cube0x0 / KrbRelay

Framework for Kerberos relaying

LDAP console / LDAP "-add-groupmember" command

jsdhasfedssad opened this issue · comments

Hi. I look forward to using your tool but at the moment I am still trying to learn how to use it. I find your instructions a bit lacking so I have to try things instead. At the moment I am trying to add a domain user to a domain group but it either does not work or I get an error.

I am logged in as domainuser1 (low priv.) on a Windows 10 machine. I also have a session as domainadmin1 (privileged) on the same machine. First I list the sessions. This works.

[Screenshot: sessions]

I then try to get an LDAP shell as domainadmin1 (session 1) on my domain controller running Server 2019. This also works.

[Screenshot: console_access]

Using the LDAP command "add-groupmember "domain admins" domainuser1" I get no error but domainuser1 is also not added to the group Domain Admins. I verify this using Active Directory Users and Computers on the DC.

[Screenshot: console_add]

Finally I try your command "-add-groupmember" but that fails with "LDAP_UNWILLING_TO_PERFORM" and again, domainuser1 is not added to the group Domain Admins.

[Screenshot: add]

The LDAP console was fixed in a commit 1 hour ago; try the latest version.
add-groupmember may not work for groups with admincount set to 1.

I updated but the only changes I see are that I am now forced to enter a CLSID and that I now get the same error in the LDAP console, "ldap_modify: LDAP_UNWILLING_TO_PERFORM".

I also get LDAP_UNWILLING_TO_PERFORM for groups containing spaces.

I think the issue lies in KrbRelay.Clients.Ldap lines 46-47:

    string arg1 = attacks["add-groupmember"].Split(new[] { ' ' }, 2)[0];
    string arg2 = attacks["add-groupmember"].Split(new[] { ' ' }, 2)[1];

So when attacks["add-groupmember"] = "Domain Admins domainuser1", arg1 and arg2 end up being e.g. "Domain" and "Admins" rather than "Domain Admins" and "domainuser1".

I don't know what the best fix for this is. Maybe in the arg-parsing section (Program.cs:388):

    attacks.Add("add-groupmember", args[entry.index + 1] + " " + args[entry.index + 2]);

use a different separator (other than " ")?

P.S. What a brilliant tool! Thanks @cube0x0 !

Temporary fix until I get a new command line parser:
double quote the group and it will work
5b5d424
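
The parsing problem discussed in this thread, as an added example that is not KrbRelay's code and not the content of the commit referenced above. `JoinThenSplit` reproduces the join-then-split pattern quoted from the issue, and `SplitQuoted` is a hypothetical quote-aware tokenizer showing why double quoting the group name keeps it in one piece. Both helper names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class GroupMemberArgs
{
    // Pattern quoted in the thread: two argv entries are joined with a space,
    // then the joined string is split on the first space again.
    static (string Group, string Member) JoinThenSplit(string group, string member)
    {
        string joined = group + " " + member;
        string[] parts = joined.Split(new[] { ' ' }, 2);
        return (parts[0], parts[1]);
    }

    // Hypothetical alternative: split on spaces, but keep text inside
    // double quotes together as a single token.
    static List<string> SplitQuoted(string input)
    {
        var tokens = new List<string>();
        var current = new StringBuilder();
        bool inQuotes = false;
        foreach (char c in input)
        {
            if (c == '"') { inQuotes = !inQuotes; continue; }
            if (c == ' ' && !inQuotes)
            {
                if (current.Length > 0) { tokens.Add(current.ToString()); current.Clear(); }
                continue;
            }
            current.Append(c);
        }
        if (inQuotes) throw new FormatException("Unterminated double quote in argument string.");
        if (current.Length > 0) tokens.Add(current.ToString());
        return tokens;
    }

    static void Main()
    {
        // Constructed sample values taken from the names used in the issue.
        var broken = JoinThenSplit("Domain Admins", "domainuser1");
        Console.WriteLine($"join+split : group='{broken.Group}' member='{broken.Member}'");

        var tokens = SplitQuoted("\"Domain Admins\" domainuser1");
        Console.WriteLine($"quote-aware: group='{tokens[0]}' member='{tokens[1]}'");
    }
}
```

With a limit of 2, `Split` cuts only at the first space, so a group name containing a space is truncated and the remainder lands in the member argument.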