Failing to get Domainroot when connecting with LDAPS and Kerberos #62

@er4z0r

I am trying to do ADIDNS Poisoning using dnstool.py in an environment that gives me two hurdles:

  • IPS in place that inspects unencrypted LDAP Traffic
  • The DC is using channel binding but not SMB Signing

What this boils down to is the following:

  1. When I use unencrypted LDAP, the IPS misidentifies my attempt to add a record as an attack on CVE-2020-0664 (LDAP bind works, once dnstool tries to add the record, the connection hangs).
  2. When I try to make an encrypted connection using -port 636 and -force-ssl I run into the problem with ldap3 not supporting channel binding.

I have been able to fix 2. by using the code from PR #41

Based on this issue comment, I also tried to use Kerberos so I could keep the vanilla ldap3 dependency and have another option. Unfortunately I seem to be unable to get it working.

I set up my Kerberos as follows:

getTGT.py -ts -debug "$AD_DOMAIN_FQDN/$AD_USER_SAMACCOUNTNAME"
export KRB5CCNAME=$PWD/pentestuser.ccache &&  getST.py -ts -debug -spn "ldap/$AD_DC_FQDN" -k -no-pass "$AD_DOMAIN_FQDN/$AD_USER_SAMACCOUNTNAME"

And then proceeded to call dnstool.py like so

python3 ~/tools/AD-DS/Kerberos/krbrelayx/dnstool.py --user "$AD_DOMAIN_FQDN\\$AD_USER_SAMACCOUNTNAME" --kerberos -port 636 -force-ssl -a query -r "<redacted>" $AD_DC_FQDN 
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
Traceback (most recent call last):
  File "/home/user/tools/AD-DS/Kerberos/krbrelayx/dnstool.py", line 615, in <module>
    main()
  File "/home/user/tools/AD-DS/Kerberos/krbrelayx/dnstool.py", line 438, in main
    domainroot = s.info.other['defaultNamingContext'][0]
                 ^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'other'

Any hints on what I might be doing wrong?
