CroweCybersecurity / ad-ldap-enum

An LDAP based Active Directory user and group enumeration tool
MIT License

Exploding large groups: ldap.FILTER_ERROR: {'desc': 'Bad search filter'} #14

Closed bill-e-ghote closed 6 years ago

bill-e-ghote commented 7 years ago

As seen just now, query was to my AD logon server. Any hints?

$ python ad-ldap-enum.py -l host-fqdn -d my-domain -u me -p my_pass
2017-07-05 15:00:55 INFO Querying users
2017-07-05 15:06:32 INFO Querying groups
2017-07-05 15:14:01 INFO Querying computers
2017-07-05 15:15:16 INFO Building users dictionary
2017-07-05 15:15:16 INFO Building groups dictionary
2017-07-05 15:15:16 INFO Building computers dictionary
2017-07-05 15:15:16 INFO Exploding large groups
Traceback (most recent call last):
  File "ad-ldap-enum.py", line 460, in <module>
    ldap_queries(ldap_client, base_dn, args.nested_groups)
  File "ad-ldap-enum.py", line 210, in ldap_queries
    groups_dictionary[group_key].members = get_membership_with_ranges(ldap_client, base_dn, group_key)
  File "ad-ldap-enum.py", line 387, in get_membership_with_ranges
    membership_results = query_ldap_with_paging(ldap_client, base_dn, membership_filter, ['distinguishedName'])
  File "ad-ldap-enum.py", line 356, in query_ldap_with_paging
    msgid = ldap_client.search_ext(base_dn, ldap.SCOPE_SUBTREE, search_filter, attributes, serverctrls=[ldap_control])
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 586, in search_ext
    timeout,sizelimit,
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}

bill-e-ghote commented 7 years ago

Executed the same another time, failed, but at a different place. Is this a connectivity issue (I'm doing it over a flaky VPN at the moment)?

$ python ad-ldap-enum.py -l host-fqdn -d my-domain -u me-p my_pass -v
2017-07-05 16:12:36 DEBUG Connecting to LDAP server at [ldap://nyp-vhqdc02-at.hq.nt.newyorklife.com:389]
2017-07-05 16:12:37 DEBUG Using BaseDN of [dc=hq,dc=nt,dc=newyorklife,dc=com]
2017-07-05 16:12:37 INFO Querying users
2017-07-05 16:17:19 INFO Querying groups
2017-07-05 16:23:59 INFO Querying computers
2017-07-05 16:25:13 INFO Building users dictionary
2017-07-05 16:25:13 INFO Building groups dictionary
2017-07-05 16:25:13 INFO Building computers dictionary
2017-07-05 16:25:13 INFO Exploding large groups
2017-07-05 16:25:13 DEBUG Getting full membership for [CN=SU_Workstations_ProdPhase2(redacted),OU=Sccm,OU=Security,OU=Groups,OU=CORP,DC=redacted,DC=redacted,DC=redacted,DC=com]
Traceback (most recent call last):
  File "ad-ldap-enum.py", line 460, in <module>
    ldap_queries(ldap_client, base_dn, args.nested_groups)
  File "ad-ldap-enum.py", line 210, in ldap_queries
    groups_dictionary[group_key].members = get_membership_with_ranges(ldap_client, base_dn, group_key)
  File "ad-ldap-enum.py", line 387, in get_membership_with_ranges
    membership_results = query_ldap_with_paging(ldap_client, base_dn, membership_filter, ['distinguishedName'])
  File "ad-ldap-enum.py", line 356, in query_ldap_with_paging
    msgid = ldap_client.search_ext(base_dn, ldap.SCOPE_SUBTREE, search_filter, attributes, serverctrls=[ldap_control])
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 586, in search_ext
    timeout,sizelimit,
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}

ebrinkster commented 7 years ago

I too am encountering this problem often when I run the tool against extremely large active directory environments.

I don't think that this is a connectivity issue. I have encountered this issue while on the same local network as a domain controller.

Seeking help as well.

@edepree seeking help

ebrinkster commented 7 years ago

Hi @edepree, have you encountered this error before?

edepree commented 7 years ago

I have not seen this issue before. Instead of -l host-fqdn could you try -l ip-address-of-dc? The main reason I ask is I do not believe I have targeted a server using a domain name for a host. I always use an IP address so I wanted to flush out that edge case.

edepree commented 7 years ago

One other item that I would be interested in knowing is what version of python-ldap do you have installed when getting this error?

ebrinkster commented 7 years ago

I get this error when using the IP address.

ebrinkster commented 7 years ago

Was using the latest version of the tool.

edepree commented 7 years ago

@bill-e-ghote, I have been able to recreate this error and I have a fix that I will push as part of a larger rewrite I am doing. The issue is that the script is not sanitizing search filters per RFC 4515, so the '(' and the ')' are breaking the search query. If you update the get_membership_with_ranges function to look like the following it should fix this.

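# Escape the group DN per RFC 4515 before placing it in the filter.
# The backslash is escaped first so the escapes added afterwards are not escaped again,
# and each backslash is doubled so Python does not read '\2' or '\5' as an octal escape.
sanatized_group_dn = group_dn.replace('\\', '\\5c').replace('(', '\\28').replace(')', '\\29').replace('*', '\\2a')
membership_filter = '(&(|(objectcategory=user)(objectcategory=group)(objectcategory=computer))(memberof={0}))'.format(sanatized_group_dn)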

Please give that a test and let me know if it helps in your situation.
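
Added example, not part of the original thread or the project's code: a single-pass RFC 4515 escaper for the memberof filter discussed above, with a round-trip check and a counter-example showing what happens when chained replacements handle the backslash last. The function names and the two sample DNs are constructed for illustration.

```python
import re

# RFC 4515 section 3: these characters must appear as \XX (two hex digits)
# inside an assertion value.
_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}

def escape_filter_value(value):
    """Escape in a single pass, so an escape sequence is never escaped again."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def chained_escape_backslash_last(value):
    """Counter-example: chained replace() calls with the backslash handled last."""
    for ch in ('(', ')', '*', '\\'):
        value = value.replace(ch, _ESCAPES[ch])
    return value

def unescape_filter_value(value):
    """Decode \\XX sequences, i.e. recover the value the server will compare."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)

def build_membership_filter(group_dn):
    # Filter shape taken from the thread; only the DN is escaped.
    return ('(&(|(objectcategory=user)(objectcategory=group)'
            '(objectcategory=computer))(memberof={0}))'
            ).format(escape_filter_value(group_dn))

# Constructed sample DNs (not from a real directory).
PAREN_DN = 'CN=SU_Workstations(Pilot),OU=Groups,DC=example,DC=com'
COMMA_DN = 'CN=Smith\\, Pat (Admin),OU=Groups,DC=example,DC=com'

if __name__ == '__main__':
    for dn in (PAREN_DN, COMMA_DN):
        print(build_membership_filter(dn))
        good = unescape_filter_value(escape_filter_value(dn)) == dn
        bad = unescape_filter_value(chained_escape_backslash_last(dn)) == dn
        print('single pass round-trips:', good)
        print('backslash-last round-trips:', bad)
```

python-ldap also ships `ldap.filter.escape_filter_chars` for the same purpose.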