added support for LDAP simple auth #648


Open: wants to merge 1 commit into base main

Conversation

c4pit0ch3f

Description

This change adds support for LDAP SIMPLE auth when both kerberos and NTLM are unavailable.
This change affects only the ldap module and has no further dependencies.

Just like in the smb module, the no_ntlm attribute of the ldap class is populated based on the NTLM challenge received during the enum_host_info phase (l252-253).
Then this variable is used to display that NTLM is not supported (l278-279) and to use SIMPLE authentication during the connection phase (l437/460).

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Tested with basic commands such as --users, --dc-list, etc.
Tested on both LDAP and LDAPS configurations.

Test env:

  • Debian 12 (Debian 6.1.124-1)
  • Python 3.11.2
  • Against a Windows server 2022 (last patch 3/03/2022) acting as DC

Screenshots (if appropriate):

[screenshot: netexec]

Checklist:

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary
  • New and existing e2e tests pass locally with my changes
  • My code follows the style guidelines of this project (should be covered by Ruff above)
  • If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
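As an added illustration of the fallback described above (this is example code written for this page, not NetExec's ldap module), the block below parses a constructed NTLM CHALLENGE_MESSAGE to decide no_ntlm and then picks the bind method. The rule that SIMPLE is only used over TLS is an assumption added here for the example, not something the PR implements; the NTLM layout follows MS-NLMP.

```python
import struct
from enum import Enum

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2          # MessageType of a Type 2 (CHALLENGE) message
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020


class LdapAuth(Enum):
    KERBEROS = "kerberos"
    NTLM = "ntlm"
    SIMPLE = "simple"


def parse_ntlm_challenge(blob):
    """Return NegotiateFlags from an NTLM CHALLENGE_MESSAGE, or None if the
    blob is not one. Layout (MS-NLMP 2.2.1.2): Signature(8) | MessageType(4, LE)
    | TargetNameFields(8) | NegotiateFlags(4, LE) | ServerChallenge(8) | ..."""
    if blob is None or len(blob) < 24 or blob[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != CHALLENGE_MESSAGE:
        return None
    (flags,) = struct.unpack_from("<I", blob, 20)
    return flags


def server_wants_integrity(flags):
    """True if the DC advertised signing or sealing in its challenge."""
    return bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL))


def choose_ldap_auth(challenge, kerberos, tls):
    """Model of the PR's decision: no_ntlm is derived from the challenge, and
    SIMPLE is the fallback once neither Kerberos nor NTLM is available.
    Returns (method or None, no_ntlm); None means the bind was refused because
    a simple bind would send the password in clear over a non-TLS connection
    (assumed policy for this example)."""
    no_ntlm = parse_ntlm_challenge(challenge) is None
    if kerberos:
        return LdapAuth.KERBEROS, no_ntlm
    if not no_ntlm:
        return LdapAuth.NTLM, no_ntlm
    if not tls:
        return None, no_ntlm
    return LdapAuth.SIMPLE, no_ntlm


# Constructed sample challenge: signature, type 2, empty TargetName fields,
# NegotiateFlags with SIGN and SEAL set, then an 8-byte server challenge.
SAMPLE_CHALLENGE = (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
                    + b"\x00" * 8 + struct.pack("<I", 0xE2898235) + b"\x11" * 8)
```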

@NeffIsBack (Member)

Thanks for the addition!

Off the top of my head, I am wondering if it wouldn't be best to switch to kerberos or just alert that ntlm is not available. We could then implement another flag to use simple auth if there is indeed a server that accepts neither ntlm nor kerberos.
Could be that we have limited functionality available if we use simple auth, because for some actions AD requires encryption.

@NeffIsBack NeffIsBack added the enhancement New feature or request label Apr 18, 2025
@Dfte (Contributor)

Dfte commented Jun 3, 2025

This is going to be patched in Impacket as well, btw (fortra/impacket#1971), and now, as far as we tested it (with azoxlpf), simple bind does work as expected and allows bypassing some hardening configurations.
