LDAP: Got exception with PyAsn1

[XiaoliChan]

Describe the bug
Got exception with PyAsn1

To Reproduce
Command: netexec ldap -u username -p password
Resulted in:

┌──(xiaoli㉿kali)-[/tmp/work]
└─$ proxychains4 -f proxychains.conf nxc ldap 10.111.17.29 -u test -p 111qqq... --no-smb                                                                                                                                        1 ⚙
[proxychains] config file found: proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
LDAP        10.111.17.29    389    10.111.17.29     [*] DC=xxx,DC=com (Hostname: xxx) (domain: xxx.com)
[15:56:31] ERROR    Exception while calling proto_flow() on target 10.111.17.29: Attempted "__iter__" operation on ASN.1 schema object                                                                                       connection.py:174
                    ╭───────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────╮
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:166 in __init__                                                                                                │
                    │                                                                                                                                                                                                      │
                    │   163 │   │   self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname},                                                                                                            │
                    │       kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local                                                                                                                                      │
                    │       ipv6={self.is_link_local_ipv6}")                                                                                                                                                               │
                    │   164 │   │                                                                                                                                                                                          │
                    │   165 │   │   try:                                                                                                                                                                                   │
                    │ ❱ 166 │   │   │   self.proto_flow()                                                                                                                                                                  │
                    │   167 │   │   except Exception as e:                                                                                                                                                                 │
                    │   168 │   │   │   if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):                                                                                                                                   │
                    │   169 │   │   │   │   self.logger.error(f"Exception while calling proto_flow() on target                                                                                                             │
                    │       {target}: {e}")                                                                                                                                                                                │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:232 in proto_flow                                                                                              │
                    │                                                                                                                                                                                                      │
                    │   229 │   │   else:                                                                                                                                                                                  │
                    │   230 │   │   │   self.logger.debug("Created connection object")                                                                                                                                     │
                    │   231 │   │   │   self.enum_host_info()                                                                                                                                                              │
                    │ ❱ 232 │   │   │   if self.print_host_info() and (self.login() or (self.username == "" and                                                                                                            │
                    │       self.password == "")):                                                                                                                                                                         │
                    │   233 │   │   │   │   if hasattr(self.args, "module") and self.args.module:                                                                                                                          │
                    │   234 │   │   │   │   │   self.load_modules()                                                                                                                                                        │
                    │   235 │   │   │   │   │   self.logger.debug("Calling modules")                                                                                                                                       │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:560 in login                                                                                                   │
                    │                                                                                                                                                                                                      │
                    │   557 │   │   if not self.args.no_bruteforce:                                                                                                                                                        │
                    │   558 │   │   │   for secr_index, secr in enumerate(secret):                                                                                                                                         │
                    │   559 │   │   │   │   for user_index, user in enumerate(username):                                                                                                                                   │
                    │ ❱ 560 │   │   │   │   │   if self.try_credentials(domain[user_index], user, owned[user_index],                                                                                                       │
                    │       secr, cred_type[secr_index], data[secr_index]):                                                                                                                                                │
                    │   561 │   │   │   │   │   │   owned[user_index] = True                                                                                                                                               │
                    │   562 │   │   │   │   │   │   if not self.args.continue_on_success:                                                                                                                                  │
                    │   563 │   │   │   │   │   │   │   return True                                                                                                                                                        │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/connection.py:495 in try_credentials                                                                                         │
                    │                                                                                                                                                                                                      │
                    │   492 │   │   │   │   │   return self.kerberos_login(domain, username, secret, "", "",                                                                                                               │
                    │       self.kdcHost, False)                                                                                                                                                                           │
                    │   493 │   │   │   │   elif hasattr(self.args, "domain"):  # Some protocols don't use domain                                                                                                          │
                    │       for login                                                                                                                                                                                      │
                    │   494 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext with                                                                                                             │
                    │       domain")                                                                                                                                                                                       │
                    │ ❱ 495 │   │   │   │   │   return self.plaintext_login(domain, username, secret)                                                                                                                      │
                    │   496 │   │   │   │   elif self.args.protocol == "ssh":                                                                                                                                              │
                    │   497 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext over SSH")                                                                                                       │
