Merge pull request Pennyw0rth#798 from Pennyw0rth/pso

mpgn · web-flow · commit 95cd4f338314 · 2025-07-17T00:15:41.000+02:00
Switch pso module to core feature
diff --git a/nxc/modules/pso.py b/nxc/modules/pso.py
@@ -1,6 +1,3 @@
-from dateutil.relativedelta import relativedelta as rd
-from impacket.ldap import ldapasn1 as ldapasn1_impacket
-
 
 class NXCModule:
     """
@@ -21,90 +18,4 @@ def options(self, context, module_options):
         """No options available."""
 
     def on_login(self, context, connection):
-        # Are there even any FGPPs?
-        context.log.success("Attempting to enumerate policies...")
-        resp = connection.ldap_connection.search(searchBase=f"CN=Password Settings Container,CN=System,{''.join([f'DC={dc},' for dc in connection.domain.split('.')]).rstrip(',')}", searchFilter="(objectclass=*)")
-        if len(resp) > 1:
-            context.log.highlight(f"{len(resp) - 1} PSO Objects found!")
-            context.log.highlight("")
-            context.log.success("Attempting to enumerate objects with an applied policy...")
-
-        # Who do they apply to?
-        resp = connection.search(searchFilter="(objectclass=*)", attributes=["DistinguishedName", "msDS-PSOApplied"])
-        for attrs in resp:
-            if isinstance(attrs, ldapasn1_impacket.SearchResultEntry) is not True:
-                continue
-            for attr in attrs["attributes"]:
-                if str(attr["type"]) in "msDS-PSOApplied":
-                    context.log.highlight(f"Object: {attrs['objectName']}")
-                    context.log.highlight("Applied Policy: ")
-                    for value in attr["vals"]:
-                        context.log.highlight(f"\t{value}")
-                    context.log.highlight("")
-
-        # Let"s find out even more details!
-        context.log.success("Attempting to enumerate details...\n")
-        resp = connection.search(searchFilter="(objectclass=msDS-PasswordSettings)",
-                                 attributes=["name", "msds-lockoutthreshold", "msds-psoappliesto", "msds-minimumpasswordlength",
-                                             "msds-passwordhistorylength", "msds-lockoutobservationwindow", "msds-lockoutduration",
-                                             "msds-passwordsettingsprecedence", "msds-passwordcomplexityenabled", "Description",
-                                             "msds-passwordreversibleencryptionenabled", "msds-minimumpasswordage", "msds-maximumpasswordage"])
-        for attrs in resp:
-            if not isinstance(attrs, ldapasn1_impacket.SearchResultEntry):
-                continue
-            policyName, description, passwordLength, passwordhistorylength, lockoutThreshold, observationWindow, lockoutDuration, complexity, minPassAge, maxPassAge, reverseibleEncryption, precedence, policyApplies = ("",) * 13
-            for attr in attrs["attributes"]:
-                if str(attr["type"]) == "name":
-                    policyName = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-LockoutThreshold":
-                    lockoutThreshold = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-MinimumPasswordLength":
-                    passwordLength = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-PasswordHistoryLength":
-                    passwordhistorylength = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-LockoutObservationWindow":
-                    observationWindow = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-LockoutDuration":
-                    lockoutDuration = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-PasswordSettingsPrecedence":
-                    precedence = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-PasswordComplexityEnabled":
-                    complexity = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-PasswordReversibleEncryptionEnabled":
-                    reverseibleEncryption = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-MinimumPasswordAge":
-                    minPassAge = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-MaximumPasswordAge":
-                    maxPassAge = attr["vals"][0]
-                elif str(attr["type"]) == "description":
-                    description = attr["vals"][0]
-                elif str(attr["type"]) == "msDS-PSOAppliesTo":
-                    policyApplies = ""
-                    for value in attr["vals"]:
-                        policyApplies += f"{value};"
-            context.log.highlight(f"Policy Name: {policyName}")
-            if description:
-                context.log.highlight(f"Description: {description}")
-            context.log.highlight(f"Minimum Password Length: {passwordLength}")
-            context.log.highlight(f"Minimum Password History Length: {passwordhistorylength}")
-            context.log.highlight(f"Lockout Threshold: {lockoutThreshold}")
-            context.log.highlight(f"Observation Window: {mins(observationWindow)}")
-            context.log.highlight(f"Lockout Duration: {mins(lockoutDuration)}")
-            context.log.highlight(f"Complexity Enabled: {complexity}")
-            context.log.highlight(f"Minimum Password Age: {days(minPassAge)}")
-            context.log.highlight(f"Maximum Password Age: {days(maxPassAge)}")
-            context.log.highlight(f"Reversible Encryption: {reverseibleEncryption}")
-            context.log.highlight(f"Precedence: {precedence} (Lower is Higher Priority)")
-            context.log.highlight("Policy Applies to:")
-            for value in str(policyApplies)[:-1].split(";"):
-                if value:
-                    context.log.highlight(f"\t{value}")
-            context.log.highlight("")
-
-
-def days(ldap_time):
-    return f"{rd(seconds=int(abs(int(ldap_time)) / 10000000)).days} days"
-
-
-def mins(ldap_time):
-    return f"{rd(seconds=int(abs(int(ldap_time)) / 10000000)).minutes} minutes"
+        context.log.fail("[REMOVED] This module moved to the core option --pso")
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -10,6 +10,7 @@
 from zipfile import ZipFile
 from termcolor import colored
 from dns import resolver
+from dateutil.relativedelta import relativedelta as rd
 
