enum4linux-ng icon indicating copy to clipboard operation
enum4linux-ng copied to clipboard
verified publisher icon cddmp

use datetime.timedelta to parse duration

Open 4elta opened this issue 6 months ago • 7 comments

  • use timedelta's built in string formatter to print the value in a human-readable format
  • return the number of (calculated) seconds in case the parsing results in an exception

WARNING: i have not yet tested the code

i stumbled upon this bug (?) while trying to understand the results of a scan of one of the GOAD machines (provided by @ikstream):

....
    "policy": {
        "Domain password information": {
            "Password history length": 24,
            "Minimum password length": 5,
            "Maximum password age": "37201 days (101 years) 2 minutes",
            "Password properties": [
                ...

the maximum password age for this machine is in fact 10675199 days (29247 years). see GOAD/ansible/roles/password_policy/tasks/main.yaml

4elta avatar Jul 31 '25 12:07 4elta

Thank you, I will need more time to test this code. I can probably test it next week!

cddmp avatar Aug 01 '25 07:08 cddmp

awesome! i'm looking forward to your review comments.

have a pleasant weekend :wave:

4elta avatar Aug 01 '25 08:08 4elta

the formatting code works correctly, as can be seen below:

% python3        
Python 3.13.5 (main, Jun 25 2025, 18:55:22) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import datetime
>>> s = ((((10675199 * 24) + 2) * 60) + 48 ) * 60 + 5.4775807
>>> duration = datetime.timedelta(seconds=s)
>>> str(duration)
'10675199 days, 2:48:05.477539'

the value for s is TimeSpan.MaxValue, the largest timespan the max/min password age and other related properties can be set to.

unfortunately, the same (incorrect) max. password age is reported:

37201 days, 0:02:37.001318 (hours:minutes:seconds)

so either the conversion from the two 32-bit values, low and high, to a 64-bit integer, or one or both of these values are incorrect.

4elta avatar Aug 01 '25 11:08 4elta

so either the conversion from the two 32-bit values, low and high, to a 64-bit integer, or one or both of these values are incorrect.

... or maximum password age is in fact set to the above value and there's something wrong with the ansible script

4elta avatar Aug 01 '25 19:08 4elta

... or maximum password age is in fact set to the above value and there's something wrong with the ansible script

The maximum password age is indeed set to the detected value (minus the minutes). Looks like it is just a windows feature.

does-not-expire

Looks like the value translate (at least in the GUI) to "does not expire". As the maximum age is limited in the GUI to 999 as written in documentation.

not-flipped not-flipped-2

Looks like the value can go above the 37201, but if the maximum value for Set-ADDefaultDomainPasswordPolicy is used for days, the value of 37201 will be set instead

flipped

I am not sure yet, where this value comes from, but it looks like enum4linux-ng indeed detects the maximum password age correctly

ikstream avatar Aug 03 '25 07:08 ikstream

thank you @ikstream :pray:

i am really confused: why does microsoft specify a maximum when the real maximum is lower?

4elta avatar Aug 03 '25 12:08 4elta

I have not forgotten this pull request. Since it doesn't bring any benefit at the moment, I leave it open for now. I actually like your implementation, I just want to test this a bit more.

cddmp avatar Sep 22 '25 13:09 cddmp