
Commit f1e5339

authored
Merge pull request #83 from rtpt-romankarwacik/add-SAN-field-by-default
add SAN with UPN by default when doing shadow credentials
2 parents a3966a1 + e2978a8 commit f1e5339


2 files changed

+10
-3
lines changed


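--- a/impacket/examples/ntlmrelayx/attacks/ldapattack.py
+++ b/impacket/examples/ntlmrelayx/attacks/ldapattack.py
@@ -351,7 +351,7 @@ def shadowCredentialsAttack(self, domainDumper):
 LOG.info("Target user found: %s" % target_dn)
 
 LOG.info("Generating certificate")
-key,certificate = shadow_credentials.createSelfSignedX509Certificate(subject=currentShadowCredentialsTarget, nBefore=(-40 * 365), nAfter=(40 * 365))
+key,certificate = shadow_credentials.createSelfSignedX509Certificate(subject=currentShadowCredentialsTarget, nBefore=(-40 * 365), nAfter=(40 * 365), domain=domain)
 LOG.info("Certificate generated")
 LOG.info("Generating KeyCredential")
 keyCredential = shadow_credentials.KeyCredential(certificate,key,deviceId=shadow_credentials.getDeviceId(),currentTime=shadow_credentials.getTicksNow())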
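Review bot: The call at new line 354 now passes `domain=domain` with no hint of what that argument changes, and `domain` is assigned outside this hunk, so its value cannot be checked from here. A short comment above the call would help the next reader, for example `# domain is used to build the UPN subjectAltName; an empty string leaves the certificate without a SAN`. shadowCredentialsAttack starts and ends outside the hunk.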

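--- a/impacket/examples/ntlmrelayx/utils/shadow_credentials.py
+++ b/impacket/examples/ntlmrelayx/utils/shadow_credentials.py
@@ -1,7 +1,7 @@
 from struct import pack
 from Cryptodome.Util.number import long_to_bytes
 from Cryptodome.PublicKey import RSA
-from OpenSSL.crypto import PKey, X509, TYPE_RSA
+from OpenSSL.crypto import PKey, X509, TYPE_RSA, X509Extension
 import OpenSSL
 import base64
 import uuid
@@ -28,13 +28,20 @@ def getTicksNow():
 def getDeviceId():
 return uuid.uuid4().bytes
 
-def createSelfSignedX509Certificate(subject,nBefore,nAfter,kSize=2048):
+def createSelfSignedX509Certificate(subject,nBefore,nAfter,kSize=2048, domain=""):
 key = PKey()
 key.generate_key(TYPE_RSA,kSize)
 
 certificate = X509()
 
 certificate.get_subject().CN = subject
+
+if domain != "":
+certificate.set_version(2)
+upn_extension = f"otherName:1.3.6.1.4.1.311.20.2.3;UTF8:{subject}@{domain}".encode('utf-8')
+subjectAltName = X509Extension(b"subjectAltName", False, upn_extension)
+certificate.add_extensions([subjectAltName])
+
 certificate.set_issuer(certificate.get_subject())
 certificate.gmtime_adj_notBefore(nBefore)
 certificate.gmtime_adj_notAfter(nAfter)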
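Review bot: The guard `if domain != "":` at new line 39 treats every value other than the empty string as a domain, so a caller passing `domain=None` would get a SAN ending in `@None` instead of no SAN; `if domain:` covers both cases. The version is set only inside this branch (`certificate.set_version(2)`), so both the certificate's version and its extensions depend on this argument. A docstring on createSelfSignedX509Certificate should say that `domain` is optional and what it adds. `X509Extension` and `add_extensions` appear to be deprecated in newer pyOpenSSL releases, so check them against the version the project pins. The function body continues past the end of the hunk.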