                    │   498 │   │   │   │   │   return self.plaintext_login(username, secret, data)                                                                                                                        │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/protocols/ldap.py:460 in plaintext_login                                                                                     │
                    │                                                                                                                                                                                                      │
                    │    457 │   │   │   self.logger.info(f"Connecting to {ldap_url} - {self.baseDN} - {self.host}                                                                                                         │
                    │        [3]")                                                                                                                                                                                         │
                    │    458 │   │   │   self.ldapConnection = ldap_impacket.LDAPConnection(url=ldap_url,                                                                                                                  │
                    │        baseDN=self.baseDN, dstIp=self.host)                                                                                                                                                          │
                    │    459 │   │   │   self.ldapConnection.login(self.username, self.password, self.domain,                                                                                                              │
                    │        self.lmhash, self.nthash)                                                                                                                                                                     │
                    │ ❱  460 │   │   │   self.check_if_admin()                                                                                                                                                             │
                    │    461 │   │   │                                                                                                                                                                                     │
                    │    462 │   │   │   # Prepare success credential text                                                                                                                                                 │
                    │    463 │   │   │                                                                                                                                                                                     │
                    │        self.logger.success(f"{domain}\\{self.username}:{process_secret(self.password)}                                                                                                               │
                    │        {self.mark_pwned()}")                                                                                                                                                                         │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/nxc/protocols/ldap.py:664 in check_if_admin                                                                                      │
                    │                                                                                                                                                                                                      │
                    │    661 │   │   resp = self.search(search_filter, attributes, sizeLimit=0)                                                                                                                            │
                    │    662 │   │   answers = []                                                                                                                                                                          │
                    │    663 │   │   if resp and (self.password != "" or self.lmhash != "" or self.nthash != "") and                                                                                                       │
                    │        self.username != "":                                                                                                                                                                          │
                    │ ❱  664 │   │   │   for attribute in resp[0][1]:                                                                                                                                                      │
                    │    665 │   │   │   │   if str(attribute["type"]) == "objectSid":                                                                                                                                     │
                    │    666 │   │   │   │   │   sid = self.sid_to_str(attribute["vals"][0])                                                                                                                               │
                    │    667 │   │   │   │   │   self.sid_domain = "-".join(sid.split("-")[:-1])                                                                                                                           │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/pyasn1/type/univ.py:1038 in __iter__                                                                                             │
                    │                                                                                                                                                                                                      │
                    │   1035 │   │   │   return self._value[i]                                                                                                                                                             │
                    │   1036 │                                                                                                                                                                                             │
                    │   1037 │   def __iter__(self):                                                                                                                                                                       │
                    │ ❱ 1038 │   │   return iter(self._value)                                                                                                                                                              │
                    │   1039 │                                                                                                                                                                                             │
                    │   1040 │   def __contains__(self, value):                                                                                                                                                            │
                    │   1041 │   │   return value in self._value                                                                                                                                                           │
                    │                                                                                                                                                                                                      │
                    │ /home/xiaoli/.local/pipx/venvs/netexec/lib/python3.12/site-packages/pyasn1/type/base.py:214 in plug                                                                                                  │
                    │                                                                                                                                                                                                      │
                    │   211 │   │   if cls._instance is None:                                                                                                                                                              │
                    │   212 │   │   │   def getPlug(name):                                                                                                                                                                 │
                    │   213 │   │   │   │   def plug(self, *args, **kw):                                                                                                                                                   │
                    │ ❱ 214 │   │   │   │   │   raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema                                                                                                          │
                    │       object' % name)                                                                                                                                                                                │
                    │   215 │   │   │   │   return plug                                                                                                                                                                    │
                    │   216 │   │   │                                                                                                                                                                                      │
                    │   217 │   │   │   op_names = [name                                                                                                                                                                   │
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                    PyAsn1Error: Attempted "__iter__" operation on ASN.1 schema object

Expected behavior
No exceptions

NetExec info

• OS: Kali Linux
• Version of nxc: v1.3.0 Need for Speed
• Installed from: pipx

[NeffIsBack]

Looks like somehow you can login but not query. Are the credentials valid? Can you try to query it with an account that is allowed to use ldap?

[XiaoliChan]

@NeffIsBack Oh, this exception is found in real-world attacks, and now the red team op is ended.

[NeffIsBack]

Hmm okay, not sure how to fix this. I think we need to wait for someone to run into the same bug to further debug it