Merge pull request Pennyw0rth#877 from Pennyw0rth/passpool

mpgn · web-flow · commit 2f62843e41c5 · 2025-08-31T21:40:20.000+02:00
diff --git a/nxc/helpers/misc.py b/nxc/helpers/misc.py
@@ -7,6 +7,7 @@
 from termcolor import colored
 from ipaddress import ip_address
 from nxc.logger import nxc_logger
+from time import strftime, gmtime
 
 
 def identify_target_file(target_file):
@@ -149,6 +150,82 @@ def detect_if_ip(target):
         return False
 
 
+def d2b(a):
+    """
+    Function used to convert password property flags from decimal to binary
+    format for easier interpretation of individual flag bits.
+    """
+    tbin = []
+    while a:
+        tbin.append(a % 2)
+        a //= 2
+
+    t2bin = tbin[::-1]
+    if len(t2bin) != 8:
+        for _x in range(6 - len(t2bin)):
+            t2bin.insert(0, 0)
+    return "".join([str(g) for g in t2bin])
+
+
+def convert(low, high, lockout=False):
+    """
+    Convert Windows FILETIME (64-bit) values to human-readable time strings.
+
+    Windows stores time intervals as 64-bit values representing 100-nanosecond
+    intervals since January 1, 1601. This function converts these values to
+    readable format like "30 days 5 hours 15 minutes".
+
+    Args:
+        low (int): Low 32 bits of the FILETIME value
+        high (int): High 32 bits of the FILETIME value
+        lockout (bool): If True, treats the value as a lockout duration (simpler conversion)
+
+    Returns:
+        str: Human-readable time string (e.g., "42 days 5 hours 30 minutes") or
+             special values like "Not Set", "None", or "[-] Invalid TIME"
+    """
+    time = ""
+    tmp = 0
+
+    if (low == 0 and high == -0x8000_0000) or (low == 0 and high == -0x8000_0000_0000_0000):
+        return "Not Set"
+    if low == 0 and high == 0:
+        return "None"
+
+    if not lockout:
+        if low != 0:
+            high = abs(high + 1)
+        else:
+            high = abs(high)
+            low = abs(low)
+
+        tmp = low + (high << 32)  # convert to 64bit int
+        tmp *= 1e-7  # convert to seconds
+    else:
+        tmp = abs(high) * (1e-7)
+
+    try:
+        minutes = int(strftime("%M", gmtime(tmp)))
+        hours = int(strftime("%H", gmtime(tmp)))
+        days = int(strftime("%j", gmtime(tmp))) - 1
+    except ValueError:
+        return "[-] Invalid TIME"
+
+    if days > 1:
+        time += f"{days} days "
+    elif days == 1:
+        time += f"{days} day "
+    if hours > 1:
+        time += f"{hours} hours "
+    elif hours == 1:
+        time += f"{hours} hour "
+    if minutes > 1:
+        time += f"{minutes} minutes "
+    elif minutes == 1:
+        time += f"{minutes} minute "
+    return time
+
+
 def display_modules(args, modules):
     for category, color in {CATEGORY.ENUMERATION: "green", CATEGORY.CREDENTIAL_DUMPING: "cyan", CATEGORY.PRIVILEGE_ESCALATION: "magenta"}.items():
         # Add category filter for module listing
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -38,13 +38,13 @@
 from nxc.config import process_secret, host_info_colors
 from nxc.connection import connection
 from nxc.helpers.bloodhound import add_user_bh
+from nxc.helpers.misc import get_bloodhound_info, convert, d2b
 from nxc.logger import NXCAdapter, nxc_logger
 from nxc.protocols.ldap.bloodhound import BloodHound
 from nxc.protocols.ldap.gmsa import MSDS_MANAGEDPASSWORD_BLOB
 from nxc.protocols.ldap.kerberos import KerberosAttacks
 from nxc.parsers.ldap_results import parse_result_attributes
 from nxc.helpers.ntlm_parser import parse_challenge
-from nxc.helpers.misc import get_bloodhound_info
 from nxc.paths import CONFIG_PATH, NXC_PATH
 
 ldap_error_status = {
@@ -1481,6 +1481,92 @@ def pso_mins(ldap_time):
                 self.logger.highlight(f"\t{policyApplies}")
             self.logger.highlight("")
 
