
[NSE] ldap.lua vs AD objectSID #938

Closed (4 commits)

Conversation


@TomSellers TomSellers commented Jul 12, 2017

The ldap.lua NSE library currently in SVN doesn't correctly handle the Active Directory objectSID attribute. Instead it attempts to perform additional ASN.1 decoding on it. Attached is a patch that implements the correct conversion from bytes to the human-readable string such as 1-5-21-542895397-2936746693-3965599772-500.

If there aren't any issues or concerns I'll commit the code later this week.

Testing command

This command was tested against a Windows 2012 R2 host functioning as an Active Directory Domain Controller. The user had Domain Admin privileges and so should be able to access all attributes.

nmap -d -p 389 --script ldap-search --script-args \
'ldap.username="CN=Administrator,CN=Users,DC=adlab,DC=pwnable", \
ldap.password="UserPasswordHere", \
ldap.qfilter=users, \
ldap.attrib=*, \
ldap.savesearch=test' \
-Pn  192.168.50.231

Before patch

<snip>
NSE: ldap-search against 192.168.50.231:389 threw an error!
/usr/local/bin/../share/nmap/nselib/ldap.lua:657: bad argument #3 to 'format' (number expected, got boolean)
stack traceback:
	[C]: in function 'string.format'
	/usr/local/bin/../share/nmap/nselib/ldap.lua:657: in function 'ldap.searchResultToTable'
	/usr/local/bin/../share/nmap/scripts/ldap-search.nse:263: in function </usr/local/bin/../share/nmap/scripts/ldap-search.nse:119>
	(...tail calls...)

<snip>

After patch

Screen output below as well as output to CSV file. The correct objectSID (objectSid: 1-5-21-542895397-2936746693-3965599772-500) was extracted.

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search: 
|   Context: DC=adlab,DC=pwnable; QFilter: users; Attributes: *
|     dn: CN=Administrator,CN=Users,DC=adlab,DC=pwnable
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Administrator
|         description: Built-in account for administering the computer/domain
|         distinguishedName: CN=Administrator,CN=Users,DC=adlab,DC=pwnable
|         instanceType: 4
|         whenCreated: 2017/07/08 17:53:55 UTC
|         whenChanged: 2017/07/08 18:10:24 UTC
|         uSNCreated: 8196
|         memberOf: CN=Group Policy Creator Owners,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Domain Admins,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Enterprise Admins,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Schema Admins,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Administrators,CN=Builtin,DC=adlab,DC=pwnable
|         uSNChanged: 12749
|         name: Administrator
|         objectGUID: 28b03a96-697b-244d-9b27-c7c3d67cd268
|         userAccountControl: 512
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: 2017/07/09 13:51:26 UTC
|         lastLogoff: 0
|         lastLogon: 2017/07/11 12:20:09 UTC
|         logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
|         pwdLastSet: 2017/07/08 17:00:21 UTC
|         primaryGroupID: 513
|         objectSid: 1-5-21-542895397-2936746693-3965599772-500
|         adminCount: 1
|         accountExpires: Never
|         logonCount: 11
|         sAMAccountName: Administrator
|         sAMAccountType: 805306368
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adlab,DC=pwnable
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2017/07/08 18:10:24 UTC
|         dSCorePropagationData: 2017/07/08 18:10:24 UTC
|         dSCorePropagationData: 2017/07/08 17:55:14 UTC
|         dSCorePropagationData: 1601/01/01 18:12:16 UTC
|         lastLogonTimestamp: 2017/07/08 17:56:13 UTC
|     dn: CN=Guest,CN=Users,DC=adlab,DC=pwnable
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Guest
|         description: Built-in account for guest access to the computer/domain
|         distinguishedName: CN=Guest,CN=Users,DC=adlab,DC=pwnable
|         instanceType: 4
|         whenCreated: 2017/07/08 17:53:55 UTC
|         whenChanged: 2017/07/08 17:53:55 UTC
|         uSNCreated: 8197
|         memberOf: CN=Guests,CN=Builtin,DC=adlab,DC=pwnable
|         uSNChanged: 8197
|         name: Guest
|         objectGUID: 47f9e07a-577-164d-a948-7220d99e8e
|         userAccountControl: 66082
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 514
|         objectSid: 1-5-21-542895397-2936746693-3965599772-501
|         accountExpires: 30828/09/14 02:48:05 UTC
|         logonCount: 0
|         sAMAccountName: Guest
|         sAMAccountType: 805306368
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adlab,DC=pwnable
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2017/07/08 17:55:14 UTC
|         dSCorePropagationData: 1601/01/01 00:00:01 UTC
|     dn: CN=PWNWINDC01,OU=Domain Controllers,DC=adlab,DC=pwnable
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         objectClass: computer
|         cn: PWNWINDC01
<SNIP>
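For reference, the byte layout the patch has to decode, as an added Python example (not the Lua code from this pull request): a decoder and encoder for the binary SID structure defined in MS-DTYP 2.4.2.2, with the sample blob constructed from the Administrator SID shown above. The decoder rejects input that is not a SID (which is what the pre-patch library was effectively doing in reverse, trying to ASN.1-decode SID bytes) and emits the standard "S-" prefix, which the script output above omits.

```python
import struct

def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary Windows SID (MS-DTYP 2.4.2.2) into its string form."""
    if len(blob) < 8:
        raise ValueError("SID too short: need at least 8 bytes")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError(f"SubAuthorityCount {count} exceeds the maximum of 15")
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError(f"length {len(blob)} does not match {expected} bytes for {count} sub-authorities")
    # IdentifierAuthority is a 48-bit big-endian integer.
    authority = int.from_bytes(blob[2:8], "big")
    # Each SubAuthority is a 32-bit little-endian integer.
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    # Per MS-DTYP, authorities that do not fit in 32 bits are rendered in hex.
    auth_str = f"0x{authority:012X}" if authority >= 2**32 else str(authority)
    return "-".join(["S", str(revision), auth_str, *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-<rev>-<authority>[-<sub>...]' string back to the binary form AD stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("SID string must look like S-<rev>-<authority>[-<sub>...]")
    revision = int(parts[1])
    authority = int(parts[2], 0)  # accepts decimal or 0x-prefixed hex
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("at most 15 sub-authorities are allowed")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def rid(sid: str) -> int:
    """Return the relative identifier (final sub-authority), e.g. 500 for the built-in Administrator."""
    return int(sid.rsplit("-", 1)[1])

# Constructed sample: the Administrator SID from the output above, in the binary form AD returns.
ADMIN_SID = "S-1-5-21-542895397-2936746693-3965599772-500"
ADMIN_BLOB = sid_to_bytes(ADMIN_SID)

if __name__ == "__main__":
    print(ADMIN_BLOB.hex())
    print(bytes_to_sid(ADMIN_BLOB), "RID:", rid(ADMIN_SID))
```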

@nmap-bot nmap-bot closed this in 1663733 Jul 16, 2017