ldap-checker module fails on LDAP signing
Describe the bug
The ldap-checker module fails to determine if LDAP signing is enabled.
To Reproduce
Enable LDAP signing with the registry key:
PS C:\> reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v ldapserverintegrity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
ldapserverintegrity REG_DWORD 0x2
Install nxc from the git repo:
# which nxc
# pipx install git+https://github.com/Pennyw0rth/NetExec
[...]
done! ✨ 🌟 ✨
# nxc --version
1.1.0 - nxc4u - 1f8a0ef
Check if signing is enabled:
# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob
LDAP-CHE... 192.168.57.5 389 DC01 LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAPS Channel Binding is set to "Required"
Confirm that signing is enabled with LdapRelayScan or ntlmrelayx.py:
# python3 LdapRelayScan.py -m BOTH -dc-ip 192.168.57.5 -u bob -p pass
~Domain Controllers identified~
DC01.CORP.LOCAL
~Checking DCs for LDAP NTLM relay protections~
DC01.CORP.LOCAL
[-] (LDAP) server enforcing signing requirements
ssl_sock = ssl.wrap_socket(s,
[-] (LDAPS) channel binding set to "required", no fun allowed
# ntlmrelayx.py -t ldap://192.168.57.5 --no-dump --no-da
[...]
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /bla
[*] HTTPD(80): Client requested path: /bla
[*] HTTPD(80): Connection from 192.168.57.60 controlled, attacking target ldap://192.168.57.5
[*] HTTPD(80): Client requested path: /bla
[-] HTTPD(80): Exception in HTTP request handler: Server rejected authentication because LDAP signing is enabled. Try connecting with TLS enabled (specify target as ldaps://hostname )
Expected behavior
LDAP signing result should display "enforced".
NetExec info
- OS: Kali
- Version of nxc: 1.1.0
- Installed from: pipx
@zblurx can you check ? :)
Cannot reproduce
(venv) $ nxc ldap 192.168.56.30 -u accueil -p accueil -M ldap-checker
SMB 192.168.56.30 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:testlab.local) (signing:True) (SMBv1:False)
LDAPS 192.168.56.30 636 DC01 [+] testlab.local\accueil:accueil
LDAP-CHE... 192.168.56.30 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.56.30 389 DC01 LDAPS Channel Binding is set to "NEVER"
(venv) $ nxc --version
1.1.0 - nxc4u - 1f8a0ef4
@tiyeuse can you run ls -la ~/.local/pipx/venvs/netexec/lib/python3.10/site-packages/ | grep msldap ?
My output is :
$ ls -la ~/.local/pipx/venvs/netexec/lib/python3.10/site-packages/ | grep msldap
drwxrwxr-x - tse 23 avril 19:59 msldap
drwxrwxr-x - tse 23 avril 19:59 msldap-0.5.10.dist-info
The module won't work if it's not msldap 0.5.10.
It's failing with pipx since the poetry lock file was not updated when the version in the pyproject was changed. The pyproject needs to be updated
@mpgn very nice finding! It isn't even in the pyproject.toml lol. I will add it in #269
@tiyeuse can you try again with pipx install git+https://github.com/Pennyw0rth/NetExec@neff-dependencies --force?
Ldap library version:
# ll /root/.local/bin/nxc
lrwxrwxrwx 1 root root 45 Apr 23 11:06 /root/.local/bin/nxc -> /root/.local/share/pipx/venvs/netexec/bin/nxc
# ls -la ~/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/ | grep msldap
drwxr-xr-x 11 root root 4096 Apr 23 11:06 msldap
drwxr-xr-x 2 root root 4096 Apr 23 11:06 msldap-0.5.10.dist-info
New reinstall from scratch:
# pipx uninstall netexec
uninstalled netexec! ✨ 🌟 ✨
# which nxc
# pipx install git+https://github.com/Pennyw0rth/NetExec@neff-dependencies --force
installed package netexec 1.1.0+18c3fd0, installed using Python 3.11.8
These apps are now globally available
- NetExec
- netexec
- nxc
- nxcdb
done! ✨ 🌟 ✨
# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob
LDAP-CHE... 192.168.57.5 389 DC01 LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAPS Channel Binding is set to "Required"
# python3 LdapRelayScan/LdapRelayScan.py -m BOTH -dc-ip 192.168.57.5 -u bob -p pass
~Domain Controllers identified~
DC01.CORP.LOCAL
~Checking DCs for LDAP NTLM relay protections~
DC01.CORP.LOCAL
[-] (LDAP) server enforcing signing requirements
[-] (LDAPS) channel binding set to "required", no fun allowed
can you check without the flag -k @tiyeuse ? :)
can you check the flag -k @zblurx ? :)
The code workflow stops if channel binding is enabled (no check on LDAP signing performed) without Kerberos argument (it shouldn't imho):
# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [-] corp.local\bob:pass
LDAPS 192.168.57.5 636 DC01 [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.
If I disable channel binding:
- with Kerberos (assuming the IP address is replaced by the FQDN, I haven't checked the code)
└─# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob
LDAP-CHE... 192.168.57.5 389 DC01 LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5 389 DC01 LDAPS Channel Binding is set to "NEVER"
- without Kerberos
└─# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob:pass
LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.57.5 389 DC01 LDAPS Channel Binding is set to "NEVER"
The code path with Kerberos seems to return false results.
With the fix in https://github.com/skelsec/msldap/pull/47 :
$ nxc ldap 192.168.56.30 -u accueil -p accueil -M ldap-checker -k
SMB 192.168.56.30 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:testlab.local) (signing:True) (SMBv1:False)
LDAPS 192.168.56.30 636 DC01 [+] testlab.local\accueil
LDAP-CHE... 192.168.56.30 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.56.30 389 DC01 [-] LDAPS Channel Binding is set to "Required"
Reopening as it is only fully fixed when https://github.com/skelsec/msldap/pull/47 is merged and a new version is released
Having a similar issue: when I set Channel Binding to Required I get this (the password is correct). No combination of arguments will get it to work.
Can you run netexec --version ?
Sorry I had it in the first photo but I removed that one because it was irrelevant.
1.1.0 - ItsAlwaysDNS - 6858958
Should be fixed with https://github.com/Pennyw0rth/NetExec/commit/502c6276158e04a55756e26757df748750359058