Remove ntlm hash for laps (as not compatible with py10) + add dns_server option to laps

Author: mpgn

nxc/connection.py

@@ -148,6 +148,7 @@ def __init__(self, args, db, target):
         self.kdcHost = self.args.kdcHost
         self.port = self.args.port
         self.local_ip = None
+        self.dns_server = self.args.dns_server
 
         # DNS resolution
         dns_result = self.resolver(target)
@@ -481,7 +482,7 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
 
         with sem:
             if cred_type == "plaintext":
-                if self.args.kerberos:
+                if self.args.kerberos and not hasattr(self.args, "laps"):
                     self.logger.debug("Trying to authenticate using Kerberos")
                     return self.kerberos_login(domain, username, secret, "", "", self.kdcHost, False)
                 elif hasattr(self.args, "domain"):  # Some protocols don't use domain for login
@@ -543,7 +544,7 @@ def login(self):
 
         if hasattr(self.args, "laps") and self.args.laps:
             self.logger.debug("Trying to authenticate using LAPS")
-            username[0], secret[0], domain[0], ntlm_hash = laps_search(self, username, secret, cred_type, domain)
+            username[0], secret[0], domain[0] = laps_search(self, username, secret, cred_type, domain, self.dns_server)
             cred_type = ["plaintext"]
             if not (username[0] or secret[0] or domain[0]):
                 return False

nxc/modules/laps.py

@@ -45,7 +45,7 @@ def on_login(self, context, connection):
                 values = {str(attr["type"]).lower(): attr["vals"][0] for attr in computer["attributes"]}
                 if "mslaps-encryptedpassword" in values:
                     msMCSAdmPwd = values["mslaps-encryptedpassword"]
-                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339)
+                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339, connection.dns_server)
                     try:
                         data = d.run()
                     except Exception as e:

nxc/protocols/ldap/laps.py

@@ -37,7 +37,7 @@ def __init__(self, host, port, hostname):
     def proto_logger(self, host, port, hostname):
         self.logger = NXCAdapter(extra={"protocol": "LDAP", "host": host, "port": port, "hostname": hostname})
 
-    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
+    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False, dns_server=""):
         lmhash = ""
         nthash = ""
 
@@ -59,7 +59,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
         baseDN = baseDN[:-1]
 
         try:
-            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{kdcHost}", baseDN)
+            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{kdcHost}", baseDN, domain if not dns_server else dns_server)
             ldap_connection.kerberosLogin(
                 username,
                 password,
@@ -78,7 +78,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             if str(e).find("strongerAuthRequired") >= 0:
                 # We need to try SSL
                 try:
-                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{kdcHost}", baseDN)
+                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{kdcHost}", baseDN, domain if not dns_server else dns_server)
                     ldap_connection.login(
                         username,
                         password,
@@ -116,7 +116,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             )
             return False
 
-    def auth_login(self, domain, username, password, ntlm_hash):
+    def auth_login(self, domain, username, password, ntlm_hash, dns_server):
         lmhash = ""
         nthash = ""
 
@@ -135,7 +135,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
         base_dn = base_dn[:-1]
 
         try:
-            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{domain}", base_dn, domain)
+            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{domain}", base_dn, domain if not dns_server else dns_server)
             ldap_connection.login(username, password, domain, lmhash, nthash)
 
             # Connect to LDAP
@@ -148,7 +148,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
             if str(e).find("strongerAuthRequired") >= 0:
                 # We need to try SSL
                 try:
-                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{domain}", base_dn, domain)
+                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{domain}", base_dn, domain if not dns_server else dns_server)
                     ldap_connection.login(username, password, domain, lmhash, nthash)
                     self.logger.extra["protocol"] = "LDAPS"
                     self.logger.extra["port"] = "636"
@@ -173,7 +173,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
 
 
 class LAPSv2Extract:
-    def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port):
+    def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port, dns_server):
         if ntlm_hash.find(":") != -1:
             self.lmhash, self.nthash = ntlm_hash.split(":")
         else:
@@ -187,6 +187,7 @@ def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdc
         self.do_kerberos = do_kerberos
         self.kdcHost = kdcHost
         self.logger = None
+        self.dns_server = dns_server
         self.proto_logger(self.domain, port, self.domain)
 
     def proto_logger(self, host, port, hostname):
@@ -218,7 +219,7 @@ def run(self):
             gke = kds_cache[key_id["RootKeyId"]]
         else:
             # Connect on RPC over TCP to MS-GKDI to call opnum 0 GetKey
-            string_binding = hept_map(destHost=self.domain, remoteIf=MSRPC_UUID_GKDI, protocol="ncacn_ip_tcp")
+            string_binding = hept_map(destHost=self.domain if not self.dns_server else self.dns_server, remoteIf=MSRPC_UUID_GKDI, protocol="ncacn_ip_tcp")
             rpc_transport = transport.DCERPCTransportFactory(string_binding)
             if hasattr(rpc_transport, "set_credentials"):
                 rpc_transport.set_credentials(username=self.username, password=self.password, domain=self.domain, lmhash=self.lmhash, nthash=self.nthash)
@@ -263,7 +264,7 @@ def run(self):
         return plaintext[:-18].decode("utf-16le")
 
 
-def laps_search(self, username, password, cred_type, domain):
+def laps_search(self, username, password, cred_type, domain, dns_server):
     prev_protocol = self.logger.extra["protocol"]
     prev_port = self.logger.extra["port"]
     self.logger.extra["protocol"] = "LDAP"
@@ -283,18 +284,20 @@ def laps_search(self, username, password, cred_type, domain):
             password[0] if cred_type[0] == "hash" else "",
             kdcHost=self.kdcHost,
             aesKey=self.aesKey,
+            dns_server=dns_server
         )
     else:
         connection = ldapco.auth_login(
             domain[0],
             username[0] if username else "",
             password[0] if cred_type[0] == "plaintext" else "",
             password[0] if cred_type[0] == "hash" else "",
+            dns_server
         )
     if not connection:
         self.logger.fail(f"LDAP connection failed with account {username[0]}")
 
-        return None, None, None, None
+        return None, None, None
 
     search_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=" + self.hostname + "))"
     attributes = [
@@ -325,13 +328,14 @@ def laps_search(self, username, password, cred_type, domain):
                     password[0] if cred_type[0] == "hash" else "",
                     self.kerberos,
                     self.kdcHost,
-                    339
+                    339,
+                    dns_server
                 )
                 try:
                     data = d.run()
                 except Exception as e:
                     self.logger.fail(str(e))
-                    return None, None, None, None
+                    return None, None, None
                 r = loads(data)
                 msMCSAdmPwd = r["p"]
                 username_laps = r["n"]
@@ -346,21 +350,16 @@ def laps_search(self, username, password, cred_type, domain):
         self.logger.debug(f"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}")
     else:
         self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
-        return None, None, None, None
+        return None, None, None
 
     if msMCSAdmPwd == "":
         self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
-        return None, None, None, None
-
-    hash_ntlm = None
-    if cred_type[0] == "hash":
-        hash_ntlm = hashlib.new("md4", msMCSAdmPwd.encode("utf-16le")).digest()
-        hash_ntlm = binascii.hexlify(hash_ntlm).decode()
+        return None, None, None
 
     username = username_laps if username_laps else self.args.laps
     password = msMCSAdmPwd
     domain = self.hostname
     self.args.local_auth = True
     self.logger.extra["protocol"] = prev_protocol
     self.logger.extra["port"] = prev_port
-    return username, password, domain, hash_ntlm
+    return username, password, domain