Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for LDAP and LDAPS in ntlmrelayx SOCKS #74

Closed
wants to merge 7 commits into from
Closed
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Use real NTLM Challenge message during LDAP socks relay
b1two committed Oct 26, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit 6c5f97d5b3f5035126ed0a258a9cf68a8b0e85e6
1 change: 1 addition & 0 deletions impacket/examples/ntlmrelayx/clients/ldaprelayclient.py
Original file line number Diff line number Diff line change
@@ -99,6 +99,7 @@ def sendNegotiate(self, negotiateMessage):
if result['result'] == RESULT_SUCCESS:
challenge = NTLMAuthChallenge()
challenge.fromString(result['server_creds'])
self.sessionData['CHALLENGE_MESSAGE'] = challenge
return challenge
else:
raise LDAPRelayClientException('Server did not offer NTLM authentication!')
50 changes: 7 additions & 43 deletions impacket/examples/ntlmrelayx/servers/socksplugins/ldap.py
Original file line number Diff line number Diff line change
@@ -13,6 +13,7 @@
from impacket.examples.ntlmrelayx.servers.socksserver import SocksRelay
from impacket.ldap.ldap import LDAPSessionError
from impacket.ldap.ldapasn1 import KNOWN_NOTIFICATIONS, LDAPDN, NOTIFICATION_DISCONNECT, BindRequest, BindResponse, LDAPMessage, LDAPString, ResultCode
from impacket.ntlm import NTLMSSP_NEGOTIATE_SIGN, NTLMSSP_NEGOTIATE_SEAL

PLUGIN_CLASS = 'LDAPSocksRelay'

@@ -64,52 +65,15 @@ def skipAuthentication(self):

LOG.debug('Got NTLM bind request')

# Building the NTLM negotiate message
# It is taken from the smbserver example
# Load negotiate message
negotiateMessage = ntlm.NTLMAuthNegotiate()
negotiateMessage.fromString(msg_component['authentication']['sicilyNegotiate'].asOctets())

# Let's build the answer flags
ansFlags = 0

if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_56:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_56
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_128:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_128
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
ansFlags |= ntlm.NTLMSSP_NEGOTIATE_UNICODE
if negotiateMessage['flags'] & ntlm.NTLM_NEGOTIATE_OEM:
ansFlags |= ntlm.NTLM_NEGOTIATE_OEM

ansFlags |= ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_REQUEST_TARGET

# Generating the AV_PAIRS
# Using dummy data with the client
av_pairs = ntlm.AV_PAIRS()
av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] = av_pairs[
ntlm.NTLMSSP_AV_DNS_HOSTNAME] = 'DUMMY'.encode('utf-16le')
av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] = av_pairs[
ntlm.NTLMSSP_AV_DNS_DOMAINNAME] = 'DUMMY'.encode('utf-16le')
av_pairs[ntlm.NTLMSSP_AV_TIME] = struct.pack('<q', (
116444736000000000 + calendar.timegm(time.gmtime()) * 10000000))

challengeMessage = ntlm.NTLMAuthChallenge()
challengeMessage['flags'] = ansFlags
challengeMessage['domain_len'] = len('DUMMY'.encode('utf-16le'))
challengeMessage['domain_max_len'] = challengeMessage['domain_len']
challengeMessage['domain_offset'] = 40 + 16
challengeMessage['challenge'] = binascii.unhexlify('1122334455667788')
challengeMessage['domain_name'] = 'DUMMY'.encode('utf-16le')
challengeMessage['TargetInfoFields_len'] = len(av_pairs)
challengeMessage['TargetInfoFields_max_len'] = len(av_pairs)
challengeMessage['TargetInfoFields'] = av_pairs
challengeMessage['TargetInfoFields_offset'] = 40 + 16 + len(challengeMessage['domain_name'])
challengeMessage['Version'] = b'\xff' * 8
challengeMessage['VersionLen'] = 8
# Reuse the challenge message from the real authentication with the server
challengeMessage = self.sessionData['CHALLENGE_MESSAGE']
# We still remove the annoying flags
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SIGN)
challengeMessage['flags'] &= ~(NTLMSSP_NEGOTIATE_SEAL)

# Building the LDAP bind response message
bindresponse = BindResponse()