Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LDAP: Got exception with PyAsn1 #467

Open
XiaoliChan opened this issue Oct 19, 2024 · 3 comments
Open

LDAP: Got exception with PyAsn1 #467

XiaoliChan opened this issue Oct 19, 2024 · 3 comments

Comments

@XiaoliChan
Copy link
Contributor

XiaoliChan commented Oct 19, 2024

Describe the bug
Got exception with PyAsn1

To Reproduce
Command: netexec ldap -u username -p password
Resulted in:

┌──(xiaoli㉿kali)-[/tmp/work]
└─$ proxychains4 -f proxychains.conf nxc ldap 10.111.17.29 -u test -p 111qqq... --no-smb                                                                                                                                        1 ⚙
[proxychains] config file found: proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
LDAP        10.111.17.29    389    10.111.17.29     [*] DC=xxx,DC=com (Hostname: xxx) (domain: xxx.com)
[15:56:31] ERROR    Exception while calling proto_flow() on target 10.111.17.29: Attempted "__iter__" operation on ASN.1 schema object                                                                                       connection.py:174
                    ╭───────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────╮
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:166 in __init__                                                                                                │
                    │                                                                                                                                                                                                      │
                    │   163 │   │   self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname},                                                                                                            │
                    │       kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local                                                                                                                                      │
                    │       ipv6={self.is_link_local_ipv6}")                                                                                                                                                               │
                    │   164 │   │                                                                                                                                                                                          │
                    │   165 │   │   try:                                                                                                                                                                                   │
                    │ ❱ 166 │   │   │   self.proto_flow()                                                                                                                                                                  │
                    │   167 │   │   except Exception as e:                                                                                                                                                                 │
                    │   168 │   │   │   if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):                                                                                                                                   │
                    │   169 │   │   │   │   self.logger.error(f"Exception while calling proto_flow() on target                                                                                                             │
                    │       {target}: {e}")                                                                                                                                                                                │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:232 in proto_flow                                                                                              │
                    │                                                                                                                                                                                                      │
                    │   229 │   │   else:                                                                                                                                                                                  │
                    │   230 │   │   │   self.logger.debug("Created connection object")                                                                                                                                     │
                    │   231 │   │   │   self.enum_host_info()                                                                                                                                                              │
                    │ ❱ 232 │   │   │   if self.print_host_info() and (self.login() or (self.username == "" and                                                                                                            │
                    │       self.password == "")):                                                                                                                                                                         │
                    │   233 │   │   │   │   if hasattr(self.args, "module") and self.args.module:                                                                                                                          │
                    │   234 │   │   │   │   │   self.load_modules()                                                                                                                                                        │
                    │   235 │   │   │   │   │   self.logger.debug("Calling modules")                                                                                                                                       │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:560 in login                                                                                                   │
                    │                                                                                                                                                                                                      │
                    │   557 │   │   if not self.args.no_bruteforce:                                                                                                                                                        │
                    │   558 │   │   │   for secr_index, secr in enumerate(secret):                                                                                                                                         │
                    │   559 │   │   │   │   for user_index, user in enumerate(username):                                                                                                                                   │
                    │ ❱ 560 │   │   │   │   │   if self.try_credentials(domain[user_index], user, owned[user_index],                                                                                                       │
                    │       secr, cred_type[secr_index], data[secr_index]):                                                                                                                                                │
                    │   561 │   │   │   │   │   │   owned[user_index] = True                                                                                                                                               │
                    │   562 │   │   │   │   │   │   if not self.args.continue_on_success:                                                                                                                                  │
                    │   563 │   │   │   │   │   │   │   return True                                                                                                                                                        │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:495 in try_credentials                                                                                         │
                    │                                                                                                                                                                                                      │
                    │   492 │   │   │   │   │   return self.kerberos_login(domain, username, secret, "", "",                                                                                                               │
                    │       self.kdcHost, False)                                                                                                                                                                           │
                    │   493 │   │   │   │   elif hasattr(self.args, "domain"):  # Some protocols don't use domain                                                                                                          │
                    │       for login                                                                                                                                                                                      │
                    │   494 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext with                                                                                                             │
                    │       domain")                                                                                                                                                                                       │
                    │ ❱ 495 │   │   │   │   │   return self.plaintext_login(domain, username, secret)                                                                                                                      │
                    │   496 │   │   │   │   elif self.args.protocol == "ssh":                                                                                                                                              │
                    │   497 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext over SSH")                                                                                                       │
