Merge pull request #116 from franc-pentest/improve-gmsa

Improve gmsa (add filter on sAMAccountName)
franc-pentest · Nov 10, 2024 · 20a659c · 20a659c
2 parents 1454e36 + 5aa8bb5
commit 20a659c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.0.72
+1.0.73
diff --git a/ldeep/__main__.py b/ldeep/__main__.py
@@ -419,14 +419,18 @@ def list_computers(self, kwargs):
 
     def list_gmsa(self, kwargs):
         """
-        List the gmsa accounts and retrieve NT hash if possible.
+        List the gmsa accounts and retrieve secrets(NT + kerberos keys) if possible.
 
         Arguments:
             @verbose:bool
                 Results will contain full information
+            @target:string
+                Retrieve only the information regarding the specified target account
         """
         verbose = kwargs.get("verbose", False)
+        target = kwargs.get("target", "*")
         hidden_attributes = ["msDS-ManagedPassword"]
+
         if verbose:
             attributes = ALL + hidden_attributes
         else:
@@ -437,7 +441,7 @@ def list_gmsa(self, kwargs):
             ] + hidden_attributes
 
         try:
-            entries = self.engine.get_gmsa(attributes)
+            entries = self.engine.get_gmsa(attributes, target)
         except LDAPAttributeError as e:
             error(f"{e}. The domain's functional level may be too old")
             entries = []

diff --git a/ldeep/views/ldap_activedirectory.py b/ldeep/views/ldap_activedirectory.py
@@ -263,6 +263,9 @@ class LdapActiveDirectoryView(ActiveDirectoryView):
     LAPS2_FILTER = (
         lambda _, s: f"(&(objectCategory=computer)(msLAPS-PasswordExpirationTime=*)(cn={s}))"
     )
+    GMSA_FILTER = (
+        lambda _, s: f"(&(ObjectClass=msDS-GroupManagedServiceAccount)(sAMAccountName={s}))"
+    )
     SMSA_FILTER = lambda _: "(ObjectClass=msDS-ManagedServiceAccount)"
     BITLOCKERKEY_FILTER = lambda _: "(objectClass=msFVE-RecoveryInformation)"
     FSMO_DOMAIN_NAMING_FILTER = (
@@ -781,10 +784,8 @@ def get_sddl(self, ldapfilter, base=None, scope=None):
 
         return result_set
 
-    def get_gmsa(self, attributes):
-        entries = list(
-            self.query("(ObjectClass=msDS-GroupManagedServiceAccount)", attributes)
-        )
+    def get_gmsa(self, attributes, target):
+        entries = list(self.query(self.GMSA_FILTER(target), attributes))
 
         constants = GMSA_ENCRYPTION_CONSTANTS
         iv = b"\x00" * 16