Add get-info-users module #769

Merged
NeffIsBack merged 6 commits into Pennyw0rth:main from sepauli:add-info-field
Jul 10, 2025
@sepauli sepauli commented Jul 1, 2025

Contributor

Description

Similar to "get-desc-users", which outputs the description field of domain users, this module is used to output the info field of domain users.

Similar to the description fields, users/admins can also write sensitive data into the "info" fields.
An example is the "Support" box from hackthebox: "A user called support is identified in the users list, and the info field is found to contain his password"

This module was also tested with the help of the machine:
[image: user_info_field]

The corresponding ldapsearch

$ ldapsearch -LLL -H ldap://support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' "(objectclass=user)" info
dn: CN=Administrator,CN=Users,DC=support,DC=htb

dn: CN=Guest,CN=Users,DC=support,DC=htb

dn: CN=DC,OU=Domain Controllers,DC=support,DC=htb

dn: CN=krbtgt,CN=Users,DC=support,DC=htb

dn: CN=ldap,CN=Users,DC=support,DC=htb

dn: CN=support,CN=Users,DC=support,DC=htb
info: Ironside47pleasure40Watchful

dn: CN=smith.rosario,CN=Users,DC=support,DC=htb

dn: CN=hernandez.stanley,CN=Users,DC=support,DC=htb

dn: CN=wilson.shelby,CN=Users,DC=support,DC=htb

dn: CN=anderson.damian,CN=Users,DC=support,DC=htb

dn: CN=thomas.raphael,CN=Users,DC=support,DC=htb

dn: CN=levine.leopoldo,CN=Users,DC=support,DC=htb

dn: CN=raven.clifton,CN=Users,DC=support,DC=htb

dn: CN=bardot.mary,CN=Users,DC=support,DC=htb

dn: CN=cromwell.gerard,CN=Users,DC=support,DC=htb

dn: CN=monroe.david,CN=Users,DC=support,DC=htb

dn: CN=west.laura,CN=Users,DC=support,DC=htb

dn: CN=langley.lucy,CN=Users,DC=support,DC=htb

dn: CN=daughtler.mabel,CN=Users,DC=support,DC=htb

dn: CN=stoll.rachelle,CN=Users,DC=support,DC=htb

dn: CN=ford.victoria,CN=Users,DC=support,DC=htb

Type of change

  • New feature (non-breaking change which adds functionality)

Setup guide for the review

  • Users with the "info" field set

Checklist:

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
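
An audit-side counterpart to the ldapsearch output in the post above, as an added example that is not part of the PR or of NetExec: it parses an LDIF export, including folded and base64-encoded values, and returns only the accounts whose info attribute is populated so they can be reviewed and cleared. The domain, account names and values in SAMPLE_LDIF are constructed, and unfold and populated_attr are hypothetical helper names.

```python
import base64

# Constructed sample shaped like `ldapsearch -LLL ... info` output (all values made up).
# One value is folded across two lines; one is base64 ("info::") because it is non-ASCII.
_B64 = base64.b64encode("café door code 0000".encode()).decode()
SAMPLE_LDIF = f"""\
dn: CN=Administrator,CN=Users,DC=example,DC=test

dn: CN=helpdesk,CN=Users,DC=example,DC=test
info: initial password Example-Placeholder-1, change at fir
 st logon

dn: CN=svc-backup,CN=Users,DC=example,DC=test
info:: {_B64}

dn: CN=jdoe,CN=Users,DC=example,DC=test
"""

def unfold(text):
    """Join RFC 2849 folded lines: a leading single space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def populated_attr(ldif_text, attr="info"):
    """Return {dn: [values]} for every entry where `attr` is set."""
    found, dn = {}, None
    for line in unfold(ldif_text):
        if not line:                      # blank line ends the current record
            dn = None
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                             # "attr: <plain value>"
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            dn = value
        elif name.lower() == attr.lower() and dn is not None:
            found.setdefault(dn, []).append(value)
    return found

if __name__ == "__main__":
    for dn, values in populated_attr(SAMPLE_LDIF).items():
        print(dn, "->", values)
```
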

sepauli added 2 commits July 1, 2025 18:53
Signed-off-by: Sebastian Pauli <sebastian.pauli@protonmail.com>
Signed-off-by: Sebastian Pauli <sebastian.pauli@protonmail.com>
@sepauli sepauli changed the title from "Add info field" to "Add get-info-users module" Jul 1, 2025
@NeffIsBack

Member

Hi, thanks for the PR!

Do you have any references if this is an attribute that is in LDAP by default? Maybe in the MS documentation or the LDAP RFC?
As far as I can tell this is not part of the default set of attributes of a User object in Active Directory LDAP (if I am not missing anything):
[image]

Which would lead to the problem that, of course, we could add modules for querying custom attributes, but finding these in actual production environments is probably near zero.

sepauli commented Jul 3, 2025

Contributor Author

Hi @NeffIsBack,
Sorry, I should have explained this in more detail.
The info field is not an LDAP RFC, but an official Microsoft extension which is described here: https://learn.microsoft.com/en-us/windows/win32/adschema/a-info

You can set this field with the following command (Windows Server 2022):

Set-ADUser -Identity "test" -Replace @{info="Super Secret"}

The field then affects the "Notes" field in the UI:
[image: ad_info_field]

I came across this because I have the box from HTB, which is why I initially thought that this might be a good field to query.
But maybe you're right and it's a bit overkill to write an extra module for this.

@NeffIsBack

Member

No worries! If that's a thing that is being used by companies (and not a custom attribute) I am happy to integrate it as a module. I will take a deeper look at this tomorrow.

@NeffIsBack NeffIsBack left a comment

Member

I would recommend using a searchFilter such as (info=*), because then you definitely only get objects that have this attribute set:
[image]

Comment thread nxc/modules/get-info-users.py Outdated

@NeffIsBack NeffIsBack left a comment

Member

FYI, applied some formatting for better readability.

Thanks for your work! LGTM:
[image]

@NeffIsBack NeffIsBack merged commit 68e36dc into Pennyw0rth:main Jul 10, 2025
5 checks passed