NetExec
NetExec LDAP is using System's DNS
Describe the bug When using NetExec with the ldap protocol, netexec does some DNS resolutions that use the system's DNS, and this will cause failure. There are numerous cases where we should be able to:
- Specify the DNS server manually
- Or automatically detect it (assume the Domain Controller is doing DNS)
Also, the error is misleading. In my particular case, the target IP (172.16.230.10) can be used for LDAP, but because netexec resolved this to a different IP using public DNS, the connection failed.
To Reproduce
Command: netexec --debug ldap 172.16.230.10 -u myuser -p 'mypass'
Resulted in:
$ netexec --debug ldap 172.16.230.10 -u myuser -p 'mypass'
[16:59:18] DEBUG PYTHON VERSION: 3.11.7 (main, Dec 8 2023, 14:22:46) [GCC 13.2.0] netexec.py:89
DEBUG RUNNING ON: Linux Release: 6.6.9-amd64 netexec.py:90
DEBUG Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, netexec.py:91
protocol='ldap', target=['172.16.230.10'], cred_id=[], username=['myuser'], password=['mypass'],
ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None,
aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[],
list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None,
connectback_host=None, hash=[], port=389, no_smb=False, domain=None, local_auth=False, asreproast=None, kerberoasting=None,
trusted_for_delegation=False, password_not_required=False, admin_count=False, users=False, groups=False, dc_list=False,
get_sid=False, active_users=False, gmsa=False, gmsa_convert_id=None, gmsa_decrypt_lsa=None, bloodhound=False,
nameserver='172.16.230.10', collection=None)
DEBUG Protocol: ldap netexec.py:145
DEBUG Protocol Path: /home/babadmin/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap.py netexec.py:148
DEBUG Protocol DB Path: /home/babadmin/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap/database.py netexec.py:150
[16:59:19] DEBUG Protocol Object: <class 'protocol.ldap'> netexec.py:153
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:155
DEBUG DB Path: /home/babadmin/.nxc/workspaces/default/ldap.db netexec.py:158
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Creating ThreadPoolExecutor netexec.py:47
DEBUG Creating thread for <class 'protocol.ldap'> netexec.py:50
INFO Socket info: host=172.16.230.10, hostname=172.16.230.10, kerberos=False, ipv6=False, link-local ipv6=False connection.py:103
DEBUG Kicking off proto_flow connection.py:163
DEBUG Creating smbv1 connection object ldap.py:637
DEBUG Error creating SMBv1 connection to 172.16.230.10: Error while reading from remote ldap.py:648
DEBUG Creating smbv3 connection object ldap.py:653
DEBUG SMBv3 Connection successful ldap.py:658
DEBUG Created connection object connection.py:166
INFO Connecting to ldap://172.16.230.10 with no baseDN ldap.py:166
DEBUG Connecting to 172.16.230.10, port 389, SSL False ldap.py:107
DEBUG ldap_connection: <impacket.ldap.ldap.LDAPConnection object at 0x7f8904022910> ldap.py:170
DEBUG Target: DC01.mydomain.com; target_domain: mydomain.com; base_dn: DC=mydomain,DC=com ldap.py:208
DEBUG Creating smbv1 connection object ldap.py:637
DEBUG Error creating SMBv1 connection to 172.16.230.10: Error while reading from remote ldap.py:648
DEBUG Creating smbv3 connection object ldap.py:653
DEBUG SMBv3 Connection successful ldap.py:658
DEBUG Printing host info for LDAP ldap.py:295
SMB 172.16.230.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mydomain.com) (signing:True) (SMBv1:False)
INFO SMB 172.16.230.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) logger.py:145
(domain:mydomain.com) (signing:True) (SMBv1:False)
DEBUG Trying to authenticate using plaintext with domain connection.py:406
DEBUG Connecting to ldap://DC01.mydomain.com - DC=mydomain,DC=com [3] ldap.py:481
DEBUG Connecting to DC01.mydomain.com, port 389, SSL False ldap.py:107
LDAP 172.16.230.10 445 DC01 [-] mydomain.com\myuser:mypass Error connecting to the domain, are you sure LDAP service is running on the target?
Error: [Errno 111] Connection refused
INFO LDAP 172.16.230.10 445 DC01 [-] mydomain.com\myuser:mypass Error connecting to the domain, are you logger.py:145
sure LDAP service is running on the target?
Error: [Errno 111] Connection refused
Expected behavior DNS resolution should use a custom server (like the -ns option for bloodhound), or find the domain DNS automatically. Using the system's DNS assumes that every time we do an LDAP test we need to adjust the system's DNS.
Lastly, in the above example, the domain was resolved by public DNS to a public IP that was filtered. The logs never showed any attempt to connect to this public IP, and I had to do a tcpdump capture to understand what was going on.
NetExec info
- OS: Kali Linux
- Version of nxc: 1.1.0 - nxc4u
- Installed from: pipx
Additional context None
Unfortunately impacket does not support using a custom name server (at least the last time I checked). That's the reason it hasn't been done yet, although many people have already run into the problem. We should take care of changing the impacket code though at some point to support it.
Thanks for your prompt response :) I'll update here if I can find a suitable workaround (apart from changing my system's DNS).
Adding the ip/host to your hosts file is not an option?
That would work indeed, but it needs root privileges (or changing permissions on the /etc/hosts file), which I try to avoid when not necessary. Especially because I'm automating this.
That's what I'm going to do :)
┌──(user㉿kali) - 18:48:20 - [/tmp/NetExec]
└─$ firejail --dns=172.16.230.10 netexec ldap 172.16.230.10 -u xxx -p 'yyyy'
@bmigette It's nxc --dns x.x.x.x you needed?
@XiaoliChan is this a new option? Could not find it in the doc
No, but I can try to add it
@XiaoliChan would definitely be useful, but it was mentioned above that it's a limitation of the impacket lib, so not sure how easy / feasible it would be :)
@bmigette can you test https://github.com/Pennyw0rth/NetExec/pull/196 ?
@mpgn works for me, thanks a lot!! Added the comments in the pull request.