Pennyw0rth
LDAP: Got exception with PyAsn1
Describe the bug Got exception with PyAsn1
To Reproduce
Command: netexec ldap -u username -p password
Resulted in:
┌──(xiaoli㉿kali)-[/tmp/work]
└─$ proxychains4 -f proxychains.conf nxc ldap 10.111.17.29 -u test -p 111qqq... --no-smb 1 ⚙
[proxychains] config file found: proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
LDAP 10.111.17.29 389 10.111.17.29 [*] DC=xxx,DC=com (Hostname: xxx) (domain: xxx.com)
[15:56:31] ERROR Exception while calling proto_flow() on target 10.111.17.29: Attempted "__iter__" operation on ASN.1 schema object connection.py:174
╭───────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────╮
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:166 in __init__ │
│ │
│ 163 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 164 │ │ │
│ 165 │ │ try: │
│ ❱ 166 │ │ │ self.proto_flow() │
│ 167 │ │ except Exception as e: │
│ 168 │ │ │ if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e): │
│ 169 │ │ │ │ self.logger.error(f"Exception while calling proto_flow() on target │
│ {target}: {e}") │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:232 in proto_flow │
│ │
│ 229 │ │ else: │
│ 230 │ │ │ self.logger.debug("Created connection object") │
│ 231 │ │ │ self.enum_host_info() │
│ ❱ 232 │ │ │ if self.print_host_info() and (self.login() or (self.username == "" and │
│ self.password == "")): │
│ 233 │ │ │ │ if hasattr(self.args, "module") and self.args.module: │
│ 234 │ │ │ │ │ self.load_modules() │
│ 235 │ │ │ │ │ self.logger.debug("Calling modules") │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:560 in login │
│ │
│ 557 │ │ if not self.args.no_bruteforce: │
│ 558 │ │ │ for secr_index, secr in enumerate(secret): │
│ 559 │ │ │ │ for user_index, user in enumerate(username): │
│ ❱ 560 │ │ │ │ │ if self.try_credentials(domain[user_index], user, owned[user_index], │
│ secr, cred_type[secr_index], data[secr_index]): │
│ 561 │ │ │ │ │ │ owned[user_index] = True │
│ 562 │ │ │ │ │ │ if not self.args.continue_on_success: │
│ 563 │ │ │ │ │ │ │ return True │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:495 in try_credentials │
│ │
│ 492 │ │ │ │ │ return self.kerberos_login(domain, username, secret, "", "", │
│ self.kdcHost, False) │
│ 493 │ │ │ │ elif hasattr(self.args, "domain"): # Some protocols don't use domain │
│ for login │
│ 494 │ │ │ │ │ self.logger.debug("Trying to authenticate using plaintext with │
│ domain") │
│ ❱ 495 │ │ │ │ │ return self.plaintext_login(domain, username, secret) │
│ 496 │ │ │ │ elif self.args.protocol == "ssh": │
│ 497 │ │ │ │ │ self.logger.debug("Trying to authenticate using plaintext over SSH") │
│ 498 │ │ │ │ │ return self.plaintext_login(username, secret, data) │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/protocols/ldap.py:460 in plaintext_login │
│ │
│ 457 │ │ │ self.logger.info(f"Connecting to {ldap_url} - {self.baseDN} - {self.host} │
│ [3]") │
│ 458 │ │ │ self.ldapConnection = ldap_impacket.LDAPConnection(url=ldap_url, │
│ baseDN=self.baseDN, dstIp=self.host) │
│ 459 │ │ │ self.ldapConnection.login(self.username, self.password, self.domain, │
│ self.lmhash, self.nthash) │
│ ❱ 460 │ │ │ self.check_if_admin() │
│ 461 │ │ │ │
│ 462 │ │ │ # Prepare success credential text │
│ 463 │ │ │ │
│ self.logger.success(f"{domain}\\{self.username}:{process_secret(self.password)} │
│ {self.mark_pwned()}") │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/protocols/ldap.py:664 in check_if_admin │
│ │
│ 661 │ │ resp = self.search(search_filter, attributes, sizeLimit=0) │
│ 662 │ │ answers = [] │
│ 663 │ │ if resp and (self.password != "" or self.lmhash != "" or self.nthash != "") and │
│ self.username != "": │
│ ❱ 664 │ │ │ for attribute in resp[0][1]: │
│ 665 │ │ │ │ if str(attribute["type"]) == "objectSid": │
│ 666 │ │ │ │ │ sid = self.sid_to_str(attribute["vals"][0]) │
│ 667 │ │ │ │ │ self.sid_domain = "-".join(sid.split("-")[:-1]) │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/pyasn1/type/univ.py:1038 in __iter__ │
│ │
│ 1035 │ │ │ return self._value[i] │
│ 1036 │ │
│ 1037 │ def __iter__(self): │
│ ❱ 1038 │ │ return iter(self._value) │
│ 1039 │ │
│ 1040 │ def __contains__(self, value): │
