
Add support for SASL and SIMPLE authentication and RootDSE queries in ntlmrelayx.py LDAP(s) SOCKS #2131

Open: d3cept wants to merge 9 commits into fortra:master from d3cept:ldap-relay-socks-sasl


d3cept commented Feb 21, 2026

Adds two features to the LDAP and LDAPS SOCKS plugins.

  • Adds support for SASL and SIMPLE authentication mechanisms
  • Adds support for RootDSE queries

This allows tools that do not use Sicily authentication to proxy through the LDAP(s) SOCKS relay, and handles RootDSE queries that are commonly performed prior to authentication. Overall, this increases the compatibility of the LDAP(s) SOCKS plugins.

Some technical details about this update:

  • SASL and Sicily authentication send similar BindResponse NTLMSSP_CHALLENGE responses, prompting the creation of the build_NTLM_challenge() function to reduce code repetition
  • Similarly, the creation of the check_proxy_sessions() function was needed to reduce the code repetition between all three (3) authentication mechanisms when verifying the authenticating user
  • The LDAP relay client will now perform a RootDSE query upon initial connection to the target LDAP server. This is to add support for all future client RootDSE queries performed through the LDAP(s) SOCKS plugin as unauthenticated queries cannot be passed through

Please let me know if there are any improvements or changes that I can make.

Here are some examples of tools that are supported with this PR:

Netexec

$ proxychains -q nxc ldap 10.129.231.186 --port 389 -d certified.htb -u judith.mader -p proxy --simple-bind --users                  
LDAP        10.129.231.186  389    DC01             [*] None (name:DC01) (domain:certified.htb) (signing:None) (channel binding:Unknown) (NTLM:False)
LDAP        10.129.231.186  389    DC01             [+] certified.htb\judith.mader:proxy 
LDAP        10.129.231.186  389    DC01             [*] Enumerated 9 domain users: certified.htb
LDAP        10.129.231.186  389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.129.231.186  389    DC01             Administrator                 2024-05-13 08:53:16 0        Built-in account for administering the computer/domain      
LDAP        10.129.231.186  389    DC01             Guest                         <never>             0        Built-in account for guest access to the computer/domain    
LDAP        10.129.231.186  389    DC01             krbtgt                        2024-05-13 09:02:51 0        Key Distribution Center Service Account                     
LDAP        10.129.231.186  389    DC01             judith.mader                  2024-05-14 13:22:11 0                                                                    
LDAP        10.129.231.186  389    DC01             management_svc                2024-05-13 09:30:51 0                                                                    
LDAP        10.129.231.186  389    DC01             ca_operator                   2024-05-13 09:32:03 0                                                                    
LDAP        10.129.231.186  389    DC01             alexander.huges               2024-05-14 10:39:08 0                                                                    
LDAP        10.129.231.186  389    DC01             harry.wilson                  2024-05-14 10:39:37 0                                                                    
LDAP        10.129.231.186  389    DC01             gregory.cameron               2024-05-14 10:40:05 0

ldapsearch

$ proxychains -q ldapsearch -x -D 'judith.mader@certified.htb' -w test -H ldap://10.129.231.186 -b 'dc=certified,dc=htb' '(samaccountname=judith.mader)' samaccountname 
# extended LDIF
#
# LDAPv3
# base <dc=certified,dc=htb> with scope subtree
# filter: (samaccountname=judith.mader)
# requesting: samaccountname 
#

# Judith Mader, Users, certified.htb
dn: CN=Judith Mader,CN=Users,DC=certified,DC=htb
sAMAccountName: judith.mader

# search reference
ref: ldap://ForestDnsZones.certified.htb/DC=ForestDnsZones,DC=certified,DC=htb

# search reference
ref: ldap://DomainDnsZones.certified.htb/DC=DomainDnsZones,DC=certified,DC=htb

# search reference
ref: ldap://certified.htb/CN=Configuration,DC=certified,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

anadrianmanrique added the in review label Feb 26, 2026
anadrianmanrique self-assigned this Feb 26, 2026
anadrianmanrique added the enhancement and medium labels and removed the in review label Apr 29, 2026
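
The PR description distinguishes Sicily, SASL and SIMPLE binds and the RootDSE search that clients send before authenticating. As an added example (not code from this PR or from impacket), the parser below classifies raw LDAP requests by those types, which is the distinction a network sensor needs in order to flag, for instance, simple binds on cleartext LDAP. The function names and the sample messages are constructed for illustration.

```python
# Added example (not impacket code); sample messages are hand-constructed.
AUTH_CHOICES = {0x80: "simple", 0xA3: "sasl", 0x89: "sicily-discovery",
                0x8A: "sicily-negotiate", 0x8B: "sicily-response"}  # RFC 4511 + MS-ADTS tags

def read_tlv(buf, pos):                     # -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify_ldap_request(msg):
    tag, body, _ = read_tlv(msg, 0)         # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)           # messageID
    op_tag, op, _ = read_tlv(body, pos)     # protocolOp
    if op_tag == 0x60:                      # BindRequest [APPLICATION 0]
        _, _, p = read_tlv(op, 0)           # version
        _, _, p = read_tlv(op, p)           # name
        auth_tag, auth, _ = read_tlv(op, p) # authentication (AuthenticationChoice)
        kind = AUTH_CHOICES.get(auth_tag, "unknown")
        if kind == "sasl":                  # SaslCredentials.mechanism
            kind += ":" + read_tlv(auth, 0)[1].decode("ascii", "replace")
        return "bind:" + kind
    if op_tag == 0x63:                      # SearchRequest [APPLICATION 3]
        _, base, p = read_tlv(op, 0)        # baseObject
        _, scope, _ = read_tlv(op, p)       # scope (0 = baseObject)
        return "search:rootdse" if base == b"" and scope == b"\x00" else "search:other"
    return "other"

SAMPLES = {  # constructed messages; credential fields hold placeholder bytes only
    "simple": "3011020101600c0201030404636e3d75800178",
    "sasl": "301c02010260170201030400a310040a4753532d53504e45474f04020000",
    "sicily": "3018020103601302010304044e544c4d8a084e544c4d53535000",
    "rootdse": "3025020104632004000a01000a0100020100020100010100870b6f626a656374436c6173733000",
}

if __name__ == "__main__":
    for label, hexmsg in SAMPLES.items():
        print(label, "->", classify_ldap_request(bytes.fromhex(hexmsg)))
```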