Added --pass-pol option to LDAP protocol

Mercury0 · Mercury0 · commit 74ff6fa38563 · 2025-08-21T10:16:51.000-07:00
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -1477,6 +1477,97 @@ def pso_mins(ldap_time):
                 self.logger.highlight(f"\t{policyApplies}")
             self.logger.highlight("")
 
+    def pass_pol(self):
+        search_filter = "(objectClass=domainDNS)"
+        attributes = [
+            "minPwdLength",
+            "pwdHistoryLength",
+            "maxPwdAge",
+            "minPwdAge",
+            "lockoutThreshold",
+            "lockoutDuration",
+            "lockOutObservationWindow",
+            "forceLogoff",
+            "pwdProperties"
+        ]
+
+        resp = self.search(search_filter, attributes, sizeLimit=0, baseDN=self.baseDN)
+        resp_parsed = parse_result_attributes(resp)
+
+        if not resp_parsed:
+            self.logger.fail("No domain password policy found!")
+            return
+
+        self.logger.highlight("Domain Password Policy:")
+        self.logger.highlight("")
+
+        for policy in resp_parsed:
+            # Helper function to convert LDAP time to human readable format
+            def ldap_time_to_days(ldap_time):
+                if not ldap_time or ldap_time == "0":
+                    return "Never"
+                # LDAP time is in 100-nanosecond intervals, negative for time intervals
+                seconds = abs(int(ldap_time)) / 10000000
+                days = int(seconds / 86400)  # 86400 seconds in a day
+                return f"{days} days"
+
+            def ldap_time_to_minutes(ldap_time):
+                if not ldap_time or ldap_time == "0":
+                    return "Never"
+                # LDAP time is in 100-nanosecond intervals
+                seconds = abs(int(ldap_time)) / 10000000
+                minutes = int(seconds / 60)
+                return f"{minutes} minutes"
+
+            # Display password policy information
+            min_pwd_length = policy.get("minPwdLength", "Not set")
+            pwd_history_length = policy.get("pwdHistoryLength", "Not set")
+            max_pwd_age = ldap_time_to_days(policy.get("maxPwdAge", "0"))
+            min_pwd_age = ldap_time_to_days(policy.get("minPwdAge", "0"))
+            lockout_threshold = policy.get("lockoutThreshold", "Not set")
+            lockout_duration = ldap_time_to_minutes(policy.get("lockoutDuration", "0"))
+            lockout_observation_window = ldap_time_to_minutes(policy.get("lockOutObservationWindow", "0"))
+            force_logoff = ldap_time_to_minutes(policy.get("forceLogoff", "0"))
+            pwd_properties = policy.get("pwdProperties", "0")
+
+            self.logger.highlight(f"Minimum Password Length: {min_pwd_length}")
+            self.logger.highlight(f"Password History Length: {pwd_history_length}")
+            self.logger.highlight(f"Maximum Password Age: {max_pwd_age}")
+            self.logger.highlight(f"Minimum Password Age: {min_pwd_age}")
+            self.logger.highlight(f"Account Lockout Threshold: {lockout_threshold}")
+            self.logger.highlight(f"Account Lockout Duration: {lockout_duration}")
+            self.logger.highlight(f"Account Lockout Observation Window: {lockout_observation_window}")
+            self.logger.highlight(f"Force Logoff: {force_logoff}")
+
+            # Decode password properties flags
+            if pwd_properties and pwd_properties != "0":
+                pwd_props_int = int(pwd_properties)
+                properties = []
+
+                if pwd_props_int & 0x1:
+                    properties.append("Password complexity enabled")
+                if pwd_props_int & 0x2:
+                    properties.append("Store passwords using reversible encryption")
+                if pwd_props_int & 0x4:
+                    properties.append("No anonymous password changes")
+                if pwd_props_int & 0x8:
+                    properties.append("No clear change password")
+                if pwd_props_int & 0x10:
+                    properties.append("Lockout admins")
+                if pwd_props_int & 0x20:
+                    properties.append("Store password with weaker obfuscation")
+                if pwd_props_int & 0x40:
+                    properties.append("Refuse password change")
+
+                if properties:
+                    self.logger.highlight("Password Properties:")
+                    for prop in properties:
+                        self.logger.highlight(f"  - {prop}")
+                else:
+                    self.logger.highlight(f"Password Properties: {pwd_properties} (Unknown flags)")
+            else:
+                self.logger.highlight("Password Properties: None")
+
     def bloodhound(self):
         # Check which version is desired
         use_bhce = self.config.getboolean("BloodHound-CE", "bhce_enabled", fallback=False)
diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py
@@ -30,6 +30,7 @@ def proto_args(parser, parents):
     vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid")
     vgroup.add_argument("--active-users", nargs="*", help="Get Active Domain Users Accounts")
     vgroup.add_argument("--pso", action="store_true", help="Get Fine Grained Password Policy/PSOs")
+    vgroup.add_argument("--pass-pol", action="store_true", help="Dump password policy")
 
     ggroup = ldap_parser.add_argument_group("Retrieve gmsa on the remote DC", "Options to play with gmsa")
     ggroup.add_argument("--gmsa", action="store_true", help="Enumerate GMSA passwords")
