Fix issue #732
parent
ce1293b12c
commit
60a7d8bdc0
|
@ -4,8 +4,13 @@
|
|||
import ldap3
|
||||
import ssl
|
||||
import asyncio
|
||||
|
||||
from msldap.connection import MSLDAPClientConnection
|
||||
from msldap.commons.factory import LDAPConnectionFactory
|
||||
from msldap.commons.target import MSLDAPTarget
|
||||
|
||||
from asyauth.common.constants import asyauthProtocol, asyauthSecret
|
||||
from asyauth.common.credentials.ntlm import NTLMCredential
|
||||
from asyauth.common.credentials.kerberos import KerberosCredential
|
||||
|
||||
class CMEModule:
|
||||
'''
|
||||
|
@ -17,7 +22,7 @@ class CMEModule:
|
|||
name = 'ldap-checker'
|
||||
description = 'Checks whether LDAP signing and binding are required and / or enforced'
|
||||
supported_protocols = ['ldap']
|
||||
opsec_safe= True
|
||||
opsec_safe = True
|
||||
multiple_hosts = True
|
||||
|
||||
def options(self, context, module_options):
|
||||
|
@ -68,11 +73,11 @@ class CMEModule:
|
|||
#if it's set to "when supported" based on the potential
|
||||
#error recieved from the bind attempt.
|
||||
async def run_ldaps_withEPA(inputUser, inputPassword, dcTarget):
|
||||
try:
|
||||
url = 'ldaps+ntlm-password://'+inputUser + ':' + inputPassword +'@' + dcTarget
|
||||
conn_url = LDAPConnectionFactory.from_url(url)
|
||||
ldaps_client = conn_url.get_client()
|
||||
ldapsClientConn = MSLDAPClientConnection(ldaps_client.target, ldaps_client.creds)
|
||||
target = MSLDAPTarget(ip=connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)
|
||||
stype = asyauthSecret.PASS if not connection.nthash else asyauthSecret.NT
|
||||
secret = connection.password if not connection.nthash else connection.nthash
|
||||
credential = NTLMCredential(secret=secret, username=connection.username, domain=connection.domain, stype=stype)
|
||||
ldapsClientConn = MSLDAPClientConnection(target, credential)
|
||||
_, err = await ldapsClientConn.connect()
|
||||
if err is not None:
|
||||
context.log.error("ERROR while connecting to " + dcTarget + ": " + err)
|
||||
|
@ -87,8 +92,7 @@ class CMEModule:
|
|||
context.log.error("ERROR while connecting to " + dcTarget + ": " + err)
|
||||
elif err is None:
|
||||
return False
|
||||
except Exception as e:
|
||||
context.log.error("something went wrong during ldaps_withEPA bind:" + str(e))
|
||||
|
||||
|
||||
#Domain Controllers do not have a certificate setup for
|
||||
#LDAPS on port 636 by default. If this has not been setup,
|
||||
|
@ -142,7 +146,6 @@ class CMEModule:
|
|||
exit()
|
||||
|
||||
#Run trough all our code blocks to determine LDAP signing and channel binding settings.
|
||||
try:
|
||||
|
||||
ldapIsProtected = run_ldap(inputUser, inputPassword, dcTarget)
|
||||
|
||||
|
@ -164,5 +167,3 @@ class CMEModule:
|
|||
exit()
|
||||
else:
|
||||
context.log.error(dcTarget + " - cannot complete TLS handshake, cert likely not configured")
|
||||
except Exception as e:
|
||||
context.log.error("ERROR: " + str(e))
|
Loading…
Reference in New Issue