 from Cryptodome.Hash import MD4
 from OpenSSL.SSL import SysCallError
@@ -1396,6 +1397,86 @@ def gmsa_decrypt_lsa(self):
         else:
             self.logger.fail("No string provided :'(")
 
+    def pso(self):
+        """
+        Get the Fine Grained Password Policy/PSOs
+        Initial FGPP/PSO script written by @n00py: https://github.com/n00py/GetFGPP
+        """
+        # Convert LDAP time to human readable format
+        def pso_days(ldap_time):
+            return f"{rd(seconds=int(abs(int(ldap_time)) / 10000000)).days} days"
+        
+        def pso_mins(ldap_time):
+            return f"{rd(seconds=int(abs(int(ldap_time)) / 10000000)).minutes} minutes"
+        
+        # Are there even any FGPPs?
+        self.logger.info("Attempting to enumerate policies...")
+        resp = self.search(searchFilter="(objectclass=*)", baseDN=f"CN=Password Settings Container,CN=System,{self.baseDN}", attributes=[])
+        if len(resp) > 1:
+            self.logger.highlight(f"{len(resp) - 1} PSO Objects found!")
+            self.logger.highlight("")
+            self.logger.success("Attempting to enumerate objects with an applied policy...")
+
+        # Who do they apply to?
+        resp = self.search(searchFilter="(objectclass=*)", attributes=["DistinguishedName", "msDS-PSOApplied"])
+        resp_parsed = parse_result_attributes(resp)
+        for attrs in resp_parsed:
+            if "msDS-PSOApplied" in attrs:
+                # Get the distinguished name from the original response for objectName
+                for orig_resp in resp:
+                    if isinstance(orig_resp, ldapasn1_impacket.SearchResultEntry):
+                        self.logger.highlight(f"Object: {orig_resp['objectName']}")
+                        break
+                self.logger.highlight("Applied Policy: ")
+                pso_applied = attrs["msDS-PSOApplied"]
+                self.logger.highlight(f"\t{pso_applied}")
+                self.logger.highlight("")
+
+        # Let's find out even more details!
+        self.logger.info("Attempting to enumerate details...\n")
+        resp = self.search(searchFilter="(objectclass=msDS-PasswordSettings)",
+                          attributes=["name", "msds-lockoutthreshold", "msds-psoappliesto", "msds-minimumpasswordlength",
+                                     "msds-passwordhistorylength", "msds-lockoutobservationwindow", "msds-lockoutduration",
+                                     "msds-passwordsettingsprecedence", "msds-passwordcomplexityenabled", "Description",
+                                     "msds-passwordreversibleencryptionenabled", "msds-minimumpasswordage", "msds-maximumpasswordage"])
+        resp_parsed = parse_result_attributes(resp)
+        for attrs in resp_parsed:
+            policyName = attrs.get("name", "")
+            description = attrs.get("description", "")
+            passwordLength = attrs.get("msDS-MinimumPasswordLength", "")
+            passwordhistorylength = attrs.get("msDS-PasswordHistoryLength", "")
+            lockoutThreshold = attrs.get("msDS-LockoutThreshold", "")
+            observationWindow = attrs.get("msDS-LockoutObservationWindow", "")
+            lockoutDuration = attrs.get("msDS-LockoutDuration", "")
+            complexity = attrs.get("msDS-PasswordComplexityEnabled", "")
+            minPassAge = attrs.get("msDS-MinimumPasswordAge", "")
+            maxPassAge = attrs.get("msDS-MaximumPasswordAge", "")
