smartbrute

Fixed LDAPS support for Brute mode

Open lap1nou opened this issue 2 years ago • 4 comments

Hello,

I'm not sure, but I think the brute mode wasn't working with LDAPS only server:

[!] Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

However, it is working fine with the smart mode, since it has a --use-ldaps flag; in this PR I added this flag for the brute mode as well.

Hope I haven't broken anything else, I basically copied your existing code from the smart mode to the brute mode.

lap1nou avatar Jun 12 '22 22:06 lap1nou

Thank you for this PR! As it turns out LDAPS seems to be supported for Kerberos only at the moment. Even in smart mode, NTLM doesn't have the --use-ldaps option. However, there is already theoretical support in the code, only the option seems to be missing. Would you be able/have the time to fix this as well?

ShutdownRepo avatar Jun 13 '22 09:06 ShutdownRepo

Hello,

Yes sure, however I'm currently struggling to "enable" LDAPS in my lab. I basically just installed the DC role, which works fine as usual, then I installed the AD CS role, which also works fine, but then I can't connect on port 636, either with "ldp.exe" or with Smartbrute. I checked with Wireshark, the connection is immediately reset by the DC, even though LDAP works fine.

The AD CS certificate is indeed in the local computer store, and the subject name is the DC hostname. Do you have an idea why this isn't working? Or maybe a resource you are using to create an LDAPS lab. Note that I have installed both roles on the same server.

EDIT: OK, I got it working, I had to put the FQDN in the subject field of the certificate.

lap1nou avatar Jun 19 '22 10:06 lap1nou

This should work, I tested the commit with a command for each combination (NTLM/Kerberos/Smart/Brute), and verified LDAPS was indeed used each time it was specified.

The code snippet:

# Handling LDAPS
if self.options.auth_use_ldaps:
    # LDAPS requested: try a TLS 1.2 bind first, and if anything goes wrong
    # (bare except, so auth failures are retried too) fall back to TLS 1.0
    try:
        ldap_connection = self.ntlm.LDAP_authentication(
            target=target, tls_version=ssl.PROTOCOL_TLSv1_2,
            domain=self.options.auth_domain, user=self.options.auth_user,
            password=self.options.auth_password,
            lm_hash=auth_lm_hash, nt_hash=auth_nt_hash)
    except:
        ldap_connection = self.ntlm.LDAP_authentication(
            target=target, tls_version=ssl.PROTOCOL_TLSv1,
            domain=self.options.auth_domain, user=self.options.auth_user,
            password=self.options.auth_password,
            lm_hash=auth_lm_hash, nt_hash=auth_nt_hash)
else:
    # Plain LDAP (no TLS) when --use-ldaps is not given
    ldap_connection = self.ntlm.LDAP_authentication(
        target=target, tls_version=None,
        domain=self.options.auth_domain, user=self.options.auth_user,
        password=self.options.auth_password,
        lm_hash=auth_lm_hash, nt_hash=auth_nt_hash)

appears many times in the code, by my fault; I should probably put this in a function.

I also spotted some unused variables I think, I might add another 1-2 commits to remove them and test it.

lap1nou avatar Jun 20 '22 00:06 lap1nou
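One way to do what the comment above proposes, as an added example that is not smartbrute's code: the repeated try/except block becomes a single helper, and the fallback to an older TLS version happens only when the TLS handshake itself fails, so a wrong password (or any other bind error) is not silently retried the way a bare `except:` retries it. The `authenticate` callable and `make_fake_binder` are hypothetical stand-ins for a real bind (the fake is constructed for the demo); the `result_description`/`message` inputs of `bind_needs_ldaps` follow the `description` and `message` keys ldap3 places in `Connection.result` after a failed bind, and the sample diagnostic text is the one quoted in this PR.

```python
"""Added example, not code from smartbrute: one helper for the LDAPS/LDAP
bind with explicit TLS fallback, plus a check for the signing-required error."""
import re
import ssl
from typing import Callable, List, Optional, Sequence, Tuple

# Module-level aliases so callers (and tests) need not import ssl themselves.
TLS12 = ssl.TLSVersion.TLSv1_2
TLS10 = ssl.TLSVersion.TLSv1

# Constructed sample: the diagnostic text the DC returned in this PR when a
# cleartext simple bind hit a server that enforces LDAP signing.
SIGNING_REQUIRED_MESSAGE = (
    "00002028: LdapErr: DSID-0C090259, comment: The server requires binds to "
    "turn on integrity checking if SSL\\TLS are not already active on the "
    "connection"
)

_AD_ERROR_CODE = re.compile(r"^\s*([0-9A-Fa-f]{8}):\s*LdapErr")


def ad_error_code(message: str) -> Optional[str]:
    """Return the 8-hex-digit Windows error code that AD prefixes to its LDAP
    diagnostic messages, or None when the message is not in that format."""
    match = _AD_ERROR_CODE.match(message)
    return match.group(1).upper() if match else None


def bind_needs_ldaps(result_description: str, message: str) -> bool:
    """True when the DC refused a cleartext bind because it requires signing:
    LDAP result 'strongerAuthRequired' (code 8), which AD pairs with error
    00002028 in the message. Retrying over LDAPS (or with signing) is the fix."""
    return (result_description == "strongerAuthRequired"
            or ad_error_code(message) == "00002028")


def ldap_connect_with_optional_tls(
    authenticate: Callable[[Optional[ssl.TLSVersion]], object],
    use_ldaps: bool,
    tls_versions: Sequence[ssl.TLSVersion] = (TLS12,),
    handshake_errors: Tuple[type, ...] = (ssl.SSLError,),
) -> Tuple[object, Optional[ssl.TLSVersion]]:
    """Single replacement for the copy-pasted block.

    authenticate(tls_version) performs the bind; None means plain LDAP.
    With use_ldaps, each version in tls_versions is tried in order and the
    next one is attempted only when the handshake fails (handshake_errors).
    Any other exception, invalid credentials in particular, propagates at
    once instead of being retried on an older TLS version. The TLS 1.0
    fallback from the PR is therefore opt-in: pass (TLS12, TLS10).
    Returns (connection, tls_version_used)."""
    if not use_ldaps:
        return authenticate(None), None

    last_error: Optional[BaseException] = None
    for version in tls_versions:
        try:
            return authenticate(version), version
        except handshake_errors as exc:  # handshake failed: try next version
            last_error = exc
    assert last_error is not None, "tls_versions must not be empty"
    raise last_error


def make_fake_binder(handshake_ok: Sequence[ssl.TLSVersion], password_ok: bool):
    """Constructed stand-in for a real bind used by the demo: raises
    ssl.SSLError when the 'server' does not offer the requested TLS version,
    and ValueError (standing in for invalidCredentials) on a bad password.
    Records every attempted version in authenticate.calls."""
    calls: List[Optional[ssl.TLSVersion]] = []

    def authenticate(version: Optional[ssl.TLSVersion]) -> str:
        calls.append(version)
        if version is not None and version not in handshake_ok:
            raise ssl.SSLError("handshake failure")
        if not password_ok:
            raise ValueError("invalidCredentials")
        return "bound over " + ("LDAPS " + version.name if version else "LDAP")

    authenticate.calls = calls  # type: ignore[attr-defined]
    return authenticate


if __name__ == "__main__":
    # DC only speaks TLS 1.0 on 636: the helper steps down once, then binds.
    binder = make_fake_binder(handshake_ok=[TLS10], password_ok=True)
    print(ldap_connect_with_optional_tls(binder, True, (TLS12, TLS10)))
    print(binder.calls)
    print(bind_needs_ldaps("strongerAuthRequired", SIGNING_REQUIRED_MESSAGE))
```

With the default `tls_versions=(TLS12,)` a DC that only offers TLS 1.0 simply fails with the handshake error, which is the safer default for a tool that is otherwise pointed at production domains; the downgrade path stays available for a lab like the one described in this thread.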

I added a --dc-host option similar to this PR: https://github.com/ShutdownRepo/targetedKerberoast/pull/4, hope this is going to be useful (one day maybe).

lap1nou avatar Jun 27 '22 17:06 lap1nou

Please merge, if feasible :)

cmprmsd avatar Dec 15 '22 13:12 cmprmsd

Thank you @cmprmsd for the reminder. Merging, thank you @lap1nou

ShutdownRepo avatar Dec 15 '22 16:12 ShutdownRepo