impacket

Add socksAdmin function to quickly parse current socks tunnels for admin access

Open Parrishjm opened this issue 4 years ago • 9 comments

Added the do_socksAdmin function which sorts socks connections and only returns admin TRUE. Great when you have dozens of socks tunnels being opened.

Parrishjm • Jul 04 '21 07:07

A pretty basic change but something I find myself wishing I had here and there. Code was pulled and tested on a local machine but I am happy to make any changes if it doesn't match coding patterns or better code could be used.

Parrishjm • Jul 04 '21 08:07

A much-needed feature! But I think the socks connection should be closed if not ADMIN=TRUE; currently all connections are still open in this code, if I'm reading correctly.

mpgn • Jul 04 '21 08:07

Closing the socks connections didn't ever occur to me before, but I can't think of any reason we need them to stay open. While I am not attached to the idea, I wonder if the function name should be changed to reflect it also closing the non-admin tunnels.

Either way I will do some testing and try to get it to close out as well.

Parrishjm • Jul 05 '21 20:07

@mpgn Let me know what you think of these changes. I am not convinced this is the right way to do it, but it seems a good starting ground if it's not.

Parrishjm • Jul 06 '21 03:07

Hey @mpgn, I am pretty new to doing pull requests. Is there anything else on my end that's needed here, or are we just waiting?

Parrishjm • Aug 21 '21 22:08

Waiting 😆

mpgn • Aug 22 '21 06:08

@mpgn: Personally, I'd rather be able to kill sessions by something like a (regex/hostname/ip addr/username) than just have them automatically die if they're not admin sessions... There are a lot of situations where it's possible to recover sensitive information from low-priv SMB relays when targeting centralized file servers and things like that. 😉 Perhaps sessions could be sorted with admin = True at the top, and then have an optional flag (or different command) to kill non-admin sessions for folks who just want the shells and secretsdumps? 😄

ad0nis • Nov 03 '21 14:11

Indeed, it should be an option to pass to ntlmrelayx and this is why the PR was never accepted probably :)

mpgn • Nov 03 '21 14:11

@ad0nis Good points. This was primarily to help with having too many tunnels all at once, but I don't see any reason it can't or shouldn't be split up into a sort and a more well-rounded kill command.

I will try to make some changes and send them along soon.

Parrishjm • Nov 03 '21 16:11

This is being resolved in #1353, so I'm closing this PR. Feel free to reopen if needed.

anadrianmanrique • Jul 12 '23 17:07