zyn3rgy / ldaprelayscan
Check for LDAP protections regarding the relay of NTLM authentication
License: MIT License
Hi,
Thank you for this tool.
Upon testing this today on the latest version of Kali I get the below error. I have installed LdapRelayScan as per your instructions here using the venv method. That by the way contains an error, "virtualenv env" should be "virtualenv venv".
I have successfully used LdapRelayScan over the years since the release without this issue occurring.
Update 1: I think this is the issue, wbond/oscrypto#78
Update 2: Confirmed that the issue is with oscrypto. See link above. As of 231012 there is no new release of oscrypto available. To fix this temporarily, edit requirements_exact.txt. Comment out "oscrypto==1.2.1" and add "git+https://github.com/wbond/oscrypto.git@d5f3437".
Hey zyn3rgy,
could you please add an output option to create a JSON file.
I want to consume it with max.py and extend the BloodHound database.
Cheers
If connection fails, the script crashes.
Traceback (most recent call last):
File "/root/LdapRelayScan/LdapRelayScan.py", line 230, in <module>
if DoesLdapsCompleteHandshake(dc) == True:
File "/root/LdapRelayScan/LdapRelayScan.py", line 124, in DoesLdapsCompleteHandshake
ssl_sock.connect((dcIp, 636))
File "/usr/lib/python3.9/ssl.py", line 1342, in connect
self._real_connect(addr, False)
File "/usr/lib/python3.9/ssl.py", line 1329, in _real_connect
super().connect(addr)
socket.timeout: timed out
On Python 3.10.4 I get the following deprecation warning when running the tool.
LdapRelayScan.py:121: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()
Changes to msldap break imports in LdapRelayScan.
For example, importing MSLDAPURLDecoder, MSLDAPClientConnection from msldap.commons.url is not possible since 0.4.0.
Please update requirements.txt with the exact versions of the libraries (for all dependencies).
Cannot import name 'MSLDAPClientConnection' from 'msldap.commons.url'
I did pip3 install msldap but it still can't import the dependency. Running on Kali with python3.9.7-1
I'm trying to utilize this with a password that is fairly strong, and it fails. However, if I use a username with a very simplistic password, it works fine. Here's the error when I do it with a password containing special characters:
[~/LdapRelayScan] # python3.9 LdapRelayScan.py -method BOTH -dc-ip 192.168.1.1 -u complexuser -p 'Du8Yl;\KF?(~@wl'
~Domain Controllers identified~
dc2.redacted.com
drdc1.redacted.com
~Checking DCs for LDAP NTLM relay protections~
dc2.redacted.com
[+] (LDAP) SERVER SIGNING REQUIREMENTS NOT ENFORCED!
something went wrong during ldaps_withEPA bind:Port could not be cast to integer value as 'Du8Yl;\\KF'
Something went wrong...
For troubleshooting:
ldapsChannelBindingAlwaysCheck - False
ldapsChannelBindingWhenSupportedCheck: None
Without digging in too far, I would suspect it to be line 54 causing the issue.
url = 'ldaps+ntlm-password://'+inputUser + ':' + inputPassword +'@' + dcTarget
You can see that the first part of the password is being included as the port number to connect to in the error message, which leads me to this speculation. Passwords may need to be escaped somehow?
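The construction on line 54 drops the raw credentials into the authority part of the URL, so a ';', '?', '@' or ':' in the password is read as a port or a query, which is exactly what the error message shows. The following is an added example, not code from LdapRelayScan or msldap: it reproduces the failure with Python's own urlsplit and shows the percent-encoding fix. build_msldap_url, naive_url, port_parse_error and parse_userinfo are hypothetical names, and it assumes the consuming library percent-decodes userinfo, which should be verified against the msldap version in use.

```python
from urllib.parse import quote, unquote, urlsplit

SCHEME = "ldaps+ntlm-password"  # the scheme used on line 54 of the report


def naive_url(user: str, password: str, target: str) -> str:
    """The original construction: credentials dropped into the URL unescaped."""
    return SCHEME + "://" + user + ":" + password + "@" + target


def build_msldap_url(user: str, password: str, target: str) -> str:
    """Hypothetical fix: percent-encode both userinfo fields. safe='' also
    encodes '/', so a 'DOMAIN\\user' or 'user@realm' style name survives."""
    return f"{SCHEME}://{quote(user, safe='')}:{quote(password, safe='')}@{target}"


def port_parse_error(url: str):
    """Return the ValueError message urlsplit raises for the port, or None."""
    try:
        _ = urlsplit(url).port
        return None
    except ValueError as exc:
        return str(exc)


def parse_userinfo(url: str):
    """What a URL-based client sees: (username, password, hostname)."""
    p = urlsplit(url)
    user = unquote(p.username) if p.username is not None else None
    pwd = unquote(p.password) if p.password is not None else None
    return user, pwd, p.hostname


if __name__ == "__main__":
    # Constructed values mirroring the report (the redacted DC name from above).
    user, password, target = "complexuser", r"Du8Yl;\KF?(~@wl", "dc2.redacted.com"
    bad = naive_url(user, password, target)
    print("naive  :", bad)
    print("  host :", urlsplit(bad).hostname, "| port error:", port_parse_error(bad))
    good = build_msldap_url(user, password, target)
    print("encoded:", good)
    print("  parsed:", parse_userinfo(good))
```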
Intro
For some time now, LdapRelayScan has been failing when checking LDAPS Channel Binding. After some debugging it seems this is due to changes in 'asysocks', a dependency of LdapRelayScan. Among other things, something regarding the SSL context was changed in this dependency.
OS and Python version
OS: Ubuntu 20.04.1 LTS
Python: Python3.8 & Python3.9
Replication & Fix
This is the current state after cloning LdapRelayScan and installing the dependencies from requirements.txt:
Notice the error: "something went wrong during ldaps_withEPA bind: an integer is required (got type NoneType)"
Now let's swap the 'asysocks' package from version 0.2.7 (changed three weeks ago), to the older 0.2.5 version:
And afterwards we run LdapRelayScan to verify everything is working again:
So it seems we either need to hardcode the version of asysocks in the dependencies, or the codebase needs to be changed to work with the newer version of asysocks.
Hi,
would you please consider adding a license? I'm hesitant to re-use your code without knowing your terms and I'd like to respect your copyright.
Thanks!
I'm not super familiar with docker containers so I may be doing something horribly wrong. Trying to get this application going in a docker on a Pi4 running the latest Kali, fully updated (2023.4)
At first, doing exactly as the github instructions state I was getting this error:
So I added RUN apt install gcc -y to the Dockerfile and re-ran.
I googled and people were saying you need libffi-dev so I added RUN apt install libffi-dev to the Dockerfile as well and re-ran.
Feels like I'm going down a rabbit hole. Should I be doing this a different way or is the setup I'm on just not supported?
@ToweringDragoon found an issue where only a portion of DCs were being identified. The SRV record lookup is not being parsed correctly. Planning to fix shortly.
I am trying to perform an anonymous check against an actual company production domain. I redacted it all here, but tried to be consistent. With or without sudo permissions it failed. No other tools are running in the background. I can try Python 3.10 if needed. My machine is fully up-to-date in apt and has been restarted since updating just in case.
I would expect the LDAP check would fail and try the next DC until all have been checked while handling the errors appropriately.
Separate issue, but I noticed that "identified" in "~Domain Controllers identifed~" is spelled incorrectly. Also noticed the password help command talks about the username: "-p password Domain username value". Quick fixes not worth their own issue.
Let me know if you need more information.
┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ python './LdapRelayScan.py' -dc-ip 10.10.10.10 -method LDAPS
~Domain Controllers identifed~
dc1.domain.tld
dc2.domain.tld
dc3.domain.tld
dc4.domain.tld
dc5.domain.tld
~Checking DCs for LDAP NTLM relay protections~
dc1.domain.tld
UNEXPECTED ERROR: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906C6, comment: AcceptSecurityContext error, data 775, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
something went wrong during ldaps_withEPA bind:can only concatenate str (not "LDAPBindException") to str
Something went wrong...
For troubleshooting:
ldapsChannelBindingAlwaysCheck - None
ldapsChannelBindingWhenSupportedCheck: None
┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2022.1
Codename: kali-rolling
┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ sudo proxychains pip install -r requirements.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.2.0)
Requirement already satisfied: ldap3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.8.1)
Requirement already satisfied: msldap in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.3.30)
Requirement already satisfied: minikerberos>=0.2.14 in /usr/lib/python3/dist-packages (from msldap->-r requirements.txt (line 3)) (0.2.14)
Requirement already satisfied: asysocks>=0.0.11 in /usr/lib/python3/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (0.1.2)
Requirement already satisfied: oscrypto>=1.2.1 in /usr/local/lib/python3.9/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.3.0)
Requirement already satisfied: asn1crypto>=1.5.1 in /usr/local/lib/python3.9/dist-packages (from oscrypto>=1.2.1->minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.5.1)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ python -V
Python 3.9.11
┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ sudo nmap -Pn -sU -p 53 10.10.10.10 --open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 10:10 CDT
Nmap scan report for dc1.domain.tld (10.10.10.10)
Host is up (0.1111s latency).
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
Hi, I wanted to try this in my lab to exploit RBCD webclient (https://www.bussink.net/rbcd-webclient-attack/). But trying this tool against the DC gives the following error. The DC is running AD Directory Services, DNS and DHCP. DNS is configured on my kali machine.
┌──(user㉿pentest)-[/opt/LdapRelayScan]
└─$ python3 LdapRelayScan.py -dc-ip 10.0.0.3 -u labuser -p 'Password01' -method BOTH 1 ⨯
~Domain Controllers identifed~
dc01.lab.local
~Checking DCs for LDAP NTLM relay protections~
dc01.lab.local
[+] (LDAP) SERVER SIGNING REQUIREMENTS NOT ENFORCED!
Traceback (most recent call last):
File "/opt/LdapRelayScan/LdapRelayScan.py", line 95, in DoesLdapsCompleteHandshake
ssl_sock.do_handshake()
File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/LdapRelayScan/LdapRelayScan.py", line 198, in <module>
if DoesLdapsCompleteHandshake(dc) == True:
File "/opt/LdapRelayScan/LdapRelayScan.py", line 106, in DoesLdapsCompleteHandshake
print("Unexpected error during LDAPS handshake: " + e)
TypeError: can only concatenate str (not "ConnectionResetError") to str
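The traceback above, the earlier socket.timeout crash and the ssl.wrap_socket() deprecation warning all come from the same LDAPS handshake check: a connect or handshake failure escapes, and the except branch then concatenates the exception object to a string, which is itself a TypeError. The following is an added example, not the project's code: a handshake probe built on SSLContext that turns every failure into a per-host result so the remaining DCs are still checked. ldaps_handshake_probe, probe_all, probe_context and describe_error are hypothetical names.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class HandshakeResult:
    host: str
    completed: bool
    detail: str  # negotiated TLS version, or the error that stopped the probe


def describe_error(exc: BaseException) -> str:
    """Format an exception for a message. The reported code did
    '"..." + e', which raises TypeError for any exception object."""
    return f"{type(exc).__name__}: {exc}"


def probe_context() -> ssl.SSLContext:
    """SSLContext replacing the deprecated ssl.wrap_socket(). The question is
    only whether the DC completes a TLS handshake on 636, so certificate checks
    are disabled: this is a reachability probe, not a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ldaps_handshake_probe(host: str, port: int = 636, timeout: float = 5.0) -> HandshakeResult:
    """Connect and handshake; every failure becomes a result, never a crash."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # The socket is already connected, so wrap_socket performs the
            # handshake here and raises ssl.SSLError if the DC rejects it.
            with probe_context().wrap_socket(raw, server_hostname=host) as tls:
                return HandshakeResult(host, True, tls.version() or "tls")
    except OSError as exc:  # timeout, ECONNREFUSED, ECONNRESET and ssl.SSLError
        return HandshakeResult(host, False, describe_error(exc))


def probe_all(hosts: Iterable[str], port: int = 636, timeout: float = 5.0) -> List[HandshakeResult]:
    """Check every DC; one unreachable host no longer aborts the whole run."""
    return [ldaps_handshake_probe(h, port=port, timeout=timeout) for h in hosts]


if __name__ == "__main__":
    # Constructed target: loopback port 1 is closed on a typical host, so this
    # shows the refused-connection path without touching a real DC.
    for r in probe_all(["127.0.0.1"], port=1, timeout=2.0):
        print(r.host, "handshake ok" if r.completed else "failed:", r.detail)
```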