Skip to content

Commit

Permalink
Switch to an enum option for the signing
Browse files Browse the repository at this point in the history
  • Loading branch information
@smcintyre-r7
smcintyre-r7 committed May 3, 2024
1 parent 6d915db commit 69d603e
Show file tree
Hide file tree
Showing 11 changed files with 120 additions and 116 deletions.
1 change: 0 additions & 1 deletion ...etasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,6 @@ Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
DOMAIN no The domain to authenticate to
PASSWORD no The password to authenticate with
REPORT_NONENROLLABLE false yes Report nonenrollable certificate templates
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit
-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
Expand Down
21 changes: 10 additions & 11 deletions documentation/modules/auxiliary/admin/ldap/shadow_credentials.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -107,16 +107,15 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > show options
Module options (auxiliary/admin/ldap/shadow_credentials):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN no The domain to authenticate to
PASSWORD no The password to authenticate with
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
TARGET_USER yes The target to write to
USERNAME no The username to authenticate with
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN no The domain to authenticate to
PASSWORD no The password to authenticate with
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
TARGET_USER yes The target to write to
USERNAME no The username to authenticate with
When ACTION is REMOVE:
Expand Down Expand Up @@ -262,4 +261,4 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
[*] Certificate stored at: /home/user/.msf4/loot/20240404122240_default_20.92.148.129_windows.ad.cs_785877.pfx
[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 1107833b-0eb6-0477-a7c6-3590b326851a
[*] Auxiliary module execution completed
```
```
23 changes: 11 additions & 12 deletions documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,18 +60,17 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
NEW_PASSWORD no Password of admin user to add
NEW_USERNAME no Username of admin user to add
PASSWORD no The password to authenticate with
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 636 yes The target port
SSL true no Enable SSL on the LDAP connection
USERNAME no The username to authenticate with
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
NEW_PASSWORD no Password of admin user to add
NEW_USERNAME no Username of admin user to add
PASSWORD no The password to authenticate with
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 636 yes The target port
SSL true no Enable SSL on the LDAP connection
USERNAME no The username to authenticate with
Auxiliary action:
Expand Down
1 change: 0 additions & 1 deletion documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,6 @@ Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
BIND_DN DAFOREST\Administrator no The username to authenticate to LDAP server
BIND_PW theAdmin123 no Password for the BIND_DN
REPORT_NONENROLLABLE false yes Report nonenrollable certificate templates
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS 172.26.104.157 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Expand Down
36 changes: 17 additions & 19 deletions documentation/modules/auxiliary/gather/ldap_hashdump.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,27 +28,25 @@ msf5 auxiliary(gather/ldap_hashdump) > options
Module options (auxiliary/gather/ldap_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
MAX_LOOT no Maximum number of LDAP entries to loot
PASSWORD no The password to authenticate with
PASS_ATTR userPassword, sambantpassword, sambalmpassword, mailu yes LDAP attribute, that contains password hashes
serpassword, password, pwdhistory, passwordhistory, c
learpassword
READ_TIMEOUT 600 no LDAP read timeout in seconds
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
ml
RPORT 1389 yes The target port
SSL true no Enable SSL on the LDAP connection
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no The username to authenticate with
USER_ATTR dn no LDAP attribute(s), that contains username
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it]
DOMAIN no The domain to authenticate to
MAX_LOOT no Maximum number of LDAP entries to loot
PASSWORD no The password to authenticate with
PASS_ATTR userPassword, sambantpassword, sambalmpassword, mailu yes LDAP attribute, that contains password hashes
serpassword, password, pwdhistory, passwordhistory, c
learpassword
READ_TIMEOUT 600 no LDAP read timeout in seconds
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
tml
RPORT 1389 yes The target port
SSL true no Enable SSL on the LDAP connection
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no The username to authenticate with
USER_ATTR dn no LDAP attribute(s), that contains username
Auxiliary action:
Name Description
---- -----------
Dump Dump all LDAP data
Expand Down
20 changes: 9 additions & 11 deletions documentation/modules/auxiliary/gather/ldap_query.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -215,16 +215,15 @@ msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
PASSWORD thePassword123 no The password to authenticate with
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS 172.27.51.83 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
USERNAME [email protected] no The username to authenticate with
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
PASSWORD thePassword123 no The password to authenticate with
RHOSTS 172.27.51.83 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
USERNAME [email protected] no The username to authenticate with
When ACTION is RUN_QUERY_FILE:
Expand All @@ -242,7 +241,6 @@ Module options (auxiliary/gather/ldap_query):
QUERY_FILTER no Filter to send to the target LDAP server to perform the query
Auxiliary action:
Name Description
---- -----------
RUN_QUERY_FILE Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
Expand Down
22 changes: 10 additions & 12 deletions documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,18 +39,16 @@ If you already have the LDAP base DN, you may set it in this option.
msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
PASSWORD no The password to authenticate with
REQUIRE_SIGNING true yes Use signed and encrypted LDAP
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 636 yes The target port
SSL true no Enable SSL on the LDAP connection
USERNAME no The username to authenticate with
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
DOMAIN no The domain to authenticate to
PASSWORD no The password to authenticate with
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 636 yes The target port
SSL true no Enable SSL on the LDAP connection
USERNAME no The username to authenticate with
Auxiliary action:
Expand Down
35 changes: 19 additions & 16 deletions lib/metasploit/framework/ldap/client.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,18 +127,16 @@ def ldap_connect_opts(rhost, rport, connect_timeout, ssl: true, opts: {})

