added support for LDAP simple auth
Description
This change adds support for LDAP SIMPLE auth when both Kerberos and NTLM are unavailable. This change affects only the ldap module and has no further dependencies.
Just like in the smb module, the no_ntlm attribute of the ldap class is populated based on the NTLM challenge received during the enum_host_info phase (l252-253).
This variable is then used to display that NTLM is not supported (l278-279) and to use SIMPLE authentication during the connection phase (l437/460).
Type of change
- [X] New feature (non-breaking change which adds functionality)
How Has This Been Tested?
Tested with basic commands such as --users, --dc-list, etc.
Tested on both LDAP and LDAPS configurations.
Env test:
- Debian 12 (Debian 6.1.124-1)
- Python 3.11.2
- Against a Windows Server 2022 (last patch 3/03/2022) acting as DC
Screenshots (if appropriate):
Checklist:
- [ ] I have run Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
- [ ] I have added or updated the tests/e2e_commands.txt file if necessary
- [ ] New and existing e2e tests pass locally with my changes
- [x] My code follows the style guidelines of this project (should be covered by Ruff above)
- [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [X] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
Thanks for the addition!
Off the top of my head, I am wondering if it wouldn't be best to switch to Kerberos or just alert that NTLM is not available. We could then implement another flag to use simple auth if there is indeed a server that accepts neither NTLM nor Kerberos. Could be that we have limited functionality available if we use simple auth, because for some actions AD requires encryption.
This is going to be patched in Impacket as well, btw: https://github.com/fortra/impacket/pull/1971, and now, as far as we tested it (with azoxlpf), simple bind does work as expected and allows bypassing some hardening configurations.
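As an added example (not NetExec's or Impacket's code), here is the fallback logic the description and the review comment talk about: a host-info step that sets a no_ntlm flag depending on whether the server answered an NTLM negotiate with a CHALLENGE_MESSAGE, and a bind-method selector that prefers Kerberos, then NTLM, and only uses SIMPLE behind an explicit opt-in flag, adding a note when a SIMPLE bind would go over plain LDAP rather than LDAPS (the password is sent unencrypted in that case). The function names, the HostInfo fields, the host name and the challenge bytes are all constructed for this example; the NTLM header offsets follow MS-NLMP (8-byte "NTLMSSP\0" signature, 4-byte message type, server challenge at offset 24).

```python
import struct
from dataclasses import dataclass
from typing import Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_CHALLENGE_MESSAGE = 2  # MessageType of a Type 2 (CHALLENGE) message


def parse_ntlm_challenge(blob: bytes) -> Optional[bytes]:
    """Return the 8-byte ServerChallenge if blob is an NTLM CHALLENGE_MESSAGE, else None."""
    if len(blob) < 32 or not blob.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != NTLM_CHALLENGE_MESSAGE:
        return None
    return blob[24:32]


@dataclass
class HostInfo:
    hostname: str
    ldaps: bool          # True when the connection is LDAP over TLS
    kerberos_ok: bool    # True when a Kerberos ticket could be obtained
    no_ntlm: bool        # True when the server did not return an NTLM challenge


def enum_host_info(hostname: str, ldaps: bool, kerberos_ok: bool, ntlm_response: bytes) -> HostInfo:
    """Mirror of the 'populate no_ntlm from the NTLM challenge' step (hypothetical helper)."""
    challenge = parse_ntlm_challenge(ntlm_response)
    return HostInfo(hostname, ldaps, kerberos_ok, no_ntlm=challenge is None)


def choose_auth(info: HostInfo, allow_simple: bool = False):
    """Pick the bind method: Kerberos, then NTLM, then SIMPLE only when explicitly allowed.

    Returns (method, notes); method is None when no acceptable method remains.
    """
    notes = []
    if info.kerberos_ok:
        return "KERBEROS", notes
    if not info.no_ntlm:
        return "NTLM", notes
    notes.append(f"{info.hostname}: NTLM authentication not supported by the server")
    if not allow_simple:
        notes.append("SIMPLE bind not attempted; pass allow_simple=True to opt in")
        return None, notes
    if not info.ldaps:
        notes.append("SIMPLE bind over plain LDAP sends the password unencrypted; prefer LDAPS")
    return "SIMPLE", notes


# Constructed 40-byte CHALLENGE_MESSAGE: signature, type 2, empty TargetName fields,
# NegotiateFlags, an 8-byte ServerChallenge of 00..07, and the 8 reserved bytes.
SAMPLE_CHALLENGE = (
    NTLMSSP_SIGNATURE
    + struct.pack("<I", NTLM_CHALLENGE_MESSAGE)
    + struct.pack("<HHI", 0, 0, 40)
    + struct.pack("<I", 0xE2898215)
    + bytes(range(8))
    + bytes(8)
)


if __name__ == "__main__":
    # Server that answers the NTLM negotiate: NTLM is chosen.
    dc = enum_host_info("dc01.lab.example", ldaps=False, kerberos_ok=False, ntlm_response=SAMPLE_CHALLENGE)
    print(choose_auth(dc))
    # Server that returns nothing usable: SIMPLE only after opting in, with a plain-LDAP note.
    hardened = enum_host_info("dc02.lab.example", ldaps=False, kerberos_ok=False, ntlm_response=b"")
    print(choose_auth(hardened))
    print(choose_auth(hardened, allow_simple=True))
```

The opt-in flag is the reviewer's suggested shape rather than the PR's automatic fallback; keeping the warning text in the returned notes (instead of printing) makes the decision easy to unit-test and to surface in a module's logger.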