Update Kerberos tests

login-securite · Mar 29, 2020 · 6491a89 · 6491a89
1 parent fb0127c
commit 6491a89
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 27 deletions.
diff --git a/tests/tests.py b/tests/tests.py
@@ -33,8 +33,9 @@ def test_login_dns_error(self):
         self.assertIsInstance(ret, RetCode)
         self.assertEqual(ERROR_DNS_ERROR[1], ret.error_msg)
 
+    @unittest.skipUnless(kerberos, "Skipping Kerberos (Set kerberos=True to incude Kerberos tests)")
     def test_login_kerberos_success(self):
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, da_login, da_password, '', '', kerberos, ''))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, da_login, da_password, '', '', kerberos, domain_controller))
         self.conn.set_logger(self.log)
         ret = self.conn.login()
         self.assertIsInstance(ret, RetCode)
@@ -48,21 +49,21 @@ def test_login_connection_error(self):
         self.assertEqual(ERROR_CONNECTION_ERROR[1], ret.error_msg)
 
     def test_login_login_error(self):
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, da_login, "wrong_password"))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, da_login, "wrong_password"))
         self.conn.set_logger(self.log)
         ret = self.conn.login()
         self.assertIsInstance(ret, RetCode)
         self.assertEqual(ERROR_LOGIN_FAILURE[1], ret.error_msg)
 
     def test_login_login_success(self):
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, da_login, da_password))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, da_login, da_password))
         self.conn.set_logger(self.log)
         ret = self.conn.login()
         self.assertIsInstance(ret, RetCode)
         self.assertEqual(ERROR_SUCCESS[1], ret.error_msg)
 
     def test_is_admin(self):
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, da_login, da_password))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, da_login, da_password))
         self.conn.set_logger(self.log)
         self.conn.login()
         ret = self.conn.isadmin()
@@ -71,7 +72,7 @@ def test_is_admin(self):
 
     @unittest.skipUnless(usr_login and usr_password, "No low privileged user credential provided")
     def test_is_admin_error(self):
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, usr_login, usr_password))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, usr_login, usr_password))
         self.conn.set_logger(self.log)
         self.conn.login()
         ret = self.conn.isadmin()
@@ -82,7 +83,7 @@ def test_is_admin_error(self):
 class test_impacketfile(unittest.TestCase):
     def setUp(self):
         self.log = Logger(Logger.Options(verbosity=0, quiet=True))
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, da_login, da_password))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, da_login, da_password))
         self.conn.set_logger(self.log)
         self.conn.login()
         self.ifile = ImpacketFile(self.conn, self.log)
@@ -115,7 +116,7 @@ def test_file_success(self):
 class test_dumper(unittest.TestCase):
     def setUp(self):
         self.log = Logger(Logger.Options(verbosity=0, quiet=True))
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address, domain, da_login, da_password))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(target, domain, da_login, da_password))
         self.conn.set_logger(self.log)
         self.conn.login()
 
@@ -229,11 +230,11 @@ def test_dump_success(self):
 
 
 @unittest.skipUnless(procdump_path, "Procdump path wasn't provided")
-@unittest.skipUnless(ip_address_protected, "No IP address with protected LSASS was provided")
+@unittest.skipUnless(protected_target, "No IP address with protected LSASS was provided")
 class test_dumper_protected(unittest.TestCase):
     def setUp(self):
         self.log = Logger(Logger.Options(verbosity=0, quiet=True))
-        self.conn = ImpacketConnection(ImpacketConnection.Options(ip_address_protected, domain, da_login, da_password))
+        self.conn = ImpacketConnection(ImpacketConnection.Options(protected_target, domain, da_login, da_password))
         self.conn.set_logger(self.log)
         self.conn.login()
 
@@ -254,7 +255,7 @@ class test_lsassy(unittest.TestCase):
     def setUp(self):
         log_options = Logger.Options(verbosity=0, quiet=True)
         write_options = Writer.Options(format="none")
-        self.lsassy = Lsassy(ip_address, da_login, domain, da_password, log_options=log_options, write_options=write_options)
+        self.lsassy = Lsassy(target, da_login, domain, da_password, log_options=log_options, write_options=write_options)
 
     def tearDown(self):
         self.lsassy.clean()

diff --git a/tests/tests_config.py.template b/tests/tests_config.py.template
@@ -4,29 +4,34 @@
 #  https://beta.hackndo.com
 
 """
-# RENAME THIS FILE TO tests_config.py
+RENAME THIS FILE TO tests_config.py
 """
 
-# IP address where LSASS can be dumped
-ip_address = "192.168.1.101"
+# Include Kerberos authentication tests
+# This test requires to have a valid TGT for a local admin set in KRB5CCNAME
+# See https://github.com/Hackndo/lsassy/wiki/Lsassy-Advanced-Usage#kerberos
+kerberos = False
 
-# IP address where LSASS is protected (empty to skip tests)
-ip_address_protected = "192.168.1.112"
+# Domain controller FQDN or IP, only needed if kerberos set to True
+domain_controller = "192.168.1.101"
+
+# If kerberos is set to True, FQDN of a valid target. IP address otherwise.
+target = "dc01.adsec.local"
+
+# If kerberos is set to True, FQDN of target where LSASS is protected. IP address otherwise. (empty to skip tests)
+protected_target = "protected_server.adsec.local"
 
 # Domain Name
-domain = "lion.king"
+domain = "adsec.local"
 
-# User with admin rights on ip_address and ip_address_protected
-da_login = "simba"
-da_password = "Imtheking!"
+# User with admin rights on target and protected_target
+da_login = "jdoe"
+da_password = "p4ssw0rd"
 
-# User without admin rights on ip_address (empty to skip tests)
-usr_login = "skar"
-usr_password = "YouDontWannaMessWithMe"
+# User without admin rights on target (empty to skip tests)
+usr_login = "msmith"
+usr_password = "n0rights4U"
 
 # Local tools for dumping methods (empty to skip tests)
-procdump_path = "/home/pixis/Tools/Windows/Sysinternals/procdump.exe"
-dumpert_path = "/home/pixis/Tools/Windows/Dumpert/Outflank-Dumpert.exe"
-
-# Include kerberos tests
-kerberos = True
+procdump_path = "/opt/procdump.exe"
+dumpert_path = "/opt/dumpert.exe"