byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

TypeError: 'bool' object is not subscriptable | LDAP connection error #542

Closed 0xArt3mis closed 2 years ago

0xArt3mis commented 2 years ago

Steps to reproduce

When I try to connect to the LDAP service using CME version 5.2.3 I get the following error.

This was not a problem with 5.1.7dev, since LDAP bind is working fine with version 5.1.7dev.

Command string used

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -d domain -p password --kdcHost IP

CME verbose output (using the --verbose flag)

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -d domain -p password --kdcHost IP
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
DEBUG Running
DEBUG Started thread poller
DEBUG Error creating SMBv1 connection to hostname.domain.com: Error while reading from remote
DEBUG Error creating SMBv1 connection to hostname.domain.com: Error while reading from remote
SMB         hostname.domain.com 445    HOSTNAME      [*] Windows 6.3 Build 9600 x64 (name:hostname) (domain:domain) (signing:False) (SMBv1:False)
DEBUG Connecting to $IP, port 389, SSL False
DEBUG Search Filter=(userAccountControl:1.2.840.113556.1.4.803:=8192)
SMB         hostname.domain.com 445    HOSTNAME      [-] Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'KDC-IP-Address'
DEBUG Stopped thread poller
Traceback (most recent call last):
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/bin/crackmapexec", line 8, in <module>
    sys.exit(main())
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/crackmapexec.py", line 254, in main
    asyncio.run(
  File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(*jobs)
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
    return await fut
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/protocols/ldap.py", line 53, in __init__
    connection.__init__(self, args, db, host)
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/connection.py", line 62, in __init__
    self.proto_flow()
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/connection.py", line 98, in proto_flow
    if self.login() or (self.username == '' and self.password == ''):
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/connection.py", line 275, in login
    if self.plaintext_login(self.domain, user, password): return True
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/protocols/ldap.py", line 236, in plaintext_login
    self.check_if_admin()
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/protocols/ldap.py", line 435, in check_if_admin
    for attribute in resp[0][1]:
TypeError: 'bool' object is not subscriptable

CME Version (cme --version)

Version : 5.2.3 Codename: The Dark Knight

OS

Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64 GNU/Linux

Target OS

Windows 6.3 Build 9600 x64

mpgn commented 2 years ago

Hello,

If the SMB port is accessible, go for:

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password

If not accessible:

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password -kdcHost DOMAIN.COM

0xArt3mis commented 2 years ago

Okay, so if I connect with

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password -kdcHost DOMAIN.COM

it works. But if I connect with the following:

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password -kdcHost DC-IP

it does not work. I remember this was working already; was this changed?

Also if I execute

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password -kdcHost DOMAIN.COM -M ldap-signing

there is also an error raised.

  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/protocols/ldap.py", line 236, in plaintext_login
    self.check_if_admin()
  File "/root/.cache/pypoetry/virtualenvs/crackmapexec-p1eIvB8p-py3.9/lib/python3.9/site-packages/cme/protocols/ldap.py", line 435, in check_if_admin
    for attribute in resp[0][1]:
TypeError: 'bool' object is not subscriptable

Why does it even connect to SMB when I want LDAP? Is this because of the local admin check? Can this be disabled?

It looks like the SMB connection is not closed before LDAP tries to connect. On the target I get the following:

wsarecv: An existing connection was forcibly closed by the remote host.

Could it be that it sends the LDAP query over SMB?

SMB         hostname.domain.com 445    HOSTNAME      [-] Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'KDC-IP-Address'

I was using revsocks for testing.

mpgn commented 2 years ago

Hello,

If this command is working

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password -kdcHost DOMAIN.COM

there is no particular reason for

proxychains crackmapexec ldap HOSTNAME.DOMAIN.COM -u username -p password -kdcHost DOMAIN.COM -M ldap-signing

to fail.


But indeed I made a mistake about SMB; I need to update the code so it is not used if you add the option no-smb, which is important when using a SOCKS proxy.
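
The failure mode in the traceback above, as an added example that is not CME's code and not part of the thread: a search that fails with an AD referral hands back a bool, and indexing it as resp[0][1] raises the TypeError. The helper names, the False return value and the (dn, attributes-dict) entry shape are assumptions made for illustration.

```python
import re

# Constructed sample: the error text shown in this issue's verbose output.
SAMPLE_ERROR = (
    "Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310082F, "
    "data 0, 1 access points\n\tref 1: 'KDC-IP-Address'"
)

REFERRAL_RE = re.compile(r"referral:\s*([0-9A-Fa-f]{8}):\s*RefErr")
REF_TARGET_RE = re.compile(r"ref\s+\d+:\s*'([^']*)'")


def parse_referral(message):
    """Return (code, [referral targets]) for an AD referral error, else None.

    0x202B is the Win32 code ERROR_DS_REFERRAL.
    """
    m = REFERRAL_RE.search(message)
    if not m:
        return None
    return int(m.group(1), 16), REF_TARGET_RE.findall(message)


def hypothetical_search(fail):
    """Hypothetical stand-in for a search helper that returns False on error."""
    if fail:
        return False
    # Constructed entry; the (dn, attributes) shape is an assumption.
    return [("CN=user,DC=domain,DC=com", {"memberOf": ["CN=Domain Admins"]})]


def unguarded_attributes(resp):
    """The pattern from the traceback: fails when resp is a bool."""
    return resp[0][1]


def first_entry_attributes(resp):
    """Guarded form: an empty dict when the search failed or returned nothing."""
    if not isinstance(resp, (list, tuple)) or not resp:
        return {}
    entry = resp[0]
    if not isinstance(entry, (list, tuple)) or len(entry) < 2:
        return {}
    return entry[1] if isinstance(entry[1], dict) else {}
```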