smartbrute
Fixed LDAPS support for Brute mode
Hello,

I'm not sure, but I think the brute mode wasn't working with an LDAPS-only server:

[!] Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

However it is working fine with the smart mode, since it has a --use-ldaps flag; in this PR I added this flag for the brute mode as well.

Hope I haven't broken anything else, I basically copied your existing code from the smart mode to the brute mode.
Thank you for this PR! As it turns out, LDAPS seems to be supported for Kerberos only at the moment. Even in smart mode, NTLM doesn't have the --use-ldaps option. However, there is already theoretical support in the code, only the option seems to be missing. Would you be able/have the time to fix this as well?
Hello,

Yes sure, however I'm currently struggling to "enable" LDAPS in my lab. I basically just installed the DC role, which works fine as usual, then I installed the AD CS role, which also works fine, but then I can't connect on port 636, either with "ldp.exe" or with Smartbrute. I checked with Wireshark, and the connection is immediately reset by the DC, even though LDAP works fine.

The AD CS certificate is indeed in the local computer store, and the subject name is the DC hostname. Do you have an idea why this isn't working? Or maybe a resource you are using to create an LDAPS lab. Note that I have installed both roles on the same server.

EDIT: Ok, I got it working, I had to put the FQDN in the subject field of the certificate.
This should work, I tested the commit with a command for each combination (NTLM/Kerberos/Smart/Brute), verifying that LDAPS was indeed used each time it was specified.
The code snippet:

```python
import ssl

# Handling LDAPS
if self.options.auth_use_ldaps:
    try:  # TLS 1.2 first, then fall back to TLS 1.0 if the handshake fails
        ldap_connection = self.ntlm.LDAP_authentication(target=target, tls_version=ssl.PROTOCOL_TLSv1_2, domain=self.options.auth_domain, user=self.options.auth_user, password=self.options.auth_password, lm_hash=auth_lm_hash, nt_hash=auth_nt_hash)
    except Exception:  # narrowed from a bare except so KeyboardInterrupt is not swallowed
        ldap_connection = self.ntlm.LDAP_authentication(target=target, tls_version=ssl.PROTOCOL_TLSv1, domain=self.options.auth_domain, user=self.options.auth_user, password=self.options.auth_password, lm_hash=auth_lm_hash, nt_hash=auth_nt_hash)
else:  # plain LDAP bind, no TLS
    ldap_connection = self.ntlm.LDAP_authentication(target=target, tls_version=None, domain=self.options.auth_domain, user=self.options.auth_user, password=self.options.auth_password, lm_hash=auth_lm_hash, nt_hash=auth_nt_hash)
```

appears many times in the code, my fault; I should probably put this in a function.
I also spotted some unused variables I think, I might add another 1-2 commits to remove them and test it.
I added a --dc-host option similar to this PR: https://github.com/ShutdownRepo/targetedKerberoast/pull/4, hope this is going to be useful (one day maybe).
Please merge, if feasible :)
Thank you @cmprmsd for the reminder. Merging, thank you @lap1nou
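The LDAPS handling discussed in this thread, written as the single helper the contributor says the repeated snippet should become. This is an added example, not smartbrute's own code: it keeps the PR's order of attempts (TLS 1.2, then TLS 1.0) and the strongerAuthRequired / 00002028 markers from the quoted error, but it is library-agnostic. The bind callable, the BindError class and the make_fake_dc stand-in are assumptions made so the code runs offline; a real run would pass a closure around the tool's own LDAP bind routine.

```python
import ssl
from typing import Callable, Optional, Sequence, Tuple

# Markers taken from the bind error quoted in this PR: LDAP result code 8
# (strongerAuthRequired) with Windows error 0x2028 in the diagnostic text.
STRONGER_AUTH_MARKERS = ("strongerAuthRequired", "00002028")

# Same order as the snippet in the PR: TLS 1.2 first, TLS 1.0 as a last resort.
TLS_FALLBACK_ORDER = (ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1)


class BindError(Exception):
    """Hypothetical stand-in for the LDAP library's bind exception (assumption)."""


# A bind callable takes the TLS protocol constant to use (None = plaintext LDAP)
# and returns an opaque connection, or raises BindError.  This is an assumed
# interface, not smartbrute's LDAP_authentication signature.
BindFn = Callable[[Optional[int]], object]


def needs_ldaps(error_text: str) -> bool:
    """True when the DC rejected an unsigned plaintext simple bind, i.e. the run
    has to be repeated over LDAPS (or with signing), not with other credentials."""
    return any(marker in error_text for marker in STRONGER_AUTH_MARKERS)


def bind_with_tls_fallback(bind: BindFn, versions: Sequence[int] = TLS_FALLBACK_ORDER) -> Tuple[object, int]:
    """Try each TLS protocol version in turn and return (connection, version) for
    the first one that binds.  Only BindError is caught, so an unrelated bug or a
    KeyboardInterrupt is not silently retried as a TLS 1.0 handshake."""
    last_error: Optional[BindError] = None
    for version in versions:
        try:
            return bind(version), version
        except BindError as exc:
            last_error = exc
    raise BindError(f"no TLS version accepted by the server: {last_error}")


def ldap_authenticate(bind: BindFn, use_ldaps: bool) -> object:
    """The PR snippet's structure as one function: LDAPS with fallback when
    --use-ldaps is set, otherwise a plaintext bind whose strongerAuthRequired
    failure becomes an actionable error instead of a generic bind failure."""
    if use_ldaps:
        connection, _ = bind_with_tls_fallback(bind)
        return connection
    try:
        return bind(None)
    except BindError as exc:
        if needs_ldaps(str(exc)):
            raise BindError("DC requires signing or TLS for this bind: rerun with --use-ldaps") from exc
        raise


def make_fake_dc(ldaps_only: bool, accepted_tls: Sequence[int] = (ssl.PROTOCOL_TLSv1_2,)):
    """Constructed stand-in for a DC so the helpers run offline (assumption):
    returns a bind callable and the list of TLS versions it was asked for."""
    attempts: list = []

    def bind(tls_version: Optional[int]) -> str:
        attempts.append(tls_version)
        if tls_version is None:
            if ldaps_only:
                # Verbatim text from the error message quoted in the PR.
                raise BindError("strongerAuthRequired: 00002028: LdapErr: DSID-0C090259, comment: "
                                "The server requires binds to turn on integrity checking "
                                "if SSL\\TLS are not already active on the connection")
            return "ldap-connection"
        if tls_version in accepted_tls:
            return "ldaps-connection"
        raise BindError("TLS handshake failure")

    return bind, attempts


if __name__ == "__main__":
    dc_bind, attempts = make_fake_dc(ldaps_only=True)
    try:
        ldap_authenticate(dc_bind, use_ldaps=False)
    except BindError as exc:
        print(f"plaintext bind: {exc}")
    print("with --use-ldaps:", ldap_authenticate(dc_bind, use_ldaps=True), attempts)
```

The fallback to TLS 1.0 is kept because the PR does it, but it is a deliberate downgrade: a DC that only completes a TLS 1.0 handshake is a finding in itself, and the attempt shows up as such in the DC's Schannel logs, so the version actually negotiated is returned rather than discarded.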