case opts[:ldap_auth]
when Msf::Exploit::Remote::AuthOption::SCHANNEL
raise Msf::ValidationError, 'The SSL option must be enabled when using SCHANNEL authentication.' unless ssl

connect_opts.merge!(ldap_auth_opts_schannel(opts))
connect_opts.merge!(ldap_auth_opts_schannel(opts, ssl))
when Msf::Exploit::Remote::AuthOption::KERBEROS
connect_opts.merge!(ldap_auth_opts_kerberos(opts))
connect_opts.merge!(ldap_auth_opts_kerberos(opts, ssl))
when Msf::Exploit::Remote::AuthOption::NTLM
connect_opts.merge!(ldap_auth_opts_ntlm(opts))
connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
when Msf::Exploit::Remote::AuthOption::PLAINTEXT
connect_opts.merge!(ldap_auth_opts_plaintext(opts))
when Msf::Exploit::Remote::AuthOption::AUTO
if opts[:username].present? && opts[:domain].present?
connect_opts.merge!(ldap_auth_opts_ntlm(opts))
connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
elsif opts[:username].present?
connect_opts.merge!(ldap_auth_opts_plaintext(opts))
end
Expand All @@ -149,15 +147,15 @@ def ldap_connect_opts(rhost, rport, connect_timeout, ssl: true, opts: {})

private

def ldap_auth_opts_kerberos(opts)
def ldap_auth_opts_kerberos(opts, ssl)
auth_opts = {}
raise Msf::ValidationError, 'The Ldap::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
raise Msf::ValidationError, 'The LDAP::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
raise Msf::ValidationError, 'The DOMAIN option is required when using Kerberos authentication.' if opts[:domain].blank?

offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(opts[:ldap_krb_offered_enc_types])
raise Msf::ValidationError, 'At least one encryption type is required when using Kerberos authentication.' if offered_etypes.empty?

use_gss_checksum = opts[:should_encrypt]
sign_and_seal = opts.fetch(:sign_and_seal, !ssl)
kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(
host: opts[:domain_controller_rhost].blank? ? nil : opts[:domain_controller_rhost],
hostname: opts[:ldap_rhostname],
Expand All @@ -170,7 +168,7 @@ def ldap_auth_opts_kerberos(opts)
ticket_storage: opts[:kerberos_ticket_storage],
offered_etypes: offered_etypes,
mutual_auth: true,
use_gss_checksum: use_gss_checksum
use_gss_checksum: sign_and_seal
)

encryptor = SpnegoKerberosEncryptor.new(kerberos_authenticator)
Expand All @@ -184,14 +182,14 @@ def ldap_auth_opts_kerberos(opts)
challenge_response: true
}

if opts[:should_encrypt]
if sign_and_seal
auth_opts[:auth][:auth_context_setup] = encryptor.method(:kerberos_setup)
end

auth_opts
end

def ldap_auth_opts_ntlm(opts)
def ldap_auth_opts_ntlm(opts, ssl)
auth_opts = {}
flags = RubySMB::NTLM::NEGOTIATE_FLAGS[:UNICODE] |
RubySMB::NTLM::NEGOTIATE_FLAGS[:REQUEST_TARGET] |
Expand All @@ -202,7 +200,8 @@ def ldap_auth_opts_ntlm(opts)
RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
RubySMB::NTLM::NEGOTIATE_FLAGS[:VERSION_INFO]

if opts[:should_encrypt]
sign_and_seal = opts.fetch(:sign_and_seal, !ssl)
if sign_and_seal
flags = flags |
RubySMB::NTLM::NEGOTIATE_FLAGS[:SIGN] |
RubySMB::NTLM::NEGOTIATE_FLAGS[:SEAL] |
Expand Down Expand Up @@ -234,7 +233,7 @@ def ldap_auth_opts_ntlm(opts)
challenge_response: negotiate
}

if opts[:should_encrypt]
if sign_and_seal
auth_opts[:auth][:auth_context_setup] = encryptor.method(:ntlm_setup)
end

Expand All @@ -243,6 +242,8 @@ def ldap_auth_opts_ntlm(opts)

def ldap_auth_opts_plaintext(opts)
auth_opts = {}
raise Msf::ValidationError, 'Can not sign and seal when using Plaintext authentication.' if opts.fetch(:sign_and_seal, false)

auth_opts[:auth] = {
method: :simple,
username: opts[:username],
Expand All @@ -251,10 +252,12 @@ def ldap_auth_opts_plaintext(opts)
auth_opts
end

def ldap_auth_opts_schannel(opts)
def ldap_auth_opts_schannel(opts, ssl)
auth_opts = {}
pfx_path = opts[:ldap_cert_file]
raise Msf::ValidationError, 'The LDAP::CertFile option is required when using SCHANNEL authentication.' if pfx_path.blank?
raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
raise Msf::ValidationError, 'The LDAP::CertFile option is required when using Schannel authentication.' if pfx_path.blank?
raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)

unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
Expand Down
Loading

0 comments on commit 69d603e

Please sign in to comment.