AlmondOffSec / PassTheCert

Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
Apache License 2.0
555 stars 70 forks

Unhandled Exception: System.DirectoryServices.Protocols.TlsOperationException #13

Closed 7MinSec closed 11 months ago

7MinSec commented 1 year ago

Hello!

I've got an ESC1 vulnerability on a pentest where I've used Certify to request a cert on behalf of a domain admin. In PassTheCert I've done:

PassTheCert.exe --start-tls --server dc.victim.domain --cert-path cert.pfx --elevate --target "dc=victim,dc=domain" --sid XXX

The full error I get is:

Unhandled Exception: System.DirectoryServices.Protocols.TlsOperationException: An unspecified operation error occurred.
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at PassTheCert.Program.Main(String[] args)

I've tried without --start-tls and error changes to:

Unhandled Exception: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at PassTheCert.Program.GetSecurityDescriptor(LdapConnection connection, String target, String filter, String attribute, Boolean flag_control)
   at PassTheCert.Program.AclAttack(LdapConnection connection, String target, String filter, String attribute, AccessControlEntry[] new_aces, String restore_file, Boolean flag_control)
   at PassTheCert.Program.ElevateUserAttack(LdapConnection connection, String target, String sid, String restore_file)
   at PassTheCert.Program.Main(String[] args)

Any thoughts on what else to try from here?

the-useless-one commented 1 year ago

Hi @7MinSec,

Can you make sure that:

  1. The LDAPS port (TCP/636) is open and the DC sends a certificate. You can check that with openssl:
    $ openssl s_client -connect $DC_IP:636
  2. The DC supports StartTLS on the LDAP port (TCP/389).

Otherwise, something funky might be going on, as @ThePirateWhoSmellsOfSunflowers says in this issue. Maybe try a different DC or wait a little bit :shrug:

Cheers,

Y
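The two prerequisites listed in the reply above (TLS on TCP/636 with a server certificate, and StartTLS on TCP/389) can be verified without PassTheCert or openssl. The script below is an added example, not part of the PassTheCert project: it hand-encodes the RFC 4511 StartTLS extended request (OID 1.3.6.1.4.1.1466.20037), decodes the resultCode from the DC's ExtendedResponse, and completes a TLS handshake on 636 to confirm a certificate is presented. The hostname `dc.example.test` and the embedded response bytes are constructed placeholders for illustration.

```python
"""Connectivity checks for the two prerequisites discussed above.
Added example, not PassTheCert code. Host/port defaults are placeholders."""
import hashlib
import socket
import ssl

# RFC 4511 section 4.14: StartTLS extended operation OID
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n: int) -> bytes:
    """Encode a BER length, short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _ber_len(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    message_id is kept below 128 so the INTEGER fits in one byte."""
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must be 1..127 for this minimal encoder")
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage, ... } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (expected SEQUENCE 0x30)")
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse (0x78), got 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)        # ENUMERATED resultCode
    _, matched_dn, pos = _read_tlv(resp, pos)  # LDAPDN
    _, diag, pos = _read_tlv(resp, pos)        # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),   # 0 = success, 2 = protocolError, 52 = unavailable
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def check_starttls(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send StartTLS on the plain LDAP port and report the DC's resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_starttls_request())
        return parse_starttls_response(s.recv(4096))


def check_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Complete a TLS handshake on the LDAPS port and return the SHA-256 fingerprint
    of the certificate the DC presented. Verification is disabled on purpose: this is
    a reachability check, not a trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


# Constructed sample responses (not captured from a real DC):
# success (resultCode 0, empty matchedDN and diagnosticMessage)
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
# protocolError (resultCode 2) with diagnosticMessage "unsupported"
SAMPLE_STARTTLS_ERR = bytes.fromhex("301702010178120a01020400040b756e737570706f72746564")

if __name__ == "__main__":
    host = "dc.example.test"  # placeholder, replace with the DC under test
    print("LDAPS cert sha256:", check_ldaps(host))
    print("StartTLS:", check_starttls(host))
```

A resultCode of 0 on port 389 means the DC accepts StartTLS, which is the path the `--start-tls` switch needs; a non-zero code (2 protocolError or 52 unavailable are the ones typically seen) or a failed handshake on 636 points at the server rather than at the certificate being passed.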

7MinSec commented 1 year ago

Sorry for the delay. This is on my todo list in the lab. I'll update this issue as soon as I know more.

ThePirateWhoSmellsOfSunflowers commented 11 months ago

No activity, now closing. Reopen if needed.

:sunflower: