search

AlmondOffSec / PassTheCert

Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
Apache License 2.0
555 stars 71 forks source link

LDAP server not found #6

Closed DeserranoJorden closed 2 years ago

DeserranoJorden commented 2 years ago

Hi,

Following up on issue https://github.com/AlmondOffSec/PassTheCert/issues/2.

I'm currently having the same issue. I started troubleshooting the same way @braimee did here, starting all the way back from the Certipy thread. Likewise, I also received the Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type) error. And I'm currently stuck on the error shown below.

Unhandled Exception: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at PassTheCert.Program.GetSecurityDescriptor(LdapConnection connection, String target, String filter, String attribute, Boolean flag_control) in [PATH]\PassTheCert.cs:line 117
   at PassTheCert.Program.AclAttack(LdapConnection connection, String target, String filter, String attribute, AccessControlEntry[] new_aces, String restore_file, Boolean flag_control) in [PATH]\PassTheCert.cs:line 205
   at PassTheCert.Program.ElevateUserAttack(LdapConnection connection, String target, String sid, String restore_file) in [PATH]\PassTheCert.cs:line 228
   at PassTheCert.Program.Main(String[] args) in [PATH]\PassTheCert.cs:line 491

I've tried different DCs, all with port 389 and 636 fully open (as shown in nmap). The --start-tls also just throws a different error for me.

Unhandled Exception: System.DirectoryServices.Protocols.TlsOperationException: An unspecified operation error occurred.
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at PassTheCert.Program.Main(String[] args) in [PATH]\PassTheCert.cs:line 479

Any thoughts on why this error occurs?

My command looks like this:

.\PassTheCert.exe --cert-path admin.pfx --elevate --target DC=test,DC=local --sid [SID] --server [DC]
the-useless-one commented 2 years ago

So there's no StartTLS support? What about LDAPS, you mentioned that the 636 port is reported open in nmap?

DeserranoJorden commented 2 years ago

Thanks for the quick responses @the-useless-one. It was my own mistake and it worked on a different DC.

the-useless-one commented 2 years ago

Glad it worked!