Netexec incorrectly handles 64 bit signed integers in convert function, leading to account lockouts #564

Description

@jmotu

Describe the bug
Hello,
Netexec apparently doesn't properly handle 64 bit signed integers in the convert() function, leading someone to believe it was safe to perform password spraying and accidentally locking out hundreds of accounts.

When run, netexec returned that the AD password policy's lockout duration was "256 days 2 hours 48 minutes". Turns out it was actually set to 0. The discrepancy appears to be that LDAP actually stores the 0 not as a 0 but as the minimum value of a 64 bit signed integer. Below is the value pulled directly using ldapsearch.

lockoutDuration: -9223372036854775808

Take this value and plug it into the convert() function here:

def convert(low, high, lockout=False):

And you get the weird lockout duration timer:

In [5]: convert(0,-9223372036854775808,lockout=True)
Out[5]: '256 days 2 hours 48 minutes '

I see in the function that there is already a check for signed 32bit integers:

    if low == 0 and hex(high) == "-0x80000000":
        return "Not Set"

But nothing for 64 bit:

In [6]: hex(-9223372036854775808)
Out[6]: '-0x8000000000000000'

To Reproduce
They told me the Lockout Duration came from netexec's password policy output. I don't have the exact command they ran.

Expected behavior
The value returned should have been a zero

Screenshots
None

NetExec info
I don't have it, but I pulled the convert function from the current main branch

Additional context
None, seems like a simple software bug.
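
Added example, not NetExec's code and not part of the original report: one way to read an AD interval attribute such as lockoutDuration when auditing a domain's lockout policy, treating the 64-bit minimum as a sentinel instead of converting it to a duration. The function names, the returned strings and the handling of a whole 64-bit value passed as `high` are assumptions; the sample values are constructed, apart from the sentinel quoted in the report.

```python
INT64_MIN = -(1 << 63)          # -9223372036854775808, the value quoted in the report
TICKS_PER_SECOND = 10_000_000   # AD interval attributes count 100-nanosecond ticks


def to_int64(value):
    """Wrap an integer into the signed 64-bit range (two's complement)."""
    value &= 0xFFFFFFFFFFFFFFFF
    return value - (1 << 64) if value >= (1 << 63) else value


def join_halves(low, high):
    """Combine a 32-bit low/high pair into one signed 64-bit value."""
    if not -(1 << 31) <= high < (1 << 32):
        # Assumption: `high` already holds the whole 64-bit value, as in the
        # report's call convert(0, -9223372036854775808, lockout=True).
        # Masking it to 32 bits here would silently turn the sentinel into 0.
        return to_int64(high)
    return to_int64(((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF))


def interval_seconds(raw):
    """Return the duration in seconds, or None for the INT64_MIN sentinel."""
    ticks = to_int64(int(raw))   # accepts the string ldapsearch prints, or an int
    if ticks == INT64_MIN:
        return None
    # Durations are stored as negative tick counts, so take the magnitude.
    return abs(ticks) // TICKS_PER_SECOND


def describe(raw):
    """Human-readable form; the sentinel is reported as the policy value 0."""
    seconds = interval_seconds(raw)
    if seconds is None:
        return "0 (stored as INT64_MIN)"
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days} days {hours} hours {rem // 60} minutes"


if __name__ == "__main__":
    # First value is from the report; the second is a constructed 30-minute sample.
    for raw in ("-9223372036854775808", "-18000000000"):
        print(raw, "->", describe(raw))
```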