│ 1041 │ │ return value in self._value │
│ │
│ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/pyasn1/type/base.py:214 in plug │
│ │
│ 211 │ │ if cls._instance is None: │
│ 212 │ │ │ def getPlug(name): │
│ 213 │ │ │ │ def plug(self, *args, **kw): │
│ ❱ 214 │ │ │ │ │ raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema │
│ object' % name) │
│ 215 │ │ │ │ return plug │
│ 216 │ │ │ │
│ 217 │ │ │ op_names = [name │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
PyAsn1Error: Attempted "__iter__" operation on ASN.1 schema object
Expected behavior No exceptions
NetExec info
- OS: Kali Linux
- Version of nxc: v1.3.0 Need for Speed
- Installed from: pipx
Looks like somehow you can login but not query. Are the credentials valid? Can you try to query it with an account that is allowed to use ldap?
@NeffIsBack Oh, this exception is found in real-world attacks, and now the red team op is ended.
Hmm okay, not sure how to fix this. I think we need to wait for someone to run into the same bug to further debug it
I ran into this today, seemed to be an issue with the version of pyasn1 I was using. In my case, I resolved it with the following:
pip unsinstall pyasn1; pip install pyasn1==0.4.8
I am not sure if doing this broke anything else, but if I run into any addition errors that may be attributed to the downgrade, I'll return with an update.
Good2know thanks! Any idea which attribute that could have triggered? What was roughly what you queried?
I believe it errored out before getting an affirmative [+] auth message, yeah. I did have a --users at the end of mine but otherwise no modules or anything (didn't try without --users). May be worth noting I did not have the same issue with a different domain that I have in scope atm. Unfortunately, can't share logs (customer environment) but, time permitting, I may be able to do a couple troubleshooting steps if you have requests.
Thanks for all the great work!
Thanks!
Yeah it somehow fails on the admin-check. I will push some code that you could try and see if that helps.
@bc0la i pushed some debug code to the branch neff-patch-1. Can you try that branch and check what is printed out (either checkout the branch in git or install it via pipx with appending @branchname to the command)? If working correctly the SID of the user should be printed out like that:
my resp_parsed is much larger, containing 20 or so objectSids (none seem to translate to my user's expected SID) and I am getting a SID from the second pprint, just not the SID I expected for my user (and I'm not seeing that SID in my bloodhound database for some reason).
Might be worth noting that I'm abusing a domain trust here. I am running nxc against domain2 using domain1\user, but afaik the SID should remain the same?
I've got to dip for a while but I'll investigate a bit further in a little while.
Might be worth noting that I'm abusing a domain trust here. I am running nxc against domain2 using domain1\user, but afaik the SID should remain the same?
Oh that is an interesting fact! The first query (that fails) tries to enumerate the Domain SID by just looking up an object (in my case it returns the DC) and then throwing away the object number (.split("-")[:-1]). So the first object should have an objectSid attribute, but if not it fails. Perhaps that has something to do with the trust relationship? I will push some new code so you get more information which objects are returned.
Pushed logic that should check if any returned object has the objectSid attribute and not only the first one. Maybe fixes the problem, but would still be very interesting which object is the first one which does have an objectSid.
Tinkering a bit on this one to try and track it down. The new logic does not print out a SID for me at all (with either pyasn1 version).
I've tinkered a bit at to get it to print them all out, and discovered the last one to print out (another DC) is behaving weirdly. I can see the objectSid in resp_parsed, but it reported as Missing objectSid. 🤷♂️
I'll take a deeper look with fresh eyes tomorrow or later in the week, I am also very curious as to what's happening. Appreciate it!
