From 9df91ae0b97509b913a3ba8ff14edcabb29453c1 Mon Sep 17 00:00:00 2001
From: Shutdown
Date: Mon, 2 Aug 2021 14:52:13 +0200
Subject: [PATCH] Improved searchFilter

Previous searchFilter resulted in a list of accounts missing vulnerable users
---
 examples/GetUserSPNs.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/examples/GetUserSPNs.py b/examples/GetUserSPNs.py
index 1c7dd8417..c08ca697c 100755
--- a/examples/GetUserSPNs.py
+++ b/examples/GetUserSPNs.py
@@ -26,8 +26,6 @@
 #
 # ToDo:
 # [X] Add the capability for requesting TGS and output them in JtR/hashcat format
-# [X] Improve the search filter, we have to specify we don't want machine accounts in the answer
-# (play with userAccountControl)
 #
 from __future__ import division
@@ -285,13 +283,17 @@ def run(self):
 raise
 # Building the search filter
- searchFilter = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)" \
- "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer))"
+ filter_person = "objectCategory=person"
+ filter_not_disabled = "!(userAccountControl:1.2.840.113556.1.4.803:=2)"
+
+ searchFilter = "(&"
+ searchFilter += "(" + filter_person + ")"
+ searchFilter += "(" + filter_not_disabled + ")"
 if self.__requestUser is not None:
- searchFilter += '(sAMAccountName:=%s))' % self.__requestUser
- else:
- searchFilter += ')'
+ searchFilter += '(sAMAccountName:=%s)' % self.__requestUser
+
+ searchFilter += ')'
 try:
 resp = ldapConnection.search(searchFilter=searchFilter,
@@ -310,7 +312,6 @@ def run(self):
 answers = []
 logging.debug('Total of records returned %d' % len(resp))
-
 for item in resp:
 if isinstance(item, ldapasn1.SearchResultEntry) is not True:
 continue
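Review bot: The user name on the new `searchFilter += '(sAMAccountName:=%s)' % self.__requestUser` line is interpolated into the LDAP filter without escaping, so a value containing `*`, `(`, `)` or `\` changes the structure of the query instead of matching a literal account name; the value should be escaped per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`) before it is formatted in. The rebuilt filter also no longer contains `(servicePrincipalName=*)`, so the search now returns every enabled person object and SPN presence must be decided per entry in the remainder of `run`, which continues outside the hunk; in a large domain that is a far bigger result set and, unless the search is paged, may be truncated by the server's size limit. If dropping the SPN predicate is intentional, a comment such as `# Intentionally no servicePrincipalName=* here: SPNs are checked per entry below` on the `searchFilter = "(&"` line would make that explicit; otherwise the predicate should be restored. The enclosing `run` body starts and ends outside this hunk.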