Open tiyeuse opened 2 months ago
@zblurx can you check ? :)
Cannot reproduce
(venv) $ nxc ldap 192.168.56.30 -u accueil -p accueil -M ldap-checker
SMB 192.168.56.30 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:testlab.local) (signing:True) (SMBv1:False)
LDAPS 192.168.56.30 636 DC01 [+] testlab.local\accueil:accueil
LDAP-CHE... 192.168.56.30 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.56.30 389 DC01 LDAPS Channel Binding is set to "NEVER"
(venv) $ nxc --version
1.1.0 - nxc4u - 1f8a0ef4
@tiyeuse can you run ls -la ~/.local/pipx/venvs/netexec/lib/python3.10/site-packages/ | grep msldap ?
My output is :
$ ls -la ~/.local/pipx/venvs/netexec/lib/python3.10/site-packages/ | grep msldap
drwxrwxr-x - tse 23 avril 19:59 msldap
drwxrwxr-x - tse 23 avril 19:59 msldap-0.5.10.dist-info
The module won't work if it's not msldap 0.5.10.
It's failing with pipx since the poetry lock file was not updated when the version in the pyproject was changed. The pyproject needs to be updated
@mpgn very nice finding! It isn't even in the pyproject.toml lol. I will add it in #269
@tiyeuse can you try again with pipx install git+https://github.com/Pennyw0rth/NetExec@neff-dependencies --force ?
Ldap library version:
# ll /root/.local/bin/nxc
lrwxrwxrwx 1 root root 45 Apr 23 11:06 /root/.local/bin/nxc -> /root/.local/share/pipx/venvs/netexec/bin/nxc
# ls -la ~/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/ | grep msldap
drwxr-xr-x 11 root root 4096 Apr 23 11:06 msldap
drwxr-xr-x 2 root root 4096 Apr 23 11:06 msldap-0.5.10.dist-info
New reinstall from scratch:
# pipx uninstall netexec
uninstalled netexec! ✨ 🌟 ✨
# which nxc
# pipx install git+https://github.com/Pennyw0rth/NetExec@neff-dependencies --force
installed package netexec 1.1.0+18c3fd0, installed using Python 3.11.8
These apps are now globally available
- NetExec
- netexec
- nxc
- nxcdb
done! ✨ 🌟 ✨
# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob
LDAP-CHE... 192.168.57.5 389 DC01 LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAPS Channel Binding is set to "Required"
# python3 LdapRelayScan/LdapRelayScan.py -m BOTH -dc-ip 192.168.57.5 -u bob -p pass
~Domain Controllers identified~
DC01.CORP.LOCAL
~Checking DCs for LDAP NTLM relay protections~
DC01.CORP.LOCAL
[-] (LDAP) server enforcing signing requirements
[-] (LDAPS) channel binding set to "required", no fun allowed
can you check without the flag -k
@tiyeuse ? :)
can you check the flag -k
@zblurx ? :)
The code workflow stops if channel binding is enabled (no check on LDAP signing performed) without Kerberos argument (it shouldn't imho):
# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [-] corp.local\bob:pass
LDAPS 192.168.57.5 636 DC01 [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.
If I disable channel binding:
with Kerberos (assuming the IP address is replaced by the FQDN, I haven't checked the code)
└─# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker -k
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob
LDAP-CHE... 192.168.57.5 389 DC01 LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5 389 DC01 LDAPS Channel Binding is set to "NEVER"
without Kerberos
└─# nxc ldap 192.168.57.5 -u bob -p pass -d corp.local -M ldap-checker
SMB 192.168.57.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:True)
LDAPS 192.168.57.5 636 DC01 [+] corp.local\bob:pass
LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.57.5 389 DC01 LDAPS Channel Binding is set to "NEVER"
The code path with Kerberos seems to return false results.
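The disagreement between the two runs above (same DC, channel binding disabled, only -k differs) can be caught mechanically before trusting either verdict. This is an added example, not part of the original thread or of NetExec's code: parse_run and diff_runs are hypothetical helper names, and the sample lines are the ldap-checker lines copied from the two runs quoted above.

```python
import re
from collections import defaultdict

# Matches ldap-checker module lines such as:
#   LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAP Signing IS Enforced
# The [-]/[+]/[*] status marker is optional in the module's output.
LINE_RE = re.compile(
    r"^LDAP-CHE\S*\s+(?P<host>\S+)\s+\d+\s+\S+\s+(?:\[[-+*]\]\s+)?(?P<msg>.+)$"
)


def parse_run(output):
    """Return {host: {"signing": bool, "channel_binding": str}} for one run."""
    results = defaultdict(dict)
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # SMB/LDAPS banner lines and anything else are ignored
        host, msg = m["host"], m["msg"]
        if msg.startswith("LDAP Signing"):
            results[host]["signing"] = "NOT Enforced" not in msg
        cb = re.search(r'Channel Binding is set to "([^"]+)"', msg)
        if cb:
            results[host]["channel_binding"] = cb.group(1).upper()
    return dict(results)


def diff_runs(a, b):
    """List (host, setting, value_a, value_b) where two runs disagree."""
    mismatches = []
    for host in sorted(set(a) & set(b)):
        for key in sorted(set(a[host]) & set(b[host])):
            if a[host][key] != b[host][key]:
                mismatches.append((host, key, a[host][key], b[host][key]))
    return mismatches


# ldap-checker lines copied from the thread (channel binding disabled on the DC).
WITH_KERBEROS = """\
LDAP-CHE... 192.168.57.5 389 DC01 LDAP Signing NOT Enforced!
LDAP-CHE... 192.168.57.5 389 DC01 LDAPS Channel Binding is set to "NEVER"
"""
WITHOUT_KERBEROS = """\
LDAP-CHE... 192.168.57.5 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.57.5 389 DC01 LDAPS Channel Binding is set to "NEVER"
"""

if __name__ == "__main__":
    for m in diff_runs(parse_run(WITH_KERBEROS), parse_run(WITHOUT_KERBEROS)):
        print("%s: %s differs: with -k=%r, without -k=%r" % m)
```

Any mismatch on the same host means at least one code path is reporting a wrong value, so the result should be confirmed with a second tool, as the thread does with LdapRelayScan.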
With the fix in https://github.com/skelsec/msldap/pull/47 :
$ nxc ldap 192.168.56.30 -u accueil -p accueil -M ldap-checker -k
SMB 192.168.56.30 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:testlab.local) (signing:True) (SMBv1:False)
LDAPS 192.168.56.30 636 DC01 [+] testlab.local\accueil
LDAP-CHE... 192.168.56.30 389 DC01 [-] LDAP Signing IS Enforced
LDAP-CHE... 192.168.56.30 389 DC01 [-] LDAPS Channel Binding is set to "Required"
Reopening as it is only fully fixed when https://github.com/skelsec/msldap/pull/47 is merged and a new version is released
Having a similar issue: when I set Channel Binding to Required I get this (the password is correct). No combination of arguments will get it to work.
Can you run netexec --version ?
Sorry I had it in the first photo but I removed that one because it was irrelevant.
1.1.0 - ItsAlwaysDNS - 6858958
Describe the bug
The ldap-checker module fails to determine if LDAP signing is enabled.
To Reproduce
Enable LDAP signing with the registry key:
Install nxc from the git repo:
Check if signing is enabled:
Confirm that signing is enabled with LdapRelayScan or ntlmrelayx.py:
Expected behavior
LDAP signing result should display "enforced".
NetExec info