.200   445    COLOR-DC01       [*] Windows 10.0 Build 14393 x64 (name:COLOR-DC01) (domain:fmradio.local) (signing:True) (SMBv1:False)
LDAP        172.16.14.200   389    COLOR-DC01       [+] fmradio.local\username:password (Pwn3d!)
GET_FGPP    172.16.14.200   389    COLOR-DC01       [+] Attempting to enumerate policies...
GET_FGPP    172.16.14.200   389    COLOR-DC01       2 FGPP Objects found!
GET_FGPP    172.16.14.200   389    COLOR-DC01
GET_FGPP    172.16.14.200   389    COLOR-DC01       [+] Attempting to enumerate objects with an applied policy...
GET_FGPP    172.16.14.200   389    COLOR-DC01       Object: CN=macheson,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       Applied Policy:
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=second policy,CN=Password Settings Container,CN=System,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01
GET_FGPP    172.16.14.200   389    COLOR-DC01       Object: CN=breakglass01,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01       Applied Policy:
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=second policy,CN=Password Settings Container,CN=System,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=breakglass-fgpp,CN=Password Settings Container,CN=System,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01
GET_FGPP    172.16.14.200   389    COLOR-DC01       [+] Attempting to enumerate details...
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Name: breakglass-fgpp
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Length: 15
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password History Length: 24
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Threshold: 0
GET_FGPP    172.16.14.200   389    COLOR-DC01       Observation Window: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Duration: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Complexity Enabled: TRUE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Age 1 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Maximum Password Age: 42 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Reversible Encryption: FALSE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Precedence: 1 (Lower is Higher Priority)
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Applies to:
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=breakglass01,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Name: second policy
GET_FGPP    172.16.14.200   389    COLOR-DC01       Description: this policy is more of a suggestion tbh
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Length: 7
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password History Length: 0
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Threshold: 23
GET_FGPP    172.16.14.200   389    COLOR-DC01       Observation Window: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Lockout Duration: 0 days 0 hours 30 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Complexity Enabled: TRUE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Minimum Password Age 1 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Maximum Password Age: 42 days 0 hours 0 minutes 0 seconds
GET_FGPP    172.16.14.200   389    COLOR-DC01       Reversible Encryption: TRUE
GET_FGPP    172.16.14.200   389    COLOR-DC01       Precedence: 2 (Lower is Higher Priority)
GET_FGPP    172.16.14.200   389    COLOR-DC01       Policy Applies to:
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=breakglass01,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01           CN=macheson,CN=Users,DC=fmradio,DC=local
GET_FGPP    172.16.14.200   389    COLOR-DC01

pso:

# poetry run NetExec ldap 172.16.14.200 -u username -p password -M pso
SMB         172.16.14.200   445    COLOR-DC01       [*] Windows 10.0 Build 14393 x64 (name:COLOR-DC01) (domain:fmradio.local) (signing:True) (SMBv1:False)
LDAP        172.16.14.200   389    COLOR-DC01       [+] fmradio.local\username:password (Pwn3d!)
PSO         172.16.14.200   389    COLOR-DC01       [+] Password Settings Objects (PSO) found:
PSO         172.16.14.200   389    COLOR-DC01       cn: breakglass-fgpp
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordReversibleEncryptionEnabled: FALSE
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordSettingsPrecedence: 1
PSO         172.16.14.200   389    COLOR-DC01       msDS-MinimumPasswordLength: 15
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordHistoryLength: 24
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordComplexityEnabled: TRUE
PSO         172.16.14.200   389    COLOR-DC01       msDS-LockoutObservationWindow: 30 mins
PSO         172.16.14.200   389    COLOR-DC01       msDS-LockoutDuration: 30 mins
PSO         172.16.14.200   389    COLOR-DC01       msDS-LockoutThreshold: 0
PSO         172.16.14.200   389    COLOR-DC01       msDS-MinimumPasswordAge: 1 days
PSO         172.16.14.200   389    COLOR-DC01       msDS-MaximumPasswordAge: 42 days
PSO         172.16.14.200   389    COLOR-DC01       msDS-PSOAppliesTo: CN=breakglass01,CN=Users,DC=fmradio,DC=local
PSO         172.16.14.200   389    COLOR-DC01       -----
PSO         172.16.14.200   389    COLOR-DC01       cn: second policy
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordReversibleEncryptionEnabled: TRUE
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordSettingsPrecedence: 2
PSO         172.16.14.200   389    COLOR-DC01       msDS-MinimumPasswordLength: 7
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordHistoryLength: 0
PSO         172.16.14.200   389    COLOR-DC01       msDS-PasswordComplexityEnabled: TRUE
PSO         172.16.14.200   389    COLOR-DC01       msDS-LockoutObservationWindow: 30 mins
PSO         172.16.14.200   389    COLOR-DC01       msDS-LockoutDuration: 30 mins
PSO         172.16.14.200   389    COLOR-DC01       msDS-LockoutThreshold: 23
PSO         172.16.14.200   389    COLOR-DC01       msDS-MinimumPasswordAge: 1 days
PSO         172.16.14.200   389    COLOR-DC01       msDS-MaximumPasswordAge: 42 days
PSO         172.16.14.200   389    COLOR-DC01       msDS-PSOAppliesTo: CN=breakglass01,CN=Users,DC=fmradio,DC=local
PSO         172.16.14.200   389    COLOR-DC01       -----

If you'd like, I can make an update to the PSO module to fix the bug sometime tomorrow or it can potentially be replaced with the get_fgpp module, up to y'all.
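
The point raised in the comment above (one PSO can be linked to several objects, and one object can have several PSOs linked), as an added Python example that is not part of the original thread or of NetExec's code: it walks every `msDS-PSOAppliesTo` value, picks the lowest-precedence PSO per target, and lists settings worth reviewing. The sample entries are constructed from the lab output, the raw interval value is assumed, and only directly linked PSOs with distinct precedence values are handled.

```python
# Constructed sample shaped like LDAP results: every attribute is a list of
# strings. Raw interval value is assumed (-18000000000 ticks = 30 minutes).
SAMPLE_PSOS = [
    {"cn": ["breakglass-fgpp"], "msDS-PasswordSettingsPrecedence": ["1"],
     "msDS-LockoutThreshold": ["0"], "msDS-LockoutDuration": ["-18000000000"],
     "msDS-PasswordReversibleEncryptionEnabled": ["FALSE"],
     "msDS-PSOAppliesTo": ["CN=breakglass01,CN=Users,DC=fmradio,DC=local"]},
    {"cn": ["second policy"], "msDS-PasswordSettingsPrecedence": ["2"],
     "msDS-LockoutThreshold": ["23"], "msDS-LockoutDuration": ["-18000000000"],
     "msDS-PasswordReversibleEncryptionEnabled": ["TRUE"],
     "msDS-PSOAppliesTo": ["CN=breakglass01,CN=Users,DC=fmradio,DC=local",
                           "CN=macheson,CN=Users,DC=fmradio,DC=local"]},
]

def interval_to_text(raw):
    """Render an AD interval (negative count of 100 ns ticks) as text."""
    seconds = abs(int(raw)) // 10_000_000
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} days {hours} hours {minutes} minutes {secs} seconds"

def applied_policies(psos):
    """Map each target DN to every PSO linked to it, best precedence first."""
    by_target = {}
    for pso in psos:
        for dn in pso.get("msDS-PSOAppliesTo", []):  # all values, not just [0]
            by_target.setdefault(dn, []).append(pso)
    for linked in by_target.values():
        linked.sort(key=lambda p: int(p["msDS-PasswordSettingsPrecedence"][0]))
    return by_target

def findings(pso):
    """Settings in one PSO that a reviewer would want justified."""
    out = []
    if pso["msDS-PasswordReversibleEncryptionEnabled"][0] == "TRUE":
        out.append("reversible encryption enabled")
    if int(pso["msDS-LockoutThreshold"][0]) == 0:
        out.append("lockout disabled (threshold 0)")
    return out

def audit(psos):
    """Return {target DN: (winning PSO name, its findings)}."""
    return {dn: (linked[0]["cn"][0], findings(linked[0]))
            for dn, linked in applied_policies(psos).items()}

if __name__ == "__main__":
    for dn, (name, issues) in audit(SAMPLE_PSOS).items():
        print(f"{dn} -> {name}: {issues or 'no findings'}")
```

On a live domain, the `msDS-ResultantPSO` attribute of the user object gives the domain controller's own answer and also covers PSOs inherited through group membership.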

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@mpgn
Collaborator

mpgn commented Oct 10, 2023

Your output is better imo

@mpgn
Collaborator

mpgn commented Oct 10, 2023

Maybe name your module pso and delete the old one since bugged anyway

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@NeffIsBack
Contributor

Agreed, looks better.

@mpgn glad to see you here:)

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@sebrink
Contributor Author

sebrink commented Oct 10, 2023

Alright it's updated to pso, modified the description and the output to say PSO rather than fgpp. As a note, the original pso module wasn't listed in the e2e_commands.txt.

@Marshall-Hallenbeck
Collaborator

> Alright it's updated to pso, modified the description and the output to say PSO rather than fgpp. As a note, the original pso module wasn't listed in the e2e_commands.txt.

Thank you for adding it to the e2e tests :)
Could you update the single quotes to double to match our style? Thanks for the PR!

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@sebrink
Contributor Author

sebrink commented Oct 10, 2023

@Marshall-Hallenbeck done!

@Marshall-Hallenbeck Marshall-Hallenbeck changed the base branch from main to develop October 12, 2023 20:34
@Marshall-Hallenbeck
Collaborator

Changed to merge into develop
@sebrink there's a conflict with the poetry.lock if you can fix that

Signed-off-by: sandw1ch <se.brink15@gmail.com>
@sebrink
Contributor Author

sebrink commented Oct 12, 2023

Resolved the conflict, looks like running poetry lock installs greenlet v3.0.0 rather than greenlet v2.0.2 now using poetry 1.6.1. Happens with the pyproject.toml in main right now as well.

@mpgn
Collaborator

mpgn commented Oct 17, 2023

I got this error on my side

image

@sebrink
Contributor Author

sebrink commented Oct 17, 2023

That's almost definitely due to the LDAP query limit of 1000 objects. My lab has less than 1000 so I didn't test for that. I'll put some logic in to catch that. Need to figure out a good way to do it without just capping the module at the first 1000 entries, but nice catch @mpgn !

@mpgn
Collaborator

mpgn commented Oct 18, 2023

Hum looking at the module, if a client has a pso on 7k users, the module will be unreadable

@mpgn mpgn self-requested a review as a code owner October 19, 2023 19:32
@mpgn
Collaborator

mpgn commented Oct 19, 2023

Fixed the code for you @sebrink
image

@mpgn mpgn added the tested label Oct 19, 2023
Signed-off-by: sandw1ch <se.brink15@gmail.com>
@sebrink
Contributor Author

sebrink commented Oct 24, 2023

Thanks for the fix @mpgn!

@Marshall-Hallenbeck
Collaborator

@sebrink my big refactor got merged in. Would you mind taking a look at the few conflicts?

@NeffIsBack NeffIsBack added this to the v1.2.0 milestone Nov 4, 2023
@Marshall-Hallenbeck Marshall-Hallenbeck changed the base branch from develop to main November 13, 2023 15:18
@mpgn
Collaborator

mpgn commented Mar 4, 2024

@sebrink any chance to fix the conflict to merge the PR?

@Marshall-Hallenbeck Marshall-Hallenbeck removed this from the v1.2.0 milestone Mar 12, 2024
@NeffIsBack
Contributor

@mpgn fixed everything, could you give this another review?

@mpgn
Collaborator

mpgn commented Mar 16, 2024

image

mpgn
mpgn previously approved these changes Mar 16, 2024
@NeffIsBack
Contributor

@Marshall-Hallenbeck here are your format strings :)

@NeffIsBack NeffIsBack merged commit b62c315 into Pennyw0rth:main Mar 18, 2024
1 check passed