Add LDAP relay server to ntlmrelayx

[emilyastranova]

Added support for incoming LDAP credentials and the ability to relay them using things like the -i interactive shell.

Useful for things like finding printers with LDAP configured and changing the hostname to your own host.

[Romern]

I only tested impacket-based clients, works very nice for that. It should also work with Windows clients when they support NTLM, but currently it would only works when NTLM is their highest priority MechType.

Also did you experiment with ommiting LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID in the initial searchrequest? In the MS docs it says that with NTLM auth this is used as a capabitlity for signing, would be interesting if dropping this could lead a client to not set the signing bits in the NTLM negotiation.

[Romern]

this assumes that the client is sending the NTLMSSP header, but they could also just send their Kerberos ticket, and say that they also support NTLMSSP, for example on my windows 11:

Then we need to renegotiate.

I tried it in 3796872 , but I haven't tested it.

[emilyastranova]

Just reading through the code this looks like it will work, but I'd need to set up an environment to test this. If someone else wants to try and beat me to it, it'd be much appreciated :)

[rtpt-romankarwacik]

I just tested it in my lab and it seems like with the current ROOT query response, Windows does not do GSSAPI at all, only NTLMSSP. So maybe it isn't even needed to renegotiate the mechtype at all.

Also I stumbled upon the CLDAP ping message which is sometimes done in Windows before any actual LDAP requests to confirm that the server is up. This seems to be only needed when no connection in the current user session has been established. If it is not send in a session, no LDAP connection seems to be established.

[rtpt-romankarwacik]

With CLDAP (implemented with scapy and pyasn1_ldap (somehow the regular LDAPMessage from ldap3 and impacket do cannot parse these CLDAP messages properly?): 5f00665 ) I get GSSAPI authentications, but somehow without support for NTLM (Windows 11 24H2 and Server 2025 without signing and sealing). Sometimes I also get siciliy authentications.

Could someone try this in their lab?
Use this pretender version: https://github.com/rtpt-romankarwacik/pretender/tree/ldap_srv_requests (replies to SRV request):

$ sudo pretender -i eth0

And this impacket branch: https://github.com/rtpt-romankarwacik/impacket/tree/ntlmrelayx-ldap-server

sudo ntlmrelayx.py -smb2support -debug -i -t smb://192.168.56.5  --keep-relaying

And reset the Ethernet controller of a windows client in the network, this should trigger DNS requests to LDAP, then CLDAP and then LDAP. If this does not work, just click on the user in the start menu on Windows 11, this also triggers an LDAP request.

[Romern]

I would put the CLDAP stuff in another PR when its ready, for other LDAP clients this works nicely 👍