Open corsch opened 2 years ago
In order to solve this problem, I recreated a test environment:
Setting registry keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
to the following values:
LDAPServerIntegrity
: 2 (Require Signing)LdapEnforceChannelBinding
: 2 (Always)We now have the following values:
Open ports on the target DC:
Nmap scan report for 192.168.2.1
Host is up (0.00033s latency).
Not shown: 65510 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-04 22:32:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: LAB.local0., Site: Paris)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: LAB.local0., Site: Paris)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:88:B4:2F (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 568.72 seconds
./ldapmonitor.py -d LAB.local -u Administrator -p 'Admin123!' --dc-ip 192.168.2.1
[+]======================================================
[+] LDAP live monitor v1.3 @podalirius_
[+]======================================================
[>] Trying to connect to 192.168.2.1 ...
Traceback (most recent call last):
File "/data/./ldapmonitor.py", line 532, in <module>
raise e
File "/data/./ldapmonitor.py", line 501, in <module>
ldap_server, ldap_session = init_ldap_session(
File "/data/./ldapmonitor.py", line 217, in init_ldap_session
return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
File "/data/./ldapmonitor.py", line 197, in init_ldap_connection
ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 356, in __init__
self._do_auto_bind()
File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 405, in _do_auto_bind
raise LDAPBindError(error)
[trace.pcapng.zip](https://github.com/p0dalirius/LDAPmonitor/files/7810613/trace.pcapng.zip)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
During this bug, a Wireshark capture of the traffic was made from the domain controller:
The problem seems to come from the required LDAP signing (in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
):
Property | Value | LDAPmonitor can connect? |
---|---|---|
LDAPServerIntegrity |
1 (None) | Yes :heavy_check_mark: |
LDAPServerIntegrity |
2 (Require Signing) | Nope :x: |
And LDAPmonitor works fine with LDAPServerIntegrity
set to 1 (None) which does not require signing:
This issue could be solved by using ldap3 dev branch (nice PR for ldap signing and channel binding) or waiting the merge on the main branch. I tested it out by modifying sectools librairy, see : https://github.com/p0dalirius/sectools/pull/10
This is a great tool, but unfortunately is is not working if the DC enforces "LDAP Signing" and "Channel Binding".