update passpol

Author: mpgn

nxc/helpers/misc.py

@@ -5,6 +5,7 @@
 import os
 
 from ipaddress import ip_address
+from time import strftime, gmtime
 
 
 def identify_target_file(target_file):
@@ -145,3 +146,59 @@ def detect_if_ip(target):
         return True
     except Exception:
         return False
+
+
+def d2b(a):
+    tbin = []
+    while a:
+        tbin.append(a % 2)
+        a //= 2
+
+    t2bin = tbin[::-1]
+    if len(t2bin) != 8:
+        for _x in range(6 - len(t2bin)):
+            t2bin.insert(0, 0)
+    return "".join([str(g) for g in t2bin])
+
+
+def convert(low, high, lockout=False):
+    time = ""
+    tmp = 0
+
+    if (low == 0 and high == -0x8000_0000) or (low == 0 and high == -0x8000_0000_0000_0000):
+        return "Not Set"
+    if low == 0 and high == 0:
+        return "None"
+
+    if not lockout:
+        if low != 0:
+            high = abs(high + 1)
+        else:
+            high = abs(high)
+            low = abs(low)
+
+        tmp = low + (high << 32)  # convert to 64bit int
+        tmp *= 1e-7  # convert to seconds
+    else:
+        tmp = abs(high) * (1e-7)
+
+    try:
+        minutes = int(strftime("%M", gmtime(tmp)))
+        hours = int(strftime("%H", gmtime(tmp)))
+        days = int(strftime("%j", gmtime(tmp))) - 1
+    except ValueError:
+        return "[-] Invalid TIME"
+
+    if days > 1:
+        time += f"{days} days "
+    elif days == 1:
+        time += f"{days} day "
+    if hours > 1:
+        time += f"{hours} hours "
+    elif hours == 1:
+        time += f"{hours} hour "
+    if minutes > 1:
+        time += f"{minutes} minutes "
+    elif minutes == 1:
+        time += f"{minutes} minute "
+    return time

nxc/protocols/ldap.py

@@ -38,13 +38,13 @@
 from nxc.config import process_secret, host_info_colors
 from nxc.connection import connection
 from nxc.helpers.bloodhound import add_user_bh
+from nxc.helpers.misc import get_bloodhound_info, convert, d2b
 from nxc.logger import NXCAdapter, nxc_logger
 from nxc.protocols.ldap.bloodhound import BloodHound
 from nxc.protocols.ldap.gmsa import MSDS_MANAGEDPASSWORD_BLOB
 from nxc.protocols.ldap.kerberos import KerberosAttacks
 from nxc.parsers.ldap_results import parse_result_attributes
 from nxc.helpers.ntlm_parser import parse_challenge
-from nxc.helpers.misc import get_bloodhound_info
 from nxc.paths import CONFIG_PATH, NXC_PATH
 
 ldap_error_status = {
@@ -1498,75 +1498,70 @@ def pass_pol(self):
             self.logger.fail("No domain password policy found!")
             return
 