+            reverseibleEncryption = attrs.get("msDS-PasswordReversibleEncryptionEnabled", "")
+            precedence = attrs.get("msDS-PasswordSettingsPrecedence", "")
+            policyApplies = attrs.get("msDS-PSOAppliesTo", "")
+
+            self.logger.highlight(f"Policy Name: {policyName}")
+            if description:
+                self.logger.highlight(f"Description: {description}")
+            self.logger.highlight(f"Minimum Password Length: {passwordLength}")
+            self.logger.highlight(f"Minimum Password History Length: {passwordhistorylength}")
+            self.logger.highlight(f"Lockout Threshold: {lockoutThreshold}")
+            self.logger.highlight(f"Observation Window: {pso_mins(observationWindow)}")
+            self.logger.highlight(f"Lockout Duration: {pso_mins(lockoutDuration)}")
+            self.logger.highlight(f"Complexity Enabled: {complexity}")
+            self.logger.highlight(f"Minimum Password Age: {pso_days(minPassAge)}")
+            self.logger.highlight(f"Maximum Password Age: {pso_days(maxPassAge)}")
+            self.logger.highlight(f"Reversible Encryption: {reverseibleEncryption}")
+            self.logger.highlight(f"Precedence: {precedence} (Lower is Higher Priority)")
+            self.logger.highlight("Policy Applies to:")
+            if isinstance(policyApplies, list):
+                for value in policyApplies:
+                    if value:
+                        self.logger.highlight(f"\t{value}")
+            elif policyApplies:
+                self.logger.highlight(f"\t{policyApplies}")
+            self.logger.highlight("")
+
     def bloodhound(self):
         # Check which version is desired
         use_bhce = self.config.getboolean("BloodHound-CE", "bhce_enabled", fallback=False)
diff --git a/nxc/protocols/ldap/proto_args.py b/nxc/protocols/ldap/proto_args.py
@@ -29,6 +29,7 @@ def proto_args(parser, parents):
     vgroup.add_argument("--dc-list", action="store_true", help="Enumerate Domain Controllers")
     vgroup.add_argument("--get-sid", action="store_true", help="Get domain sid")
     vgroup.add_argument("--active-users", nargs="*", help="Get Active Domain Users Accounts")
+    vgroup.add_argument("--pso", action="store_true", help="Get Fine Grained Password Policy/PSOs")
 
     ggroup = ldap_parser.add_argument_group("Retrieve gmsa on the remote DC", "Options to play with gmsa")
     ggroup.add_argument("--gmsa", action="store_true", help="Enumerate GMSA passwords")
diff --git a/tests/e2e_commands.txt b/tests/e2e_commands.txt
@@ -196,6 +196,7 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --kerberoa
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --trusted-for-delegation
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --admin-count
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --gmsa
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --pso
 ##### LDAP Modules
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -L
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M adcs
@@ -209,7 +210,6 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M maq
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M subnets
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M user-desc
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M whoami
-netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M pso
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M dump-computers
 ##### WINRM
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex
