Merge pull request Pennyw0rth#677 from Pennyw0rth/neff-fix-ldap-kerb-dom-trust

NeffIsBack · web-flow · commit 3209e523a552 · 2025-05-07T17:12:20.000+02:00
Fix domain trust with kerberos in ldap
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -25,6 +25,7 @@
 )
 from impacket.krb5 import constants
 from impacket.krb5.kerberosv5 import getKerberosTGS, SessionKeyDecryptionError
+from impacket.krb5.ccache import CCache
 from impacket.krb5.types import Principal, KerberosException
 from impacket.ldap import ldap as ldap_impacket
 from impacket.ldap import ldaptypes
@@ -232,7 +233,6 @@ def get_ldap_username(self):
     def enum_host_info(self):
         self.hostname = self.target.split(".")[0].upper() if "." in self.target else self.target
         self.remoteName = self.target
-        self.domain = self.targetDomain
 
         ntlm_challenge = None
         bindRequest = ldapasn1_impacket.BindRequest()
@@ -250,6 +250,14 @@ def enum_host_info(self):
             ntlm_info = parse_challenge(ntlm_challenge)
             self.server_os = ntlm_info["os_version"]
 
+        if self.args.domain:
+            self.domain = self.args.domain
+        elif self.args.use_kcache:  # Fixing domain trust, just pull the auth domain out of the ticket
+            self.domain = CCache.parseFile()[0]
+            self.username = CCache.parseFile()[1]
+        else:
+            self.domain = self.targetDomain
+
         # using kdcHost is buggy on impacket when using trust relation between ad so we kdcHost must stay to none if targetdomain is not equal to domain
         if not self.kdcHost and self.domain and self.domain == self.targetDomain:
             result = self.resolver(self.domain)
@@ -276,15 +284,15 @@ def print_host_info(self):
         self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
 
     def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
-        self.username = username
+        self.username = username if not self.username else self.username    # With ccache we get the username from the ticket
         self.password = password
         self.domain = domain
         self.kdcHost = kdcHost
         self.aesKey = aesKey
 
         lmhash = ""
         nthash = ""
-        self.username = username
+
         # This checks to see if we didn't provide the LM Hash
         if ntlm_hash.find(":") != -1:
             lmhash, nthash = ntlm_hash.split(":")
