Merge pull request #89 from tiyeuse/master

PSO Enum as low priv user
franc-pentest · Jul 3, 2024 · 18fd1e8 · 18fd1e8
2 parents 1810f23 + c433861
commit 18fd1e8
Showing 1 changed file with 50 additions and 9 deletions.
diff --git a/ldeep/__main__.py b/ldeep/__main__.py
@@ -586,6 +586,44 @@ def list_pso(self, _):
                     )
                 print("{field}: {val}".format(field=field, val=val))
 
+        # enum principals affected by PSO if unpriv
+        results = []
+        # users
+        attributes = ["objectClass", "cn", "sAMAccountName", "msDS-PSOApplied"]
+        entries = self.engine.query(self.engine.USER_ALL_FILTER(), attributes)
+        for entry in entries:
+            psos = entry.get("msDS-PSOApplied")
+            if psos:
+                for pso in psos:
+                    pso = next(
+                        map(
+                            lambda x: x.replace("CN=", ""),
+                            filter(lambda x: x.startswith("CN="), pso.split(",")),
+                        )
+                    )
+                    name = entry.get("sAMAccountName")
+                    results.append(f"{name}:{pso}")
+
+        # groups
+        entries = self.engine.query(self.engine.GROUPS_FILTER(), attributes)
+        for entry in entries:
+            psos = entry.get("msDS-PSOApplied")
+            if psos:
+                for pso in psos:
+                    pso = next(
+                        map(
+                            lambda x: x.replace("CN=", ""),
+                            filter(lambda x: x.startswith("CN="), pso.split(",")),
+                        )
+                    )
+                    name = entry.get("sAMAccountName")
+                    results.append(f"{name}:{pso}")
+
+        if results:
+            print("Unprivileged enumeration:")
+            print("principal:pso_name")
+            print(*results, sep="\n")
+
     def list_trusts(self, kwargs):
         """
         List the domain's trust relationships.
@@ -656,16 +694,19 @@ def list_zones(self, kwargs):
         else:
             attributes = ALL
 
-        self.display(
-            self.engine.query(
-                self.engine.ZONES_FILTER(),
-                attributes,
-                base=",".join(
-                    ["CN=MicrosoftDNS,DC=DomainDNSZones", self.engine.base_dn]
+        try:
+            self.display(
+                self.engine.query(
+                    self.engine.ZONES_FILTER(),
+                    attributes,
+                    base=",".join(
+                        ["CN=MicrosoftDNS,DC=DomainDNSZones", self.engine.base_dn]
+                    ),
                 ),
-            ),
-            verbose,
-        )
+                verbose,
+            )
+        except:
+            error(f"Can't list zones", close_array=verbose)
 
     def list_pkis(self, kwargs):
         """