Add ability to bind with only NTLM Hash instead of password (#269)

* add NTLMBindWithHash, update go.mod

* add NTLMBindWithHash, update go.mod on v2

Co-authored-by: Ronnie Flathers <ronnie.flathersii@motorolasolutions.com>

Author: ropnop

bind.go

@@ -400,6 +400,8 @@ type NTLMBindRequest struct {
 	Username string
 	// Password is the credentials to bind with
 	Password string
+	// Hash is the hex NTLM hash to bind with. Password or hash must be provided
+	Hash string
 	// Controls are optional controls to send with the bind request
 	Controls []Control
 }
@@ -441,9 +443,20 @@ func (l *Conn) NTLMBind(domain, username, password string) error {
 	return err
 }
 
+// NTLMBindWithHash performs an NTLM Bind with an NTLM hash instead of plaintext password (pass-the-hash)
+func (l *Conn) NTLMBindWithHash(domain, username, hash string) error {
+	req := &NTLMBindRequest{
+		Domain:   domain,
+		Username: username,
+		Hash:     hash,
+	}
+	_, err := l.NTLMChallengeBind(req)
+	return err
+}
+
 // NTLMChallengeBind performs the NTLMSSP bind operation defined in the given request
 func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindResult, error) {
-	if ntlmBindRequest.Password == "" {
+	if ntlmBindRequest.Password == "" && ntlmBindRequest.Hash == "" {
 		return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
 	}
 
@@ -481,8 +494,16 @@ func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindRes
 		}
 	}
 	if ntlmsspChallenge != nil {
-		// generate a response message to the challenge with the given Username/Password
-		responseMessage, err := ntlmssp.ProcessChallenge(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Password)
+		var err error
+		var responseMessage []byte
+		// generate a response message to the challenge with the given Username/Password if password is provided
+		if ntlmBindRequest.Password != "" {
+			responseMessage, err = ntlmssp.ProcessChallenge(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Password)
+		} else if ntlmBindRequest.Hash != "" {
+			responseMessage, err = ntlmssp.ProcessChallengeWithHash(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Hash)
+		} else {
+			err = fmt.Errorf("need a password or hash to generate reply")
+		}
 		if err != nil {
 			return result, fmt.Errorf("parsing ntlm-challenge: %s", err)
 		}

go.mod

@@ -2,4 +2,8 @@ module github.com/go-ldap/ldap
 
 go 1.13
 
-require github.com/go-asn1-ber/asn1-ber v1.5.0
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c
+	github.com/go-asn1-ber/asn1-ber v1.5.0
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
+)

go.sum

@@ -1,2 +1,11 @@
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/go-asn1-ber/asn1-ber v1.5.0 h1:/S4hO/AO6tLMlPX0oftGSOcdGJJN/MuYzfgWRMn199E=
 github.com/go-asn1-ber/asn1-ber v1.5.0/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

v3/bind.go

@@ -400,6 +400,8 @@ type NTLMBindRequest struct {
 	Username string
 	// Password is the credentials to bind with
 	Password string
+	// Hash is the hex NTLM hash to bind with. Password or hash must be provided
+	Hash string
 	// Controls are optional controls to send with the bind request
 	Controls []Control
 }
@@ -441,9 +443,20 @@ func (l *Conn) NTLMBind(domain, username, password string) error {
 	return err
 }
 
+// NTLMBindWithHash performs an NTLM Bind with an NTLM hash instead of plaintext password (pass-the-hash)
+func (l *Conn) NTLMBindWithHash(domain, username, hash string) error {
+	req := &NTLMBindRequest{
+		Domain:   domain,
+		Username: username,
+		Hash:     hash,
+	}
+	_, err := l.NTLMChallengeBind(req)
+	return err
+}
+
 // NTLMChallengeBind performs the NTLMSSP bind operation defined in the given request
 func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindResult, error) {
-	if ntlmBindRequest.Password == "" {
+	if ntlmBindRequest.Password == "" && ntlmBindRequest.Hash == "" {
 		return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
 	}
 
@@ -481,8 +494,16 @@ func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindRes
 		}
 	}
 	if ntlmsspChallenge != nil {
-		// generate a response message to the challenge with the given Username/Password
-		responseMessage, err := ntlmssp.ProcessChallenge(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Password)
+		var err error
+		var responseMessage []byte
+		// generate a response message to the challenge with the given Username/Password if password is provided
+		if ntlmBindRequest.Password != "" {
+			responseMessage, err = ntlmssp.ProcessChallenge(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Password)
+		} else if ntlmBindRequest.Hash != "" {
+			responseMessage, err = ntlmssp.ProcessChallengeWithHash(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Hash)
+		} else {
+			err = fmt.Errorf("need a password or hash to generate reply")
+		}
 		if err != nil {
 			return result, fmt.Errorf("parsing ntlm-challenge: %s", err)
 		}

v3/go.mod

@@ -2,4 +2,8 @@ module github.com/go-ldap/ldap/v3
 
 go 1.13
 
-require github.com/go-asn1-ber/asn1-ber v1.5.0
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c
+	github.com/go-asn1-ber/asn1-ber v1.5.0
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
+)

v3/go.sum

@@ -1,2 +1,11 @@
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/go-asn1-ber/asn1-ber v1.5.0 h1:/S4hO/AO6tLMlPX0oftGSOcdGJJN/MuYzfgWRMn199E=
 github.com/go-asn1-ber/asn1-ber v1.5.0/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=