LdapRelayScan - Check for LDAP protections regarding the relay of NTLM authentication

Overview

LDAP Relay Scan

A tool to check Domain Controllers for LDAP server protections regarding the relay of NTLM authentication. If you're interested in the specifics of the error-based enumeration, see below. For details regarding what can be done when you identify a lack of LDAP protections, see the references section.

Summary

There are a couple of server-side protections that matter when NTLM authentication is relayed to LDAP on Domain Controllers. The LDAP protections this tool attempts to enumerate are:

The enforcement of channel binding for LDAP over SSL/TLS can be determined from an unauthenticated perspective. This is because the error raised when an LDAP client fails to supply a correct channel binding token occurs before credentials are validated during the LDAP bind process.

However, to determine whether the server-side protection of standard LDAP is enforced (server signing integrity requirements), the client's credentials must first be validated during the LDAP bind. The error that identifies the enforcement of this protection is therefore only observed from an authenticated perspective.

TL;DR - LDAPS can be checked unauthenticated, but checking LDAP requires authentication.

Usage

Note: DNS needs to resolve properly. If you are routing through SOCKS or running on a non-domain-joined host, ensure this is working.

The tool has two methods: LDAPS (the default) and BOTH. LDAPS only requires a domain controller IP address, because this check can be performed unauthenticated. The BOTH method requires a username and either a password or an NT hash. The Active Directory domain is not required; it is determined via an anonymous LDAP bind.

Examples

Note: Tested using python3.9 on client-side, targeting unpatched Windows Server 2016 and up-to-date Windows Server 2022

python3.9 LdapRelayScan.py -method LDAPS -dc-ip 10.0.0.20
python3.9 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1
python3.9 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 -p badpassword2
python3.9 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 -nthash e6ee750a1feb2c7ee50d46819a6e4d25

Error-Based Enumeration Specifics

[LDAPS] Channel Binding Token Requirements

The capability to enforce LDAPS channel binding has existed on Domain Controllers patched for CVE-2017-8563. The specific policy is called Domain Controller: LDAP server channel binding token requirements and can be set to Never, When supported, or Always. Channel binding is not required by default (at the time of writing).

Decrypting and monitoring LDAP over SSL/TLS traffic on a Domain Controller allowed for the identification of a difference in bind errors when channel binding is enforced versus when it is not. When attempting a bind to LDAP over SSL/TLS using invalid credentials, you will receive the expected resultCode 49, and the error message contents will contain data 52e. However, when channel binding is enforced and the LDAP client does not calculate and include the Channel Binding Token (CBT), the resultCode will still be 49, but the error message contents will contain data 80090346, meaning SEC_E_BAD_BINDINGS, i.e. the client's Security Support Provider Interface (SSPI) channel bindings were incorrect.

Note: Mentions of the data 80090346 error during LDAP over SSL/TLS binding [1] [2] [3] [4] [5]

[LDAP] Server Signing Requirements

On a Domain Controller, the policy called Domain Controller: LDAP server signing requirements is set to None, Require signing, or is simply not defined. When not defined, it defaults to not requiring signing (at the time of writing). The error that identifies this protection as enforced is a resultCode of 8 (strongerAuthRequired) in response to a Sicily NTLM or simple bind attempt. This will only occur if the credentials supplied during the LDAP bind are validated.
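The two classifications described in the LDAPS and LDAP sections above, written out as an added example (not LdapRelayScan's own code) together with a small ldap3 driver for running them against a DC you administer. It assumes ldap3 is installed, that ldap3's NTLM bind computes no channel binding token unless configured to, and that the throwaway NTLM credentials and the DC IP are placeholders you supply; any other data code (such as the data 775 seen in one of the issues below) is reported as inconclusive rather than guessed.

```python
import re
import ssl

# README indicators: "data 52e" = invalidCredentials after a credential check,
# "data 80090346" = SEC_E_BAD_BINDINGS (no/wrong CBT), resultCode 8 = strongerAuthRequired.
CBT_BAD_BINDINGS = "80090346"
BAD_CREDENTIALS = "52e"
DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)")


def classify_ldaps_bind(result: dict) -> str:
    """Interpret an LDAPS NTLM bind made with deliberately wrong credentials.
    The CBT error is raised before credentials are validated, so no valid
    account is needed; 'result' is an ldap3 Connection.result-style dict."""
    match = DATA_RE.search(result.get("message") or "")
    data = match.group(1).lower() if match else ""
    if result.get("result") == 49 and data == CBT_BAD_BINDINGS:
        return "channel_binding_enforced"
    if result.get("result") == 49 and data == BAD_CREDENTIALS:
        return "channel_binding_not_enforced"
    return "inconclusive"  # e.g. data 775 (locked account): do not guess


def classify_ldap_bind(result: dict) -> str:
    """Interpret a plaintext LDAP (389) bind made with VALID credentials."""
    code = result.get("result")
    if code == 8:    # strongerAuthRequired: server signing is required
        return "signing_required"
    if code == 0:    # bound without signing: protection not enforced
        return "signing_not_required"
    if code == 49:   # credentials not validated, so nothing was proven
        return "credentials_not_validated"
    return "inconclusive"


def check_dc(dc_ip: str, user: str = "", password: str = "") -> dict:
    """Run both checks against one DC you administer (needs network + ldap3)."""
    # Assumption: ldap3's NTLM bind sends no CBT unless explicitly configured,
    # which is exactly the client behaviour the LDAPS check relies on.
    from ldap3 import NTLM, SIMPLE, Connection, Server, Tls
    findings = {}
    tls = Tls(validate=ssl.CERT_NONE)  # only the bind error matters here
    ldaps = Server(dc_ip, port=636, use_ssl=True, tls=tls, connect_timeout=5)
    conn = Connection(ldaps, user="NOTADOMAIN\\nobody", password="wrong",
                      authentication=NTLM, raise_exceptions=False)
    conn.bind()
    findings["ldaps_channel_binding"] = classify_ldaps_bind(conn.result)
    if user:  # signing check needs credentials the DC will validate
        ldap = Server(dc_ip, port=389, use_ssl=False, connect_timeout=5)
        conn = Connection(ldap, user=user, password=password,
                          authentication=SIMPLE, raise_exceptions=False)
        conn.bind()
        findings["ldap_signing"] = classify_ldap_bind(conn.result)
    return findings
```

For the signing check pass the account as DOMAIN\user or a UPN so the DC validates it; a code 49 there means the check was not answered, not that signing is off.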

References

A few invaluable resources for contextualization of this material and how it fits into common attack scenarios.

Comments
  • Deprecation Warning `ssl.wrap_socket()`

    On Python 3.10.4 I get the following deprecation warning when running the tool.

    LdapRelayScan.py:121: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()
    
    opened by exploide 7
  • Major changes of msldap 0.4.0

    Changes to msldap break imports in LdapRelayScan.

    For example, importing MSLDAPURLDecoder, MSLDAPClientConnection from msldap.commons.url is not possible since 0.4.0.

    Please update requirements.txt with the exact versions of the libraries (for all dependencies).

    opened by fabelx 4
  • String Concatenation Error

    I am trying to perform an anonymous check against an actual company production domain. I redacted it all here, but tried to be consistent. With or without sudo permissions it failed. No other tools are running in the background. I can try Python 3.10 if needed. My machine is fully up-to-date in apt and has been restarted since updating just in case.

    I would expect the LDAP check would fail and try the next DC until all have been checked while handling the errors appropriately.

    Separate issue, but I noticed that identified in ~Domain Controllers identifed~ is spelled incorrectly. Also noticed the password help command talks about the username -p password Domain username value. Quick fixes not worth their own issue.

    Let me know if you need more information.

    ┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
    └─$ python './LdapRelayScan.py' -dc-ip 10.10.10.10 -method LDAPS
    
    ~Domain Controllers identifed~
      dc1.domain.tld
      dc2.domain.tld
      dc3.domain.tld
      dc4.domain.tld
      dc5.domain.tld
    
    ~Checking DCs for LDAP NTLM relay protections~
       dc1.domain.tld
    UNEXPECTED ERROR: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906C6, comment: AcceptSecurityContext error, data 775, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
    something went wrong during ldaps_withEPA bind:can only concatenate str (not "LDAPBindException") to str
    
    Something went wrong...
    For troubleshooting:
    ldapsChannelBindingAlwaysCheck - None
    ldapsChannelBindingWhenSupportedCheck: None
    
    ┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
    └─$ lsb_release -a
    No LSB modules are available.
    Distributor ID: Kali
    Description:    Kali GNU/Linux Rolling
    Release:        2022.1
    Codename:       kali-rolling
    
    ┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
    └─$ sudo proxychains pip install -r requirements.txt
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.2.0)
    Requirement already satisfied: ldap3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.8.1)
    Requirement already satisfied: msldap in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.3.30)
    Requirement already satisfied: minikerberos>=0.2.14 in /usr/lib/python3/dist-packages (from msldap->-r requirements.txt (line 3)) (0.2.14)
    Requirement already satisfied: asysocks>=0.0.11 in /usr/lib/python3/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (0.1.2)
    Requirement already satisfied: oscrypto>=1.2.1 in /usr/local/lib/python3.9/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.3.0)
    Requirement already satisfied: asn1crypto>=1.5.1 in /usr/local/lib/python3.9/dist-packages (from oscrypto>=1.2.1->minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.5.1)
    WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
    
    ┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
    └─$ python -V
    Python 3.9.11
    
    ┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
    └─$ sudo nmap -Pn -sU -p 53 10.10.10.10 --open
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 10:10 CDT
    Nmap scan report for dc1.domain.tld (10.10.10.10)
    Host is up (0.1111s latency).
    
    PORT   STATE SERVICE
    53/udp open  domain
    
    Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
    
    opened by Zamanry 3
  • Exception not well handled when timeout

    If connection fails, the script crashes.

    Traceback (most recent call last):
      File "/root/LdapRelayScan/LdapRelayScan.py", line 230, in <module>
        if DoesLdapsCompleteHandshake(dc) == True:
      File "/root/LdapRelayScan/LdapRelayScan.py", line 124, in DoesLdapsCompleteHandshake
        ssl_sock.connect((dcIp, 636))
      File "/usr/lib/python3.9/ssl.py", line 1342, in connect
        self._real_connect(addr, False)
      File "/usr/lib/python3.9/ssl.py", line 1329, in _real_connect
        super().connect(addr)
    socket.timeout: timed out

    opened by k4nfr3 3
  • Specify DNS, hardcode DC, error handling, ssl update.

    • Added ability to specify DNS server separate from DC
    • Added ability to hardcode a DC
    • Added a bunch of try/except logic to nail down errors more easily
    • Moved from ssl.wrap_socket to the supported SSL context creation feature (https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)
    opened by arthurianred 1
  • Connection reset by peer

    Hi, I wanted to try this in my lab to exploit RBCD webclient (https://www.bussink.net/rbcd-webclient-attack/). But trying this tool against the DC gives the following error. The DC is running AD Directory Services, DNS and DHCP. DNS is configured on my kali machine.

    ┌──(user㉿pentest)-[/opt/LdapRelayScan]
    └─$ python3 LdapRelayScan.py -dc-ip 10.0.0.3 -u labuser -p 'Password01' -method BOTH
    
    ~Domain Controllers identifed~
       dc01.lab.local
    
    ~Checking DCs for LDAP NTLM relay protections~
       dc01.lab.local
          [+] (LDAP) SERVER SIGNING REQUIREMENTS NOT ENFORCED! 
    Traceback (most recent call last):
      File "/opt/LdapRelayScan/LdapRelayScan.py", line 95, in DoesLdapsCompleteHandshake
        ssl_sock.do_handshake()
      File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
        self._sslobj.do_handshake()
    ConnectionResetError: [Errno 104] Connection reset by peer
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/opt/LdapRelayScan/LdapRelayScan.py", line 198, in <module>
        if DoesLdapsCompleteHandshake(dc) == True:
      File "/opt/LdapRelayScan/LdapRelayScan.py", line 106, in DoesLdapsCompleteHandshake
        print("Unexpected error during LDAPS handshake: " + e)
    TypeError: can only concatenate str (not "ConnectionResetError") to str
    
    opened by 0xJs 0
  • LDAP Relay Scan

    Cannot import name "MSLDAPClientConnection' from 'msldap.commons.url'

    I did pip3 install msldap but it still can't import the dependency. Running on kali with python3.9.7-1

    opened by 0xJs 0
  • ssl.wrap_socket deprecation fix

    Minimum necessary code to migrate for ISSUE #9 - ssl.wrap_socket() is deprecated.

    This just implements the SSLContext.wrap_socket function as recommended in the Python spec:

    Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() instead of wrap_socket(). The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.

    (Source: https://docs.python.org/3/library/ssl.html)

    Example of the deprecation warning:

    (venv) PS C:\Users\taborlin\Desktop\LdapRelayScan-main> python .\LdapRelayScan.py -dc-ip 10.0.0.10 -u "taborlin" -p "password lol"
    
    ~Domain Controllers identified~
       university.temerant.local
    
    ~Checking DCs for LDAP NTLM relay protections~
       university.temerant.local
    C:\Users\taborlin\Desktop\LdapRelayScan-main\LdapRelayScan.py:123: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()
      ssl_sock = ssl.wrap_socket(s,
          [+] (LDAPS) CHANNEL BINDING SET TO "NEVER"! PARTY TIME!
    
    opened by arthurianred 1
  • Converted to CLI utility

    Converted the tool for use as a CLI utility to prevent having to deal with Python "dependency hell."

    To test, install using pipx:

    pipx install git+https://github.com/puzzlepeaches/LdapRelayScan.git@packaged
    

    The tool can then be called with either lrs or ldaprelayscan on the command line.

    Once merged with the master you will need to:

    • Update the README and pyproject.toml
    • Publish the utility to PyPi potentially if wanted.

    Please let me know if you have any questions or if I can help out with testing.

    opened by puzzlepeaches 0