
NetExec LDAP is using System's DNS #184

Closed
bmigette opened this issue Feb 19, 2024 · 11 comments · Fixed by #196
Labels
enhancement New feature or request

Comments

@bmigette

bmigette commented Feb 19, 2024

Describe the bug
When using NetExec with the ldap protocol, netexec is doing some DNS resolutions that use the system's DNS and will cause failures.
There are numerous cases where we should be able to:

  • Specify a DNS server manually
  • Or automatically detect it (assume the Domain Controller is doing DNS)

Also, the error is misleading. In my particular case, the target IP (172.16.230.10) can be used for LDAP, but because netexec resolved this to a different IP using public DNS, the connection failed.

To Reproduce
Command: netexec --debug ldap 172.16.230.10 -u myuser -p 'mypass'

Resulted in:

$ netexec --debug ldap 172.16.230.10 -u myuser -p 'mypass'
[16:59:18] DEBUG    PYTHON VERSION: 3.11.7 (main, Dec  8 2023, 14:22:46) [GCC 13.2.0]                                                           netexec.py:89
           DEBUG    RUNNING ON: Linux Release: 6.6.9-amd64                                                                                      netexec.py:90
           DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, netexec.py:91
                    protocol='ldap', target=['172.16.230.10'], cred_id=[], username=['myuser'], password=['mypass'],
                    ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None,
                    aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[],
                    list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None,
                    connectback_host=None, hash=[], port=389, no_smb=False, domain=None, local_auth=False, asreproast=None, kerberoasting=None,
                    trusted_for_delegation=False, password_not_required=False, admin_count=False, users=False, groups=False, dc_list=False,
                    get_sid=False, active_users=False, gmsa=False, gmsa_convert_id=None, gmsa_decrypt_lsa=None, bloodhound=False,
                    nameserver='172.16.230.10', collection=None)
           DEBUG    Protocol: ldap                                                                                                             netexec.py:145
           DEBUG    Protocol Path: /home/babadmin/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap.py                 netexec.py:148
           DEBUG    Protocol DB Path: /home/babadmin/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/ldap/database.py     netexec.py:150
[16:59:19] DEBUG    Protocol Object: <class 'protocol.ldap'>                                                                                   netexec.py:153
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                            netexec.py:155
           DEBUG    DB Path: /home/babadmin/.nxc/workspaces/default/ldap.db                                                                    netexec.py:158
           DEBUG    Using selector: EpollSelector                                                                                       selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                 netexec.py:47
           DEBUG    Creating thread for <class 'protocol.ldap'>                                                                                 netexec.py:50
           INFO     Socket info: host=172.16.230.10, hostname=172.16.230.10, kerberos=False, ipv6=False, link-local ipv6=False              connection.py:103
           DEBUG    Kicking off proto_flow                                                                                                  connection.py:163
           DEBUG    Creating smbv1 connection object                                                                                              ldap.py:637
           DEBUG    Error creating SMBv1 connection to 172.16.230.10: Error while reading from remote                                             ldap.py:648
           DEBUG    Creating smbv3 connection object                                                                                              ldap.py:653
           DEBUG    SMBv3 Connection successful                                                                                                   ldap.py:658
           DEBUG    Created connection object                                                                                               connection.py:166
           INFO     Connecting to ldap://172.16.230.10 with no baseDN                                                                             ldap.py:166
           DEBUG    Connecting to 172.16.230.10, port 389, SSL False                                                                              ldap.py:107
           DEBUG    ldap_connection: <impacket.ldap.ldap.LDAPConnection object at 0x7f8904022910>                                                 ldap.py:170
           DEBUG    Target: DC01.mydomain.com; target_domain: mydomain.com; base_dn: DC=mydomain,DC=com                                              ldap.py:208
           DEBUG    Creating smbv1 connection object                                                                                              ldap.py:637
           DEBUG    Error creating SMBv1 connection to 172.16.230.10: Error while reading from remote                                             ldap.py:648
           DEBUG    Creating smbv3 connection object                                                                                              ldap.py:653
           DEBUG    SMBv3 Connection successful                                                                                                   ldap.py:658
           DEBUG    Printing host info for LDAP                                                                                                   ldap.py:295
SMB         172.16.230.10   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mydomain.com) (signing:True) (SMBv1:False)
           INFO     SMB         172.16.230.10   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01)                     logger.py:145
                    (domain:mydomain.com) (signing:True) (SMBv1:False)
           DEBUG    Trying to authenticate using plaintext with domain                                                                      connection.py:406
           DEBUG    Connecting to ldap://DC01.mydomain.com - DC=mydomain,DC=com [3]                                                                 ldap.py:481
           DEBUG    Connecting to DC01.mydomain.com, port 389, SSL False                                                                           ldap.py:107
LDAP        172.16.230.10   445    DC01             [-] mydomain.com\myuser:mypass Error connecting to the domain, are you sure LDAP service is running on the target?
Error: [Errno 111] Connection refused
           INFO     LDAP        172.16.230.10   445    DC01             [-] mydomain.com\myuser:mypass Error connecting to the domain, are you logger.py:145
                    sure LDAP service is running on the target?
                    Error: [Errno 111] Connection refused

Expected behavior
DNS resolution should use a custom server (like the -ns option for bloodhound), or find the domain DNS automatically.
Using the system's DNS assumes that every time we do an LDAP test we need to adjust the system's DNS.

Lastly, in the above example, the domain was resolved by public DNS to a public IP that was filtered. The logs never showed any attempt to connect to this public IP and I had to do a tcpdump capture to understand what was going on.

NetExec info

  • OS: Kali Linux
  • Version of nxc: 1.1.0 - nxc4u
  • Installed from: pipx

Additional context
None
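The two behaviours the report asks for (an explicit resolver, or simply reusing the IP given on the command line) next to today's system-resolver behaviour, as an added Python example that is not NetExec's or impacket's code; the DC hostname handling, the nameserver argument and the `pick_ldap_address` helper are assumptions about how such an option could be wired in:

```python
import ipaddress
import socket
import struct

def build_a_query(name, txid=0x1234):
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"  # RD=1, A, IN

def _skip_name(resp, pos):
    while resp[pos] != 0:                        # labels end with a 0 byte...
        if (resp[pos] & 0xC0) == 0xC0:           # ...or a 2-byte compression pointer
            return pos + 2
        pos += resp[pos] + 1
    return pos + 1

def parse_a_answers(resp):
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:                           # RCODE != 0: NXDOMAIN, SERVFAIL, ...
        return []
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # A record; CNAME and others are skipped
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_via(name, nameserver, timeout=3.0):
    # Ask `nameserver` directly over UDP/53 instead of going through /etc/resolv.conf
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:                    # reject replies for another transaction
        raise ValueError("DNS transaction id mismatch")
    addrs = parse_a_answers(resp)
    if not addrs:
        raise LookupError(f"{nameserver} returned no A record for {name}")
    return addrs

def pick_ldap_address(target, dc_hostname, nameserver=None):
    try:
        return str(ipaddress.ip_address(target))  # IP literal given: reuse it, never consult DNS
    except ValueError:
        return resolve_via(dc_hostname, nameserver)[0] if nameserver else socket.gethostbyname(dc_hostname)
```

With the report's command line, `pick_ldap_address("172.16.230.10", "DC01.mydomain.com")` keeps connecting to 172.16.230.10 instead of re-resolving the hostname through whatever the system resolver answers.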

@NeffIsBack
Contributor

Unfortunately impacket does not support using a custom name server (at least the last time I checked). That's the reason it hasn't been done yet, although many people have already run into the problem.
We should take care of changing the impacket code tho at some point to support it.

@NeffIsBack NeffIsBack added the enhancement New feature or request label Feb 19, 2024
@bmigette
Author

Thanks for your prompt response :) I'll update here if I can find a suitable workaround (apart from changing my system's DNS)

@mpgn
Collaborator

mpgn commented Feb 19, 2024

Adding the ip/host to your hosts file is not an option?

@bmigette
Author

bmigette commented Feb 19, 2024

Adding the ip/host to your hosts file is not an option?

That would work indeed, but it needs root privileges (or changing permissions on the /etc/hosts file), which I try to avoid when not necessary. Especially because I'm automating this.

@bmigette
Author

bmigette commented Feb 19, 2024

That's what I'm going to do :)

┌──(user㉿kali) - 18:48:20 - [/tmp/NetExec]
└─$ firejail --dns=172.16.230.10 netexec ldap 172.16.230.10 -u xxx -p 'yyyy'

@XiaoliChan
Contributor

@bmigette Is it nxc --dns x.x.x.x you need?

@bmigette
Author

bmigette commented Mar 3, 2024

@XiaoliChan is this a new option? Could not find it in the doc

@XiaoliChan
Contributor

@XiaoliChan is this a new option? Could not find it in the doc

No, but I can try to add it

@bmigette
Author

bmigette commented Mar 3, 2024

@XiaoliChan would definitely be useful, but it was mentioned above that it's a limitation of the impacket lib, so not sure how easy / feasible it would be :)

@mpgn
Collaborator

mpgn commented Mar 4, 2024

@bmigette can you test #196 ?

@bmigette
Author

bmigette commented Mar 4, 2024

@mpgn works for me, thanks a lot!! Added the comments in the pull request.
