Describe the bug
Hello,
Netexec apparently doesn't properly handle 64-bit signed integers in the convert() function, leading someone to believe it was safe to perform password spraying, which accidentally locked out hundreds of accounts.
When run, netexec returned that the AD password policy's lockout duration was "256 days 2 hours 48 minutes". Turns out it was actually set to 0. The discrepancy appears to be that LDAP actually stores the 0 not as a 0 but as the minimum value of a 64-bit signed integer. Below is the value pulled directly using ldapsearch.
lockoutDuration: -9223372036854775808
Take this value and plug it into the convert() function here (NetExec/nxc/protocols/smb/passpol.py, line 22 in 8046495):
def convert(low, high, lockout=False):
And you get the weird lockout duration timer:
In [5]: convert(0,-9223372036854775808,lockout=True)
Out[5]: '256 days 2 hours 48 minutes '
I see in the function that there is already a check for signed 32-bit integers:
if low == 0 and hex(high) == "-0x80000000":
return "Not Set"
But nothing for 64-bit:
In [6]: hex(-9223372036854775808)
Out[6]: '-0x8000000000000000'
To Reproduce
They told me the Lockout Duration came from netexec's password policy output. I don't have the exact command they ran.
Expected behavior
The value returned should have been a zero
Screenshots
None
NetExec info
I don't have it, but I pulled the convert function from the current main branch
Additional context
None, seems like a simple software bug.
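Added example, written for this edit and not taken from NetExec (it does not reuse the project's convert()): a small decoder for the AD interval attributes that normalises both delivery shapes of the "not set" sentinel, the raw 64-bit LDAP value from ldapsearch and the SAMR-style low/high 32-bit halves, before doing any arithmetic, and shows what the same value turns into when the check is skipped. Function names, the ldapsearch-style sample lines and the 30-minute / 42-day values are my own constructions, not output from a real domain.

```python
"""Added example (not NetExec's code): decode AD lockout attributes without
misreading the 64-bit 'not set' sentinel.

Active Directory stores lockoutDuration, lockoutObservationWindow and maxPwdAge
as negative counts of 100-nanosecond intervals. "Not set" is INT64_MIN
(0x8000000000000000). Over SAMR the same value arrives split into a 32-bit
LowPart (unsigned) and HighPart (signed), i.e. low == 0 and high == -0x80000000,
which is the 32-bit check quoted in the report. Both shapes are normalised to
one 64-bit integer and tested before any arithmetic happens.
"""

INT64_MIN = -(1 << 63)              # -9223372036854775808 == -0x8000000000000000
INTERVALS_PER_SECOND = 10_000_000   # one interval is 100 ns


def from_low_high(low: int, high: int) -> int:
    """Reassemble a signed 64-bit integer from SAMR-style LowPart/HighPart."""
    return (high << 32) | (low & 0xFFFFFFFF)


def is_not_set(value: int) -> bool:
    """True for AD's 'not set' sentinel, however it was delivered."""
    return value == INT64_MIN


def duration_seconds(value: int) -> int:
    """Seconds encoded by an AD interval attribute; 0 for the sentinel."""
    if is_not_set(value):
        return 0
    return abs(value) // INTERVALS_PER_SECOND


def format_duration(seconds: int) -> str:
    """Render whole seconds as days/hours/minutes (seconds are dropped)."""
    days, rem = divmod(seconds, 86_400)
    hours, rem = divmod(rem, 3_600)
    return f"{days} days {hours} hours {rem // 60} minutes"


def describe(value: int) -> str:
    """Human-readable duration, or 'Not Set' for the sentinel."""
    if is_not_set(value):
        return "Not Set"
    return format_duration(duration_seconds(value))


def describe_unchecked(value: int) -> str:
    """The failure mode: convert the raw magnitude with no sentinel check."""
    return format_duration(abs(value) // INTERVALS_PER_SECOND)


def parse_ldif_int(line: str) -> int:
    """Parse one 'attribute: value' line from ldapsearch output as an int."""
    _, _, raw = line.partition(":")
    return int(raw.strip())


def lockout_policy(ldif_lines) -> dict:
    """Summarise the lockout-relevant attributes from ldapsearch lines.

    Whether spraying can trip lockouts is decided by lockoutThreshold (0 means
    lockout is disabled). A 'Not Set' lockoutDuration means a locked account
    stays locked until an administrator unlocks it, so it is not a green light.
    """
    wanted = ("lockoutThreshold", "lockoutDuration",
              "lockoutObservationWindow", "maxPwdAge")
    attrs = {}
    for line in ldif_lines:
        name, sep, _ = line.partition(":")
        if sep and name in wanted:
            attrs[name] = parse_ldif_int(line)

    def show(attr):
        return describe(attrs[attr]) if attr in attrs else "Unknown"

    return {
        "threshold": attrs.get("lockoutThreshold", 0),
        "duration": show("lockoutDuration"),
        "window": show("lockoutObservationWindow"),
        "max_pwd_age": show("maxPwdAge"),
    }


# Constructed sample in the shape of ldapsearch output; not from a real domain.
SAMPLE_LDIF = [
    "dn: DC=example,DC=local",
    "lockoutThreshold: 5",
    "lockoutDuration: -9223372036854775808",    # the value in the report: not set
    "lockoutObservationWindow: -18000000000",   # 30 minutes
    "maxPwdAge: -36288000000000",               # 42 days
]

if __name__ == "__main__":
    print(describe(INT64_MIN))                      # Not Set
    print(describe(from_low_high(0, -0x80000000)))  # Not Set
    print(describe_unchecked(INT64_MIN))            # 10675199 days 2 hours 48 minutes
    print(lockout_policy(SAMPLE_LDIF))
```

Comparing the sentinel against the integer `-(1 << 63)` rather than against a hex string catches it whether the value came in as one 64-bit LDAP integer or as the low/high pair that the quoted 32-bit check handles. Without the check, INT64_MIN decodes to 10,675,199 days 2 hours 48 minutes (about 29,000 years); the hours and minutes are the same ones that appear in the reported string, so a lockout duration of a few hundred days coming out of a "never" value is a sign the day count was truncated in formatting, not that the policy was lenient.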