franc-pentest / ldeep

In-depth ldap enumeration utility
MIT License
424 stars 46 forks source link

SSL/TLS error with create_computer module #49

Closed noraj closed 5 months ago

noraj commented 7 months ago

Using create_computer module I get this error:

Can't create computer, TLS needed: wrap socket error: [Errno 104] Connection reset by peer

TLS needed: wrap socket error: [Errno 104] Connection reset by peer error seems to come from ldap3. Most possibly because the SSL/TLS version is too old and have been disabled in newer openssl version.

➜ openssl --version                          
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)

nmap scripts shows me the server accept old SSL v2

| sslv2:                                                                                                                                                                                                             
|   SSLv2 supported                                                                                                                                                                                                  
|   ciphers:                                                                                                                                                                                                         
|     SSL2_RC4_128_WITH_MD5                                                                                                                                                                                          
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5

It seems the solution is to provide a custom openssl configuration https://takraw-s.medium.com/fix-errors-socket-ssl-wrapping-error-errno-104-connection-reset-by-peer-9c63c551cd7.

What I don't understand, is that I was successfully able to use other modules without TLS errors. So there is maybe somethign else.

BastienFaure commented 5 months ago

That is a very unique situation, and we can't really have a package that interacts with people system configuration. I could envision a solution where we embed a custom TLS implementation that supports SSL2 but that will likely impact performance there might be side effects. Unless you are willing to step into that and offer a generous PR, I will close the issue :)

noraj commented 5 months ago

Have you an idea why other commands were working and just this one complained about TLS issues? I mean, it was always the same LDAP server.

BastienFaure commented 5 months ago

My wild guess is that the commands you used worked just fine using LDAP, but certain LDAP queries have to be done over TLS.

I suppose the commands that worked did work because TLS wasn't required. And suddenly one command requires TLS and thus cause the program to crash due to the incompatibilities in the TLS stack.