Multiple exceptions in LDAP #3

Closed
saltasatelites opened this issue May 6, 2020 · 14 comments

@saltasatelites

Hi.

That's what I get running on Archlinux. All requirements installed. Running python 3.8.2-2

==================================================
| Getting information via LDAP for 127.0.0.1 |

[root@Archlinux enum4linux-ng]# python enum4linux-ng.py 127.0.0.1
ENUM4LINUX-NG

==========================
| Target Information |

[*] Target ........... 127.0.0.1
[*] Username ......... ''
[*] Random Username .. 'pfrqocuh'
[*] Password ......... ''
[*] RID Range(s) ..... 500-550,1000-1050
[*] Known Usernames .. 'administrator,guest,krbtgt,domain admins,root,bin,none'

==================================================
| Getting information via LDAP for 127.0.0.1 |

[*] Trying LDAP
Traceback (most recent call last):
  File "enum4linux-ng.py", line 435, in get_namingcontexts
    ldap_con = Connection(server, auto_bind=True)
  File "/usr/lib/python3.8/site-packages/ldap3/core/connection.py", line 355, in __init__
    self.do_auto_bind()
  File "/usr/lib/python3.8/site-packages/ldap3/core/connection.py", line 370, in do_auto_bind
    self.open(read_server_info=False)
  File "/usr/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 56, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3.8/site-packages/ldap3/strategy/base.py", line 139, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "enum4linux-ng.py", line 1885, in <module>
    main()
  File "enum4linux-ng.py", line 1817, in main
    result = run_module_ldapsearch(target)
  File "enum4linux-ng.py", line 1275, in run_module_ldapsearch
    namingcontexts = get_namingcontexts(target)
  File "enum4linux-ng.py", line 438, in get_namingcontexts
    error = str(e.args[1][0][0])
IndexError: tuple index out of range

@cddmp
Owner

cddmp commented May 7, 2020

Thanks for reporting the issue! Will fix the exception handling later today.

@cddmp
Owner

cddmp commented May 7, 2020

I prepared a debug script, which you can find here. You can check out the script like this:

git clone https://github.com/cddmp/enum4linux-ng
cd enum4linux-ng
git checkout debug

The script is then in the debug directory.

Can you please run this script and paste the output here?

@saltasatelites
Author

saltasatelites commented May 7, 2020

Here it is. I have tried a few times and it shows a socket error.

[root@Archlinux ~]# cd /usr/share/enum4linux-ng
[root@Archlinux enum4linux-ng]# cd debug
[root@Archlinux debug]# ls
ldap-debug.py
[root@Archlinux debug]# python3 ldap-debug.py localhost

('unable to open socket',
[(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('::1', 636, 0, 0)),
(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('127.0.0.1', 636))])
('unable to open socket',
[(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('::1', 389, 0, 0)),
(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('127.0.0.1', 389))])

[root@Archlinux debug]#
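
The outputs quoted so far show the same connect failure carried in two different `args` shapes: the nested tuple printed by the debug script, and a single-message exception on which `e.args[1][0][0]` raises the `IndexError` from the first traceback. The following is an added example, not enum4linux-ng's code and not the fix applied in this thread; `LDAPSocketOpenError` is a local stand-in class, the sample exceptions are constructed from the output above, and the helper names are hypothetical.

```python
import re

class LDAPSocketOpenError(Exception):
    """Local stand-in for ldap3's exception of the same name (only .args is used)."""

# Constructed samples mirroring the two shapes seen in the output above.
MSG = "socket connection error while opening: [Errno 111] Connection refused"
NESTED = LDAPSocketOpenError("unable to open socket", [
    (LDAPSocketOpenError(MSG), ("::1", 389, 0, 0)),
    (LDAPSocketOpenError(MSG), ("127.0.0.1", 389)),
])
FLAT = LDAPSocketOpenError(MSG)  # shape inferred from the IndexError in the traceback

ERRNO_RE = re.compile(r"\[Errno \d+\]\s*(.+)$")

def original_lookup(exc):
    """The expression from line 438 of the traceback: assumes the nested shape."""
    return str(exc.args[1][0][0])

def leaf_strings(obj):
    """Yield every string inside a nested args structure, depth first."""
    if isinstance(obj, BaseException):
        yield from leaf_strings(obj.args)
    elif isinstance(obj, str):
        yield obj
    elif isinstance(obj, (tuple, list)):
        for item in obj:
            yield from leaf_strings(item)

def connect_error_reason(exc):
    """Return a short reason for a failed connect without indexing into exc.args."""
    strings = list(leaf_strings(exc))
    for text in strings:
        match = ERRNO_RE.search(text)
        if match:
            return match.group(1)      # e.g. "Connection refused"
    # No errno text anywhere: fall back to the first message, then the class name.
    return strings[0] if strings else type(exc).__name__

if __name__ == "__main__":
    for name, exc in (("nested", NESTED), ("flat", FLAT)):
        try:
            print(name, "original:", original_lookup(exc))
        except IndexError as err:
            print(name, "original: IndexError:", err)
        print(name, "robust:  ", connect_error_reason(exc))
```
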

@cddmp
Owner

cddmp commented May 8, 2020

Alright, some more tests...
Can you please run the following command on the machine where you are running enum4linux and paste the output here:

netstat -tulpan 2>&1 | grep -E '636|389'

I've updated the ldap-debug.py script. Can you fetch the most recent version and run it again and paste the output here?

@saltasatelites
Author

No problem about doing all the tests you need.
The output of netstat:
[jn@Archlinux ~]$ netstat -tulpan 2>&1 | grep -E '636|389'
tcp 0 0 192.168.1.132:59636 5.9.250.164:443 TIME_WAIT -

@saltasatelites
Author

And the output of ldap-debug.py after the last update:
[root@Archlinux debug]# python3 ldap-debug.py localhost

('unable to open socket',
[(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('::1', 636, 0, 0)),
(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('127.0.0.1', 636))])
Connection refused
('unable to open socket',
[(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('::1', 389, 0, 0)),
(LDAPSocketOpenError('socket connection error while opening: [Errno 111] Connection refused'),
('127.0.0.1', 389))])

@saltasatelites
Author

This is the output of python enum4linux-ng.py 127.0.0.1

[root@Archlinux enum4linux-ng]# python enum4linux-ng.py 127.0.0.1
ENUM4LINUX-NG

==========================
| Target Information |

[*] Target ........... 127.0.0.1
[*] Username ......... ''
[*] Random Username .. 'otqxrkvg'
[*] Password ......... ''
[*] RID Range(s) ..... 500-550,1000-1050
[*] Known Usernames .. 'administrator,guest,krbtgt,domain admins,root,bin,none'

==================================================
| Getting information via LDAP for 127.0.0.1 |

[*] Trying LDAP
[-] LDAP connect error: Connection refused
[*] Trying LDAPS
[-] LDAPS connect error: Connection refused

===========================================
| Getting NetBIOS names for 127.0.0.1 |

[-] Could not get NetBIOS names information via nmblookup: host does not reply

==================================
| Session Check on 127.0.0.1 |

[*] Check for null session
[-] Server connection failed for null session: NT_STATUS_CONNECTION_REFUSED
[*] Check for random user session
[-] Server connection failed for random user session: NT_STATUS_CONNECTION_REFUSED
[-] Sessions failed. Aborting remainder of tests.

@cddmp
Owner

cddmp commented May 8, 2020

Thanks for your reply, it seems that the exceptions have disappeared with the latest commit.

The output of your netstat command indicates that there is no LDAP running on localhost. That's why you get a "connection refused" message for LDAP and LDAPS (LDAP over TLS). So this is normal behaviour.
There also doesn't seem to be samba running on your local Arch installation. That's why the other tests throw error messages. Again, these error messages are normal and should tell the user that enumeration was not possible.
I hope that helps!

@saltasatelites
Author

saltasatelites commented May 8, 2020

As an end of the topic, I have run enum4linux against a CTF box (WestWild).
This is the result:

[root@Archlinux enum4linux-ng]# python enum4linux-ng.py 192.168.1.82
ENUM4LINUX-NG

==========================
| Target Information |

[*] Target ........... 192.168.1.82
[*] Username ......... ''
[*] Random Username .. 'gwbbbucx'
[*] Password ......... ''
[*] RID Range(s) ..... 500-550,1000-1050
[*] Known Usernames .. 'administrator,guest,krbtgt,domain admins,root,bin,none'

=====================================================
| Getting information via LDAP for 192.168.1.82 |

[*] Trying LDAP
[-] LDAP connect error: Connection refused
[*] Trying LDAPS
[-] LDAPS connect error: Connection refused

==============================================
| Getting NetBIOS names for 192.168.1.82 |

[+] Got domain/workgroup name: WORKGROUP
[+] Full NetBIOS names information:

  • WESTWILD <00> - B Workstation Service
  • WESTWILD <03> - B Messenger Service
  • WESTWILD <20> - B File Server Service
  • WORKGROUP <00> - B Domain/Workgroup Name
  • WORKGROUP <1e> - B Browser Service Elections
  • MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 192.168.1.82 |

[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[+] Server allows session using username 'gwbbbucx', password ''
[+] Re-running enumeration with user 'gwbbbucx' might give more results.

===================================================
| Getting domain information for 192.168.1.82 |

[+] Domain: WORKGROUP
[-] Could not get domain SID from lsaquery
[-] Could not determine if host is part of domain or part of a workgroup

======================================
| OS information on 192.168.1.82 |

[+] The following OS information were found:
server_type_string = Wk Sv PrQ Unx NT SNT WestWild server (Samba, Ubuntu)
platform_id = 500
os_version = 6.1
server_type = 0x809a03

=============================
| Users on 192.168.1.82 |

[*] Enumerating users
[+] Found 3 via 'querydispinfo'
[+] Found 3 via 'enumdomusers'
[+] After merging user results we have 3 users total:
'1000':
username: aveng
name: aveng
acb: '0x00000010'
description: ''
'1001':
username: root
name: root
acb: '0x00000010'
description: ''
'1002':
username: wavex
name: XxWavexX
acb: '0x00000010'
description: ''

==============================
| Groups on 192.168.1.82 |

[*] Enumerating groups
[+] Got an empty response, there no group(s) found via enumalsgroups domain command (this is not an error, there seem to be really none)
[+] Got an empty response, there no group(s) found via enumalsgroups builtin command (this is not an error, there seem to be really none)
[+] Got an empty response, there no group(s) found via enumdomgroups command (this is not an error, there seem to be really none)

=========================================
| Share enumeration on 192.168.1.82 |

[+] Found 3 share(s): print$,wave,IPC$
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share wave
[+] Mapping: OK, Listing: OK
[*] Testing share IPC$
[-] Could not check share: NT_STATUS_OBJECT_NAME_NOT_FOUND

===========================================
| Policy information for 192.168.1.82 |

[*] Trying port 139/tcp
[+] Found policy:
force_logoff_time: not set
lockout_duration: 30 minutes
lockout_observation_window: 30 minutes
lockout_threshold: None
max_pw_age: not set
min_pw_age: none
min_pw_length: 5
pw_history_length: None
pw_properties: []
[*] Trying port 445/tcp
[+] Found policy:
force_logoff_time: not set
lockout_duration: 30 minutes
lockout_observation_window: 30 minutes
lockout_threshold: None
max_pw_age: not set
min_pw_age: none
min_pw_length: 5
pw_history_length: None
pw_properties: []

=============================================
| Getting printer info for 192.168.1.82 |

[-] Could not parse result of enumprinters command

Completed after 0.61 seconds
[root@Archlinux enum4linux-ng]#

@cddmp
Owner

cddmp commented May 8, 2020

Glad it works now!

I think I spotted another issue which is unrelated to LDAP. I opened another issue for this here: #5. The printer enumeration doesn't work correctly. Could you run this command:
rpcclient -W WORKGROUP -U "%" -c enumprinters 192.168.1.82 2>&1 rpclient.log
Can you then upload the file rpcclient.log somewhere? It is important that no whitespace characters are lost.

This helps me to extend the code so that the output of rpcclient enumprinters is parsed correctly.

@saltasatelites
Author

saltasatelites commented May 8, 2020

Hi,
running this line only shows the help options. I've tried with another CTF box with same results.
The output in the console of rpcclient -W WORKDOMAIN -U "%" -c enumprinters 192.168.1.82 is No printers returned.

@cddmp
Owner

cddmp commented May 9, 2020

Thanks again for your help! I updated the tool: 380d3e0
The code should handle the enumprinters result correctly now. From my understanding of the rpcclient source code, this is not an error, it just says that there were no printers found. You should see a green line telling you that.

@saltasatelites
Author

saltasatelites commented May 9, 2020

Glad to help you. If you need more tests tell me if you want. :)
I'm not a professional but in my opinion you have made a great rebuild, and the output looks clear and concise.

This time I have tested with another CTF box, "Symfonos".
And all works fine!!

[root@Archlinux enum4linux-ng]# python enum4linux-ng.py 192.168.1.48
ENUM4LINUX-NG

==========================
| Target Information |

[*] Target ........... 192.168.1.48
[*] Username ......... ''
[*] Random Username .. 'zpmyosxn'
[*] Password ......... ''
[*] RID Range(s) ..... 500-550,1000-1050
[*] Known Usernames .. 'administrator,guest,krbtgt,domain admins,root,bin,none'

=====================================================
| Getting information via LDAP for 192.168.1.48 |

[*] Trying LDAP
[-] LDAP connect error: Connection refused
[*] Trying LDAPS
[-] LDAPS connect error: Connection refused

==============================================
| Getting NetBIOS names for 192.168.1.48 |

[+] Got domain/workgroup name: WORKGROUP
[+] Full NetBIOS names information:

  • SYMFONOS <00> - B Workstation Service
  • SYMFONOS <03> - B Messenger Service
  • SYMFONOS <20> - B File Server Service
  • WORKGROUP <00> - B Domain/Workgroup Name
  • WORKGROUP <1e> - B Browser Service Elections
  • MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 192.168.1.48 |

[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[+] Server allows session using username 'zpmyosxn', password ''
[+] Re-running enumeration with user 'zpmyosxn' might give more results.

===================================================
| Getting domain information for 192.168.1.48 |

[+] Domain: WORKGROUP
[-] Could not get domain SID from lsaquery
[-] Could not determine if host is part of domain or part of a workgroup

======================================
| OS information on 192.168.1.48 |

[+] The following OS information were found:
server_type_string = Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
platform_id = 500
os_version = 6.1
server_type = 0x809a03

=============================
| Users on 192.168.1.48 |

[*] Enumerating users
[+] Found 1 via 'querydispinfo'
[+] Found 1 via 'enumdomusers'
[+] After merging user results we have 1 users total:
'1000':
username: helios
name: ''
acb: '0x00000010'
description: ''

==============================
| Groups on 192.168.1.48 |

[*] Enumerating groups
[+] Got an empty response, there no group(s) found via enumalsgroups domain command (this is not an error, there seem to be really none)
[+] Got an empty response, there no group(s) found via enumalsgroups builtin command (this is not an error, there seem to be really none)
[+] Got an empty response, there no group(s) found via enumdomgroups command (this is not an error, there seem to be really none)

=========================================
| Share enumeration on 192.168.1.48 |

[+] Found 4 share(s): print$,helios,anonymous,IPC$
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share helios
[+] Mapping: DENIED, Listing: N/A
[*] Testing share anonymous
[+] Mapping: OK, Listing: OK
[*] Testing share IPC$
[-] Could not check share: NT_STATUS_OBJECT_NAME_NOT_FOUND

===========================================
| Policy information for 192.168.1.48 |

[*] Trying port 139/tcp
[+] Found policy:
force_logoff_time: 37 days 6 hours 21 minutes
lockout_duration: 30 minutes
lockout_observation_window: 30 minutes
lockout_threshold: None
max_pw_age: 37 days 6 hours 21 minutes
min_pw_age: none
min_pw_length: 5
pw_history_length: None
pw_properties: []
[*] Trying port 445/tcp
[+] Found policy:
force_logoff_time: 37 days 6 hours 21 minutes
lockout_duration: 30 minutes
lockout_observation_window: 30 minutes
lockout_threshold: None
max_pw_age: 37 days 6 hours 21 minutes
min_pw_age: none
min_pw_length: 5
pw_history_length: None
pw_properties: []

=============================================
| Getting printer info for 192.168.1.48 |

[+] No printers returned (this is not an error).

Completed after 0.79 seconds
[root@Archlinux enum4linux-ng]#

@cddmp
Owner

cddmp commented May 9, 2020

Thank you! :)
I think that's all for now. If you find other issues, let me know.
Will close this now.

@cddmp cddmp closed this as completed May 9, 2020
@cddmp cddmp added the bug Something isn't working label Nov 23, 2020