                    │   498 │   │   │   │   │   return self.plaintext_login(username, secret, data)                                                                                                                        │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/protocols/ldap.py:460 in plaintext_login                                                                                     │
                    │                                                                                                                                                                                                      │
                    │    457 │   │   │   self.logger.info(f"Connecting to {ldap_url} - {self.baseDN} - {self.host}                                                                                                         │
                    │        [3]")                                                                                                                                                                                         │
                    │    458 │   │   │   self.ldapConnection = ldap_impacket.LDAPConnection(url=ldap_url,                                                                                                                  │
                    │        baseDN=self.baseDN, dstIp=self.host)                                                                                                                                                          │
                    │    459 │   │   │   self.ldapConnection.login(self.username, self.password, self.domain,                                                                                                              │
                    │        self.lmhash, self.nthash)                                                                                                                                                                     │
                    │ ❱  460 │   │   │   self.check_if_admin()                                                                                                                                                             │
                    │    461 │   │   │                                                                                                                                                                                     │
                    │    462 │   │   │   # Prepare success credential text                                                                                                                                                 │
                    │    463 │   │   │                                                                                                                                                                                     │
                    │        self.logger.success(f"{domain}\\{self.username}:{process_secret(self.password)}                                                                                                               │
                    │        {self.mark_pwned()}")                                                                                                                                                                         │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/protocols/ldap.py:664 in check_if_admin                                                                                      │
                    │                                                                                                                                                                                                      │
                    │    661 │   │   resp = self.search(search_filter, attributes, sizeLimit=0)                                                                                                                            │
                    │    662 │   │   answers = []                                                                                                                                                                          │
                    │    663 │   │   if resp and (self.password != "" or self.lmhash != "" or self.nthash != "") and                                                                                                       │
                    │        self.username != "":                                                                                                                                                                          │
                    │ ❱  664 │   │   │   for attribute in resp[0][1]:                                                                                                                                                      │
                    │    665 │   │   │   │   if str(attribute["type"]) == "objectSid":                                                                                                                                     │
                    │    666 │   │   │   │   │   sid = self.sid_to_str(attribute["vals"][0])                                                                                                                               │
                    │    667 │   │   │   │   │   self.sid_domain = "-".join(sid.split("-")[:-1])                                                                                                                           │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/pyasn1/type/univ.py:1038 in __iter__                                                                                             │
                    │                                                                                                                                                                                                      │
                    │   1035 │   │   │   return self._value[i]                                                                                                                                                             │
                    │   1036 │                                                                                                                                                                                             │
                    │   1037 │   def __iter__(self):                                                                                                                                                                       │
                    │ ❱ 1038 │   │   return iter(self._value)                                                                                                                                                              │
                    │   1039 │                                                                                                                                                                                             │
                    │   1040 │   def __contains__(self, value):                                                                                                                                                            │
                    │   1041 │   │   return value in self._value                                                                                                                                                           │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/pyasn1/type/base.py:214 in plug                                                                                                  │
                    │                                                                                                                                                                                                      │
                    │   211 │   │   if cls._instance is None:                                                                                                                                                              │
                    │   212 │   │   │   def getPlug(name):                                                                                                                                                                 │
                    │   213 │   │   │   │   def plug(self, *args, **kw):                                                                                                                                                   │
                    │ ❱ 214 │   │   │   │   │   raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema                                                                                                          │
                    │       object' % name)                                                                                                                                                                                │
                    │   215 │   │   │   │   return plug                                                                                                                                                                    │
                    │   216 │   │   │                                                                                                                                                                                      │
                    │   217 │   │   │   op_names = [name                                                                                                                                                                   │
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                    PyAsn1Error: Attempted "__iter__" operation on ASN.1 schema object

Expected behavior
No exceptions

NetExec info

  • OS: Kali Linux
  • Version of nxc: v1.3.0 Need for Speed
  • Installed from: pipx
@NeffIsBack
Copy link
Contributor

NeffIsBack commented Oct 21, 2024

Looks like somehow you can login but not query. Are the credentials valid? Can you try to query it with an account that is allowed to use ldap?

@NeffIsBack NeffIsBack added the bug Something isn't working label Oct 21, 2024
@XiaoliChan
Copy link
Contributor Author

@NeffIsBack Oh, this exception is found in real-world attacks, and now the red team op is ended.

@NeffIsBack
Copy link
Contributor

Hmm okay, not sure how to fix this. I think we need to wait for someone to run into the same bug to further debug it

@NeffIsBack NeffIsBack removed the bug Something isn't working label Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants