fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Create ldap filter with parenthesis #975

Closed ThePirateWhoSmellsOfSunflowers closed 1 year ago

ThePirateWhoSmellsOfSunflowers commented 3 years ago

According to the code, you need to follow the RFC4515 to build the LDAP filter. However the following code returns an empty response:

# tested with impacket version fe642b24be7aa870251df8a650ba1ac3bb8ef7e4, my group name is literally "(groupe)"

from impacket.ldap import ldap, ldapasn1

# Connect to the DC and bind with a plaintext password (no LM/NT hashes given).
ldap_connection = ldap.LDAPConnection('ldap://172.16.0.1', 'dc=domain,dc=org', '172.16.0.1')
ldap_connection.login('admin', 'Password123', 'domain', '', '')

# An empty attribute list asks the server for all attributes.
attributes = list()
paged_search_control = ldapasn1.SimplePagedResultsControl(criticality=True, size=10)

# Parentheses inside the assertion value are escaped as \28 and \29 per RFC 4515.
search_filter = '(&(objectCategory=group)(name=\\28groupe\\29))'
search_results = ldap_connection.search(searchFilter=search_filter, searchControls=[paged_search_control], attributes=attributes)

Using search_filter = '(&(objectCategory=group)(name=(groupe)))' just raises an impacket.ldap.ldap.LDAPFilterSyntaxError exception, as expected.

The same LDAP filter works with ldapsearch

$ ldapsearch -H ldap://172.16.0.1 -x -W -D "admin@domain.org" -b "dc=domain,dc=org" "(&(objectCategory=group)(name=\28groupe\29))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=org> with scope subtree
# filter: (&(objectCategory=group)(name=\28groupe\29))
# requesting: ALL
#

# (groupe), Users, domain.org
dn: CN=(groupe),CN=Users,DC=domain,DC=org
objectClass: top
objectClass: group
cn: (groupe)
member: CN=User One,CN=Users,DC=domain,DC=org
[...]

Am I missing something, or is it a bug?

:sunflower:

ThePirateWhoSmellsOfSunflowers commented 3 years ago

In Wireshark, I can see that impacket sends the string (&(objectCategory=group)(name=\28groupe\29)) and ldapsearch sends (&(objectCategory=group)(name=(groupe))) to the DC.

Is it possible that you have to escape the parentheses for the (ASN.1) parsing but you need to replace the escaped sequence by the "real" character within the ASN.1 struct?

:sunflower:
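The two posts above describe the same mechanism from two sides: the RFC 4515 filter string is a text encoding in which `(`, `)`, `*`, `\` and NUL inside a value are written as a backslash plus two hex digits, while the SearchRequest on the wire carries the assertion value as raw octets, so a client has to decode those escapes before filling in the ASN.1 structure. The following is an added, stand-alone illustration of that round trip in plain Python; it is not impacket's code, and the function names (`escape_filter_value`, `unescape_filter_value`, `parse_equality_match`, `build_group_filter`) are hypothetical. It shows that `\28groupe\29` decodes to the bytes `(groupe)` that ldapsearch sends, and that an unescaped `(groupe)` in the filter text is a syntax error, which is the behaviour the reporter observed.

```python
"""Added illustration of RFC 4515 assertion-value escaping (not impacket code)."""
import re

# Octets that RFC 4515 section 3 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {0x28, 0x29, 0x2A, 0x5C, 0x00}   # ( ) * \ NUL

# Simplified RFC 4512 AttributeDescription: a descriptor or a numeric OID, with options.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Encode a raw value for use inside a filter string (the text form)."""
    out = []
    for b in value.encode("utf-8"):
        # Non-printable and non-ASCII octets may also be written as \XX; doing so is always valid.
        if b in _MUST_ESCAPE or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_filter_value(text: str) -> bytes:
    """Decode the filter-string form of a value into the octets that belong in the
    AttributeValueAssertion of the SearchRequest. Raises ValueError on malformed input."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            hexpair = text[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpair):
                raise ValueError("backslash must be followed by two hex digits: %r" % text)
            out.append(int(hexpair, 16))
            i += 3
            continue
        if ch in "()*\x00":
            # A bare special character means the value was never escaped (a bare '*' would
            # make this a substring filter, which this equality-only parser does not accept).
            raise ValueError("unescaped %r in assertion value: %r" % (ch, text))
        out.extend(ch.encode("utf-8"))
        i += 1
    return bytes(out)


def parse_equality_match(filter_str: str) -> tuple:
    """Parse one '(attr=value)' equality filter into (attribute, raw_value_bytes): the two
    pieces a client places into the equalityMatch choice of the SearchRequest filter."""
    if len(filter_str) < 2 or filter_str[0] != "(" or filter_str[-1] != ")":
        raise ValueError("filter must be enclosed in parentheses: %r" % filter_str)
    body = filter_str[1:-1]
    attr, sep, escaped_value = body.partition("=")
    if not sep or not _ATTR_RE.match(attr):
        raise ValueError("not a simple equality match: %r" % filter_str)
    return attr, unescape_filter_value(escaped_value)


def build_group_filter(group_name: str) -> str:
    """Build the group-by-name filter from the report with the name escaped correctly."""
    return "(&(objectCategory=group)(name=%s))" % escape_filter_value(group_name)


if __name__ == "__main__":
    # Constructed example: the group name from the report, literally "(groupe)".
    text_form = build_group_filter("(groupe)")
    print("filter string sent as text :", text_form)
    attr, raw = parse_equality_match(r"(name=\28groupe\29)")
    print("assertion value on the wire:", attr, raw)
```

Sending the text form `\28groupe\29` as the assertion value, rather than the decoded bytes, makes the server compare the attribute against the wrong octets and return nothing, which matches the empty result in the first post.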

0xdeaddood commented 3 years ago

Hi @ThePirateWhoSmellsOfSunflowers!

We were able to reproduce the issue. I did some test queries with more special characters (such as /, *) and it seems we are not following the RFC. Currently, we are targeting a new release in the next few days, so we will not address it for this version. We are going to work on this issue after the release.

alexisbalbachan commented 1 year ago

This issue was fixed at https://github.com/fortra/impacket/pull/1549