p0dalirius / pyFindUncommonShares

FindUncommonShares is a Python script that quickly finds uncommon shares in vast Windows domains and filters them by READ or WRITE access.
https://podalirius.net/

Fix kerberos and AES auth #25

Closed lefayjey closed 1 year ago

lefayjey commented 1 year ago

Hello,

Please refer to: https://github.com/p0dalirius/sectools/pull/5

The updated tool depends on the update of sectools.

Thanks!

lefayjey commented 1 year ago

Before updates (ccache and AES)

python3 /opt/old/FindUncommonShares.py -d essos.local -u daenerys.targaryen --dc-ip 192.168.56.12 -k --no-pass
FindUncommonShares v3.0 - by @podalirius_

Traceback (most recent call last):
  File "/opt/old/FindUncommonShares.py", line 657, in <module>
    mdns.check_wildcard_dns()
  File "/opt/old/FindUncommonShares.py", line 115, in check_wildcard_dns
    ldap_server, ldap_session = init_ldap_session(
                                ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/sectools/windows/ldap.py", line 65, in init_ldap_session
    return __init_ldap_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/sectools/windows/ldap.py", line 33, in __init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 389, in _do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 635, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password

python3 /opt/old/FindUncommonShares.py -d essos.local -u daenerys.targaryen --aes-key cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378 --dc-ip 192.168.56.12
FindUncommonShares v3.0 - by @podalirius_

Password:
Traceback (most recent call last):
  File "/opt/old/FindUncommonShares.py", line 657, in <module>
    mdns.check_wildcard_dns()
  File "/opt/old/FindUncommonShares.py", line 115, in check_wildcard_dns
    ldap_server, ldap_session = init_ldap_session(
                                ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/sectools/windows/ldap.py", line 65, in init_ldap_session
    return __init_ldap_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/sectools/windows/ldap.py", line 33, in __init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 389, in _do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 635, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password

After updates

python3 /opt/new/FindUncommonShares.py -d essos.local -u daenerys.targaryen -k --dc-ip 192.168.56.12 --kdcHost MEEREEN --no-pass
FindUncommonShares v3.0 - by @podalirius_

[>] Extracting all computers ...
[+] Found 2 computers in the domain. 

[>] Enumerating shares ...
[>] Found 'all' on 'braavos.essos.local' (comment: 'Basic RW share for all') 
[>] Found 'CertEnroll' on 'braavos.essos.local' (comment: 'Active Directory Certificate Services share') 
[>] Found 'public' on 'braavos.essos.local' (comment: 'Basic Read share for all domain users') 
[+] Bye Bye!

python3 /opt/new/FindUncommonShares.py -d essos.local -u daenerys.targaryen --aes-key cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378 --dc-ip 192.168.56.12 --kdcHost MEEREEN
FindUncommonShares v3.0 - by @podalirius_

[>] Extracting all computers ...
[+] Found 2 computers in the domain. 

[>] Enumerating shares ...
[>] Found 'all' on 'braavos.essos.local' (comment: 'Basic RW share for all') 
[>] Found 'CertEnroll' on 'braavos.essos.local' (comment: 'Active Directory Certificate Services share') 
[>] Found 'public' on 'braavos.essos.local' (comment: 'Basic Read share for all domain users') 
[+] Bye Bye!