search

p0dalirius / LDAPmonitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
https://podalirius.net/
GNU General Public License v3.0
825 stars 69 forks source link

[bug] Support for "LDAP Signing" and "Channel Binding"? #5

Open corsch opened 2 years ago

corsch commented 2 years ago

This is a great tool, but unfortunately is is not working if the DC enforces "LDAP Signing" and "Channel Binding".

[+]======================================================
[+]    LDAP live monitor v1.1        @podalirius_
[+]======================================================

[>] Trying to connect to <DC IP> ...
Traceback (most recent call last):
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 513, in <module>
    raise e
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 478, in <module>
    ldap_server, ldap_session = init_ldap_session(
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 213, in init_ldap_session
    return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 193, in init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
    raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
p0dalirius commented 2 years ago

In order to solve this problem, I recreated a test environment:

Test environment

Setting registry keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to the following values:

Source: https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a

We now have the following values:

image

Open ports on the target DC:

Nmap scan report for 192.168.2.1
Host is up (0.00033s latency).
Not shown: 65510 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-04 22:32:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: LAB.local0., Site: Paris)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: LAB.local0., Site: Paris)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:88:B4:2F (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 568.72 seconds

Bug

./ldapmonitor.py -d LAB.local -u Administrator -p 'Admin123!' --dc-ip 192.168.2.1
[+]======================================================
[+]    LDAP live monitor v1.3        @podalirius_        
[+]======================================================

[>] Trying to connect to 192.168.2.1 ...
Traceback (most recent call last):
  File "/data/./ldapmonitor.py", line 532, in <module>
    raise e
  File "/data/./ldapmonitor.py", line 501, in <module>
    ldap_server, ldap_session = init_ldap_session(
  File "/data/./ldapmonitor.py", line 217, in init_ldap_session
    return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
  File "/data/./ldapmonitor.py", line 197, in init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 356, in __init__
    self._do_auto_bind()
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 405, in _do_auto_bind
    raise LDAPBindError(error)
[trace.pcapng.zip](https://github.com/p0dalirius/LDAPmonitor/files/7810613/trace.pcapng.zip)

ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired

Wireshark trace

During this bug, a Wireshark capture of the traffic was made from the domain controller:

image

p0dalirius commented 2 years ago

The problem seems to come from the required LDAP signing (in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters):

Property Value LDAPmonitor can connect?
LDAPServerIntegrity 1 (None) Yes :heavy_check_mark:
LDAPServerIntegrity 2 (Require Signing) Nope :x:

image

And LDAPmonitor works fine with LDAPServerIntegrity set to 1 (None) which does not require signing:

image

LightxR commented 1 month ago

This issue could be solved by using ldap3 dev branch (nice PR for ldap signing and channel binding) or waiting the merge on the main branch. I tested it out by modifying sectools librairy, see : https://github.com/p0dalirius/sectools/pull/10