Additional LDAP Interactive Shell Features #1076

Merged
merged 9 commits into from
May 19, 2021

UNC1739
Contributor

@UNC1739 UNC1739 commented May 10, 2021

I've added some additional features to the LDAP Interactive Shell to facilitate exploitation of Active Directory ACL attack paths from an LDAP relaying attack. To facilitate this I've added the following new commands:

  • add_computer - Introduces the ability to add a new computer to the domain.
  • change_password - Introduces the ability to change the password associated with a user or computer account.
  • clear_rbcd - Ability to clear the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute post-exploitation.
  • disable_account - Ability to disable a previously enabled user-account.
  • enable_account - Ability to enable a previously disabled user-account.
  • get_laps_password - Attempts to read the LAPS password associated with a given computer account.
  • grant_control - Writes to the DACL associated with an object to grant control of the object to another object within Active Directory. The grant_control primitive is often useful when exploiting ACL attack paths with the “WriteDACL” or “Owns” edge.
  • set_dontreqpreauth - The ability to enable or disable the "do not require Kerberos pre-authentication" setting for an arbitrary user account.
  • set_rbcd - Configure resource-based constrained delegation (RBCD) to permit a grantee to impersonate arbitrary users to the target host.

Here are some examples of the new commands. Below we leverage the set_rbcd command to configure resource-based constrained delegation:

Screen Shot 2021-05-07 at 5 23 17 PM
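
From the defender's side, several of the commands listed above correspond to specific attribute writes: the RBCD attribute, the object's DACL, and the account flags in userAccountControl. The following is an added example, not code from this pull request or from the project, that triages attribute-change records for those writes. The record shape, field names and sample values are constructed assumptions; the two userAccountControl bit values are the standard Active Directory flags.

```python
# Added example: triage attribute-change records for the writes named in the PR.
# The record shape (actor, dn, attr, old, new) is a constructed assumption.

UAC_ACCOUNTDISABLE = 0x0002       # userAccountControl: account is disabled
UAC_DONT_REQ_PREAUTH = 0x400000   # userAccountControl: Kerberos pre-auth not required
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"


def classify(rec):
    """Return findings for one attribute-change record."""
    attr = rec["attr"].lower()
    old, new = rec.get("old"), rec.get("new")
    findings = []
    if attr == RBCD_ATTR:
        findings.append("rbcd_set" if new else "rbcd_cleared")
    elif attr == "ntsecuritydescriptor":
        findings.append("dacl_modified")
    elif attr == "useraccountcontrol":
        before, after = int(old or 0), int(new or 0)
        flipped = before ^ after  # only bits that actually changed
        if flipped & UAC_DONT_REQ_PREAUTH:
            findings.append("preauth_not_required" if after & UAC_DONT_REQ_PREAUTH
                            else "preauth_required")
        if flipped & UAC_ACCOUNTDISABLE:
            findings.append("account_disabled" if after & UAC_ACCOUNTDISABLE
                            else "account_enabled")
    return findings


def triage(records):
    """Return (actor, dn, findings) for every record that has findings."""
    return [(r["actor"], r["dn"], f) for r in records if (f := classify(r))]


# Constructed sample records, not real log data.
SAMPLE = [
    {"actor": "CORP\\svc-web", "dn": "CN=FS01,CN=Computers,DC=corp,DC=example",
     "attr": "msDS-AllowedToActOnBehalfOfOtherIdentity", "old": None, "new": "<binary SD>"},
    {"actor": "CORP\\svc-web", "dn": "CN=alice,CN=Users,DC=corp,DC=example",
     "attr": "userAccountControl", "old": "512", "new": "4194816"},
    {"actor": "CORP\\helpdesk", "dn": "CN=bob,CN=Users,DC=corp,DC=example",
     "attr": "userAccountControl", "old": "514", "new": "512"},
    {"actor": "CORP\\helpdesk", "dn": "CN=bob,CN=Users,DC=corp,DC=example",
     "attr": "description", "old": "", "new": "temp"},
]

if __name__ == "__main__":
    for actor, dn, findings in triage(SAMPLE):
        print(actor, dn, findings)
```

Comparing the old and new userAccountControl values bit by bit keeps unrelated flag changes from being reported as a pre-authentication or enable/disable change.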

@0xdeaddood added the "in review" label May 18, 2021
@0xdeaddood requested a review from martingalloar May 19, 2021 14:52
@martingalloar
Contributor

LGTM, tested almost all of the new commands (don't have LAPS configured in my env). At some point I think we might want to review and make our error and print messages more consistent across tools/commands.

These are great and helpful additions! Thanks @adamcrosser!

@UNC1739
Contributor Author

UNC1739 commented May 19, 2021

Thanks for the review @martingalloar! Now that the pull request is approved, do you know when this might be merged into the master branch?

@0xdeaddood
Collaborator

> Thanks for the review @martingalloar! Now that the pull request is approved, do you know when this might be merged into the master branch?

Right now 😃. Thanks for the PR @adamcrosser, this is great!
Thanks for checking @martingalloar, merging...

@0xdeaddood merged commit 2f5c247 into fortra:master May 19, 2021
@0xdeaddood removed the "in review" label May 19, 2021
@dirkjanm
Contributor

this is great work!
