Finish SCCM string enumeration

NeffIsBack · NeffIsBack · commit f18c442a10c3 · 2024-07-26T13:12:06.000-04:00
diff --git a/nxc/modules/sccm.py b/nxc/modules/sccm.py
@@ -3,8 +3,10 @@
 from ldap3.protocol.microsoft import security_descriptor_control
 from nxc.parsers.ldap_results import parse_result_attributes
 
+SAM_USER_OBJECT = 0x30000000
 SAM_MACHINE_ACCOUNT = 0x30000001
 SAM_GROUP_OBJECT = 0x10000000
+LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
 
 
 class NXCModule:
@@ -25,11 +27,21 @@ def __init__(self):
         self.sccm_site_servers = []     # List of dns host names of the SCCM site servers
         self.sccm_sites = {}            # List of SCCM sites with their management points (Sorted by site code)
         self.base_dn = ""
+        self.recursive_resolve = False
+
+        self.user_objects = []
+        self.computer_objects = []
+        self.group_objects = {}
 
     def options(self, context, module_options):
-        """BASE_DN            The base domain name for the LDAP query"""
+        """
+        BASE_DN            The base domain name for the LDAP query
+        REC_RESOLVE        Resolve members of groups recursively. Default: False
+        """
         if module_options and "BASE_DN" in module_options:
             self.base_dn = module_options["BASE_DN"]
+        if module_options and "REC_RESOLVE" in module_options:
+            self.recursive_resolve = bool(module_options["REC_RESOLVE"])
 
     def on_login(self, context, connection):
         """On a successful LDAP login we perform a search for all PKI Enrollment Server or Certificate Templates Names."""
@@ -76,30 +88,89 @@ def on_login(self, context, connection):
                             self.context.log.highlight(f"  CAS: {' ':<17}{False}")
                             self.context.log.highlight("  Management Points:")
                             for mp in self.sccm_sites[site]["ManagementPoints"]:
-                                self.context.log.highlight(f"\t  CN:{' ':<12}{mp['cn']}")
-                                self.context.log.highlight(f"\t  DNS Hostname:{' ':<2}{mp['dNSHostName']}")
-                                self.context.log.highlight(f"\t  IP Address:{' ':<4}{mp['IPAddress']}")
-                                self.context.log.highlight(f"\t  Default MP:{' ':<4}{mp['mSSMSDefaultMP']}")
+                                self.context.log.highlight(f"    CN:{' ':<12}{mp['cn']}")
+                                self.context.log.highlight(f"    DNS Hostname:{' ':<2}{mp['dNSHostName']}")
+                                self.context.log.highlight(f"    IP Address:{' ':<4}{mp['IPAddress']}")
+                                self.context.log.highlight(f"    Default MP:{' ':<4}{mp['mSSMSDefaultMP']}")
                         else:
                             self.context.log.highlight(f"  CAS: {' ':<17}{True}")
                     self.context.log.highlight("")
         except LDAPSearchError as e:
             context.log.fail(f"Got unexpected exception: {e}")
 
-        # Enumerate users/groups/computers with "SCCM" in their name
+        # SCCM named objects enumeration
+        self.get_sccm_named_objects(context, connection)
+        if self.user_objects:
+            context.log.success(f"Found {len(self.user_objects)} SCCM related user objects:")
+            for user in self.user_objects:
+                context.log.highlight(user)
+        if self.computer_objects:
+            context.log.success(f"Found {len(self.computer_objects)} SCCM related computer objects:")
+            for computer in self.computer_objects:
+                context.log.highlight(computer)
+        if self.group_objects:
+            context.log.success(f"Found {len(self.group_objects)} SCCM related group objects:")
+            for group in self.group_objects:
+                context.log.highlight(self.group_objects[group]["sAMAccountName"])
+                for child in self.group_objects[group]["children"]:
+                    if int(child["sAMAccountType"]) == SAM_USER_OBJECT:
+                        context.log.highlight(f"  {child['sAMAccountName']} -> User")
+                    elif int(child["sAMAccountType"]) == SAM_MACHINE_ACCOUNT:
+                        context.log.highlight(f"  {child['sAMAccountName']} -> Computer")
+                    elif int(child["sAMAccountType"]) == SAM_GROUP_OBJECT:
+                        context.log.highlight(f"  {child['sAMAccountName']} -> Group")
+
+    def get_sccm_named_objects(self, context, connection):
+        """Enumerate users/groups/computers with "SCCM" in their name"""
         # hippity hoppity your code is now my property, filter stolen from the awesome sccmhunter repository
         # https://github.com/garrettfoster13/sccmhunter
         try:
-            yoinkers = '(|(samaccountname=*sccm*)(samaccountname=*mecm*)(description=*sccm*)(description=*mecm*)(name=*sccm*)(name=*mecm*))'
+            yoinkers = "(|(samaccountname=*sccm*)(samaccountname=*mecm*)(description=*sccm*)(description=*mecm*)(name=*sccm*)(name=*mecm*))"
             context.log.display("Searching for SCCM related objects")
             result = connection.ldapConnection.search(
                 searchFilter=yoinkers,
                 searchBase=self.base_dn,
-                attributes=["sAMAccountName", "distinguishedName"],
+                attributes=["sAMAccountName", "distinguishedName", "sAMAccountType"],
             )
+
+            result = parse_result_attributes(result)
+            for res in result:
+                if "sAMAccountType" in res and int(res["sAMAccountType"]) == SAM_USER_OBJECT:
+                    self.user_objects.append(res["sAMAccountName"])
+                elif "sAMAccountType" in res and int(res["sAMAccountType"]) == SAM_MACHINE_ACCOUNT:
+                    self.computer_objects.append(res["sAMAccountName"])
+                elif "sAMAccountType" in res and int(res["sAMAccountType"]) == SAM_GROUP_OBJECT:
+                    self.group_objects[res["distinguishedName"]] = {
+                        "sAMAccountName": res["sAMAccountName"],
+                        "children": [],
+                    }
+                    if self.recursive_resolve:
+                        self.resolve_recursive(res["distinguishedName"])
+
         except LDAPSearchError as e:
             context.log.fail(f"Got unexpected exception: {e}")
 
+    def resolve_recursive(self, dn):
+        """Recursively resolve members of a group."""
+        try:
+            self.context.log.debug(f"Resolving group members recursively for {dn}")
+            # Somehow BaseDN is not working together with the LDAP_MATCHING_RULE_IN_CHAIN
+            result = self.connection.ldapConnection.search(
+                searchFilter=f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn})",
+                attributes=["sAMAccountName", "distinguishedName", "sAMAccountType"],
+            )
+
+            result = parse_result_attributes(result)
+            for res in result:
+                self.group_objects[dn]["children"].append({
+                    "sAMAccountName": res["sAMAccountName"],
+                    "distinguishedName": res["distinguishedName"],
+                    "sAMAccountType": res["sAMAccountType"],
+                })
+
+        except LDAPSearchError as e:
+            self.context.log.error(f"Error resolving group members: {e}")
+
     def get_management_points(self):
         """Searches for all SCCM management points in the Active Directory and maps them to their SCCM site via the site code."""
         try:
