AlmondOffSec / PassTheCert

Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
Apache License 2.0

LDAP server not found #2

Closed. 7MinSec closed this 2 years ago.

7MinSec commented 2 years ago

Hello!

Per this thread I'm excited to give PassTheCert a try but am having an issue. When I run this...

PassTheCert.exe --server FQDN.OF.A.DOMAINCONTROLLER --cert-path domainadmin.pfx --elevate --target "DC=victim,DC=domain" --sid XXX

I get this:

Unhandled Exception: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at PassTheCert.Program.GetSecurityDescriptor(LdapConnection connection, String target, String filter, String attribute, Boolean flag_control)
   at PassTheCert.Program.AclAttack(LdapConnection connection, String target, String filter, String attribute, AccessControlEntry[] new_aces, String restore_file, Boolean flag_control)
   at PassTheCert.Program.ElevateUserAttack(LdapConnection connection, String target, String sid, String restore_file)
   at PassTheCert.Program.Main(String[] args)

Any thoughts? The FQDN.OF.A.DOMAINCONTROLLER is resolvable and online (and a DC :-)

7MinSec commented 2 years ago

Not sure if it matters, but one thing I noticed is that if I run nmap -p389,636 FQDN.OF.A.DOMAINCONTROLLER it reports the host as "down", but if I add the no-ping flag -Pn, nmap finishes with the results I expect.

the-useless-one commented 2 years ago

Hi!

By default, PassTheCert tries the LDAPS port. Is it reported as open in your nmap scan? Either way, you can try using --start-tls, which will connect to the LDAP port. Let me know your results.
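The distinction in the reply above (LDAPS is implicit TLS on 636; --start-tls means a plain connection to 389 followed by the StartTLS extended operation) is what decides whether a generic "The LDAP server is unavailable" comes from a closed or filtered port, a failed TLS handshake, or a DC that refuses StartTLS. The probe below is an added example written for this thread, not code from the PassTheCert project or from either commenter; it builds and decodes the StartTLS request/response itself (RFC 4511 extended operation, OID 1.3.6.1.4.1.1466.20037) so it has no dependency beyond the standard library. The sample responses in it are constructed, not captured from any server, and the host names are whatever DCs you pass on the command line.

```python
"""Added example: probe LDAPS (636) and LDAP+StartTLS (389) on a DC.

Not part of PassTheCert. Answers "is the port open, does TLS come up, does
the DC accept StartTLS" before the client certificate is blamed.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
LDAP_PORT, LDAPS_PORT = 389, 636


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 < message_id < 0x80, "a single-byte messageID is enough for a probe"
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name
    body = b"\x02\x01" + bytes([message_id]) + ext_req
    return b"\x30" + ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf: bytes) -> dict:
    """Decode messageID, resultCode and diagnosticMessage of an ExtendedResponse."""
    tag, seq, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("missing INTEGER messageID")
    tag, op, _ = _read_tlv(seq, pos)
    if tag != 0x78:                        # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)        # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


# Constructed sample responses (not captured from a real DC): a success
# (resultCode 0) and a refusal (resultCode 1, operationsError, with a message).
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_STARTTLS_REFUSED = (bytes.fromhex("3022020101781d0a010104000416")
                           + b"StartTLS not supported")


def _tls_context() -> ssl.SSLContext:
    """Reachability probe only: certificate validation is off here on purpose,
    so a success says nothing about whether the DC certificate is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_ldaps(host: str, timeout: float = 5.0) -> str:
    """636: TCP connect, then an immediate TLS handshake."""
    try:
        with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw, \
                _tls_context().wrap_socket(raw, server_hostname=host) as tls:
            return f"ldaps ok: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as e:
        return f"ldaps: TCP ok, TLS handshake failed ({e.reason})"
    except (socket.timeout, TimeoutError):
        return "ldaps: connect timed out (filtered? compare with nmap -Pn)"
    except OSError as e:
        return f"ldaps: {e}"


def probe_starttls(host: str, timeout: float = 5.0) -> str:
    """389: plain TCP, StartTLS extended operation, then the TLS handshake."""
    try:
        with socket.create_connection((host, LDAP_PORT), timeout=timeout) as raw:
            raw.sendall(build_starttls_request())
            reply = parse_extended_response(raw.recv(4096))   # one small message
            if reply["result_code"] != 0:
                return f"starttls refused: resultCode={reply['result_code']} {reply['diagnostic']!r}"
            with _tls_context().wrap_socket(raw, server_hostname=host) as tls:
                return f"starttls ok: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as e:
        return f"starttls: accepted, TLS handshake failed ({e.reason})"
    except (socket.timeout, TimeoutError):
        return "starttls: connect timed out (filtered? compare with nmap -Pn)"
    except (OSError, ValueError) as e:
        return f"starttls: {e}"


if __name__ == "__main__":
    # Usage: python ldap_probe.py dc1.example.local dc2.example.local ...
    for dc in sys.argv[1:]:
        print(dc, "|", probe_ldaps(dc), "|", probe_starttls(dc))
```

Running it against every DC in the list, as the reporter did by hand, gives one line per host that separates "port filtered" (a timeout, the same thing that makes nmap need -Pn), "port open but TLS failed" and "StartTLS refused", which is usually enough to decide whether the fix is a different DC, --start-tls, or a genuine certificate problem.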

7MinSec commented 2 years ago

Thank you again @the-useless-one for the super fast help. The LDAPS did report as open.

This is a huge environment and I tried all the other DCs just for grins, and the last one worked! So I didn't end up trying start-tls but I'll make note of it.

I'll check my new (hopefully) super powers and report back on the certipy thread as to how things go...

the-useless-one commented 2 years ago

Hi @DeserranoJorden,

This is weird. Would you be able to provide a Wireshark capture? One for LDAPS and one for LDAP with StartTLS would be great.

Cheers,

Y