Merge branch 'main' into marshall-db-ip-fix

Author: Marshall-Hallenbeck

nxc/protocols/ldap.py

@@ -259,7 +259,8 @@ def enum_host_info(self):
             ntlm_info = parse_challenge(ntlm_challenge)
             self.server_os = ntlm_info["os_version"]
 
-        if not self.kdcHost and self.domain and self.domain == self.remoteName:
+        # using kdcHost is buggy on impacket when using trust relation between ad so we kdcHost must stay to none if targetdomain is not equal to domain
+        if not self.kdcHost and self.domain and self.domain == self.targetDomain:
             result = self.resolver(self.domain)
             self.kdcHost = result["host"] if result else None
             self.logger.info(f"Resolved domain: {self.domain} with dns, kdcHost: {self.kdcHost}")
@@ -805,6 +806,7 @@ def active_users(self):
     def asreproast(self):
         if self.password == "" and self.nthash == "" and self.kerberos is False:
             return False
+
         # Building the search filter
         search_filter = "(&(UserAccountControl:1.2.840.113556.1.4.803:=%d)(!(UserAccountControl:1.2.840.113556.1.4.803:=%d))(!(objectCategory=computer)))" % (UF_DONT_REQUIRE_PREAUTH, UF_ACCOUNTDISABLE)
         attributes = [

nxc/protocols/ldap/kerberos.py

@@ -28,6 +28,7 @@ def __init__(self, connection):
         self.username = connection.username
         self.password = connection.password
         self.domain = connection.domain
+        self.host = connection.host
         self.targetDomain = connection.targetDomain
         self.hash = connection.hash
         self.lmhash = ""
@@ -223,6 +224,10 @@ def get_tgt_asroast(self, userName, requestPAC=True):
 
         message = encoder.encode(as_req)
 
+        # If kdcHost isn't set, use the target IP for DNS resolution
+        if not self.kdcHost:
+            self.kdcHost = self.host
+
         try:
             r = sendReceive(message, domain, self.kdcHost)
         except KerberosError as e: