ldaprelayscan's People

Contributors

progshu, subat0mik, t94j0, yofbalibump, zyn3rgy


ldaprelayscan's Issues

"Error detecting the version of libcrypto"

Hi,

Thank you for this tool.

Upon testing this today on the latest version of Kali I get the below error. I have installed LdapRelayScan as per your instructions here using the venv method. That by the way contains an error, "virtualenv env" should be "virtualenv venv".
[screenshot]

I have successfully used LdapRelayScan over the years since the release without this issue occurring.

Update 1: I think this is the issue, wbond/oscrypto#78

Update 2: Confirmed that the issue is with oscrypto. See link above. As of 231012 there is no new release of oscrypto available. To fix this temporarily, edit requirements_exact.txt. Comment out "oscrypto==1.2.1" and add "git+https://github.com/wbond/oscrypto.git@d5f3437".

output

Hey zyn3rgy,

could you please add an output option to create a json file.
I want to consume it with max.py and extend the Bloodhound database.

Cheers

Exception not well handled when timeout

If connection fails, the script crashes.

Traceback (most recent call last):
  File "/root/LdapRelayScan/LdapRelayScan.py", line 230, in <module>
    if DoesLdapsCompleteHandshake(dc) == True:
  File "/root/LdapRelayScan/LdapRelayScan.py", line 124, in DoesLdapsCompleteHandshake
    ssl_sock.connect((dcIp, 636))
  File "/usr/lib/python3.9/ssl.py", line 1342, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.9/ssl.py", line 1329, in _real_connect
    super().connect(addr)
socket.timeout: timed out

Deprecation Warning `ssl.wrap_socket()`

On Python 3.10.4 I get the following deprecation warning when running the tool.

LdapRelayScan.py:121: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()

Major changes of msldap 0.4.0

Changes to msldap break imports in LdapRelayScan.

For example, importing MSLDAPURLDecoder, MSLDAPClientConnection from msldap.commons.url is not possible since 0.4.0.

Please update requirements.txt with the exact versions of the libraries (for all dependencies).

LDAP Relay Scan

Cannot import name 'MSLDAPClientConnection' from 'msldap.commons.url'

I did pip3 install msldap but it still can't import the dependency. Running on Kali with python3.9.7-1.

Passwords with special characters cause the app to fail

I'm trying to utilize this with a password that is fairly strong, and it fails. However, if I use a username with a very simplistic password, it works fine. Here's the error when I do it with a password containing special characters:

[~/LdapRelayScan] # python3.9 LdapRelayScan.py -method BOTH -dc-ip 192.168.1.1 -u complexuser -p 'Du8Yl;\KF?(~@wl'

~Domain Controllers identified~
   dc2.redacted.com
   drdc1.redacted.com

~Checking DCs for LDAP NTLM relay protections~
   dc2.redacted.com
      [+] (LDAP)  SERVER SIGNING REQUIREMENTS NOT ENFORCED!
something went wrong during ldaps_withEPA bind:Port could not be cast to integer value as 'Du8Yl;\\KF'

Something went wrong...
For troubleshooting:
ldapsChannelBindingAlwaysCheck - False
ldapsChannelBindingWhenSupportedCheck: None

Without digging in too far, I would suspect it to be line 54 causing the issue.

url = 'ldaps+ntlm-password://'+inputUser + ':' + inputPassword +'@' + dcTarget

You can see that the first part of the password is being included as the port number to connect to in the error message, which leads me to this speculation. Passwords may need to be escaped somehow?
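The failure quoted above is exactly what a generic URL parser does with an unescaped password: the `?` ends the authority early, so `complexuser` becomes the host and `Du8Yl;\KF` the port. The added example below (my code, not LdapRelayScan's) reproduces that with urllib.parse and shows a percent-encoded URL parsing cleanly; whether msldap's own URL decoder percent-decodes the userinfo is not established here and must be checked against the installed msldap version.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values shaped like the report (not real credentials).
# The password carries ';', '\', '?', '(' and '@', all URL-reserved.
USER = "complexuser"
PASSWORD = "Du8Yl;\\KF?(~@wl"
DC_TARGET = "dc2.redacted.com"


def build_url_naive(user: str, password: str, dc_target: str) -> str:
    """Plain concatenation, the shape the issue quotes from line 54."""
    return "ldaps+ntlm-password://" + user + ":" + password + "@" + dc_target


def build_url_escaped(user: str, password: str, dc_target: str) -> str:
    """Hypothetical fix: percent-encode both userinfo parts.

    safe='' also escapes '/', so nothing in the credentials can be read
    as a delimiter by an RFC 3986 parser.
    """
    return "ldaps+ntlm-password://{}:{}@{}".format(
        quote(user, safe=""), quote(password, safe=""), dc_target)


def parse_url(url: str) -> dict:
    """Split the URL as a generic parser does and decode the userinfo.

    Reading .port raises ValueError('Port could not be cast to integer
    value ...') when the authority was mangled, the message in the report.
    """
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "port": parts.port,                      # None when not given
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
    }


def url_round_trips(url: str, user: str, password: str, host: str) -> bool:
    """True if user, password and host survive parsing; False on the failure."""
    try:
        parsed = parse_url(url)
    except ValueError:
        return False
    return (parsed["user"], parsed["password"], parsed["host"]) == (user, password, host)
```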

Wrong asysocks version causes ldaps_withEPA to fail

Intro
For some time now, LdapRelayScan has been failing when checking LDAPS Channel Binding. After some debugging it seems this is due to changes in 'asysocks', a dependency of LdapRelayScan. Among other things, something regarding the SSL context was changed in this dependency.

OS and Python version
OS: Ubuntu 20.04.1 LTS
Python: Python3.8 & Python3.9

Replication & Fix
This is the current state after cloning LdapRelayScan and installing the dependencies from requirements.txt:

[screenshot: broken]

Notice the error: "something went wrong during ldaps_withEPA bind: an integer is required (got type NoneType)"

Now let's swap the 'asysocks' package from version 0.2.7 (changed three weeks ago), to the older 0.2.5 version:

[screenshot: fix]

And afterwards we run LdapRelayScan to verify everything is working again:

[screenshot: fixed]

So it seems we either need to hardcode the version of asysocks in the dependencies, or the codebase needs to be changed to work with the newer version of asysocks.

License missing

Hi,

would you please consider adding a license? I'm hesitant to re-use your code without knowing your terms and I'd like to respect your copyright.

Thanks!

Multiple issues with docker setup on Kali on a Pi4

I'm not super familiar with docker containers so I may be doing something horribly wrong. Trying to get this application going in a docker on a Pi4 running the latest Kali, fully updated (2023.4)

At first, doing exactly as the github instructions state I was getting this error:

[screenshot]

So I added RUN apt install gcc -y to the Dockerfile and re-ran.

Then I got this error:
[screenshot]

I googled and people were saying you need libffi-dev so I added RUN apt install libffi-dev to the Dockerfile as well and re-ran.

Now I'm getting this:
[screenshot]

Feels like I'm going down a rabbit hole. Should I be doing this a different way or is the setup I'm on just not supported?

String Concatenation Error

I am trying to perform an anonymous check against an actual company production domain. I redacted it all here, but tried to be consistent. With or without sudo permissions it failed. No other tools are running in the background. I can try Python 3.10 if needed. My machine is fully up-to-date in apt and has been restarted since updating just in case.

I would expect the LDAP check would fail and try the next DC until all have been checked while handling the errors appropriately.

Separate issue, but I noticed that "identified" in ~Domain Controllers identifed~ is spelled incorrectly. Also noticed the password help command talks about the username (-p password: Domain username value). Quick fixes not worth their own issue.

Let me know if you need more information.

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ python './LdapRelayScan.py' -dc-ip 10.10.10.10 -method LDAPS

~Domain Controllers identifed~
  dc1.domain.tld
  dc2.domain.tld
  dc3.domain.tld
  dc4.domain.tld
  dc5.domain.tld

~Checking DCs for LDAP NTLM relay protections~
   dc1.domain.tld
UNEXPECTED ERROR: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906C6, comment: AcceptSecurityContext error, data 775, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
something went wrong during ldaps_withEPA bind:can only concatenate str (not "LDAPBindException") to str

Something went wrong...
For troubleshooting:
ldapsChannelBindingAlwaysCheck - None
ldapsChannelBindingWhenSupportedCheck: None

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2022.1
Codename:       kali-rolling

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ sudo proxychains pip install -r requirements.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.2.0)
Requirement already satisfied: ldap3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.8.1)
Requirement already satisfied: msldap in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.3.30)
Requirement already satisfied: minikerberos>=0.2.14 in /usr/lib/python3/dist-packages (from msldap->-r requirements.txt (line 3)) (0.2.14)
Requirement already satisfied: asysocks>=0.0.11 in /usr/lib/python3/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (0.1.2)
Requirement already satisfied: oscrypto>=1.2.1 in /usr/local/lib/python3.9/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.3.0)
Requirement already satisfied: asn1crypto>=1.5.1 in /usr/local/lib/python3.9/dist-packages (from oscrypto>=1.2.1->minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.5.1)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ python -V
Python 3.9.11

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ sudo nmap -Pn -sU -p 53 10.10.10.10 --open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 10:10 CDT
Nmap scan report for dc1.domain.tld (10.10.10.10)
Host is up (0.1111s latency).

PORT   STATE SERVICE
53/udp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Connection reset by peer

Hi, I wanted to try this in my lab to exploit RBCD webclient (https://www.bussink.net/rbcd-webclient-attack/). But trying this tool against the DC gives the following error. The DC is running AD Directory Services, DNS and DHCP. DNS is configured on my Kali machine.

┌──(user㉿pentest)-[/opt/LdapRelayScan]
└─$ python3 LdapRelayScan.py -dc-ip 10.0.0.3 -u labuser -p 'Password01' -method BOTH    1 ⨯

~Domain Controllers identifed~
   dc01.lab.local

~Checking DCs for LDAP NTLM relay protections~
   dc01.lab.local
      [+] (LDAP) SERVER SIGNING REQUIREMENTS NOT ENFORCED! 
Traceback (most recent call last):
  File "/opt/LdapRelayScan/LdapRelayScan.py", line 95, in DoesLdapsCompleteHandshake
    ssl_sock.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/LdapRelayScan/LdapRelayScan.py", line 198, in <module>
    if DoesLdapsCompleteHandshake(dc) == True:
  File "/opt/LdapRelayScan/LdapRelayScan.py", line 106, in DoesLdapsCompleteHandshake
    print("Unexpected error during LDAPS handshake: " + e)
TypeError: can only concatenate str (not "ConnectionResetError") to str
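This report, the earlier "Exception not well handled when timeout", "String Concatenation Error" and the `ssl.wrap_socket()` deprecation warning share one handshake routine. The added example below (my code, not the project's) is a hypothetical replacement for `DoesLdapsCompleteHandshake` that uses `SSLContext.wrap_socket`, separates timeouts from resets, and renders every exception with `repr()` instead of concatenating it onto a str; `start_fake_dc` is a constructed loopback stand-in for a DC so the failure paths can be exercised offline.

```python
import socket
import ssl
import threading
import time


def ldaps_handshake_status(host: str, port: int = 636, timeout: float = 5.0):
    """Return (completed, detail) for a TLS handshake to host:port.

    Hypothetical stand-in for DoesLdapsCompleteHandshake, not the project's
    code. SSLContext.wrap_socket replaces the deprecated ssl.wrap_socket, and
    each exception is rendered with repr() rather than concatenated onto a
    str, which is what raised the TypeError in the reports. Certificate
    verification is off because this probes handshake completion, not trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"handshake completed ({tls.version()})"
    except socket.timeout as e:        # TimeoutError on Python 3.10+
        return False, f"timed out after {timeout}s: {e!r}"
    except ConnectionResetError as e:
        return False, f"connection reset by peer: {e!r}"
    except ssl.SSLError as e:          # includes SSLEOFError on early close
        return False, f"TLS failure: {e!r}"
    except OSError as e:               # refused, unreachable, DNS, ...
        return False, f"socket error: {e!r}"


def start_fake_dc(behaviour: str) -> int:
    """Constructed local stand-in for a DC; returns its loopback port.
    'close' drops the connection before any TLS record is sent, 'hang'
    accepts and stays silent so the client hits its own timeout.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if behaviour == "hang":
            time.sleep(3.0)            # longer than the client timeout
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```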
