fix ldap connection

2023-05-25 04:00:22 -04:00 · 2023-05-25 04:00:22 -04:00 · 4f46a19631
parent 95bd9bca54
commit 4f46a19631
2 changed files with 25 additions and 17 deletions
--- a/cme/modules/ldap-checker.py
+++ b/cme/modules/ldap-checker.py
@ -42,6 +42,9 @@ class CMEModule:
        async def run_ldaps_noEPA(target, credential):
            ldapsClientConn = MSLDAPClientConnection(target, credential)
            _, err = await ldapsClientConn.connect()
+            if err is not None:
+                context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err))
+                exit()
            _, err = await ldapsClientConn.bind()
            if "data 80090346" in str(err):
                return True  # channel binding IS enforced
@ -63,6 +66,7 @@ class CMEModule:
            _, err = await ldapsClientConn.connect()
            if err is not None:
                context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err))
+                exit()
            # forcing a miscalculation of the "Channel Bindings" av pair in Type 3 NTLM message
            ldapsClientConn.cb_data = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            _, err = await ldapsClientConn.bind()
@ -115,14 +119,17 @@ class CMEModule:
        async def run_ldap(target, credential):
            ldapsClientConn = MSLDAPClientConnection(target, credential)
            _, err = await ldapsClientConn.connect()
-            _, err = await ldapsClientConn.bind()
-            if "stronger" in str(err):
-                return True  # because LDAP server signing requirements ARE enforced
-            elif ("data 52e" or "data 532") in str(err):
-                context.log.fail("Not connected... exiting")
-                exit()
-            elif err is None:
-                return False
+            if err is None:
+                _, err = await ldapsClientConn.bind()
+                if "stronger" in str(err):
+                    return True  # because LDAP server signing requirements ARE enforced
+                elif ("data 52e" or "data 532") in str(err):
+                    context.log.fail("Not connected... exiting")
+                    exit()
+                elif err is None:
+                    return False
+            else:
+                context.log.fail(str(err))

        # Run trough all our code blocks to determine LDAP signing and channel binding settings.   
        stype = asyauthSecret.PASS if not connection.nthash else asyauthSecret.NT
--- a/cme/protocols/ldap.py
+++ b/cme/protocols/ldap.py
@ -51,6 +51,7 @@ ldap_error_status = {
    "773": "STATUS_PASSWORD_MUST_CHANGE",
    "775": "USER_ACCOUNT_LOCKED",
    "50": "LDAP_INSUFFICIENT_ACCESS",
+    "0": "LDAP Signing IS Enforced",
    "KDC_ERR_CLIENT_REVOKED": "KDC_ERR_CLIENT_REVOKED",
    "KDC_ERR_PREAUTH_FAILED": "KDC_ERR_PREAUTH_FAILED",
 }
@ -561,13 +562,6 @@ class ldap(connection):
                        add_user_bh(self.username, self.domain, self.logger, self.config)
                    if not self.args.continue_on_success:
                        return True
-                except ldap_impacket.LDAPSessionError as e:
-                    error_code = str(e).split()[-2][:-1]
-                    self.logger.fail(
-                        f"{self.domain}\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
-                        color="magenta" if error_code in ldap_error_status else "red",
-                    )
-                    return False
                except SessionError as e:
                    error, desc = e.getErrorString()
                    self.logger.fail(
@ -575,6 +569,13 @@ class ldap(connection):
                        color="magenta" if error in ldap_error_status else "red",
                    )
                    return False
+                except:
+                    error_code = str(e).split()[-2][:-1]
+                    self.logger.fail(
+                        f"{self.domain}\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
+                        color="magenta" if error_code in ldap_error_status else "red",
+                    )
+                    return False
            else:
                error_code = str(e).split()[-2][:-1]
                self.logger.fail(
@ -621,7 +622,7 @@ class ldap(connection):
                # We need to try SSL
                try:
                    # Connect to LDAPS
-                    ldaps_url = f"{proto}://{self.target}"
+                    ldaps_url = f"ldaps://{self.target}"
                    self.logger.info(f"Connecting to {ldaps_url} - {self.baseDN} [4]")
                    self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
                    self.ldapConnection.login(
@ -643,7 +644,7 @@ class ldap(connection):
                        add_user_bh(self.username, self.domain, self.logger, self.config)
                    if not self.args.continue_on_success:
                        return True
-                except ldap_impacket.LDAPSessionError as e:
+                except:
                    error_code = str(e).split()[-2][:-1]
                    self.logger.fail(
                        f"{self.domain}\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",