@@ -1127,7 +1127,7 @@ def printTable(items, header):
11271127 f"(!(UserAccountControl:1.2.840.113556.1.4.803:={ UF_ACCOUNTDISABLE } ))"
11281128 f"(!(UserAccountControl:1.2.840.113556.1.4.803:={ SERVER_TRUST_ACCOUNT } )))" )
11291129
1130- attributes = ["sAMAccountName" , "pwdLastSet" , "userAccountControl" , "objectCategory" ,
1130+ attributes = ["sAMAccountName" , "pwdLastSet" , "userAccountControl" , "objectCategory" ,
11311131 "msDS-AllowedToActOnBehalfOfOtherIdentity" , "msDS-AllowedToDelegateTo" ]
11321132
11331133 resp = self .search (search_filter , attributes , 0 )
@@ -1143,7 +1143,7 @@ def printTable(items, header):
11431143 objectType = ""
11441144 rightsTo = []
11451145 protocolTransition = 0
1146-
1146+
11471147 try :
11481148 sAMAccountName = item .get ("sAMAccountName" )
11491149 mustCommit = sAMAccountName is not None
@@ -1165,27 +1165,28 @@ def printTable(items, header):
11651165
11661166 # Not an elif as an object could both have RBCD and another type of delegation
11671167 if item .get ("msDS-AllowedToActOnBehalfOfOtherIdentity" ) is not None :
1168- databyte = AttributeValue ( item .get ("msDS-AllowedToActOnBehalfOfOtherIdentity" )) # STR to impacket.ldap.ldapasn1.AttributeValue
1168+ databyte = item .get ("msDS-AllowedToActOnBehalfOfOtherIdentity" )
11691169 rbcdRights = []
11701170 rbcdObjType = []
11711171 sd = ldaptypes .SR_SECURITY_DESCRIPTOR (data = bytes (databyte ))
1172- search_filter = "(&(|"
1173- for ace in sd ["Dacl" ].aces :
1174- search_filter += "(objectSid=" + ace ["Ace" ]["Sid" ].formatCanonical () + ")"
1175- search_filter += ")(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
1176- delegUserResp = self .search (search_filter , attributes = ["sAMAccountName" , "objectCategory" ], sizeLimit = 999 )
1177- delegUserResp_parse = parse_result_attributes (delegUserResp )
1178-
1179- for rbcd in delegUserResp_parse :
1180- rbcdRights .append (str (rbcd .get ("sAMAccountName" )))
1181- rbcdObjType .append (str (rbcd .get ("objectCategory" )))
1182-
1183- if mustCommit :
1184- if int (userAccountControl ) & UF_ACCOUNTDISABLE :
1185- self .logger .debug (f"Bypassing disabled account { sAMAccountName } " )
1186- else :
1187- for rights , objType in zip (rbcdRights , rbcdObjType ):
1188- answers .append ([rights , objType , "Resource-Based Constrained" , sAMAccountName ])
1172+ if len (sd ["Dacl" ].aces ) > 0 :
1173+ search_filter = "(&(|"
1174+ for ace in sd ["Dacl" ].aces :
1175+ search_filter += "(objectSid=" + ace ["Ace" ]["Sid" ].formatCanonical () + ")"
1176+ search_filter += ")(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
1177+ delegUserResp = self .search (search_filter , attributes = ["sAMAccountName" , "objectCategory" ], sizeLimit = 999 )
1178+ delegUserResp_parse = parse_result_attributes (delegUserResp )
1179+
1180+ for rbcd in delegUserResp_parse :
1181+ rbcdRights .append (str (rbcd .get ("sAMAccountName" )))
1182+ rbcdObjType .append (str (rbcd .get ("objectCategory" )))
1183+
1184+ if mustCommit :
1185+ if int (userAccountControl ) & UF_ACCOUNTDISABLE :
1186+ self .logger .debug (f"Bypassing disabled account { sAMAccountName } " )
1187+ else :
1188+ for rights , objType in zip (rbcdRights , rbcdObjType ):
1189+ answers .append ([rights , objType , "Resource-Based Constrained" , sAMAccountName ])
11891190
11901191 if delegation in ["Unconstrained" , "Constrained" , "Constrained w/ Protocol Transition" ] and mustCommit :
11911192 if int (userAccountControl ) & UF_ACCOUNTDISABLE :
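Review bot: The ACE loop at 1174 still adds every ACE's SID to the filter without looking at `ace["AceType"]`, so an ACCESS_DENIED entry in the RBCD descriptor would be reported as a principal allowed to act on behalf of the resource; the new `len(...) > 0` guard at 1172 only covers the empty-DACL case. Collecting the allowed ACEs first and keying the guard on that list fixes both at once, and `if allowed_sids:` is the idiomatic form of the length test. If impacket leaves `Dacl` empty for a descriptor with no DACL offset, `sd["Dacl"].aces` could still raise before the guard; the `try` opened at 1147 may cover that, but its `except` clause is outside this hunk. The enclosing method starts before and continues after the hunk.
```python
sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=bytes(databyte))
# Only allow-type ACEs grant RBCD; skip deny (and any other) ACE types
allowed_sids = [ace["Ace"]["Sid"].formatCanonical()
                for ace in sd["Dacl"].aces
                if ace["AceType"] == ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE]
if allowed_sids:
    search_filter = "(&(|" + "".join(f"(objectSid={s})" for s in allowed_sids) + ")(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    # … unchanged: search, parse_result_attributes and the answers.append loop …
```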
@@ -1200,7 +1201,7 @@ def printTable(items, header):
12001201 printTable (answers , header = ["AccountName" , "AccountType" , "DelegationType" , "DelegationRightsTo" ])
12011202 else :
12021203 self .logger .fail ("No entries found!" )
1203-
1204+
12041205 def trusted_for_delegation (self ):
12051206 # Building the search filter
12061207 searchFilter = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"