Support Schannel authentication

[noraj]

When authenticating with --pfx-cert or --pem-cert I have the following kerberos authentication error:

Error Name: KDC_ERR_CLIENT_NOT_TRUSTED Detail: "The client trust failed or is not implemented"

From my understanding it it because PKINIT authentication is disabled on the domain and netexec is only supporting pkinit authentication with certificates from what I checked in the source code.

With the same certificate I can authenticate and perform LDAP actions using ldeep or PassTheCert because they are supporting Schannel authentication.

(Optional): Suggest A Solution
Support schannel authentication

• Details of the technical implementation: look at what passthecert or ldeep do

[NeffIsBack]

Haven't looked at the code, but could very well be, thanks for the feature request!

Would be a great addition if anyone is reading along :)

[mpgn]

The limitation is well known because ldeep and PassTheCert are limited to one protocol while nxc deal with nxc, ldap etc.

Passing the arg --pfx-cert withing nxc will work for all protocol that the key point.

Using schannel is possible, the limitation is that it will only work on ldap proto.

The only way i see this is to have a logic based on a specfic flag or the proto when using ldap.

For sure it's possible using ldap3 directly, the problem is not really the dev time but the time to create the lab (adcs etc) and test everythings.

[noraj]

The only way i see this is to have a logic based on a specfic flag or the proto when using ldap.

I guess there are two ways of doing that:

1. --pfx-cert fallback to schannel if pkinit fails, the fallback is only occurring if protocol = ldap
2. add a --schannel flag to switch the auth scheme, the flag is only available if protocol = ldap

For sure it's possible using ldap3 directly, the problem is not really the dev time but the time to create the lab (adcs etc) and test everythings.

GOAD and GOAD light labs have an AD CS server and can be deployed automatically. It could help a lot with testing.