Connection reset by peer when adding a DNS record with dnstool.py

[benji1000]

Hello,

here is what happens when I try adding a record using dnstool.py (of course replacing the values for DOMAIN, USER, PASSWORD):

python3 /opt/krbrelayx/dnstool.py -u 'DOMAIN\USER' -p 'PASSWORD' --record 'kali' --action add --data 192.168.50.59 SRV-AD-02

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 82, in receiving
    data = self.connection.socket.recv(self.socket_size)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/krbrelayx/dnstool.py", line 610, in <module>
    main()
  File "/opt/krbrelayx/dnstool.py", line 538, in main
    c.add(record_dn, ['top', 'dnsNode'], node_data)
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 987, in add
    response = self.post_send_single_response(self.send('addRequest', request, controls))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 121, in post_send_single_response
    responses, result = self.get_response(message_id)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/base.py", line 356, in get_response
    responses = self._get_response(message_id, timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 157, in _get_response
    responses = self.receiving()
                ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 92, in receiving
    raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: [Errno 104] Connection reset by peer

After that, I am not able to make a simple connection to the DC using cme/nxc...

It is the use of dnstool.py that creates this situation, no other tool does that. What could I provide you with to help you troubleshoot?

[dirkjanm]

That is odd. Is this a real environment or a lab? Could you try instead to specify the hostname with ldaps:// prefix

[benji1000]

It is a real environment. I used ldaps://MACHINE-NAME and ldaps://MACHINE-NAME.DOMAIN.TLD.

Different stacktrace:

[-] Connecting to host...
[-] Binding to host
Traceback (most recent call last):
  File "/opt/krbrelayx/dnstool.py", line 610, in <module>
    main()
  File "/opt/krbrelayx/dnstool.py", line 430, in main
    if not c.bind():
           ^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 104] Connection reset by peer

The LDAPS TCP/636 port is open on the machine.

[benji1000]

I have access to the environment until Friday 16th 11:00 AM UTC. Feel free to tell me if I can perform other tests!

[dirkjanm]

since I have never seen Windows behave this way, it sounds like some IDS/IPS/EDR product is dropping your connection. usually using LDAP over TLS works around this but in your environment it doesn't sound like that is working either. I don't have any ideas right now what you could try to bypass this

[benji1000]

There isn't any specific EDR on the machine, only Windows Defender. I didn't have the chance to investigate the logs, so I guess the story ends here... If I am able to gather some logs, I will post them, but I doubt it.

Thank you for your time anyway! And for the tool, which works well in other environments where I was able to use it :)

[kulinacs]

tl;dr instead of using ldaps://host to connect, use -force-ssl and -port 636

Just encountered this error as well - it appears be an odd behavior due to how arguments are passed when creating a connection.

https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py#L424

My guess is that it attempts to use port 389, even if you try ldaps://host

[qu35t-code]

Hi all,

Update: we encountered the same issue (EDR ban). Switching to LDAPS by forcing SSL on port 636 resolved it. Thank you.

[samy4samy]

@qu35t-code : i guess i'm in the same situation where you were ( i guess there is some SSL inspection by FW or EDR ) ...even when specifying LDAPS on port 636 got the same error : (
any thought ?

[qu35t-code]

Hey @samy4samy,

I haven’t tested this approach, but creating a machine and configuring DNS on it might bypass this detection, rather than doing it through a user account maybe