Fix ADCS certihound collection failing with Kerberos auth (GSSAPI ASN1 error)#1170
Fix ADCS certihound collection failing with Kerberos auth (GSSAPI ASN1 error)#11700x0Trace wants to merge 1 commit intoPennyw0rth:mainfrom
Conversation
Use ldap3 Kerberos connection for ADCS collection instead of impacket's LDAP, which has a GSSAPI frame reassembly bug in recv_raw() that corrupts responses from Configuration NC queries. NTLM auth continues to use the existing ImpacketLDAPAdapter. Co-Authored-By: Claude Opus 4.6 <[email protected]>
0x0Trace
requested review from
Marshall-Hallenbeck,
NeffIsBack,
mpgn and
zblurx
as code owners
|
Very interesting, thanks for the PR! However, instead of switching to ldap3 (which doesn't support the GSSAPI)) we should fix the bug in impacket (looking at @zblurx :D (he implemented GSSAPI support for impacket so he can probably fix it relatively quickly). |
Oww xD That would be awesome tbh. |
|
Hey @0x0Trace , thanks for the PR (and issue) ! I have been trying to reproduce the issue but I can't. Can you give me more details on the setup ? NXC / Impacket version, how did you installed the tools, stuff like that. Also, I see in your working screenshot that CertiHound collector found 0 certificate template and 0 enterprise CA -> Maybe ldap3 is not working much more than impacket, or maybe your lab is broken ? |
Hey, sorry for the late response been a bit busy. So regarding the lab setup: the original box where I hit the issue (Ghost machine from HTB, Server 2022 Build 20348) didn't have any certificate templates, which is why the screenshot shows 0 templates and 0 Enterprise CAs. That's expected for that environment ldap3 was working fine, the lab just had no ADCS objects to find. That said, I went back and tried reproducing the original ASN1 error against Ghost again and couldn't trigger it this time. Tested against a couple of other boxes as well with no luck. So the issue seems to be intermittent or dependent on specific conditions I haven't been able to pin down yet. No need to continue with this PR if more people report the same issue we can revisit it then. |
|
Interesting okay, @0x0Trace could you create an issue with your finding(s), so we can track it? Hopefully someone runs into this again and we can figure out what is going on. Either some weird setup or network issues perhaps. |
3 participants
Description
When using Kerberos authentication (
--kerberosor--use-kcache) with--bloodhound --collection All/adcs, the CertiHound ADCS collection fails with ASN1 parsing errors like:Root cause: Impacket's LDAP
recv_raw()method has a bug in its GSSAPI frame reassembly. When Kerberos signing/sealing is active, ADCS queries to the Configuration naming context can return responses spanning multiple GSSAPI frames. The reassembly loop condition (while message_length != len(data) - 4) reads too much data when the initial recv contains more bytes than the first frame's length, causingdecrypt()to produce corrupted data that fails ASN1 parsing.Fix: For Kerberos auth, ADCS collection now creates a fresh ldap3 connection using
ADAuthentication.getLDAPConnection()(the same approach BloodHound-CE uses for its own Kerberos LDAP queries). This bypasses impacket's broken GSSAPI wrapping entirely. NTLM/password auth continues to use the existingImpacketLDAPAdapterwhich works correctly without GSSAPI.This PR was created with the assistance of AI (Claude Opus 4.6) for debugging the GSSAPI issue.
Type of change
Setup guide for the review
Bug reproduction:
getTGT.pyorkinit) and export it asKRB5CCNAMEKRB5CCNAME=<ccache> nxc ldap <dc> --use-kcache --bloodhound --collection All --dns-server <dns><TagSet object, tags 64:0:21> not in asn1Spec(or similar tag like192:0:8)After fix:
Test environment:
Screenshots :
Before :
After :
Checklist:
poetry run ruff check ., use--fixto automatically fix what it can)tests/e2e_commands.txtfile if necessary (new modules or features are required to be added to the e2e tests)