Merge pull request Pennyw0rth#642 from Pennyw0rth/neff-parse-uuids

Add sid parsing directly to the ldap attribute parser

Author: NeffIsBack

nxc/parsers/ldap_results.py

@@ -1,4 +1,5 @@
 from impacket.ldap import ldapasn1 as ldapasn1_impacket
+from uuid import UUID
 
 
 def parse_result_attributes(ldap_response):
@@ -11,16 +12,43 @@ def parse_result_attributes(ldap_response):
         for attribute in entry["attributes"]:
             val_list = []
             for val in attribute["vals"].components:
-                try:
-                    encoding = val.encoding
-                    val_decoded = str(val).encode(encoding).decode("utf-8")
-                except UnicodeDecodeError:
-                    # If we can't decode the value, we'll just return the bytes
-                    val_decoded = val.__bytes__()
+                # Typical Byte objects we know how to decode
+                if str(attribute["type"]) == "objectGUID":
+                    val_decoded = UUID(bytes=val.__bytes__())
+                elif str(attribute["type"]) == "objectSid":
+                    val_decoded = sid_to_str(val.__bytes__())
+                else:
+                    # For the rest we try to decode the value with its encoding
+                    try:
+                        encoding = val.encoding
+                        val_decoded = str(val).encode(encoding).decode("utf-8")
+                    except UnicodeDecodeError:
+                        # If we can't decode the value, we'll just return the bytes
+                        val_decoded = val.__bytes__()
                 val_list.append(val_decoded)
             if len(val_list) == 1:
                 attribute_map[str(attribute["type"])] = val_list[0]
             else:
                 attribute_map[str(attribute["type"])] = val_list
         parsed_response.append(attribute_map)
     return parsed_response
+
+
+def sid_to_str(sid):
+    try:
+        # revision
+        revision = int(sid[0])
+        # count of sub authorities
+        sub_authorities = int(sid[1])
+        # big endian
+        identifier_authority = int.from_bytes(sid[2:8], byteorder="big")
+        # If true then it is represented in hex
+        if identifier_authority >= 2**32:
+            identifier_authority = hex(identifier_authority)
+
+        # loop over the count of small endians
+        sub_authority = "-" + "-".join([str(int.from_bytes(sid[8 + (i * 4): 12 + (i * 4)], byteorder="little")) for i in range(sub_authorities)])
+        return "S-" + str(revision) + "-" + str(identifier_authority) + sub_authority
+    except Exception:
+        pass
+    return sid

nxc/protocols/ldap.py

@@ -578,25 +578,6 @@ def hash_login(self, domain, username, ntlm_hash):
     def get_sid(self):
         self.logger.highlight(f"Domain SID {self.sid_domain}")
 
-    def sid_to_str(self, sid):
-        try:
-            # revision
-            revision = int(sid[0])
-            # count of sub authorities
-            sub_authorities = int(sid[1])
-            # big endian
-            identifier_authority = int.from_bytes(sid[2:8], byteorder="big")
-            # If true then it is represented in hex
-            if identifier_authority >= 2**32:
-                identifier_authority = hex(identifier_authority)
-
-            # loop over the count of small endians
-            sub_authority = "-" + "-".join([str(int.from_bytes(sid[8 + (i * 4): 12 + (i * 4)], byteorder="little")) for i in range(sub_authorities)])
-            return "S-" + str(revision) + "-" + str(identifier_authority) + sub_authority
-        except Exception:
-            pass
-        return sid
-
     def check_if_admin(self):
         # 1. get SID of the domaine
         search_filter = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"
@@ -606,8 +587,7 @@ def check_if_admin(self):
         answers = []
         if resp and (self.password != "" or self.lmhash != "" or self.nthash != "" or self.aesKey != "") and self.username != "":
             for item in resp_parsed:
-                sid = self.sid_to_str(item["objectSid"])
-                self.sid_domain = "-".join(sid.split("-")[:-1])
+                self.sid_domain = "-".join(item["objectSid"].split("-")[:-1])
 
             # 2. get all group cn name
             search_filter = f"(|(objectSid={self.sid_domain}-512)(objectSid={self.sid_domain}-544)(objectSid={self.sid_domain}-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))"