Merge pull request Pennyw0rth#271 from Pennyw0rth/neff-asreproast

Marshall-Hallenbeck · web-flow · commit 9a054871c4e3 · 2024-04-27T15:57:36.000-05:00
Fixing Pennyw0rth#263
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -330,7 +330,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             if hash_tgt:
                 self.logger.highlight(f"{hash_tgt}")
                 with open(self.args.asreproast, "a+") as hash_asreproast:
-                    hash_asreproast.write(hash_tgt + "\n")
+                    hash_asreproast.write(f"{hash_tgt}\n")
             return False
 
         kerb_pass = next(s for s in [self.nthash, password, aesKey] if s) if not all(s == "" for s in [self.nthash, password, aesKey]) else ""
@@ -436,7 +436,7 @@ def plaintext_login(self, domain, username, password):
             if hash_tgt:
                 self.logger.highlight(f"{hash_tgt}")
                 with open(self.args.asreproast, "a+") as hash_asreproast:
-                    hash_asreproast.write(hash_tgt + "\n")
+                    hash_asreproast.write(f"{hash_tgt}\n")
             return False
 
         try:
@@ -525,7 +525,7 @@ def hash_login(self, domain, username, ntlm_hash):
             if hash_tgt:
                 self.logger.highlight(f"{hash_tgt}")
                 with open(self.args.asreproast, "a+") as hash_asreproast:
-                    hash_asreproast.write(hash_tgt + "\n")
+                    hash_asreproast.write(f"{hash_tgt}\n")
             return False
 
         try:
@@ -893,7 +893,7 @@ def asreproast(self):
             "lastLogon",
         ]
         resp = self.search(search_filter, attributes, 0)
-        if resp == []:
+        if resp is None:
             self.logger.highlight("No entries found!")
         elif resp:
             answers = []
@@ -937,10 +937,10 @@ def asreproast(self):
             if len(answers) > 0:
                 for user in answers:
                     hash_TGT = KerberosAttacks(self).get_tgt_asroast(user[0])
-                    hash_TGT = KerberosAttacks(self).get_tgt_asroast(user[0])
-                    self.logger.highlight(f"{hash_TGT}")
-                    with open(self.args.asreproast, "a+") as hash_asreproast:
-                        hash_asreproast.write(hash_TGT + "\n")
+                    if hash_TGT:
+                        self.logger.highlight(f"{hash_TGT}")
+                        with open(self.args.asreproast, "a+") as hash_asreproast:
+                            hash_asreproast.write(f"{hash_TGT}\n")
                 return True
             else:
                 self.logger.highlight("No entries found!")
diff --git a/nxc/protocols/ldap/kerberos.py b/nxc/protocols/ldap/kerberos.py
@@ -1,18 +1,18 @@
 import random
 from binascii import hexlify, unhexlify
 from datetime import datetime, timedelta
+import traceback
+try:
+    # This is only available in python >= 3.11
+    # if we are in a lower version, we will use the deprecated utcnow() method
+    from datetime import UTC
+    utc_failed = False
+except ImportError:
+    utc_failed = True
 from os import getenv
 
 from impacket.krb5 import constants
-from impacket.krb5.asn1 import (
-    TGS_REP,
-    AS_REQ,
-    KERB_PA_PAC_REQUEST,
-    KRB_ERROR,
-    AS_REP,
-    seq_set,
-    seq_set_iter,
-)
+from impacket.krb5.asn1 import TGS_REP, AS_REQ, AS_REP, KERB_PA_PAC_REQUEST, KRB_ERROR, seq_set, seq_set_iter
 from impacket.krb5.ccache import CCache
 from impacket.krb5.kerberosv5 import sendReceive, KerberosError, getKerberosTGT
 from impacket.krb5.types import KerberosTime, Principal
@@ -211,7 +211,8 @@ def get_tgt_asroast(self, userName, requestPAC=True):
             return None
 
         req_body["realm"] = domain
-        now = datetime.utcnow() + timedelta(days=1)
+        # When we drop python 3.10 support utcnow() can be removed, as it is deprecated
+        now = datetime.utcnow() + timedelta(days=1) if utc_failed else datetime.now(UTC) + timedelta(days=1)
         req_body["till"] = KerberosTime.to_asn1(now)
         req_body["rtime"] = KerberosTime.to_asn1(now)
         req_body["nonce"] = random.getrandbits(31)
@@ -235,10 +236,11 @@ def get_tgt_asroast(self, userName, requestPAC=True):
                 message = encoder.encode(as_req)
                 r = sendReceive(message, domain, self.kdcHost)
             elif e.getErrorCode() == constants.ErrorCodes.KDC_ERR_KEY_EXPIRED.value:
-                return "Password of user " + userName + " expired but user doesn't require pre-auth"
+                return f"Password of user {userName} expired but user doesn't require pre-auth"
             else:
-                nxc_logger.debug(e)
-                return False
+                nxc_logger.fail(e)
+                nxc_logger.debug(traceback.format_exc())
+                return None
 
         # This should be the PREAUTH_FAILED packet or the actual TGT if the target principal has the
         # 'Do not require Kerberos preauthentication' set
