AlmondOffSec / PassTheCert

Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
Apache License 2.0

SSL: UNEXPECTED_EOF_WHILE_READING - EOF occurred in violation of protocol #17

Closed Fufu-btw closed 11 months ago

Fufu-btw commented 11 months ago

Hello, for a few days I have been getting this error when I run passthecert:

┌──(fufu㉿computer)-[~]
└─$ python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain corp.local -dc-ip 172.16.1.1                   
Impacket v0.11.0 - Copyright 2023 Fortra

("('socket ssl wrapping error: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)',)",)

I saw in some other issue that you should check whether it's an LDAPS issue. The connection between the AD and my machine on ports 636 and 389 seems OK (nmap/nc + openssl):

┌──(fufu㉿pan)-[~]
└─$ openssl s_client -connect 172.16.1.1:636
CONNECTED(00000003)
40D76EEFE67F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 430 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

┌──(fufu㉿pan)-[~]
└─$ nc -zv 172.16.1.1 636   
DC01 [172.16.1.5] 636 (ldaps) open

Should I use another version of impacket? Or should I modify something else in my openssl configuration?

Regards, Fufu

ThePirateWhoSmellsOfSunflowers commented 11 months ago

Hi,

This issue is typical of a TLS misconfiguration: the TCP port is open but no certificate is configured. You can easily reproduce this issue locally:

$ nc -nvlp 1337
[...]
in another console
[...]
$ openssl s_client -connect 127.0.0.1:1337
CONNECTED(00000003)
40F74D26307F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 300 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Thus, your LDAPS service does not seem to be configured.

:sunflower:
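The reproduction in the comment above (TCP accept, no ServerHello) can be turned into a small diagnostic that tells the three failure modes apart before blaming impacket or the OpenSSL config. The script below is an added example, not code from the issue or from PassTheCert: `probe_tls` opens a TCP connection and attempts a TLS handshake, then classifies the outcome as connection refused, EOF before a ServerHello (the `nc -nvlp` case, port open but no certificate bound), a non-TLS answer (a plaintext service on the port), or a completed handshake. `start_fake_server` and `unused_port` are constructed loopback stand-ins for those misconfigurations so the script runs offline; the host, port and banner strings are assumptions for the demonstration, and the `tls-ok` branch is exercised only against a real LDAPS endpoint.

```python
"""Classify why a TLS handshake against an LDAPS port fails (added example)."""
import socket
import ssl
import sys
import threading


def probe_tls(host, port, timeout=3.0):
    """Return (verdict, detail) for a TLS handshake attempt against host:port.

    verdict is one of:
      tcp-closed        nothing listening (connection refused)
      eof-no-tls        TCP accepted, peer closed before a ServerHello: the
                        "port open but no certificate bound" case from the thread
      not-tls           peer answered with bytes that are not a TLS record
      handshake-failed  reset or timeout during the handshake
      tls-ok            handshake completed; detail is the negotiated version
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnosing reachability, not authenticating the DC
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-closed", None
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok", tls.version()
        except ssl.SSLError as exc:
            reason = exc.reason or str(exc)
            # OpenSSL 3 reports UNEXPECTED_EOF_WHILE_READING, older builds a bare
            # SSLEOFError; both mean the peer hung up without a ServerHello.
            if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc).upper():
                return "eof-no-tls", reason
            return "not-tls", reason  # e.g. WRONG_VERSION_NUMBER from a plaintext banner
        except (ConnectionResetError, socket.timeout) as exc:
            return "handshake-failed", type(exc).__name__


def start_fake_server(mode):
    """Start a loopback listener that mimics a misconfigured service; return its port.

    mode "silent-close": accept, read the ClientHello, close without answering
                         (the `nc -nvlp` reproduction: open port, no TLS).
    mode "plaintext":    accept and answer with a constructed non-TLS banner
                         (a service on the port that was never wrapped in TLS).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # assumption: loopback, kernel-chosen port
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            # Drain the ClientHello first so close() sends a FIN rather than a RST.
            conn.settimeout(0.5)
            try:
                while conn.recv(65535):
                    pass
            except (socket.timeout, OSError):
                pass
            if mode == "plaintext":
                conn.sendall(b"220 not-actually-ldaps ready\r\n")  # constructed banner
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Reserve-then-release a loopback port so a probe hits nothing listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 probe.py 172.16.1.1 636
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(probe_tls(target_host, target_port))
```

An `eof-no-tls` verdict against port 636 of a DC is the situation in this issue: the listener is up, but no server authentication certificate is bound, so the LDAPS service never sends a ServerHello and no client configuration change will help. `not-tls` points at a plaintext service occupying the port, and `tcp-closed` at a firewall or a service that is not running at all.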