But the parsed response is printed right? And no returned object has a SID attribute? Because either all returned objects do not have an objectSid (somehow) or the parsing of the SID fails. But if no SID is returned you maybe have no read permission on that attribute somehow.
These are the lines of code btw: https://github.com/Pennyw0rth/NetExec/blob/0813dee98e70d674926b6cf0d46ab2179bc5bb0c/nxc/protocols/ldap.py#L580-L590
I am also now encountering this issue:
[Apr 19, 2025 - 20:55:13 (EDT)] exegol-htb NetExec # nxc ldap <ip> -u <valid_user> -H <valid_hash>
LDAP <ip> 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:<hostname>) (domain:<domain>)
[20:55:15] ERROR Exception while calling proto_flow() on target <ip>: Attempted "__bool__" operation on ASN.1 schema object connection.py:176
╭───────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────╮
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:168 in __init__ │
│ │
│ 165 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 166 │ │ │
│ 167 │ │ try: │
│ ❱ 168 │ │ │ self.proto_flow() │
│ 169 │ │ except Exception as e: │
│ 170 │ │ │ if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e): │
│ 171 │ │ │ │ self.logger.error(f"Exception while calling proto_flow() on target │
│ {target}: {e}") │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:235 in proto_flow │
│ │
│ 232 │ │ │ self.logger.debug("Created connection object") │
│ 233 │ │ │ self.enum_host_info() │
│ 234 │ │ │ self.print_host_info() │
│ ❱ 235 │ │ │ if self.login() or (self.username == "" and self.password == ""): │
│ 236 │ │ │ │ if hasattr(self.args, "module") and self.args.module: │
│ 237 │ │ │ │ │ self.load_modules() │
│ 238 │ │ │ │ │ self.logger.debug("Calling modules") │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:571 in login │
│ │
│ 568 │ │ if not self.args.no_bruteforce: │
│ 569 │ │ │ for secr_index, secr in enumerate(secret): │
│ 570 │ │ │ │ for user_index, user in enumerate(username): │
│ ❱ 571 │ │ │ │ │ if self.try_credentials(domain[user_index], user, owned[user_index], │
│ secr, cred_type[secr_index], data[secr_index]): │
│ 572 │ │ │ │ │ │ owned[user_index] = True │
│ 573 │ │ │ │ │ │ if not self.args.continue_on_success: │
│ 574 │ │ │ │ │ │ │ return True │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:508 in try_credentials │
│ │
│ 505 │ │ │ elif cred_type == "hash": │
│ 506 │ │ │ │ if self.kerberos: │
│ 507 │ │ │ │ │ return self.kerberos_login(domain, username, "", secret, "", │
│ self.kdcHost, False) │
│ ❱ 508 │ │ │ │ return self.hash_login(domain, username, secret) │
│ 509 │ │ │ elif cred_type == "aesKey": │
│ 510 │ │ │ │ return self.kerberos_login(domain, username, "", "", secret, │
│ self.kdcHost, False) │
│ 511 │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap.py:525 in hash_login │
│ │
│ 522 │ │ │ self.logger.info(f"Connecting to {ldaps_url} - {self.baseDN} - {self.host}") │
│ 523 │ │ │ self.ldap_connection = ldap_impacket.LDAPConnection(url=ldaps_url, │
│ baseDN=self.baseDN, dstIp=self.host) │
│ 524 │ │ │ self.ldap_connection.login(self.username, self.password, self.domain, │
│ self.lmhash, self.nthash) │
│ ❱ 525 │ │ │ self.check_if_admin() │
│ 526 │ │ │ self.logger.debug(f"Adding credential: │
│ {domain}/{self.username}:{self.hash}") │
│ 527 │ │ │ self.db.add_credential("hash", domain, self.username, self.hash) │
│ 528 │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap.py:595 in check_if_admin │
│ │
│ 592 │ │ │ # 2. get all group cn name │
│ 593 │ │ │ search_filter = │
│ f"(|(objectSid={self.sid_domain}-512)(objectSid={self.sid_domain}-544)(objectSid={self.s │
│ id_domain}-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))" │
│ 594 │ │ │ attributes = ["distinguishedName"] │
