dirkjanm / krbrelayx

Kerberos unconstrained delegation abuse toolkit
MIT License

Error with dnstool.py remove #16

Closed 4ndr3w6 closed 2 years ago

4ndr3w6 commented 3 years ago

Hi @dirkjanm,

Per our conversation...I am creating this issue. FYI, I first ran ldapdelete, which seemed to work perfectly:

[+] Bind OK
[-] Modifying record
[+] LDAP operation completed successfully

After I ran ldapdelete, I used remove and I got this error:

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Target has only one record, tombstoning it
Traceback (most recent call last):
  File "dnstool.py", line 536, in <module>
    main()
  File "dnstool.py", line 516, in main
    'dNSTombstoned': [(MODIFY_REPLACE, True)]})
  File "/usr/local/lib/python3.6/dist-packages/ldap3/core/connection.py", line 1140, in modify
    request = modify_operation(dn, changelist, self.auto_encode, self.server.schema if self.server else None, validator=self.server.custom_validator if self.server else None, check_names=self.check_names)
  File "/usr/local/lib/python3.6/dist-packages/ldap3/operation/modify.py", line 70, in modify_operation
    partial_attribute['vals'].setComponentByPosition(index, prepare_for_sending(validate_attribute_value(schema, attribute, value, auto_encode, validator, check_names=check_names)))
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/univ.py", line 1920, in setComponentByPosition
    value = componentType.clone(value=value)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/base.py", line 376, in clone
    return self.__class__(value, **initializers)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/univ.py", line 837, in __init__
    base.SimpleAsn1Type.__init__(self, value, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/base.py", line 267, in __init__
    value = self.prettyIn(value)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/univ.py", line 912, in prettyIn
    return bytes(value)
  File "/usr/local/lib/python3.6/dist-packages/impacket/structure.py", line 166, in __getitem__
    return self.fields[key]
KeyError: 0

Hopefully, I cleaned up my A record in the right order :). Thanks again for your help!

ShutdownRepo commented 3 years ago

Hey there, I'm digging this issue, I have also encountered it today. I was able to create, query and modify records but was unable to clean up after. It seems the ldapdelete action isn't doing anything. And I had the same errors when trying to remove the records. Could anyone take a look at this? I'll try to find a fix on my side but I think the authors will be far more efficient than I would be on this :sweat_smile:

ShutdownRepo commented 3 years ago

Further tests showed that using python instead of python3 could help. It may have been dependency issues on my end.

dirkjanm commented 3 years ago

it's likely related to a combination of ldap3 / pyasn1 version since the errors are all occurring there

i128 commented 3 years ago

Can confirm this works without issue when using python2.7 (impacket/ldap)

dirkjanm commented 2 years ago

Did some further digging and it turned out the issue was actually with the script and it more or less by chance worked in python 2. This is fixed now. I've also actually implemented the ldapdelete operation (which was previously missing).
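
Added example (not from this thread and not the krbrelayx code): the traceback in the first post ends with pyasn1 calling `bytes(value)` on a structure object whose `__getitem__` looks up named fields, which raises `KeyError: 0` under Python 3. The sketch below reproduces that failure with a constructed stand-in class and shows serializing the value to bytes before it reaches the LDAP layer; `RecordStruct`, its field layout, `naive_encode`, `safe_encode` and `failure_of` are assumptions made for the demo.

```python
import socket
import struct


class RecordStruct:
    """Constructed stand-in for a field-based record object (hypothetical)."""

    def __init__(self, rtype, ttl, address):
        self.fields = {"Type": rtype, "TtlSeconds": ttl, "Address": address}

    def __getitem__(self, key):
        # Named-field lookup only: integer index 0 raises KeyError, not IndexError.
        return self.fields[key]

    def getData(self):
        # Constructed wire layout for the demo, not the real dnsRecord format.
        header = struct.pack("<HI", self["Type"], self["TtlSeconds"])
        return header + socket.inet_aton(self["Address"])


def naive_encode(value):
    # What the last library frame in the traceback does with the attribute value.
    # Python 3: no __bytes__ and no buffer, so bytes() iterates the object via
    # __getitem__(0), __getitem__(1), ... Python 2: bytes is str, so this would
    # call __str__ instead and never index the object.
    return bytes(value)


def safe_encode(value):
    # Serialize explicitly so the LDAP layer only ever sees raw bytes.
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    if hasattr(value, "getData"):
        return value.getData()
    raise TypeError("unsupported attribute value: %r" % type(value))


def failure_of(func, value):
    # Return the exception raised by func(value) as "Name: arg", or None.
    try:
        func(value)
    except Exception as exc:
        return "%s: %s" % (type(exc).__name__, exc)
    return None


if __name__ == "__main__":
    rec = RecordStruct(1, 180, "192.0.2.10")  # constructed sample record
    print(failure_of(naive_encode, rec))
    print(safe_encode(rec).hex())
```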

bwhack16 commented 2 years ago

Hello, I just wanted to follow up and see if anybody has confirmed that this functionality is now working, I ran the below and received the following back "SPN Modified successfully":

python3 addspn.py -u 'DOMAIN\unconstrainedhost$' -p 'REDACTED:REDACTED' -s HOST/attacker.DOMAIN.NET --remove domaincontroller

I see that when querying the host the msDs-AdditionalDNS for attacker.DOMAIN.NET is no longer present; however the ATTACKER$ record is still there.

dirkjanm commented 2 years ago

this thread is about the dns tool, not the SPN tool. You may need to repeat your command for the ATTACKER$ SPN to remove the netbios name which got added automatically.