Open Sq00ky opened 3 months ago
@Sq00ky hello, when I use a cross-forest request from the child domain to the parent with NTLM auth, all is fine.
When I use Kerberos auth, the ticket is requested from -dc-ip, but the ticket needs to be requested first from the child domain.
192.168.0.3 is dc.contoso.local
Hello Impacket team!
Overview
Recently our team identified a small oddity in GetNPUsers.py && GetADUsers.py where you couldn't ASREP-Roast or query users in other domains. To remedy this, I modified the logic that both scripts use to create the LDAP search scope.
Changes
The original code is something like so:
Which essentially retrieves the LDAP search scope from self.__domain (which is directly passed into the init function from the main function's provided credentials). It now checks whether the user provided a target domain flag:
The full change in the init function now checks if the supplied value is None/Null; if so, it'll then parse from the domain. If not, it'll first prefer the user's set target domain through a simple if statement:
Both of these code changes are shared between GetNPUsers.py && GetADUsers.py. The only other code change is within GetNPUsers.py, in the getTGT function, where a similar check is made (if target domain != None, set this, else, that):
Testing
This was tested in both a lab environment as well as a production Active Directory domain to ensure functionality wasn't broken. An example screenshot can be found here:
In the above example, the Administrator lives in the NANAISU domain, which has a bidirectional trust with the MSP domain as seen in the following screenshot:
Within the MSP domain there are two users, sqlUser and Ronnie. sqlUser has "Do not require Kerberos Pre-Auth" checked to allow for GetNPUsers.py testing.
Testing the inverse also works. Users on the MSP domain can query the NANAISU domain:
![image](https://github.com/fortra/impacket/assets/44957111/8371b8c8-3c66-4c27-b17c-7ec9f6e373dd)
If there's any questions or concerns, please let me know! I hope this helps!
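The selection logic described in the PR (prefer an explicitly supplied target domain, otherwise fall back to the domain taken from the credentials, then derive the LDAP search base from it), as an added stand-alone example; this is not impacket's code and the function names `domain_to_base_dn`, `resolve_search_domain` and `build_search_scope` are assumptions. The sample domain names are constructed for illustration.

```python
# Added example, not part of impacket or of this PR. Function names are assumptions.
from typing import Optional


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain such as 'child.contoso.local' into the LDAP search base
    'DC=child,DC=contoso,DC=local'. A trailing dot and surrounding whitespace are
    tolerated; an empty domain is rejected so a query never runs with no scope."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one DNS label")
    return ",".join(f"DC={label}" for label in labels)


def resolve_search_domain(cred_domain: str, target_domain: Optional[str]) -> str:
    """Mirror the PR's if-statement: a user-supplied target domain takes precedence;
    when it is None (or blank) the domain from the supplied credentials is used."""
    if target_domain is None or not target_domain.strip():
        return cred_domain
    return target_domain.strip()


def build_search_scope(cred_domain: str, target_domain: Optional[str] = None) -> str:
    """Combine the two steps: pick the domain to query, then build its base DN."""
    return domain_to_base_dn(resolve_search_domain(cred_domain, target_domain))


def is_cross_domain_query(cred_domain: str, target_domain: Optional[str]) -> bool:
    """True when the query will target a domain other than the credential's own
    (a trust-crossing lookup), which is the case the PR set out to support and
    which defenders may want to see reflected in LDAP and Kerberos logging."""
    return resolve_search_domain(cred_domain, target_domain).lower() != cred_domain.strip().lower()


if __name__ == "__main__":
    # Constructed sample values: credentials from contoso.local, query aimed at a child domain.
    print(build_search_scope("contoso.local"))                         # DC=contoso,DC=local
    print(build_search_scope("contoso.local", "child.contoso.local"))  # DC=child,DC=contoso,DC=local
    print(is_cross_domain_query("contoso.local", "child.contoso.local"))  # True
```

Passing `target_domain=None` reproduces the pre-PR behaviour (scope derived from the credential domain); passing a different domain reproduces the cross-domain case the PR enables.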