LDAP Signing & Channel Binding Ojačavanje

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Zašto je važno

LDAP relay/MITM omogućava napadačima da prosleđuju bindove ka Domain Controller-ima kako bi dobili autentifikovane kontekste. Dve kontrole na strani servera umanjuju ove puteve:

  • LDAP Channel Binding (CBT) veže LDAPS bind za određeni TLS tunel, onemogućavajući relays/replays preko različitih kanala.
  • LDAP Signing primorava integritetom zaštićene LDAP poruke, sprečavajući izmenu (tampering) i većinu nepotpisanih relaya.

Brza ofensivna provera: alati kao netexec ldap <dc> -u user -p pass ispišu konfiguraciju servera. Ako vidite (signing:None) i (channel binding:Never), Kerberos/NTLM relays to LDAP su izvodljivi (npr. koristeći KrbRelayUp za upis msDS-AllowedToActOnBehalfOfOtherIdentity za RBCD i impersonaciju administratora).

Server 2025 DCs uvode novu GPO (LDAP server signing requirements Enforcement) koja po podrazumevanoj vrednosti postavlja Require Signing kada je ostavljena Not Configured. Da biste izbegli prisiljavanje, morate eksplicitno postaviti tu politiku na Disabled.

LDAP Channel Binding (LDAPS only)

  • Requirements:
  • CVE-2017-8563 patch (2017) adds Extended Protection for Authentication support.
  • KB4520412 (Server 2019/2022) adds LDAPS CBT “what-if” telemetry.
  • GPO (DCs): Domain controller: LDAP server channel binding token requirements
  • Never (podrazumevano, nema CBT)
  • When Supported (audit: beleži neuspehe, ne blokira)
  • Always (enforce: odbija LDAPS bindove bez važećeg CBT)
  • Audit: set When Supported to surface:
  • 3074 – LDAPS bind would have failed CBT validation if enforced.
  • 3075 – LDAPS bind omitted CBT data and would be rejected if enforced.
  • (Event 3039 still signals CBT failures on older builds.)
  • Enforcement: set Always once LDAPS clients send CBTs; only effective on LDAPS (not raw 389).

LDAP Signing

  • Client GPO: Network security: LDAP client signing requirements = Require signing (vs Negotiate signing default on modern Windows).
  • DC GPO:
  • Legacy: Domain controller: LDAP server signing requirements = Require signing (default is None).
  • Server 2025: leave legacy policy at None and set LDAP server signing requirements Enforcement = Enabled (Not Configured = enforced by default; set Disabled to avoid it).
  • Compatibility: only Windows XP SP3+ supports LDAP signing; older systems will break when enforcement is enabled.
  1. Enable LDAP interface diagnostics on each DC to log unsigned binds (Event 2889):
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
  1. Podesite DC GPO LDAP server channel binding token requirements = When Supported da biste pokrenuli CBT telemetriju.
  2. Pratite Directory Service događaje:
  • 2889 – unsigned/unsigned-allow binds (signing neusklađeno).
  • 3074/3075 – LDAPS binds koji bi propali ili izostavili CBT (zahteva KB4520412 na 2019/2022 i korak 2 iznad).
  1. Sprovodite u odvojenim izmenama:
  • LDAP server channel binding token requirements = Always (DCs).
  • LDAP client signing requirements = Require signing (clients).
  • LDAP server signing requirements = Require signing (DCs) or (Server 2025) LDAP server signing requirements Enforcement = Enabled.

References

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks