LDAP console / LDAP "-add-groupmember" command
jsdhasfedssad opened this issue
Hi. I look forward to using your tool but at the moment I am still trying to learn how to use it. I find your instructions a bit lacking so I have to try things instead. At the moment I am trying to add a domain user to a domain group but it either does not work or I get an error.
I am logged in as domainuser1 (low priv.) on a Windows 10 machine. I also have a session as domainadmin1 (privileged) on the same machine. First I list the sessions. This works.
I then try to get an LDAP shell as domainadmin1 (session 1) on my domain controller running Server 2019. This also works.
Using the LDAP command "add-groupmember "domain admins" domainuser1" I get no error but domainuser1 is also not added to the group Domain Admins. I verify this using Active Directory Users and Computers on the DC.
Finally I try your command "-add-groupmember" but that fails with "LDAP_UNWILLING_TO_PERFORM" and again, domainuser1 is not added to the group Domain Admins.
The LDAP console was fixed in a commit 1 hour ago; try the latest version.
add-groupmember may not work for groups with admincount set to 1
I updated but the only changes I see are that I am now forced to enter a CLSID and that I now get the same error in the LDAP console, "ldap_modify: LDAP_UNWILLING_TO_PERFORM".
I also get LDAP_UNWILLING_TO_PERFORM for groups containing spaces.
I think the issue lies in KrbRelay.Clients.Ldap lines 46-47:
string arg1 = attacks["add-groupmember"].Split(new[] { ' ' }, 2)[0];
string arg2 = attacks["add-groupmember"].Split(new[] { ' ' }, 2)[1];
so when attacks["add-groupmember"] = "Domain Admins domainuser1", arg1 and arg2 end up being e.g. "Domain" and "Admins" rather than "Domain Admins" and "domainuser1".
I don't know what the best fix for this is. Maybe in the arg-parsing section (Program.cs:388)
attacks.Add("add-groupmember", args[entry.index + 1] + " " + args[entry.index + 2]);
use a different separator (other than " ") ?
P.S. What a brilliant tool! Thanks @cube0x0 !
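The separator idea raised in the last comment, as an added example that is not KrbRelay's own code: the two arguments are joined with a character that cannot be confused with a space inside a group name, and split on that same character. The class name, the helper names and the choice of U+001F as separator are assumptions made for this sketch; with the space-based split quoted above, the same input comes back as "Domain" and "Admins domainuser1".

```csharp
using System;
using System.Collections.Generic;

class AddGroupMemberArgs
{
    // Assumption: U+001F (unit separator) never occurs in a group or account name.
    const char Sep = '\u001f';

    // Same shape as the parsing quoted in the thread: split at the first space.
    static string[] SplitOnSpace(string joined)
    {
        return joined.Split(new[] { ' ' }, 2);
    }

    // Join the two argv entries with the separator, refusing input that contains it.
    static string Join(string group, string member)
    {
        if (group.IndexOf(Sep) >= 0 || member.IndexOf(Sep) >= 0)
            throw new ArgumentException("argument contains the separator character");
        return group + Sep + member;
    }

    // Split on the separator and insist on exactly two non-empty parts.
    static string[] SplitOnSep(string joined)
    {
        string[] parts = joined.Split(new[] { Sep }, 2);
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            throw new ArgumentException("expected <group> <member>");
        return parts;
    }

    static void Main()
    {
        // Constructed argv: the shell has already removed the quotes around "Domain Admins".
        string[] args = { "-add-groupmember", "Domain Admins", "domainuser1" };

        var attacks = new Dictionary<string, string>();
        attacks["space"] = args[1] + " " + args[2];   // how the thread says the value is stored
        attacks["sep"] = Join(args[1], args[2]);      // separator-based variant

        string[] broken = SplitOnSpace(attacks["space"]);
        string[] parsed = SplitOnSep(attacks["sep"]);

        Console.WriteLine("space split: group=[{0}] member=[{1}]", broken[0], broken[1]);
        Console.WriteLine("sep split:   group=[{0}] member=[{1}]", parsed[0], parsed[1]);
    }
}
```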