[NSE] ldap.lua vs AD objectSID #938

Closed. Wants to merge 4 commits.


TomSellers commented Jul 12, 2017 edited

The ldap.lua NSE library currently in SVN doesn't correctly handle the Active Directory objectSID attribute. Instead it attempts to perform additional ASN.1 decoding on it. Attached is a patch that implements the correct conversion from bytes to the human-readable string, such as 1-5-21-542895397-2936746693-3965599772-500.

If there aren't any issues or concerns I'll commit the code later this week.

Testing command

This command was tested against a Windows 2012 R2 host functioning as an Active Directory Controller. The user had Domain Admin privileges and so should be able to access all attributes.

nmap -d -p 389 --script ldap-search --script-args \
'ldap.username="CN=Administrator,CN=Users,DC=adlab,DC=pwnable", \
ldap.password="UserPasswordHere", \
ldap.qfilter=users, \
ldap.attrib=*, \
ldap.savesearch=test' \
-Pn  192.168.50.231

Before patch

<snip>
NSE: ldap-search against 192.168.50.231:389 threw an error!
/usr/local/bin/../share/nmap/nselib/ldap.lua:657: bad argument #3 to 'format' (number expected, got boolean)
stack traceback:
	[C]: in function 'string.format'
	/usr/local/bin/../share/nmap/nselib/ldap.lua:657: in function 'ldap.searchResultToTable'
	/usr/local/bin/../share/nmap/scripts/ldap-search.nse:263: in function </usr/local/bin/../share/nmap/scripts/ldap-search.nse:119>
	(...tail calls...)

<snip>

After patch

Screen output below, as well as output to the CSV file. The correct objectSID (objectSid: 1-5-21-542895397-2936746693-3965599772-500) was extracted.

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search: 
|   Context: DC=adlab,DC=pwnable; QFilter: users; Attributes: *
|     dn: CN=Administrator,CN=Users,DC=adlab,DC=pwnable
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Administrator
|         description: Built-in account for administering the computer/domain
|         distinguishedName: CN=Administrator,CN=Users,DC=adlab,DC=pwnable
|         instanceType: 4
|         whenCreated: 2017/07/08 17:53:55 UTC
|         whenChanged: 2017/07/08 18:10:24 UTC
|         uSNCreated: 8196
|         memberOf: CN=Group Policy Creator Owners,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Domain Admins,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Enterprise Admins,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Schema Admins,CN=Users,DC=adlab,DC=pwnable
|         memberOf: CN=Administrators,CN=Builtin,DC=adlab,DC=pwnable
|         uSNChanged: 12749
|         name: Administrator
|         objectGUID: 28b03a96-697b-244d-9b27-c7c3d67cd268
|         userAccountControl: 512
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: 2017/07/09 13:51:26 UTC
|         lastLogoff: 0
|         lastLogon: 2017/07/11 12:20:09 UTC
|         logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
|         pwdLastSet: 2017/07/08 17:00:21 UTC
|         primaryGroupID: 513
|         objectSid: 1-5-21-542895397-2936746693-3965599772-500
|         adminCount: 1
|         accountExpires: Never
|         logonCount: 11
|         sAMAccountName: Administrator
|         sAMAccountType: 805306368
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adlab,DC=pwnable
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2017/07/08 18:10:24 UTC
|         dSCorePropagationData: 2017/07/08 18:10:24 UTC
|         dSCorePropagationData: 2017/07/08 17:55:14 UTC
|         dSCorePropagationData: 1601/01/01 18:12:16 UTC
|         lastLogonTimestamp: 2017/07/08 17:56:13 UTC
|     dn: CN=Guest,CN=Users,DC=adlab,DC=pwnable
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Guest
|         description: Built-in account for guest access to the computer/domain
|         distinguishedName: CN=Guest,CN=Users,DC=adlab,DC=pwnable
|         instanceType: 4
|         whenCreated: 2017/07/08 17:53:55 UTC
|         whenChanged: 2017/07/08 17:53:55 UTC
|         uSNCreated: 8197
|         memberOf: CN=Guests,CN=Builtin,DC=adlab,DC=pwnable
|         uSNChanged: 8197
|         name: Guest
|         objectGUID: 47f9e07a-577-164d-a948-7220d99e8e
|         userAccountControl: 66082
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 514
|         objectSid: 1-5-21-542895397-2936746693-3965599772-501
|         accountExpires: 30828/09/14 02:48:05 UTC
|         logonCount: 0
|         sAMAccountName: Guest
|         sAMAccountType: 805306368
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adlab,DC=pwnable
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2017/07/08 17:55:14 UTC
|         dSCorePropagationData: 1601/01/01 00:00:01 UTC
|     dn: CN=PWNWINDC01,OU=Domain Controllers,DC=adlab,DC=pwnable
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         objectClass: computer
|         cn: PWNWINDC01
<SNIP>
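
The byte-to-string conversion the patch performs, as an added stand-alone example in Python (this is not the ldap.lua code from the PR and does not use Nmap's libraries). The `objectSid` attribute is an LDAP octet string carrying Windows' binary SID layout, not a nested BER structure, which is why handing it to the ASN.1 decoder fails: byte 0 is the revision, byte 1 the sub-authority count, bytes 2 to 7 a 48-bit big-endian identifier authority, and then one 32-bit little-endian value per sub-authority. `ADMIN_SID_BYTES` is a constructed input that encodes the Administrator SID shown in the PR output; the decoder emits the canonical `S-` prefix that the PR's output omits. Identifier authorities of 2^32 or more are printed in `0x` hex, as the SID string specification requires, so the decoder handles that edge case as well as truncated input. The `split_domain_and_rid` helper is an assumption of this example, not something the patch provides.

```python
import struct

# Constructed sample: the raw objectSid octets Active Directory returns for
# the built-in Administrator in the PR output (S-1-5-21-...-500).
# Layout: revision(1) | sub-authority count(1) | authority(6, big-endian)
#         | count x sub-authority(4, little-endian)
ADMIN_SID_BYTES = (
    bytes([1, 5])
    + (5).to_bytes(6, "big")   # identifier authority 5 = NT Authority
    + struct.pack("<5I", 21, 542895397, 2936746693, 3965599772, 500)
)


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID into its canonical S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15:
        raise ValueError("sub-authority count %d exceeds the maximum of 15" % count)
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError("SID declares %d sub-authorities but carries %d bytes, expected %d"
                         % (count, len(raw), expected))
    authority = int.from_bytes(raw[2:8], "big")
    # Authorities below 2^32 are written in decimal, larger ones as 0x-prefixed hex.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%X" % authority
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%s" % (revision, auth_text) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(text: str) -> bytes:
    """Inverse of sid_bytes_to_string, useful for round-trip checks and test fixtures."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2], 0)          # base 0 accepts decimal and 0x-hex
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_valid_sid(raw: bytes) -> bool:
    """True if raw decodes cleanly; lets callers reject malformed values without exceptions."""
    try:
        sid_bytes_to_string(raw)
        return True
    except ValueError:
        return False


def split_domain_and_rid(text: str):
    """Split a decoded SID into (domain SID, RID); hypothetical helper for this example.
    Fixed RIDs such as 500 (Administrator) and 501 (Guest) identify the built-in
    accounts even after they have been renamed, which matters when reviewing output."""
    head, _, rid = text.rpartition("-")
    return head, int(rid)


if __name__ == "__main__":
    decoded = sid_bytes_to_string(ADMIN_SID_BYTES)
    print(decoded)
    print(split_domain_and_rid(decoded))
```

Run as a script it prints the Administrator SID and its (domain, RID) split; the Guest entry from the PR output decodes the same way with RID 501.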

nmap-bot closed this in 1663733 Jul 16, 2017
