From 15eff8805116007cfb59332a64194a5b9c8bcf25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20GASCOU=20=28Podalirius=29?=
Date: Thu, 23 May 2024 12:55:07 +0200
Subject: [PATCH] [enhancement] Adding column to show if SPN exists in finddelegations.py (#1727)
* Added a SPN column to check for existence
* Created checkIfSPNExists() function
---
 examples/findDelegation.py | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/examples/findDelegation.py b/examples/findDelegation.py
index 1acd705a8..371e9cb31 100755
--- a/examples/findDelegation.py
+++ b/examples/findDelegation.py
@@ -35,6 +35,28 @@ from impacket.smbconnection import SMBConnection, SessionError
+def checkIfSPNExists(ldapConnection, sAMAccountName, rights):
+ # Check if SPN exists
+ spnExists = "-"
+ if rights == "N/A":
+ query = "(servicePrincipalName=HOST/%s)" % sAMAccountName.rstrip("$")
+ else:
+ query = "(servicePrincipalName=%s)"%rights
+ respSpnExists = ldapConnection.search(
+ searchFilter=query,
+ attributes=["servicePrincipalName", "distinguishedName"],
+ sizeLimit=1
+ )
+ results = [item for item in respSpnExists if isinstance(item, ldapasn1.SearchResultEntry)]
+ if len(results) != 0:
+ spnExists = "Yes"
+ else:
+ spnExists = "No"
+
+ return spnExists
+
+
 class FindDelegation:
 @staticmethod
 def printTable(items, header):
@@ -225,7 +247,8 @@ def run(self):
 logging.debug('Bypassing disabled account %s ' % sAMAccountName)
 else:
 for rights, objType in zip(rbcdRights,rbcdObjType):
- answers.append([rights, objType, 'Resource-Based Constrained', sAMAccountName])
+ spnExists = checkIfSPNExists(ldapConnection, sAMAccountName, rights)
+ answers.append([rights, objType, 'Resource-Based Constrained', sAMAccountName, str(spnExists)])
 #print unconstrained + constrained delegation relationships
 if delegation in ['Unconstrained', 'Constrained', 'Constrained w/ Protocol Transition']:
@@ -234,13 +257,14 @@ def run(self):
 logging.debug('Bypassing disabled account %s ' % sAMAccountName)
 else:
 for rights in rightsTo:
- answers.append([sAMAccountName, objectType, delegation, rights])
+ spnExists = checkIfSPNExists(ldapConnection, sAMAccountName, rights)
+ answers.append([sAMAccountName, objectType, delegation, rights, str(spnExists)])
 except Exception as e:
 logging.error('Skipping item, cannot process due to error %s' % str(e))
 pass
- if len(answers)>0:
- self.printTable(answers, header=[ "AccountName", "AccountType", "DelegationType", "DelegationRightsTo"])
+ if len(answers) > 0:
+ self.printTable(answers, header=["AccountName", "AccountType", "DelegationType", "DelegationRightsTo", "SPN Exists"])
 print('\n\n')
 else:
 print("No entries found!")
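Review bot: `checkIfSPNExists` interpolates `rights` and `sAMAccountName` straight into the LDAP search filter on the two `query =` lines without RFC 4515 escaping; both values appear to be attribute values read back from the directory in `run()`, so a name containing `*`, `(`, `)` or `\` reshapes the filter instead of being matched literally (a `*` in particular turns the equality into a wildcard and can report "Yes" for an SPN that does not exist, while an unbalanced parenthesis makes the search fail). Escape those characters before building the filter, as sketched below. The `spnExists = "-"` initialiser is otherwise dead because both branches overwrite it; it would earn its keep if the search call were guarded and `"-"` returned on an LDAP error, so a failed lookup degrades to an unknown cell rather than propagating into the caller. `if len(results) != 0:` can simply be `if results:`, and the function needs a docstring stating what the three parameters are and what the `"Yes"`/`"No"`/`"-"` return values mean.
```python
def _escapeFilterValue(value):
    # RFC 4515: escape the characters that are meaningful inside a filter so a
    # directory-supplied name is matched literally instead of altering the query
    for raw, escaped in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(raw, escaped)
    return value


def checkIfSPNExists(ldapConnection, sAMAccountName, rights):
    if rights == "N/A":
        query = "(servicePrincipalName=HOST/%s)" % _escapeFilterValue(sAMAccountName.rstrip("$"))
    else:
        query = "(servicePrincipalName=%s)" % _escapeFilterValue(rights)
    # … unchanged: search call and result handling …
```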
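Review bot: The RBCD row passes `rights` as the third argument of `checkIfSPNExists`, so the filter is built from the value this row prints in the AccountName column, whereas the constrained-delegation hunk below builds it from the value printed in DelegationRightsTo; the new "SPN Exists" column therefore describes a different column in the two kinds of row. Unless `rbcdRights` holds SPN-formatted strings (not visible in the hunk; it is zipped with `rbcdObjType`, which suggests account names), `(servicePrincipalName=<account>)` will not match and every RBCD row will read "No". Decide which principal the column is meant to describe and query that one consistently in both places; `str(spnExists)` is also redundant in both hunks since the helper already returns a string. `run()` starts and ends outside this hunk.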
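Review bot: The new `checkIfSPNExists` call runs inside the `try` whose `except Exception as e:` logs 'Skipping item' and drops the row, so an LDAP error on this extra per-row round-trip now hides a delegation relationship that the script previously reported; the same applies to the RBCD branch in the hunk above. Catch the search error at the call site (or inside the helper) and fall back to a placeholder such as `"-"` so the delegation row is still printed with an unknown SPN cell. Minor: `if len(answers) > 0:` reads better as `if answers:`. `run()` continues outside this hunk.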