On Python 3.10.4 I get the following deprecation warning when running the tool.

LdapRelayScan.py:121: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()

Changes to msldap break imports in LdapRelayScan.

For example, importing MSLDAPURLDecoder, MSLDAPClientConnection from msldap.commons.url is not possible since 0.4.0.

Please update requirements.txt with the exact versions of the libraries (for all dependencies).

I am trying to perform an anonymous check against an actual company production domain. I redacted it all here, but tried to be consistent. With out without sudo permissions failed. No other tools are running in the background. I can try Python 3.10 if needed. My machine is fully up-to-date in apt and has been restarted since updating just in case.

I would expect the LDAP check would fail and try the next DC until all have been checked while handling the errors appropriately.

Separate issue, but I noticed that identified in ~Domain Controllers identifed~ is spelled incorrectly. Also noticed the password help command talks about the username -p password Domain username value. Quick fixes not worth their own issue.

Let me know if you need more information.

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ python './LdapRelayScan.py' -dc-ip 10.10.10.10 -method LDAPS

~Domain Controllers identifed~
  dc1.domain.tld
  dc2.domain.tld
  dc3.domain.tld
  dc4.domain.tld
  dc5.domain.tld

~Checking DCs for LDAP NTLM relay protections~
   dc1.domain.tld
UNEXPECTED ERROR: {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0906C6, comment: AcceptSecurityContext error, data 775, v3839\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
something went wrong during ldaps_withEPA bind:can only concatenate str (not "LDAPBindException") to str

Something went wrong...
For troubleshooting:
ldapsChannelBindingAlwaysCheck - None
ldapsChannelBindingWhenSupportedCheck: None

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2022.1
Codename:       kali-rolling

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ sudo proxychains pip install -r requirements.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.2.0)
Requirement already satisfied: ldap3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.8.1)
Requirement already satisfied: msldap in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.3.30)
Requirement already satisfied: minikerberos>=0.2.14 in /usr/lib/python3/dist-packages (from msldap->-r requirements.txt (line 3)) (0.2.14)
Requirement already satisfied: asysocks>=0.0.11 in /usr/lib/python3/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (0.1.2)
Requirement already satisfied: oscrypto>=1.2.1 in /usr/local/lib/python3.9/dist-packages (from minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.3.0)
Requirement already satisfied: asn1crypto>=1.5.1 in /usr/local/lib/python3.9/dist-packages (from oscrypto>=1.2.1->minikerberos>=0.2.14->msldap->-r requirements.txt (line 3)) (1.5.1)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ python -V
Python 3.9.11

┌──(kali㉿workstation)-[~/Tools/LdapRelayScan]
└─$ sudo nmap -Pn -sU -p 53 10.10.10.10 --open                                                                                                                                                                        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 10:10 CDT
Nmap scan report for dc1.domain.tld (10.10.10.10)
Host is up (0.1111s latency).

PORT   STATE SERVICE
53/udp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

If connection fails, the script crashes.

Traceback (most recent call last): File "/root/LdapRelayScan/LdapRelayScan.py", line 230, in if DoesLdapsCompleteHandshake(dc) == True: File "/root/LdapRelayScan/LdapRelayScan.py", line 124, in DoesLdapsCompleteHandshake ssl_sock.connect((dcIp, 636)) File "/usr/lib/python3.9/ssl.py", line 1342, in connect self._real_connect(addr, False) File "/usr/lib/python3.9/ssl.py", line 1329, in _real_connect super().connect(addr) socket.timeout: timed out

• Added ability to specify DNS server separate from DC
• Added ability to hardcode a DC
• Added a bunch of try/except logic to nail down errors more easily
• Moved from ssl.wrap_socket to the supported SSL context creation feature (https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)

Hi, I wanted to try this in my lab to exploit RBCD webclient (https://www.bussink.net/rbcd-webclient-attack/). But trying this tool against the dc gives the following error. The DC Is running AD Directory services, DNS and DHCP. DNS is configured on my kali machine.

┌──(user㉿pentest)-[/opt/LdapRelayScan]
└─$ python3 LdapRelayScan.py -dc-ip 10.0.0.3 -u labuser -p 'Password01' -method BOTH                                                                                                                                                                              1 ⨯

~Domain Controllers identifed~
   dc01.lab.local

~Checking DCs for LDAP NTLM relay protections~
   dc01.lab.local
      [+] (LDAP) SERVER SIGNING REQUIREMENTS NOT ENFORCED! 
Traceback (most recent call last):
  File "/opt/LdapRelayScan/LdapRelayScan.py", line 95, in DoesLdapsCompleteHandshake
    ssl_sock.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/LdapRelayScan/LdapRelayScan.py", line 198, in <module>
    if DoesLdapsCompleteHandshake(dc) == True:
  File "/opt/LdapRelayScan/LdapRelayScan.py", line 106, in DoesLdapsCompleteHandshake
    print("Unexpected error during LDAPS handshake: " + e)
TypeError: can only concatenate str (not "ConnectionResetError") to str

Cannot import name "MSLDAPClientConnection' from 'msldap.commons.url'

I did pip3 install msldap but it still can't import the dependancy. Running on kali with python3.9.7-1

Minimum necessary code to migrate for ISSUE #9 - ssl.wrap_socket() is deprecated.

This just implements the SSLContext.wrap_socket function as recommended in the Python spec:

Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() instead of wrap_socket(). The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.

(Source: https://docs.python.org/3/library/ssl.html)

Example of the deprecation warning:

(venv) PS C:\Users\taborlin\Desktop\LdapRelayScan-main> python .\LdapRelayScan.py -dc-ip 10.0.0.10 -u "taborlin" -p "password lol"

~Domain Controllers identified~
   university.temerant.local

~Checking DCs for LDAP NTLM relay protections~
   university.temerant.local
C:\Users\taborlin\Desktop\LdapRelayScan-main\LdapRelayScan.py:123: DeprecationWarning: ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()
  ssl_sock = ssl.wrap_socket(s,
      [+] (LDAPS) CHANNEL BINDING SET TO "NEVER"! PARTY TIME!

Converted the tool for use as a CLI utility to prevent having to deal with Python "dependency hell."

To test, install using pipx:

pipx install git+https://github.com/puzzlepeaches/LdapRelayScan.git@packaged

The tool can then be called with either lrs or ldaprelayscan on the command line.

Once merged with the master you will need to:

• Update the README and pyproject.toml
• Publish the utility to PyPi potentially if wanted.

Please let me know if you have any questions or if I can help out with testing.