0xBallpoint / LOAD

Lord Of Active Directory - automatic vulnerable active directory on AWS
https://ballpoint.fr
GNU General Public License v3.0

Issues with `mordor.local\\gollum` (always him) in multi domains group member #2

Closed ademenet closed 9 months ago

ademenet commented 10 months ago

Hello!

I am running into an issue while running the following command:

$ ansible-playbook ad-groups.yml -vvv

During the task `groups/cross_domains : Add a domain user/group from another Domain in the multi-domain forest to a domain group`, I have three attempts like:

FAILED - RETRYING: [13.48.56.206]: Add a domain user/group from another Domain in the multi-domain forest to a domain group (3 retries left).Result was: {
    "attempts": 1,
    "changed": false,
    "msg": "Unhandled exception while executing module: Either the target name is incorrect or the server has rejected the client credentials.",
    "retries": 4
}

And it finally crashed. Here is the full traceback:

The full traceback is:
Either the target name is incorrect or the server has rejected the client credentials.
At line:64 char:21
+ ... up_member = Get-ADObject -Filter "SamAccountName -eq '$member' -and $ ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADObject], AuthenticationException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADObject

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 64

System.Security.Authentication.AuthenticationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
   --- End of inner exception stack trace ---
   at System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
   at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ActiveDirectory.WebServices.Proxy.Resource.Get(Message request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowAuthenticationRelatedExceptionIfAny(CommunicationException exception)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)
   at Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetRootDSE()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetConnectedStore()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetCmdletSessionInfo()
   at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBaseBeginCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()
failed: [13.38.46.216] (item={'key': 'Hobbit', 'value': ['bilbo', 'frodo', 'sam', 'merry', 'pippin', 'mordor.local\\gollum']}) => {
    "ansible_loop_var": "item",
    "attempts": 3,
    "changed": false,
    "item": {
        "key": "Hobbit",
        "value": [
            "bilbo",
            "frodo",
            "sam",
            "merry",
            "pippin",
            "mordor.local\\gollum"
        ]
    },
    "msg": "Unhandled exception while executing module: Either the target name is incorrect or the server has rejected the client credentials."
}

I did some testing and found that the task succeeds if I remove the user `mordor.local\\gollum` from the `multi_domain_groups_member` list in config.json:

        "multi_domain_groups_member": {
-           "Hobbit": ["bilbo", "frodo", "sam", "merry", "pippin", "mordor.local\\gollum"]
+          "Hobbit": ["bilbo", "frodo", "sam", "merry", "pippin"]
        },
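Review bot: this workaround drops the only cross-domain entry, so the Hobbit group simply loses its mordor.local member instead of the lookup being fixed; the traceback above shows Get-ADObject failing inside GetRootDSE with an AuthenticationException, i.e. while opening the ADWS connection and before the SamAccountName filter is evaluated, which points at the target server or credentials used for that connection rather than at the member value itself. Also, the `-` and `+` lines are indented differently, so the diff shows a whitespace change that was presumably not intended.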

Then, I am able to run the remaining playbooks smoothly without any errors. But I guess I am losing an exploit opportunity.

Any idea on how I can solve that? I don't know where to look.

Thank you very much for any clues you can give, and thanks @0xBallpoint for the hard work!

ademenet commented 10 months ago

Okay, I guess I found the error: a typo in the region variable in hosts. I replayed all playbooks and it works with gollum. I guess the DNS is involved in its setup.

Now, I am facing a new issue: I can't manage to list users with either enum4linux or crackmapexec. I am wondering if the anonymous setup went well or if it's still a DNS issue. Any idea?

Thank you!

hilarex commented 10 months ago

Hello,

Thank you for giving the lab a try! There are often issues at this moment; that's why there is a loop to try this request multiple times. It is often because the command is looking for 'mordor.local\gollum' under 'DC=eriador,DC=middle-earth,DC=local' instead of using the 'mordor.local' domain. I haven't found a fix for it yet, but running the command later works most of the time.

Regarding the anonymous issue, did you target the RIVENDELL server? It only works on DC02 by design. I tried and it works after applying the ad-acl.yml rules and then rebooting DC02. If it still doesn't work, could you open another issue with your command and result?

Thank you,
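The root cause described above (the member lookup being issued against the eriador naming context instead of mordor.local) can be avoided by resolving the member in its own domain first. The following is an added example, not code from the LOAD playbooks: the function name is my own, the group and member names are the ones from the issue's config.json, and it assumes the ActiveDirectory module and a working forest trust so that a DC of the member's domain can be discovered.

```powershell
# Added example (not from the LOAD project): resolve a "domain\sam" member
# against a DC of *that* domain before adding it, retrying on auth errors.
Import-Module ActiveDirectory

function Add-CrossDomainGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Group,    # group in the local domain
        [Parameter(Mandatory)] [string] $Member,   # "bilbo" or "mordor.local\gollum"
        [int] $Retries = 4,                        # same count as the issue's loop
        [int] $DelaySeconds = 30
    )
    # Split "domain\sam"; a bare name means the local domain.
    if ($Member -match '^(?<dom>[^\\]+)\\(?<sam>.+)$') {
        $domain = $Matches.dom
        $sam    = $Matches.sam
    } else {
        $domain = (Get-ADDomain).DNSRoot
        $sam    = $Member
    }

    for ($attempt = 1; $attempt -le $Retries; $attempt++) {
        try {
            # Discover an ADWS-capable DC for the member's domain, so the search
            # does not run under the local 'DC=eriador,...' naming context.
            $dc  = Get-ADDomainController -DomainName $domain -Discover -Service ADWS
            $srv = $dc.HostName[0]
            $obj = Get-ADObject -Server $srv -LDAPFilter "(sAMAccountName=$sam)" `
                                -Properties objectSid -ErrorAction Stop
            if (-not $obj) { throw "No object named '$sam' in $domain (via $srv)" }
            Write-Verbose "Resolved $Member as $($obj.DistinguishedName) via $srv"
            # Add by SID: the local DC creates the foreignSecurityPrincipal entry
            # itself, so no DN from the other domain has to be resolved locally.
            $sidRef = "<SID=$($obj.objectSid.Value)>"
            Set-ADGroup -Identity $Group -Add @{ member = $sidRef } -ErrorAction Stop
            return $obj.DistinguishedName
        } catch {
            # Covers the "target name is incorrect or the server has rejected
            # the client credentials" case from the traceback: DC or trust not ready.
            Write-Warning "Attempt $attempt/$Retries for $Member failed: $($_.Exception.Message)"
            if ($attempt -eq $Retries) { throw }
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Usage with the names from the issue's config.json:
Add-CrossDomainGroupMember -Group 'Hobbit' -Member 'mordor.local\gollum' -Verbose
```

The -Verbose line records which server each member was resolved through, which is the first thing to check when a retry loop keeps failing on the same cross-domain entry.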

ademenet commented 10 months ago

Hello!

Thank you for your reply.

> I haven't found a fix for it yet, but running the command later works most of the time.

Apparently yes. But sometimes it keeps failing. Weird. I will look into it so as to maybe find a check to trigger the later config.

> Regarding the anonymous issue, did you target the RIVENDELL server? It only works on DC02 by design. I tried and it works after applying the ad-acl.yml rules and then rebooting DC02. If it still doesn't work, could you open another issue with your command and result?

You were right! I am going to update the ad-acl.yml rules to add a small reboot at the end. Maybe I can do a PR if it works well. What do you think?

hilarex commented 9 months ago

Yes, you're welcome to do any PR to improve the project!