URL based examples

Both the connection and the authentication can be controlled via the url parameter.

The same example code will be used in this tutorial, only the url parameter will change

Sample code

import asyncio
from msldap.commons.factory import LDAPConnectionFactory

url = 'ldap+simple://TEST\\victim:Passw0rd!1@10.10.10.2'

async def client(url):
	conn_url = LDAPConnectionFactory.from_url(url)
	ldap_client = conn_url.get_client()
	_, err = await ldap_client.connect()
	if err is not None:
		raise err

	user = await ldap_client.get_user('Administrator')
	print(str(user))

if __name__ == '__main__':	
	asyncio.run(client(url))

Authentication

Simple bind

username and password

'ldap+simple://TEST\\victim:Passw0rd!1@10.10.10.2'

Sicily bind

The sicily bind was created by Microsoft and provides the same mechanisms as “GSSAPI - NTLM”

username and password

'ldap+sicily://TEST\\victim:Passw0rd!1@10.10.10.2'

GSSAPI - NTLM bind

username and password

'ldap+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2'

NT hash of the user

'ldap+ntlm-nt://TEST\\victim:f8963568a1ec62a3161d9d6449baba93@10.10.10.2'

SSPI integrated auth. This will use the current user’s authentication context. The username doesn’t matter, but the correct domain must be set! Windows only

'ldap+sspi-ntlm://TEST\\victim@10.10.10.2'

GSSAPI - Kerberos bind

Warning

For kerberos authentication type, the dc parameter with the kerberos server’s IP address must be set!

username and password

this allows they kerberos ticket encryption type to be set with the etype parameter

'ldap+kerberos-password://TEST\\victim:Passw0rd!1@10.10.10.2/?dc=10.10.10.2'

'ldap+kerberos-password://TEST\\victim:Passw0rd!1@10.10.10.2/?dc=10.10.10.2&etype=23'

RC4 key (same as NT hash)

'ldap+kerberos-rc4://TEST\\victim:f8963568a1ec62a3161d9d6449baba93@10.10.10.2/?dc=10.10.10.2'

AES key (both 128 and 256 bits supported)

'ldap+kerberos-aes://TEST\\victim:XXXXX@10.10.10.2/?dc=10.10.10.2'

SSPI integrated auth.

This will use the current user’s authentication context.

The username doesn’t matter, but the correct domain must be set! Windows only

'ldap+sspi-kerberos://TEST\\victim@10.10.10.2/?dc=10.10.10.2'

Anonymous Bind

Currently only the simple bind provides anonymous auth

'ldap+simple://10.10.10.2'

Connection

Various connection options available. Most of them are listed below.

LDAPS

LDAP-over-SSL can be selected by replacing the ldap specification in the url parameter with ldaps

Warning

For a successful connection over LDAPS the proper hostname of the server must be used!

'ldaps+simple://dc1.test.corp'

Channel Binding

When LDAPS is used, the module automatically performs channel binding. No additional changes necessary

Encryption

When GSSAPI authentication is used, the encryption can be turned on to provide more security.

This is done by the encrypt parameter added to the url.

It is not enabled by default, as it can slow down the connection considerably.

Warning

Channel encryption MUST NOT be used together with LDAPS! Doing so will result in failed connection! (this limitation is in the server implementation, not in msldap)

'ldap+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2/?encrypt=1'

Proxy

Socks4 and Socks5 proxying is fully supported.

Proxy settings are controlled via additional url parameters

The following attributes must be set:

proxyhost - IP address or hostname of the proxy server

proxyport - port of the proxy service

proxytype - type os the proxy. Can be socks5 or socks4

'ldap+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2/?proxyhost=127.0.0.1&proxyport=1080&proxytype=socks5'