Allow NTLM authentication without a password #371
Thank you for your PR 👍
v3/bind.go
Outdated
// authenticated or otherwise validated by the LDAP server. | ||
// | ||
// See https://tools.ietf.org/html/rfc4513#section-5.1.2 . | ||
// See https://tools.ietf.org/html/rfc4513#section-6.3.1 . |
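Review bot: both references in these comment lines point at RFC 4513 (sections 5.1.2 and 6.3.1), which cover the unauthenticated mechanism of the LDAP simple bind and its security considerations. If this block documents the NTLM variant, add a reference for the NTLM exchange next to them, since neither link describes it.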
May you please update/add links for the NTLM anonymous request? Maybe refer to this PDF from Microsoft, for example section "3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client"
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/%5BMS-NLMP%5D.pdf
You forgot to update the comment for v3 😅, @nodauf
v3/bind.go
Outdated
@@ -442,6 +445,24 @@ func (l *Conn) NTLMBind(domain, username, password string) error { | |||
return err | |||
} | |||
|
|||
// NTLMUnauthenticatedBind performs an unauthenticated bind. | |||
// | |||
// A username may be provided for trace (e.g. logging) purpose only, but it is normally not |
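Review bot: the doc comment on NTLMUnauthenticatedBind says a username "may be provided for trace (e.g. logging) purpose only", which reads as if the username were optional, yet the function sits next to NTLMBind(domain, username, password). State what the function does with the username in the NTLM exchange, whether an empty username is accepted, and what error the caller gets if it is not.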
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/%5BMS-NLMP%5D.pdf
[...] If the user name and response are empty, the server authenticates the client as the ANONYMOUS user...
In the same document, see section "3.3.2 NTLM v2 Authentication" the pseudo code for the ServerChallenge:
```
If (User is set to "" && Passwd is set to "") <--
    -- Special case for anonymous authentication
    Set NtChallengeResponseLen to 0
    Set NtChallengeResponseMaxLen to 0
    Set NtChallengeResponseBufferOffset to 0
    Set LmChallengeResponse to Z(1)
[...]
```
I interpret that for an anonymous NTLM bind the username must be empty. I don't have an Active Directory server at hand as I'm on vacation, so I can't confirm the behaviour :/
Can someone confirm this?
Did not notice that paper. The results of my tests are below:
- A username with flag Password Not Required and an empty password (or the hash for empty password): A successful logon and I was able to use my ldap connection to retrieve information
- A blank username and password: The error `parsing ntlm-challenge: Anonymous authentication not supported` is returned
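The first test case above succeeded for an account with the Password Not Required flag. As an added example (not code from this PR or from go-ldap), the Go program below audits directory entries for that flag so such accounts can be reviewed. It assumes Active Directory's `userAccountControl` attribute and its bit-AND matching rule; the `Account` and `Finding` types are hypothetical and the sample entries are constructed.

```go
package main

import (
	"fmt"
	"strconv"
)

// userAccountControl bits as documented by Microsoft for Active Directory.
const (
	uacAccountDisable = 0x0002 // ACCOUNTDISABLE
	uacPasswdNotReqd  = 0x0020 // PASSWD_NOTREQD ("Password Not Required")
)

// PasswdNotReqdFilter selects users with PASSWD_NOTREQD set (AD bit-AND matching rule).
const PasswdNotReqdFilter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

// Account is a hypothetical holder for two attributes read from each entry.
type Account struct {
	SAMAccountName string
	UAC            string // userAccountControl as LDAP returns it: a decimal string
}

// Finding is one account that has PASSWD_NOTREQD set.
type Finding struct {
	Name    string
	Enabled bool // false when ACCOUNTDISABLE is also set
}

// AuditPasswdNotReqd returns the accounts with PASSWD_NOTREQD set. Names whose
// userAccountControl does not parse are returned separately for manual review.
func AuditPasswdNotReqd(accounts []Account) (findings []Finding, unparsed []string) {
	for _, a := range accounts {
		uac, err := strconv.ParseInt(a.UAC, 10, 64)
		if err != nil {
			unparsed = append(unparsed, a.SAMAccountName)
			continue
		}
		if uac&uacPasswdNotReqd != 0 {
			findings = append(findings, Finding{Name: a.SAMAccountName, Enabled: uac&uacAccountDisable == 0})
		}
	}
	return findings, unparsed
}

func main() {
	// Constructed sample entries, not taken from the thread.
	sample := []Account{{"alice", "512"}, {"svc-legacy", "544"}, {"old-kiosk", "546"}, {"broken", ""}}
	fmt.Println(AuditPasswdNotReqd(sample))
}
```

`PasswdNotReqdFilter` is the search filter that would produce the entries; enabled findings are the ones to review first.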
Thank you for your tests, @nodauf !
It seems anonymous NTLM authentications aren't supported by the Go NTLM library:
```go
//ProcessChallenge crafts an AUTHENTICATE message in response to the CHALLENGE message
//that was received from the server
func ProcessChallenge(challengeMessageData []byte, user, password string) ([]byte, error) {
	if user == "" && password == "" {
		return nil, errors.New("Anonymous authentication not supported")
	}
```
May you update the comment of the function and remove these lines, as at least a username is required for the NTLM challenge to succeed?
```go
// A username may be provided for trace (e.g. logging) purpose only, but it is normally not
// authenticated or otherwise validated by the LDAP server.
```
Thank you for taking the time to look. The comments have been updated (in both root folder and v3 😅 )
* Allow NTLM authentication without a password
Actually, the function `UnauthenticatedBind` allows an anonymous or a username without password with a SimpleBindRequest. This PR implements the same feature for an NTLMBind with the help of `NTLMUnauthenticatedBind`