+    def pass_pol(self):
+        search_filter = "(objectClass=domainDNS)"
+        attributes = [
+            "minPwdLength",
+            "pwdHistoryLength",
+            "maxPwdAge",
+            "minPwdAge",
+            "lockoutThreshold",
+            "lockoutDuration",
+            "lockOutObservationWindow",
+            "forceLogoff",
+            "pwdProperties"
+        ]
+
+        resp = self.search(search_filter, attributes, sizeLimit=0, baseDN=self.baseDN)
+        resp_parsed = parse_result_attributes(resp)
+
+        if not resp_parsed:
+            self.logger.fail("No domain password policy found!")
+            return
+
+        for policy in resp_parsed:
+            def ldap_to_filetime(ldap_time):
+                """Convert LDAP time to FILETIME format for convert function"""
+                if not ldap_time or ldap_time == "0":
+                    return 0, 0
+
+                time_int = int(ldap_time)
+                if time_int < 0:
+                    time_int = abs(time_int)
+
+                low = time_int & 0xFFFFFFFF
+                high = (time_int >> 32) & 0xFFFFFFFF
+                if ldap_time.startswith("-") or int(ldap_time) < 0:
+                    high = -high
+
+                return low, high
+
+            min_pass_len = policy.get("minPwdLength", "None")
+            pass_hist_len = policy.get("pwdHistoryLength", "None")
+            max_pwd_age_low, max_pwd_age_high = ldap_to_filetime(policy.get("maxPwdAge", "0"))
+            max_pass_age = convert(max_pwd_age_low, max_pwd_age_high)
+            min_pwd_age_low, min_pwd_age_high = ldap_to_filetime(policy.get("minPwdAge", "0"))
+            min_pass_age = convert(min_pwd_age_low, min_pwd_age_high)
+            accnt_lock_thres = policy.get("lockoutThreshold", "None")
+            lockout_duration_val = policy.get("lockoutDuration", "0")
+            lock_accnt_dur = convert(0, int(lockout_duration_val) if lockout_duration_val != "0" else 0, lockout=True)
+            lockout_obs_val = policy.get("lockOutObservationWindow", "0")
+            rst_accnt_lock_counter = convert(0, int(lockout_obs_val) if lockout_obs_val != "0" else 0, lockout=True)
+            force_logoff_low, force_logoff_high = ldap_to_filetime(policy.get("forceLogoff", "0"))
+            force_logoff_time = convert(force_logoff_low, force_logoff_high)
+
+            # Convert password properties using existing d2b function
+            pwd_properties = policy.get("pwdProperties", "0")
+            pass_prop = d2b(int(pwd_properties)) if pwd_properties != "0" else "000000"
+
+            # Use the same formatting and constants as SMB passpol
+            PASSCOMPLEX = {
+                5: "Domain Password Complex:",
+                4: "Domain Password No Anon Change:",
+                3: "Domain Password No Clear Change:",
+                2: "Domain Password Lockout Admins:",
+                1: "Domain Password Store Cleartext:",
+                0: "Domain Refuse Password Change:",
+            }
+
+            # Pretty print using same format as SMB
+            self.logger.success(f"Dumping password info for domain: {self.domain}")
+            self.logger.highlight(f"Minimum password length: {min_pass_len}")
+            self.logger.highlight(f"Password history length: {pass_hist_len}")
+            self.logger.highlight(f"Maximum password age: {max_pass_age}")
+            self.logger.highlight("")
+            self.logger.highlight(f"Password Complexity Flags: {pass_prop or 'None'}")
+
+            for i, a in enumerate(pass_prop):
+                self.logger.highlight(f"\t{PASSCOMPLEX[i]} {a!s}")
+
+            self.logger.highlight("")
+            self.logger.highlight(f"Minimum password age: {min_pass_age}")
+            self.logger.highlight(f"Reset Account Lockout Counter: {rst_accnt_lock_counter}")
+            self.logger.highlight(f"Locked Account Duration: {lock_accnt_dur}")
+            self.logger.highlight(f"Account Lockout Threshold: {accnt_lock_thres}")
+            self.logger.highlight(f"Forced Log off Time: {force_logoff_time}")
+
+            break  # Only process first policy result
+
     def bloodhound(self):
         # Check which version is desired
         use_bhce = self.config.getboolean("BloodHound-CE", "bhce_enabled", fallback=False)
diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py
@@ -30,6 +30,7 @@ def proto_args(parser, parents):
     vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid")
     vgroup.add_argument("--active-users", nargs="*", help="Get Active Domain Users Accounts")
     vgroup.add_argument("--pso", action="store_true", help="Get Fine Grained Password Policy/PSOs")
+    vgroup.add_argument("--pass-pol", action="store_true", help="Dump password policy")
 