│ ❱ 595 │ │ │ resp = self.search(search_filter, attributes, sizeLimit=0, │
│ baseDN=self.baseDN) │
│ 596 │ │ │ resp_parsed = parse_result_attributes(resp) │
│ 597 │ │ │ answers = [] │
│ 598 │ │ │ for item in resp_parsed: │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap.py:629 in search │
│ │
│ 626 │ │ │ │ │
│ 627 │ │ │ │ # Microsoft Active Directory set an hard limit of 1000 entries returned │
│ by any search │
│ 628 │ │ │ │ paged_search_control = │
│ ldapasn1_impacket.SimplePagedResultsControl(criticality=True, size=1000) │
│ ❱ 629 │ │ │ │ return self.ldap_connection.search( │
│ 630 │ │ │ │ │ searchBase=baseDN, │
│ 631 │ │ │ │ │ searchFilter=searchFilter, │
│ 632 │ │ │ │ │ attributes=attributes, │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/ldap/ldap.py:496 in search │
│ │
│ 493 │ │ answers = [] │
│ 494 │ │ # We keep asking records until we get a SearchResultDone packet and all controls │
│ are handled │
│ 495 │ │ while not done: │
│ ❱ 496 │ │ │ response = self.sendReceive(searchRequest, searchControls) │
│ 497 │ │ │ for message in response: │
│ 498 │ │ │ │ searchResult = message['protocolOp'].getComponent() │
│ 499 │ │ │ │ if searchResult.isSameTypeWith(SearchResultDone()): │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/ldap/ldap.py:594 in sendReceive │
│ │
│ 591 │ │
│ 592 │ def sendReceive(self, request, controls=None): │
│ 593 │ │ self.send(request, controls) │
│ ❱ 594 │ │ return self.recv() │
│ 595 │ │
│ 596 │ def _parseFilter(self, filterStr): │
│ 597 │ │ try: │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/ldap/ldap.py:577 in recv │
│ │
│ 574 │ │ │ │ remaining = data + self._socket.recv(REQUEST_SIZE) │
│ 575 │ │ │ else: │
│ 576 │ │ │ │ if message['messageID'] == 0: # unsolicited notification │
│ ❱ 577 │ │ │ │ │ name = message['protocolOp']['extendedResp']['responseName'] or │
│ message['responseName'] │
│ 578 │ │ │ │ │ notification = KNOWN_NOTIFICATIONS.get(name, "Unsolicited │
│ Notification '%s'" % name) │
│ 579 │ │ │ │ │ if name == NOTIFICATION_DISCONNECT: # Server has disconnected │
│ 580 │ │ │ │ │ │ self.close() │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/pyasn1/type/base.py:316 in __bool__ │
│ │
│ 313 │ │ │ return self._value and True or False │
│ 314 │ else: │
│ 315 │ │ def __bool__(self): │
│ ❱ 316 │ │ │ return self._value and True or False │
│ 317 │ │
│ 318 │ def __hash__(self): │
│ 319 │ │ return hash(self._value) │
│ │
│ /root/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/pyasn1/type/base.py:214 in plug │
│ │
│ 211 │ │ if cls._instance is None: │
│ 212 │ │ │ def getPlug(name): │
│ 213 │ │ │ │ def plug(self, *args, **kw): │
│ ❱ 214 │ │ │ │ │ raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema │
│ object' % name) │
│ 215 │ │ │ │ return plug │
│ 216 │ │ │ │
│ 217 │ │ │ op_names = [name │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
PyAsn1Error: Attempted "__bool__" operation on ASN.1 schema object
I've figured out the Issue to be associated with the latest impacket commit, rollback using the following commands:
pipx runpip netexec uninstall impacket
pipx runpip netexec install "git+https://github.com/fortra/impacket.git@00ced47#egg=impacket"
This is the ldap filter that crashes:
"(|(objectSid={self.sid_domain}-512)(objectSid={self.sid_domain}-544)(objectSid={self.sid_domain}-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))"
Can you try to figure out which of these objects produces the crash? You can use --query with the ldap protocol of NetExec
I've figured out the Issue to be associated with the latest impacket commit, rollback using the following commands:
pipx runpip netexec uninstall impacket pipx runpip netexec install "git+https://github.com/fortra/impacket.git@00ced47#egg=impacket"
This works for me
