Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

ldap-checker module fails on LDAP signing #274

Open tiyeuse opened 2 months ago

tiyeuse commented 2 months ago

Describe the bug

The ldap-checker module fails to determine if LDAP signing is enabled.

To Reproduce

Enable LDAP signing with the registry key:

PS C:\> reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v ldapserverintegrity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    ldapserverintegrity    REG_DWORD    0x2

Install nxc from the git repo:

# which nxc
# pipx install git+https://github.com/Pennyw0rth/NetExec
[...]
done! ✨ 🌟 ✨
# nxc --version
1.1.0 - nxc4u - 1f8a0ef

Check if signing is enabled:

# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB         192.168.57.5    445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS       192.168.57.5    636    DC01             [+] corp.local\bob 
LDAP-CHE... 192.168.57.5    389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5    389    DC01             [-] LDAPS Channel Binding is set to "Required"

Confirm that signing is enabled with LdapRelayScan or ntlmrelayx.py:

# python3 LdapRelayScan.py -m BOTH -dc-ip 192.168.57.5 -u bob -p pass
~Domain Controllers identified~
   DC01.CORP.LOCAL
~Checking DCs for LDAP NTLM relay protections~
   DC01.CORP.LOCAL
      [-] (LDAP)  server enforcing signing requirements
  ssl_sock = ssl.wrap_socket(s,
      [-] (LDAPS) channel binding set to "required", no fun allowed

# ntlmrelayx.py -t ldap://192.168.57.5 --no-dump --no-da
[...]
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /bla
[*] HTTPD(80): Client requested path: /bla
[*] HTTPD(80): Connection from 192.168.57.60 controlled, attacking target ldap://192.168.57.5
[*] HTTPD(80): Client requested path: /bla
[-] HTTPD(80): Exception in HTTP request handler: Server rejected authentication because LDAP signing is enabled. Try connecting with TLS enabled (specify target as ldaps://hostname )

Expected behavior

LDAP signing result should display "enforced".

NetExec info

mpgn commented 2 months ago

@zblurx can you check ? :)

zblurx commented 2 months ago

Cannot reproduce

(venv) $ nxc ldap 192.168.56.30 -u accueil -p accueil -M ldap-checker
SMB         192.168.56.30   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:testlab.local) (signing:True) (SMBv1:False)
LDAPS       192.168.56.30   636    DC01             [+] testlab.local\accueil:accueil
LDAP-CHE... 192.168.56.30   389    DC01             [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.56.30   389    DC01             LDAPS Channel Binding is set to "NEVER"
(venv) $ nxc --version
1.1.0 - nxc4u - 1f8a0ef4

@tiyeuse can you run ls -la ~/.local/pipx/venvs/netexec/lib/python3.10/site-packages/ | grep msldap ? My output is :

$ ls -la ~/.local/pipx/venvs/netexec/lib/python3.10/site-packages/ | grep msldap
drwxrwxr-x    - tse 23 avril 19:59 msldap
drwxrwxr-x    - tse 23 avril 19:59 msldap-0.5.10.dist-info

The module won't work if it's not msldap 0.5.10.
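
A sturdier form of the `ls ... | grep msldap` check, as an added example that is not part of the thread or of NetExec's code: it reads the installed package metadata under both pipx venv paths that appear in this thread, for any Python version, and compares it with the 0.5.10 named above. The function names and the fake venv helper are assumptions made for illustration.

```python
from importlib import metadata
from pathlib import Path

REQUIRED = {"msldap": "0.5.10"}  # version named in the thread
# Both pipx layouts that appear in the thread's `ls` commands.
PIPX_VENVS = [Path.home() / ".local/pipx/venvs/netexec",
              Path.home() / ".local/share/pipx/venvs/netexec"]


def installed_versions(site_packages, name):
    """Versions of `name` recorded by *.dist-info / *.egg-info metadata in one directory."""
    wanted = name.lower().replace("_", "-")
    return sorted(
        dist.version
        for dist in metadata.distributions(path=[str(site_packages)])
        if (dist.metadata["Name"] or "").lower().replace("_", "-") == wanted
    )


def audit(venv, required=REQUIRED):
    """Return a list of human-readable problems; an empty list means the pins are met."""
    dirs = sorted(Path(venv).glob("lib/python*/site-packages"))  # any interpreter version
    if not dirs:
        return [f"{venv}: no site-packages found"]
    problems = []
    for sp in dirs:
        for name, want in required.items():
            have = installed_versions(sp, name)
            if not have:
                problems.append(f"{sp}: {name} is not installed")
            elif have != [want]:
                problems.append(f"{sp}: {name} {'/'.join(have)} found, {want} required")
    return problems


def make_constructed_venv(root, python_dir, version):
    """Build a fake venv holding only msldap metadata (constructed sample, for the demo)."""
    info = Path(root) / "lib" / python_dir / "site-packages" / f"msldap-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: msldap\nVersion: {version}\n")
    return Path(root)


if __name__ == "__main__":
    for venv in PIPX_VENVS:
        if venv.is_dir():
            print(venv, audit(venv) or "msldap pin satisfied")
```

A clean result only shows the expected library version is installed; it does not by itself mean the module reports signing correctly.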

mpgn commented 2 months ago

It's failing with pipx since the poetry lock file was not updated when the version in the pyproject was changed. The pyproject needs to be updated

NeffIsBack commented 2 months ago

@mpgn very nice finding! It isn't even in the pyproject.toml lol. I will add it in #269

NeffIsBack commented 2 months ago

@tiyeuse can you try again with pipx install git+https://github.com/Pennyw0rth/NetExec@neff-dependencies --force?

tiyeuse commented 2 months ago

Ldap library version:

# ll /root/.local/bin/nxc
lrwxrwxrwx 1 root root 45 Apr 23 11:06 /root/.local/bin/nxc -> /root/.local/share/pipx/venvs/netexec/bin/nxc

# ls -la ~/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/ | grep msldap
drwxr-xr-x  11 root root    4096 Apr 23 11:06 msldap
drwxr-xr-x   2 root root    4096 Apr 23 11:06 msldap-0.5.10.dist-info

New reinstall from scratch:

# pipx uninstall netexec
uninstalled netexec! ✨ 🌟 ✨

# which nxc

# pipx install git+https://github.com/Pennyw0rth/NetExec@neff-dependencies --force
  installed package netexec 1.1.0+18c3fd0, installed using Python 3.11.8
  These apps are now globally available
    - NetExec
    - netexec
    - nxc
    - nxcdb
done! ✨ 🌟 ✨

# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB         192.168.57.5    445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS       192.168.57.5    636    DC01             [+] corp.local\bob
LDAP-CHE... 192.168.57.5    389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5    389    DC01             [-] LDAPS Channel Binding is set to "Required"

# python3 LdapRelayScan/LdapRelayScan.py -m BOTH -dc-ip 192.168.57.5 -u bob -p pass

~Domain Controllers identified~
   DC01.CORP.LOCAL
~Checking DCs for LDAP NTLM relay protections~
   DC01.CORP.LOCAL
      [-] (LDAP)  server enforcing signing requirements
      [-] (LDAPS) channel binding set to "required", no fun allowed

mpgn commented 2 months ago

Can you check without the flag -k @tiyeuse ? :) Can you check the flag -k @zblurx ? :)

tiyeuse commented 2 months ago

The code workflow stops if channel binding is enabled (no check on LDAP signing performed) without the Kerberos argument (it shouldn't imho):

# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker 
SMB         192.168.57.5    445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS       192.168.57.5    636    DC01             [-] corp.local\bob:pass 
LDAPS       192.168.57.5    636    DC01             [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.

If I disable channel binding:

zblurx commented 2 months ago

With the fix in https://github.com/skelsec/msldap/pull/47 :

$ nxc ldap 192.168.56.30 -u accueil -p accueil -M ldap-checker -k
SMB         192.168.56.30   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:testlab.local) (signing:True) (SMBv1:False)
LDAPS       192.168.56.30   636    DC01             [+] testlab.local\accueil
LDAP-CHE... 192.168.56.30   389    DC01             [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.56.30   389    DC01             [-] LDAPS Channel Binding is set to "Required"

NeffIsBack commented 2 months ago

Reopening as it is only fully fixed when https://github.com/skelsec/msldap/pull/47 is merged and a new version is released

samiam1086 commented 1 month ago

Having a similar issue: when I set Channel Binding to Required I get this (the password is correct). No combination of arguments will get it to work. [image]

mpgn commented 1 month ago

Can you run netexec --version ?

samiam1086 commented 1 month ago

Sorry I had it in the first photo but I removed that one because it was irrelevant.

1.1.0 - ItsAlwaysDNS - 6858958