Add ldap signing and ldaps channel binding

franc-pentest · Jun 25, 2024 · 0d286f1 · 0d286f1
1 parent c80c727
commit 0d286f1
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 32 deletions.
diff --git a/ldeep/__main__.py b/ldeep/__main__.py
@@ -1660,19 +1660,13 @@ def action_create_computer(self, kwargs):
 
         Arguments:
             #computer_name:string
-                Name of computer to add.
+                Name of computer to add (no '$' needed).
             #computer_pass:string
                 Password set to computer account
         """
         computer = kwargs["computer_name"]
         password = kwargs["computer_pass"]
 
-        try:
-            self.engine.ldap.start_tls()
-        except Exception as e:
-            print(f"Can't create computer, TLS needed: {e}")
-            return
-
         if self.engine.create_computer(computer, password):
             info(f"Computer {computer} successfully created with password {password}")
         else:
@@ -1716,12 +1710,6 @@ def action_create_user(self, kwargs):
         user = kwargs["user_name"]
         password = kwargs["user_pass"]
 
-        try:
-            self.engine.ldap.start_tls()
-        except Exception as e:
-            print(f"Can't create user, TLS needed: {e}")
-            return
-
         if self.engine.create_user(user, password):
             info(f"User {user} successfully created with password {password}")
         else:

diff --git a/ldeep/views/ldap_activedirectory.py b/ldeep/views/ldap_activedirectory.py
@@ -17,6 +17,8 @@
     ALL as LDAP3_ALL,
     BASE,
     DEREF_NEVER,
+    TLS_CHANNEL_BINDING,
+    ENCRYPT,
 )
 from ldap3 import SIMPLE
 from ldap3.protocol.formatters.formatters import format_sid
@@ -413,7 +415,10 @@ def __init__(
             server = Server(self.server, get_info=LDAP3_ALL)
 
         if method == "Kerberos":
-            self.ldap = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS)
+            if self.server.startswith("ldaps"):
+                self.ldap = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS)
+            else:
+                self.ldap = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS, session_security=ENCRYPT)
         elif method == "Certificate":
             self.ldap = Connection(server)
         elif method == "anonymous":
@@ -430,26 +435,58 @@ def __init__(
                     print(e)
                     print("Incorrect hash, format is LMHASH:NTHASH")
                     exit(1)
-            self.ldap = Connection(
-                server,
-                user=f"{domain}\\{username}",
-                password=ntlm,
-                authentication=NTLM,
-                check_names=True,
-            )
+            if self.server.startswith("ldaps"):
+                self.ldap = Connection(
+                    server,
+                    user=f"{domain}\\{username}",
+                    password=ntlm,
+                    channel_binding=TLS_CHANNEL_BINDING,
+                    authentication=NTLM,
+                    check_names=True,
+                )
+            else:
+                self.ldap = Connection(
+                    server,
+                    user=f"{domain}\\{username}",
+                    password=ntlm,
+                    session_security=ENCRYPT,
+                    authentication=NTLM,
+                    check_names=True,
+                )
         elif method == "SIMPLE":
-            if not password:
-                print("Password is required (-p)")
-                exit(1)
             if "." in domain:
                 domain, _, _ = domain.partition(".")
-            self.ldap = Connection(
-                server,
-                user=f"{domain}\\{username}",
-                password=password,
-                authentication=SIMPLE,
-                check_names=True,
-            )
+            if self.server.startswith("ldaps"):
+                if not password:
+                    print("Password is required (-p)")
+                    exit(1)
+                self.ldap = Connection(
+                    server,
+                    user=f"{domain}\\{username}",
+                    password=password,
+                    authentication=SIMPLE,
+                    check_names=True,
+                )
+            else:
+                if not ntlm:
+                    print("Please authenticate using the NT hash for simple bind without ldaps")
+                    exit(1)
+                try:
+                    lm, nt = ntlm.split(":")
+                    lm = "aad3b435b51404eeaad3b435b51404ee" if not lm else lm
+                    ntlm = f"{lm}:{nt}"
+                except Exception as e:
+                    print(e)
+                    print("Incorrect hash, format is LMHASH:NTHASH")
+                    exit(1)
+                self.ldap = Connection(
+                    server,
+                    user=f"{domain}\\{username}",
+                    password=ntlm,
+                    session_security=ENCRYPT,
+                    authentication=NTLM,
+                    check_names=True,
+                )
 
         try:
             if method == "Certificate":

diff --git a/pyproject.toml b/pyproject.toml
@@ -11,7 +11,7 @@ dependencies = [
     "cryptography>=42.0.7",
     "dnspython >= 1.15.0",
     "gssapi >= 1.8.0, < 2",
-    "ldap3 >= 2.5.1, < 3",
+     "ldap3 @ git+https://github.com/tiyeuse/ldap3.git@dev",
     "oscrypto >= 1.3.0, < 2",
     "pycryptodome >= 3.19.0, < 4",
     "pycryptodomex >= 3.19.0, < 4",