Make encrypting/signing an option

smashery · Apr 24, 2024 · 92f1017 · 92f1017
1 parent cd56efd
commit 92f1017
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 14 deletions.
diff --git a/lib/metasploit/framework/ldap/client.rb b/lib/metasploit/framework/ldap/client.rb
@@ -180,32 +180,40 @@ def ldap_auth_opts_kerberos(opts)
             initial_credential: proc do
               encryptor.get_initial_credential
             end,
-            auth_context_setup: encryptor.method(:kerberos_setup),
             challenge_response: true
           }
+
+          if opts[:should_encrypt]
+            auth_opts[:auth][:auth_context_setup] = encryptor.method(:kerberos_setup)
+          end
+
           auth_opts
         end
 
         def ldap_auth_opts_ntlm(opts)
           auth_opts = {}
-          ntlm_client = RubySMB::NTLM::Client.new(
-            opts[:username],
-            opts[:password],
-            workstation: 'WORKSTATION',
-            domain: opts[:domain].blank? ? '.' : opts[:domain],
-            flags:
-              RubySMB::NTLM::NEGOTIATE_FLAGS[:UNICODE] |
+          flags = RubySMB::NTLM::NEGOTIATE_FLAGS[:UNICODE] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:REQUEST_TARGET] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:SIGN] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:SEAL] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:NTLM] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:ALWAYS_SIGN] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY128] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY56] |
                 RubySMB::NTLM::NEGOTIATE_FLAGS[:VERSION_INFO]
+
+          if opts[:should_encrypt]
+            flags = flags |
+                RubySMB::NTLM::NEGOTIATE_FLAGS[:SIGN] |
+                RubySMB::NTLM::NEGOTIATE_FLAGS[:SEAL] |
+                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY128] |
+                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY56]
+          end
+          ntlm_client = RubySMB::NTLM::Client.new(
+            opts[:username],
+            opts[:password],
+            workstation: 'WORKSTATION',
+            domain: opts[:domain].blank? ? '.' : opts[:domain],
+            flags: flags
           )
 
           negotiate = proc do |challenge|
@@ -223,8 +231,12 @@ def ldap_auth_opts_ntlm(opts)
             mechanism: 'GSS-SPNEGO',
             initial_credential: ntlm_client.init_context.serialize,
             challenge_response: negotiate,
-            auth_context_setup: encryptor.method(:ntlm_setup)
           }
+
+          if opts[:should_encrypt]
+            auth_opts[:auth][:auth_context_setup] = encryptor.method(:ntlm_setup)
+          end
+
           auth_opts
         end
 

diff --git a/lib/msf/core/exploit/remote/ldap.rb b/lib/msf/core/exploit/remote/ldap.rb
@@ -32,7 +32,8 @@ def initialize(info = {})
         OptBool.new('SSL', [false, 'Enable SSL on the LDAP connection', false]),
         Msf::OptString.new('DOMAIN', [false, 'The domain to authenticate to']),
         Msf::OptString.new('USERNAME', [false, 'The username to authenticate with'], aliases: ['BIND_DN']),
-        Msf::OptString.new('PASSWORD', [false, 'The password to authenticate with'], aliases: ['BIND_PW'])
+        Msf::OptString.new('PASSWORD', [false, 'The password to authenticate with'], aliases: ['BIND_PW']),
+        OptBool.new('ENCRYPT_COMMS', [true, 'Use Signed and Encrypted LDAP', true])
       ])
 
       register_advanced_options(
@@ -79,6 +80,7 @@ def get_connect_opts
         password: datastore['PASSWORD'],
         domain: datastore['DOMAIN'],
         domain_controller_rhost: datastore['DomainControllerRhost'],
+        should_encrypt: datastore['ENCRYPT_COMMS'],
         ldap_auth: datastore['LDAP::Auth'],
         ldap_cert_file: datastore['LDAP::CertFile'],
         ldap_rhostname: datastore['Ldap::Rhostname'],