[Draft] POC ldap3 implementation for schannel authentication #412
Conversation
LightxR
requested review from
zblurx,
Marshall-Hallenbeck,
NeffIsBack and
mpgn
as code owners
LightxR
changed the title
|
The problem with ldap3 is that kerberos auth is not native, you need to manually install using apt or whatever |
|
I get your point but not sure to understand if it will be a problem for this PR : I only replace the impacket.ldap import and the code is still using impacket.krb5 so this should be OK.
|
Ok, i read the code a little bit to fast then, if this is working without any additional package this is an awesome PR ! |
|
As you already wrote it into the title i converted the PR into a draft :) |
|
And of course thanks for the PR! |
There was a problem hiding this comment.
First of all thanks for the PR! This would be really cool to have!
There are many changes in the PR that seems to revert previous changes. Could it be that they were accidentally commited?
With them in here it is nearly impossible to track what have been changed (and should have an impact on the new feature) and what not.
The same applies to the patch from the impacket ldap file. Currently i don't get a diff because the whole file is added. I think it would be best if we PR&merge it into the Pennyw0rth impacket fork so we can test it with this PR. Could you open up a PR to the fork?
When both changes are done i can review the PR and give proper feedback.
Fyi if you want to use a local version (or just some other repo) for impacket you can change that in the pyproject.toml file.
This is how you can use a local repo:
[tool.poetry.dependencies]
my-package = { path = "../my/path" }
| if is_admin: | ||
| self.context.log.debug("User is admin!") | ||
| self.admin_privs = True | ||
| return True | ||
| else: |
There was a problem hiding this comment.
Something is off here. Multiple lines are fixes introduced in the last months. Perhaps the commit containing this change reverted them.
| if is_admin: | ||
| self.admin_privs = True | ||
| return True | ||
| else: |
|
@LightxR if you need help with git, hit me up on discord :) |
POC for ldap3 implementation.
The main goal of this PR is to provide schannel authentication support to Netexec through ldap3 implementation.
Future improvements could be ldap signing and channel binding support (available on ldap3 dev branch at the moment). Great article about it here : https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
A workaround is possible right now to bypass channel binding with a fallback on port 389 and StartTLS, see another great article here : https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html. This code logic can be added into the actual code.
Another feature worth to consider is the pkinit function from Certipy.