     ggroup = ldap_parser.add_argument_group("Retrieve gmsa on the remote DC", "Options to play with gmsa")
     ggroup.add_argument("--gmsa", action="store_true", help="Enumerate GMSA passwords")
diff --git a/nxc/protocols/smb/passpol.py b/nxc/protocols/smb/passpol.py
@@ -2,64 +2,8 @@
 
 from impacket.dcerpc.v5.rpcrt import DCERPC_v5
 from impacket.dcerpc.v5 import transport, samr
-from time import strftime, gmtime
 from nxc.logger import nxc_logger
-
-
-def d2b(a):
-    tbin = []
-    while a:
-        tbin.append(a % 2)
-        a //= 2
-
-    t2bin = tbin[::-1]
-    if len(t2bin) != 8:
-        for _x in range(6 - len(t2bin)):
-            t2bin.insert(0, 0)
-    return "".join([str(g) for g in t2bin])
-
-
-def convert(low, high, lockout=False):
-    time = ""
-    tmp = 0
-
-    if (low == 0 and high == -0x8000_0000) or (low == 0 and high == -0x8000_0000_0000_0000):
-        return "Not Set"
-    if low == 0 and high == 0:
-        return "None"
-
-    if not lockout:
-        if low != 0:
-            high = abs(high + 1)
-        else:
-            high = abs(high)
-            low = abs(low)
-
-        tmp = low + (high << 32)  # convert to 64bit int
-        tmp *= 1e-7  # convert to seconds
-    else:
-        tmp = abs(high) * (1e-7)
-
-    try:
-        minutes = int(strftime("%M", gmtime(tmp)))
-        hours = int(strftime("%H", gmtime(tmp)))
-        days = int(strftime("%j", gmtime(tmp))) - 1
-    except ValueError:
-        return "[-] Invalid TIME"
-
-    if days > 1:
-        time += f"{days} days "
-    elif days == 1:
-        time += f"{days} day "
-    if hours > 1:
-        time += f"{hours} hours "
-    elif hours == 1:
-        time += f"{hours} hour "
-    if minutes > 1:
-        time += f"{minutes} minutes "
-    elif minutes == 1:
-        time += f"{minutes} minute "
-    return time
+from nxc.helpers.misc import convert, d2b
 
 
 class PassPolDump:
@@ -233,7 +177,6 @@ def pretty_print(self):
             nxc_logger.debug(f"{domain['Name']}")
 
         self.logger.success(f"Dumping password info for domain: {self.__domains[0]['Name']}")
-
         self.logger.highlight(f"Minimum password length: {self.__min_pass_len}")
         self.logger.highlight(f"Password history length: {self.__pass_hist_len}")
         self.logger.highlight(f"Maximum password age: {self.__max_pass_age}")
diff --git a/tests/e2e_commands.txt b/tests/e2e_commands.txt
@@ -203,6 +203,7 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --trusted-
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --admin-count
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --gmsa
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --pso
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --pass-pol
 ##### LDAP Modules
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -L
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M adcs
