GetUserSPNs.py: "Error in bindRequest -> invalidCredentials: 80090346: LdapErr: DSID-0C09069E, comment: AcceptSecurityContext error, data 80090346, v2580" #884

Open
corsch opened this issue Jun 17, 2020 · 6 comments · May be fixed by #1652

Comments

corsch commented Jun 17, 2020

Configuration

impacket version: Impacket v0.9.21
Python version: Python 3.8.3
Target OS: kali-rolling

Debug Output With Command String

python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN/USER> -debug

python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request  -dc-ip <DC_IP> <DOMAIN/USER> -debug
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Password:
[+] Connecting to <DC_IP>, port 389, SSL False
[+] Connecting to <DC_IP>, port 636, SSL True
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 261, in run
    ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
  File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 341, in login
    raise LDAPSessionError(
impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 466, in <module>
    executer.run()
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 270, in run
    ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
  File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 341, in login
    raise LDAPSessionError(
impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> invalidCredentials: 80090346: LdapErr: DSID-0C09069E, comment: AcceptSecurityContext error, data 80090346, v2580
[-] Error in bindRequest -> invalidCredentials: 80090346: LdapErr: DSID-0C09069E, comment: AcceptSecurityContext error, data 80090346, v2580

Additional context

Active Directory is running on Server 2012R2 (2012R2 Mode)

As far as I can tell the issue started after enabling "LDAP Channel Binding and LDAP Signing" as described in the following Security Advisory:

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

@corsch corsch changed the title GetUserSPNs.py: " Error in bindRequest -> invalidCredentials: 80090346: LdapErr: DSID-0C09069E, comment: AcceptSecurityContext error, data 80090346, v2580" GetUserSPNs.py: "Error in bindRequest -> invalidCredentials: 80090346: LdapErr: DSID-0C09069E, comment: AcceptSecurityContext error, data 80090346, v2580" Jun 17, 2020
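
The two bind errors in the report above come from different controls: the port 389 bind is refused because LDAP signing is enforced, and the port 636 bind is refused because of channel binding, even though the server labels it invalidCredentials. The following is an added example, not part of the issue or of impacket: a small parser that tells these cases apart from a genuine bad password. The code meanings (0x2028 ERROR_DS_STRONG_AUTH_REQUIRED, 0x80090346 SEC_E_BAD_BINDINGS, 0x52e ERROR_LOGON_FAILURE) are standard Windows error codes rather than something stated in the thread, and the third sample line is constructed with a placeholder DSID.

```python
import re

# Shape of the diagnostic string a domain controller returns on a failed bind,
# as seen in the tracebacks in this thread.
BIND_ERROR = re.compile(
    r"bindRequest -> (?P<result>\w+): (?P<code>[0-9A-Fa-f]{8}): LdapErr: "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<build>\w+)"
)

ERROR_DS_STRONG_AUTH_REQUIRED = 0x2028  # LDAP signing enforced, bind was unsigned
SEC_E_BAD_BINDINGS = 0x80090346         # channel binding token missing or wrong
ERROR_LOGON_FAILURE = 0x52E             # unknown user or bad password


def parse_bind_error(line):
    """Return the fields of an AD bind error as a dict, or None if absent."""
    m = BIND_ERROR.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"], 16)  # both numeric fields are hex
    fields["data"] = int(fields["data"], 16)
    return fields


def diagnose(line):
    """Map a bind error to the control that rejected it."""
    f = parse_bind_error(line)
    if f is None:
        return "unparsed"
    if f["result"] == "strongerAuthRequired" and f["code"] == ERROR_DS_STRONG_AUTH_REQUIRED:
        return "ldap-signing-enforced"
    if f["result"] == "invalidCredentials":
        if f["data"] == SEC_E_BAD_BINDINGS:
            return "channel-binding-enforced"
        if f["data"] == ERROR_LOGON_FAILURE:
            return "bad-credentials"
    return "other"


SAMPLES = [
    # First two: copied from the issue above. Third: constructed for contrast.
    r"Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580",
    "Error in bindRequest -> invalidCredentials: 80090346: LdapErr: DSID-0C09069E, comment: AcceptSecurityContext error, data 80090346, v2580",
    "Error in bindRequest -> invalidCredentials: 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v2580",
]
```

Seeing `ldap-signing-enforced` on 389 and `channel-binding-enforced` on 636 from a client that supports neither is the expected result once the ADV190023 settings are active on the domain controller.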
maaaaz commented Jun 20, 2020

cf. #474

@0xdeaddood 0xdeaddood added this to the 0.9.23 milestone Mar 16, 2021
@0xdeaddood 0xdeaddood removed this from the 0.9.23 milestone Jun 14, 2021
rmdavy commented Aug 17, 2021

Any progress on this issue? Had the same problem.

sm00v commented Jul 13, 2022

Bump. Having the same issue.

└─# crackmapexec ldap 192.168.100.39 -u user -p '2022test' --kdcHost 'c2.domain.local' --kerberos > 1 ⨯

[*] completed: 100.00% (1/1)
SMB 192.168.100.39 445 server [*] Windows Server 2016 Standard 14393 x64 (name:server) (domain:server.local) (signing:True) (SMBv1:True)
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/cme/protocols/ldap.py", line 176, in kerberos_login
    self.ldapConnection.kerberosLogin(self.username, self.password, self.domain, self.lmhash, self.nthash,
  File "/usr/local/lib/python3.9/dist-packages/impacket/ldap/ldap.py", line 276, in kerberosLogin
    raise LDAPSessionError(
impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C090273, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/crackmapexec", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/cme/crackmapexec.py", line 254, in main
    asyncio.run(
  File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/local/lib/python3.9/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/local/lib/python3.9/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
    return await fut
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/dist-packages/cme/protocols/ldap.py", line 53, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/local/lib/python3.9/dist-packages/cme/connection.py", line 62, in __init__
    self.proto_flow()
  File "/usr/local/lib/python3.9/dist-packages/cme/connection.py", line 98, in proto_flow
    if self.login() or (self.username == '' and self.password == ''):
  File "/usr/local/lib/python3.9/dist-packages/cme/connection.py", line 163, in login
    if self.kerberos_login(self.domain, self.aesKey, self.kdcHost): return True
  File "/usr/local/lib/python3.9/dist-packages/cme/protocols/ldap.py", line 194, in kerberos_login
    self.logger.success(out)
UnboundLocalError: local variable 'out' referenced before assignment

@brownintown01

same issue -

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Password:
[+] Connecting to <DC_IP>, port 389, SSL False
[+] Connecting to <DC_IP>, port 636, SSL True
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 261, in run
    ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
  File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 341, in login
    raise LDAPSessionError(
impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 466, in <module>
    executer.run()
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 270, in run
    ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
  File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 341, in login

@Retrospected

I am facing the same issue. In my case the targeted LDAP service requires signing and throws this exception. LDAPS is not available.

@FrankSpierings

Perform the attack using -k to use Kerberos authentication. This appeared to work for me.