-        self.logger.highlight("Domain Password Policy:")
-        self.logger.highlight("")
-
         for policy in resp_parsed:
-            # Helper function to convert LDAP time to human readable format
-            def ldap_time_to_days(ldap_time):
-                if not ldap_time or ldap_time == "0":
-                    return "Never"
-                # LDAP time is in 100-nanosecond intervals, negative for time intervals
-                seconds = abs(int(ldap_time)) / 10000000
-                days = int(seconds / 86400)  # 86400 seconds in a day
-                return f"{days} days"
-
-            def ldap_time_to_minutes(ldap_time):
+            def ldap_to_filetime(ldap_time):
+                """Convert LDAP time to FILETIME format for convert function"""
                 if not ldap_time or ldap_time == "0":
-                    return "Never"
-                # LDAP time is in 100-nanosecond intervals
-                seconds = abs(int(ldap_time)) / 10000000
-                minutes = int(seconds / 60)
-                return f"{minutes} minutes"
-
-            # Display password policy information
-            min_pwd_length = policy.get("minPwdLength", "Not set")
-            pwd_history_length = policy.get("pwdHistoryLength", "Not set")
-            max_pwd_age = ldap_time_to_days(policy.get("maxPwdAge", "0"))
-            min_pwd_age = ldap_time_to_days(policy.get("minPwdAge", "0"))
-            lockout_threshold = policy.get("lockoutThreshold", "Not set")
-            lockout_duration = ldap_time_to_minutes(policy.get("lockoutDuration", "0"))
-            lockout_observation_window = ldap_time_to_minutes(policy.get("lockOutObservationWindow", "0"))
-            force_logoff = ldap_time_to_minutes(policy.get("forceLogoff", "0"))
+                    return 0, 0
+
+                time_int = int(ldap_time)
+                if time_int < 0:
+                    time_int = abs(time_int)
+
+                low = time_int & 0xFFFFFFFF
+                high = (time_int >> 32) & 0xFFFFFFFF
+                if ldap_time.startswith("-") or int(ldap_time) < 0:
+                    high = -high
+
+                return low, high
+
+            min_pass_len = policy.get("minPwdLength", "None")
+            pass_hist_len = policy.get("pwdHistoryLength", "None")
+            max_pwd_age_low, max_pwd_age_high = ldap_to_filetime(policy.get("maxPwdAge", "0"))
+            max_pass_age = convert(max_pwd_age_low, max_pwd_age_high)
+            min_pwd_age_low, min_pwd_age_high = ldap_to_filetime(policy.get("minPwdAge", "0"))
+            min_pass_age = convert(min_pwd_age_low, min_pwd_age_high)
+            accnt_lock_thres = policy.get("lockoutThreshold", "None")
+            lockout_duration_val = policy.get("lockoutDuration", "0")
+            lock_accnt_dur = convert(0, int(lockout_duration_val) if lockout_duration_val != "0" else 0, lockout=True)
+            lockout_obs_val = policy.get("lockOutObservationWindow", "0")
+            rst_accnt_lock_counter = convert(0, int(lockout_obs_val) if lockout_obs_val != "0" else 0, lockout=True)
+            force_logoff_low, force_logoff_high = ldap_to_filetime(policy.get("forceLogoff", "0"))
+            force_logoff_time = convert(force_logoff_low, force_logoff_high)
+
+            # Convert password properties using existing d2b function
             pwd_properties = policy.get("pwdProperties", "0")
+            pass_prop = d2b(int(pwd_properties)) if pwd_properties != "0" else "None"
+
+            # Use the same formatting and constants as SMB passpol
+            PASSCOMPLEX = {
+                5: "Domain Password Complex:",
+                4: "Domain Password No Anon Change:",
+                3: "Domain Password No Clear Change:",
+                2: "Domain Password Lockout Admins:",
+                1: "Domain Password Store Cleartext:",
+                0: "Domain Refuse Password Change:",
+            }
 
-            self.logger.highlight(f"Minimum Password Length: {min_pwd_length}")
-            self.logger.highlight(f"Password History Length: {pwd_history_length}")
-            self.logger.highlight(f"Maximum Password Age: {max_pwd_age}")
-            self.logger.highlight(f"Minimum Password Age: {min_pwd_age}")
-            self.logger.highlight(f"Account Lockout Threshold: {lockout_threshold}")
-            self.logger.highlight(f"Account Lockout Duration: {lockout_duration}")
-            self.logger.highlight(f"Account Lockout Observation Window: {lockout_observation_window}")
-            self.logger.highlight(f"Force Logoff: {force_logoff}")
-
-            # Decode password properties flags
-            if pwd_properties and pwd_properties != "0":
-                pwd_props_int = int(pwd_properties)
-                properties = []
-
-                if pwd_props_int & 0x1:
-                    properties.append("Password complexity enabled")
-                if pwd_props_int & 0x2:
-                    properties.append("Store passwords using reversible encryption")
-                if pwd_props_int & 0x4:
-                    properties.append("No anonymous password changes")
-                if pwd_props_int & 0x8:
-                    properties.append("No clear change password")
-                if pwd_props_int & 0x10:
-                    properties.append("Lockout admins")
-                if pwd_props_int & 0x20:
-                    properties.append("Store password with weaker obfuscation")
-                if pwd_props_int & 0x40:
-                    properties.append("Refuse password change")
-
-                if properties:
-                    self.logger.highlight("Password Properties:")
-                    for prop in properties:
-                        self.logger.highlight(f"  - {prop}")
-                else:
-                    self.logger.highlight(f"Password Properties: {pwd_properties} (Unknown flags)")
-            else:
-                self.logger.highlight("Password Properties: None")
+            # Pretty print using same format as SMB
+            self.logger.success(f"Dumping password info for domain: {self.domain}")
+            self.logger.highlight(f"Minimum password length: {min_pass_len}")
+            self.logger.highlight(f"Password history length: {pass_hist_len}")
+            self.logger.highlight(f"Maximum password age: {max_pass_age}")
+            self.logger.highlight("")
+            self.logger.highlight(f"Password Complexity Flags: {pass_prop or 'None'}")
+
+            for i, a in enumerate(pass_prop):
+                self.logger.highlight(f"\t{PASSCOMPLEX[i]} {a!s}")
+
+            self.logger.highlight("")
+            self.logger.highlight(f"Minimum password age: {min_pass_age}")
+            self.logger.highlight(f"Reset Account Lockout Counter: {rst_accnt_lock_counter}")
+            self.logger.highlight(f"Locked Account Duration: {lock_accnt_dur}")
+            self.logger.highlight(f"Account Lockout Threshold: {accnt_lock_thres}")
+            self.logger.highlight(f"Forced Log off Time: {force_logoff_time}")
+
+            break  # Only process first policy result
 
     def bloodhound(self):
         # Check which version is desired