URL based examples
Both the connection and the authentication can be controlled via the url parameter.
The same example code is used throughout this tutorial; only the url parameter changes.
Sample code

import asyncio
from msldap.commons.factory import LDAPConnectionFactory

# Connection and authentication are both selected by this URL
url = 'ldap+simple://TEST\\victim:Passw0rd!1@10.10.10.2'

async def client(url):
    conn_url = LDAPConnectionFactory.from_url(url)
    ldap_client = conn_url.get_client()
    # connect() returns a (result, error) tuple instead of raising
    _, err = await ldap_client.connect()
    if err is not None:
        raise err
    user = await ldap_client.get_user('Administrator')
    print(str(user))

if __name__ == '__main__':
    asyncio.run(client(url))

Authentication
Simple bind
username and password
'ldap+simple://TEST\\victim:Passw0rd!1@10.10.10.2'
Sicily bind
The sicily bind was created by Microsoft and provides the same mechanisms as “GSSAPI - NTLM”.
username and password
'ldap+sicily://TEST\\victim:Passw0rd!1@10.10.10.2'
GSSAPI - NTLM bind
username and password
'ldap+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2'
NT hash of the user
'ldap+ntlm-nt://TEST\\victim:f8963568a1ec62a3161d9d6449baba93@10.10.10.2'
SSPI integrated auth. This will use the current user’s authentication context. The username doesn’t matter, but the correct domain must be set! Windows only.
'ldap+sspi-ntlm://TEST\\victim@10.10.10.2'
GSSAPI - Kerberos bind
Warning
For the Kerberos authentication types, the dc parameter with the Kerberos server’s IP address must be set!
username and password
This allows the Kerberos ticket encryption type to be set with the etype parameter.
'ldap+kerberos-password://TEST\\victim:Passw0rd!1@10.10.10.2/?dc=10.10.10.2'
'ldap+kerberos-password://TEST\\victim:Passw0rd!1@10.10.10.2/?dc=10.10.10.2&etype=23'
RC4 key (same as NT hash)
'ldap+kerberos-rc4://TEST\\victim:f8963568a1ec62a3161d9d6449baba93@10.10.10.2/?dc=10.10.10.2'
AES key (both 128 and 256 bits supported)
'ldap+kerberos-aes://TEST\\victim:XXXXX@10.10.10.2/?dc=10.10.10.2'
SSPI integrated auth.
This will use the current user’s authentication context.
The username doesn’t matter, but the correct domain must be set! Windows only.
'ldap+sspi-kerberos://TEST\\victim@10.10.10.2/?dc=10.10.10.2'
Anonymous Bind
Currently only the simple bind provides anonymous auth.
'ldap+simple://10.10.10.2'
Connection
Various connection options are available. Most of them are listed below.
LDAPS
LDAP-over-SSL can be selected by replacing the ldap specification in the url parameter with ldaps
Warning
For a successful connection over LDAPS the proper hostname of the server must be used!
'ldaps+simple://dc1.test.corp'
Channel Binding
When LDAPS is used, the module automatically performs channel binding. No additional changes are necessary.
Encryption
When GSSAPI authentication is used, the encryption can be turned on to provide more security.
This is done by the encrypt parameter added to the url.
It is not enabled by default, as it can slow down the connection considerably.
Warning
Channel encryption MUST NOT be used together with LDAPS! Doing so will result in a failed connection! (This limitation is in the server implementation, not in msldap.)
'ldap+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2/?encrypt=1'
Proxy
Socks4 and Socks5 proxying is fully supported.
Proxy settings are controlled via additional url parameters.
The following attributes must be set:
proxyhost - IP address or hostname of the proxy server
proxyport - port of the proxy service
proxytype - type of the proxy. Can be socks5 or socks4
'ldap+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2/?proxyhost=127.0.0.1&proxyport=1080&proxytype=socks5'
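
The URL rules stated on this page (dc for Kerberos, a hostname for LDAPS, no encrypt with LDAPS, all three proxy parameters) can be checked before a URL is handed to the client, and the embedded secret hidden before the URL is logged. This is an added example, not part of msldap; check_url, PROXY_KEYS and the message strings are hypothetical names, and only the Python standard library is used.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

PROXY_KEYS = {'proxyhost', 'proxyport', 'proxytype'}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_url(url):
    """Return (redacted_url, problems) for a connection URL (hypothetical helper)."""
    parts = urlsplit(url)
    proto, _, auth = parts.scheme.partition('+')
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if proto not in ('ldap', 'ldaps'):
        problems.append('scheme must start with ldap or ldaps')
    if 'kerberos' in auth and 'dc' not in params:
        problems.append('kerberos auth requires the dc parameter')
    if proto == 'ldaps' and _is_ip(parts.hostname or ''):
        problems.append('LDAPS needs the server hostname, not an IP address')
    # Only the encrypt=1 form shown on the page is treated as "enabled".
    if proto == 'ldaps' and params.get('encrypt') == '1':
        problems.append('encrypt must not be combined with LDAPS')
    present = PROXY_KEYS & set(params)
    if present and present != PROXY_KEYS:
        problems.append('proxyhost, proxyport and proxytype must all be set')
    elif present and params['proxytype'] not in ('socks4', 'socks5'):
        problems.append('proxytype must be socks5 or socks4')
    # The secret may be a password, an NT hash or a Kerberos key: hide all of them.
    redacted = url
    if parts.password is not None:
        redacted = url.replace(':' + parts.password + '@', ':<redacted>@', 1)
    return redacted, problems

if __name__ == '__main__':
    # Constructed inputs built from the URL forms on this page.
    for sample in (
        'ldap+kerberos-password://TEST\\victim:Passw0rd!1@10.10.10.2',
        'ldaps+ntlm-password://TEST\\victim:Passw0rd!1@10.10.10.2/?encrypt=1',
        'ldaps+simple://dc1.test.corp',
    ):
        print(check_url(sample))
```

Because the password, NT hash or key sits in the URL itself, log or display only the redacted form returned here.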