From 4f46a196311681f662517fee066a01a026a6949d Mon Sep 17 00:00:00 2001
From: mpgn
Date: Thu, 25 May 2023 04:00:22 -0400
Subject: [PATCH] fix ldap connection
---
 cme/modules/ldap-checker.py | 23 +++++++++++++++--------
 cme/protocols/ldap.py | 19 ++++++++++---------
 2 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/cme/modules/ldap-checker.py b/cme/modules/ldap-checker.py
index 6f6cd901..98ea6597 100644
--- a/cme/modules/ldap-checker.py
+++ b/cme/modules/ldap-checker.py
@@ -42,6 +42,9 @@ class CMEModule:
 async def run_ldaps_noEPA(target, credential):
 ldapsClientConn = MSLDAPClientConnection(target, credential)
 _, err = await ldapsClientConn.connect()
+ if err is not None:
+ context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err))
+ exit()
 _, err = await ldapsClientConn.bind()
 if "data 80090346" in str(err):
 return True # channel binding IS enforced
@@ -63,6 +66,7 @@ class CMEModule:
 _, err = await ldapsClientConn.connect()
 if err is not None:
 context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err))
+ exit()
 # forcing a miscalculation of the "Channel Bindings" av pair in Type 3 NTLM message
 ldapsClientConn.cb_data = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 _, err = await ldapsClientConn.bind()
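Review bot: The new connect-failure guard in run_ldaps_noEPA ends with `exit()`, which raises SystemExit from inside an `async def` coroutine and so tears down the whole CME run, not just this one check, and the freshly created MSLDAPClientConnection is never closed on that path. The callers of run_ldaps_noEPA lie outside this hunk, but since the function otherwise communicates through a returned bool, a less drastic shape is to log and `return None` (or raise a module-specific exception the caller turns into one failed result) so that a single unreachable DC does not abort a multi-target run. If aborting really is intended, the log message should say so explicitly. run_ldaps_noEPA continues past the end of the hunk.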
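Review bot: The `exit()` added after the connect-error log is the interactive `site` helper rather than `sys.exit`, and it is called with no status, so a run that could not even reach LDAPS terminates with exit code 0 and looks like success to any wrapper script or CI job; `sys.exit(1)` would make the failure observable, and `exit` itself is not available under `python -S`. This is the second copy of the same "ERROR while connecting to ..." guard in this file (see the hunk above), so the log-and-abort step could be factored into one small helper instead of being duplicated with slightly different behaviour. The enclosing function starts before this hunk.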
@@ -115,14 +119,17 @@ class CMEModule:
 async def run_ldap(target, credential):
 ldapsClientConn = MSLDAPClientConnection(target, credential)
 _, err = await ldapsClientConn.connect()
- _, err = await ldapsClientConn.bind()
- if "stronger" in str(err):
- return True # because LDAP server signing requirements ARE enforced
- elif ("data 52e" or "data 532") in str(err):
- context.log.fail("Not connected... exiting")
- exit()
- elif err is None:
- return False
+ if err is None:
+ _, err = await ldapsClientConn.bind()
+ if "stronger" in str(err):
+ return True # because LDAP server signing requirements ARE enforced
+ elif ("data 52e" or "data 532") in str(err):
+ context.log.fail("Not connected... exiting")
+ exit()
+ elif err is None:
+ return False
+ else:
+ context.log.fail(str(err))
 # Run trough all our code blocks to determine LDAP signing and channel binding settings.
 stype = asyauthSecret.PASS if not connection.nthash else asyauthSecret.NT
diff --git a/cme/protocols/ldap.py b/cme/protocols/ldap.py
index 8cc7bd0b..0a7fb9a2 100644
--- a/cme/protocols/ldap.py
+++ b/cme/protocols/ldap.py
@@ -51,6 +51,7 @@ ldap_error_status = {
 "773": "STATUS_PASSWORD_MUST_CHANGE",
 "775": "USER_ACCOUNT_LOCKED",
 "50": "LDAP_INSUFFICIENT_ACCESS",
+ "0": "LDAP Signing IS Enforced",
 "KDC_ERR_CLIENT_REVOKED": "KDC_ERR_CLIENT_REVOKED",
 "KDC_ERR_PREAUTH_FAILED": "KDC_ERR_PREAUTH_FAILED",
 }
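Review bot: `elif ("data 52e" or "data 532") in str(err):` in the re-indented run_ldap body never tests for `data 532`: the parenthesised `or` evaluates to the string `"data 52e"`, so a bind rejected with the 532 sub-code (AD's password-expired case, if I read the codes right) now falls into the new `else` branch instead of the intended "Not connected" path; write `elif any(code in str(err) for code in ("data 52e", "data 532")):`. The new `if err is None:` wrapper also has no `else`, so a failed connect() logs nothing and the coroutine returns None, which the callers outside this hunk presumably treat like False, i.e. "signing not enforced"; add `else: context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err))` to match the guards this same patch adds to run_ldaps_noEPA. The trailing `else: context.log.fail(str(err))` likewise returns None for an unrecognised bind error rather than a distinct outcome.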
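Review bot: The new entry `"0": "LDAP Signing IS Enforced"` in ldap_error_status needs a comment explaining where that key comes from: LDAP resultCode 0 is `success` (RFC 4511), and elsewhere in ldap.py the key is derived with `str(e).split()[-2][:-1]`, so any exception whose message happens to yield the token `0` at that position will be reported as a signing-enforcement finding. Document the exact message this is meant to match, e.g. `# "0": token parsed from the exception impacket raises on bind when the DC requires signing -- TODO confirm the message format this relies on`. Note that ldap-checker.py in this same patch detects the same condition with `"stronger" in str(err)`, so matching on the `strongerAuthRequired` text would be a less fragile key than a bare `0`.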
@@ -561,13 +562,6 @@ class ldap(connection):
 add_user_bh(self.username, self.domain, self.logger, self.config)
 if not self.args.continue_on_success:
 return True
- except ldap_impacket.LDAPSessionError as e:
- error_code = str(e).split()[-2][:-1]
- self.logger.fail(
- f"{self.domain}\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
- color="magenta" if error_code in ldap_error_status else "red",
- )
- return False
 except SessionError as e:
 error, desc = e.getErrorString()
 self.logger.fail(
@@ -575,6 +569,13 @@ class ldap(connection):
 color="magenta" if error in ldap_error_status else "red",
 )
 return False
+ except:
+ error_code = str(e).split()[-2][:-1]
+ self.logger.fail(
+ f"{self.domain}\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
+ color="magenta" if error_code in ldap_error_status else "red",
+ )
+ return False
 else:
 error_code = str(e).split()[-2][:-1]
 self.logger.fail(
@@ -621,7 +622,7 @@ class ldap(connection):
 # We need to try SSL
 try:
 # Connect to LDAPS
- ldaps_url = f"{proto}://{self.target}"
+ ldaps_url = f"ldaps://{self.target}"
 self.logger.info(f"Connecting to {ldaps_url} - {self.baseDN} [4]")
 self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
 self.ldapConnection.login(
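Review bot: The bare `except:` added in the second hunk (`@@ -575,6 +569,13 @@`) has no `as e`, yet the next line reads `str(e)`, so whenever this handler fires it dies with UnboundLocalError (the name `e` is a function local bound only by the `except SessionError as e:` clause above and is deleted when that clause exits) and the original LDAP error is lost. A bare clause also catches `KeyboardInterrupt` and `SystemExit`, so a Ctrl-C during a bind would be reported as a login failure; use `except Exception as e:` at minimum, or keep the `ldap_impacket.LDAPSessionError as e:` clause the first hunk removes and put the broader handler after it. Since `str(e).split()[-2][:-1]` assumes impacket's message layout, a generic exception with a one-word message will additionally raise IndexError here. The enclosing method starts before and ends after these hunks.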
@@ -643,7 +644,7 @@ class ldap(connection):
 add_user_bh(self.username, self.domain, self.logger, self.config)
 if not self.args.continue_on_success:
 return True
- except ldap_impacket.LDAPSessionError as e:
+ except:
 error_code = str(e).split()[-2][:-1]
 self.logger.fail(
 f"{self.domain}\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
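Review bot: Replacing `except ldap_impacket.LDAPSessionError as e:` with a bare `except:` leaves `e` unbound on the very next context line, `error_code = str(e).split()[-2][:-1]`, so the LDAPS login handler now fails with UnboundLocalError instead of reporting the login error it caught; keep the binding with `except Exception as e:`. The bare clause also intercepts `KeyboardInterrupt`/`SystemExit`, and for any exception whose text does not follow impacket's "... (code) ..." layout the `split()[-2][:-1]` slice raises IndexError before anything is logged, so the broadened handler is less robust than the narrow one it replaces. The enclosing try/except begins and ends outside this hunk.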