adauth

Active Directory Authentication Library


Warning: The API of this library is not yet stable. Expect breaking changes.

adauth is a Go library for Active Directory authentication. It can be used to quickly set up authentication options:

```go
// Imports needed by the snippet below (the adauth module path is assumed here;
// use the path from this repository's go.mod).
import (
    "context"

    "github.com/RedTeamPentesting/adauth"
    "github.com/spf13/pflag"
)

var (
    ctx      = context.Background()
    authOpts = &adauth.Options{}
)

authOpts.RegisterFlags(pflag.CommandLine)
pflag.Parse()
// Flags registered by RegisterFlags:
//     --aes-key hex key       Kerberos AES hex key
//     --ccache file           Kerberos CCache file name (defaults to $KRB5CCNAME, currently unset)
//     --dc string             Domain controller
// -k, --kerberos              Use Kerberos authentication
// -H, --nt-hash hash          NT hash ('NT', ':NT' or 'LM:NT')
// -p, --password string       Password
//     --pfx file              Client certificate and private key as PFX file
//     --pfx-password string   Password for PFX file
// -u, --user user@domain      Username ('user@domain', 'domain\user', 'domain/user' or 'user')

// The three calls below are alternatives; a program normally uses one of them.

// Credentials for an arbitrary target:
creds, target, err := authOpts.WithTarget(ctx, "smb", pflag.Arg(0))
if err != nil { /* error handling */ }

// Only credentials are needed, no specific target
// (plain assignment: creds and err are already declared above):
creds, err = authOpts.NoTarget()
if err != nil { /* error handling */ }

// Credentials to authenticate to the corresponding DC:
creds, dc, err := authOpts.WithDCTarget(ctx, "ldap")
if err != nil { /* error handling */ }
```

It deduces as much information from the parameters as possible. For example, Kerberos authentication is possible even when specifying the target via IP address if reverse lookups are possible. Similarly, the domain can be omitted when the target hostname contains the domain.
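The following is an added illustration, not adauth's own code, of the two pieces of that deduction that can be shown without a network: parsing the `--user` and `--nt-hash` formats listed in the flag help, and falling back to the DNS domain of the target hostname when the user spec carries no domain. The names `ParseUser`, `ParseNTHash`, `DeduceDomain` and the sample inputs are constructed for this example; the reverse-lookup path for IP targets is deliberately left as an error rather than a DNS call.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Illustrative re-implementation (not adauth's code) of the documented formats:
//   --user:    'user@domain', 'domain\user', 'domain/user' or 'user'
//   --nt-hash: 'NT', ':NT' or 'LM:NT'

// UserSpec is a parsed --user argument; Domain is empty when not supplied.
type UserSpec struct {
	User   string
	Domain string
}

// ParseUser splits a username argument given in one of the four documented forms.
func ParseUser(spec string) (UserSpec, error) {
	spec = strings.TrimSpace(spec)
	var u UserSpec
	switch {
	case strings.Contains(spec, "@"):
		i := strings.LastIndex(spec, "@")
		u = UserSpec{User: spec[:i], Domain: spec[i+1:]}
	case strings.ContainsAny(spec, `\/`):
		i := strings.IndexAny(spec, `\/`)
		u = UserSpec{User: spec[i+1:], Domain: spec[:i]}
	default:
		u = UserSpec{User: spec}
	}
	if u.User == "" {
		return UserSpec{}, fmt.Errorf("no username in %q", spec)
	}
	u.Domain = strings.ToLower(u.Domain)
	return u, nil
}

// ParseNTHash accepts 'NT', ':NT' or 'LM:NT' and returns the lower-case NT hash.
// An LM part, if present, is ignored: NTLM and Kerberos only need the NT hash.
func ParseNTHash(spec string) (string, error) {
	parts := strings.Split(strings.TrimSpace(spec), ":")
	if len(parts) > 2 {
		return "", fmt.Errorf("invalid hash format %q", spec)
	}
	nt := strings.ToLower(parts[len(parts)-1])
	if len(nt) != 32 {
		return "", fmt.Errorf("NT hash must be 32 hex characters, got %d", len(nt))
	}
	for _, c := range nt {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return "", fmt.Errorf("NT hash contains non-hex character %q", c)
		}
	}
	return nt, nil
}

// DeduceDomain returns the domain to authenticate against: the one given with
// the user if any, otherwise the DNS domain of the target hostname (everything
// after the first label). An IP target would need a reverse lookup, which this
// example does not perform, so it is reported as an error.
func DeduceDomain(u UserSpec, target string) (string, error) {
	if u.Domain != "" {
		return u.Domain, nil
	}
	host := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(target), "."))
	if net.ParseIP(host) != nil {
		return "", errors.New("target is an IP address; the domain requires a reverse lookup")
	}
	i := strings.Index(host, ".")
	if i <= 0 || i == len(host)-1 {
		return "", fmt.Errorf("no domain given and target %q is not an FQDN", target)
	}
	return host[i+1:], nil
}

func main() {
	// Constructed sample inputs.
	u, err := ParseUser("alice")
	if err != nil {
		panic(err)
	}
	domain, err := DeduceDomain(u, "dc01.corp.example.")
	fmt.Println(u.User, domain, err)
	nt, err := ParseNTHash(":0123456789abcdef0123456789abcdef")
	fmt.Println(nt, err)
}
```

The trailing-dot and case handling matter in practice: Kerberos realm names are compared case-insensitively only by convention, and a target given as `DC01.CORP.EXAMPLE.` from a DNS tool should still yield the same domain as `dc01.corp.example`.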

The library also contains helper packages for LDAP and DCERPC, a Kerberos PKINIT implementation as well as helpers for creating and writing CCache files (see examples).

Features

  • Kerberos
    • PKINIT
    • UnPAC-the-Hash
    • Pass-the-Hash (RC4/NT or AES key)
    • CCache (containing TGT or ST)
  • NTLM
    • Pass-the-Hash
  • LDAP
    • Kerberos, NTLM, Simple Bind
    • mTLS Authentication / Pass-the-Certificate (LDAPS or LDAP+StartTLS)
    • Channel Binding (Kerberos and NTLM)
  • DCERPC
    • Kerberos, NTLM
    • Raw endpoints (with port mapping)
    • Named pipes (SMB)
    • Signing
    • Sealing

Caveats

LDAP:

The LDAP helper package does not support authentication using RC4 service tickets from a CCache, since Windows returns unsupported GSSAPI wrap tokens during the SASL handshake when presented with an RC4 service ticket (see github.com/jcmturner/gokrb5/pull/498).

However, it should still be possible to request an AES256 service ticket instead, even when an NT hash was used for pre-authentication. Unfortunately, impacket always requests RC4 tickets. This behavior can be changed by adding `int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value)` as the first element of the list of encryption types impacket requests.

The LDAP library does not (yet) support LDAP signing, but it supports channel binding for LDAPS and LDAP+StartTLS which is typically sufficient as a workaround unless the server lacks a TLS certificate.