Merge pull request #495 from @qtc-de

Add ldap-signing module
2021-11-24 20:35:36 +01:00 · 2021-11-24 20:35:36 +01:00 · f2ce260666
parent 79bcdfe84a 577372e233
commit f2ce260666
1 changed files with 46 additions and 0 deletions
--- a/cme/modules/ldap-signing.py
+++ b/cme/modules/ldap-signing.py
@ -0,0 +1,46 @@
+from impacket.ldap import ldap
+
+class CMEModule:
+    '''
+    Checks whether LDAP signing is required.
+
+    Module by Tobias Neitzel (@qtc_de)
+    '''
+    name = 'ldap-signing'
+    description = 'Check whether LDAP signing is required'
+    supported_protocols = ['ldap']
+    opsec_safe= True
+    multiple_hosts = True 
+
+    def options(self, context, module_options):
+        '''
+        No options available.
+        '''
+        pass
+
+    def on_login(self, context, connection):
+        '''
+        Perform a second logon attempt without LDAP signing.
+        '''
+        domain = connection.domain
+        username = connection.username
+        password = connection.password
+        ldap_host = connection.conn.getRemoteHost()
+
+        try:
+            connection = ldap.LDAPConnection('ldap://{}'.format(ldap_host))
+            connection.login(username, password, domain, '', '')
+            context.log.highlight('LDAP signing is NOT enforced on {}'.format(ldap_host)) 
+
+        except ldap.LDAPSessionError as e:
+
+            error_msg = str(e)
+
+            if 'strongerAuthRequired' in error_msg:
+                context.log.info('LDAP signing is enforced on {}'.format(ldap_host)) 
+
+            else:
+                context.log.error("Unexpected LDAP error: '{}'".format(error_msg))
+
+        except Exception as e:
+            context.log.error("Unexpected LDAP error: '{}'".format(str(e)))