Merge pull request Pennyw0rth#670 from Pennyw0rth/ldap_fail

mpgn · web-flow · commit 1319fb4fc49d · 2025-05-22T22:53:10.000+02:00
Fix ldap simple auth with base object
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -151,6 +151,7 @@ def __init__(self, args, db, host):
         self.admin_privs = False
         self.no_ntlm = False
         self.sid_domain = ""
+        self.scope = None
 
         connection.__init__(self, args, db, host)
 
@@ -249,6 +250,8 @@ def enum_host_info(self):
         if ntlm_challenge:
             ntlm_info = parse_challenge(ntlm_challenge)
             self.server_os = ntlm_info["os_version"]
+        else:
+            self.no_ntlm = True
 
         if self.args.domain:
             self.domain = self.args.domain
@@ -419,6 +422,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
                 return False
 
     def plaintext_login(self, domain, username, password):
+
         self.username = username
         self.password = password
         self.domain = domain
@@ -623,7 +627,7 @@ def getUnixTime(self, t):
         return t
 
     def search(self, searchFilter, attributes, sizeLimit=0, baseDN=None) -> list:
-        if baseDN is None and self.args.base_dn:
+        if baseDN is None and self.args.base_dn is not None:
             baseDN = self.args.base_dn
         elif baseDN is None:
             baseDN = self.baseDN
@@ -633,19 +637,24 @@ def search(self, searchFilter, attributes, sizeLimit=0, baseDN=None) -> list:
                 self.logger.debug(f"Search Filter={searchFilter}")
 
                 # Microsoft Active Directory set an hard limit of 1000 entries returned by any search
-                paged_search_control = ldapasn1_impacket.SimplePagedResultsControl(criticality=True, size=1000)
+                paged_search_control = [ldapasn1_impacket.SimplePagedResultsControl(criticality=True, size=1000)] if not self.no_ntlm else ""
                 return self.ldap_connection.search(
+                    scope=self.scope,
                     searchBase=baseDN,
                     searchFilter=searchFilter,
                     attributes=attributes,
                     sizeLimit=sizeLimit,
-                    searchControls=[paged_search_control],
+                    searchControls=paged_search_control,
                 )
         except ldap_impacket.LDAPSearchError as e:
-            if e.getErrorString().find("sizeLimitExceeded") >= 0:
+            if "sizeLimitExceeded" in str(e):
                 # We should never reach this code as we use paged search now
                 self.logger.fail("sizeLimitExceeded exception caught, giving up and processing the data received")
                 e.getAnswers()
+            # if empty username and password is possible that we need to change the scope, we try with a baseObject before returning a fail
+            elif "operationsError" in str(e) and self.scope is None and self.username == "" and self.password == "":
+                self.scope = ldapasn1_impacket.Scope("baseObject")
+                return self.search(searchFilter, attributes, sizeLimit, baseDN)
             else:
                 self.logger.fail(e)
                 return []
