CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/auxiliary/gather/ldap_query.md
Views: 1904
Vulnerable Application
This module allows users to query an LDAP server using either a custom LDAP query, or a set of LDAP queries under a specific category. Users can also specify a JSON or YAML file containing custom queries to be executed using the RUN_QUERY_FILE action. If this action is specified, then QUERY_FILE_PATH must be a path to the location of this JSON/YAML file on disk.
Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES to a comma separated string containing the list of attributes they are interested in obtaining from the results.
As a third option can run one of several predefined queries by setting ACTION to the appropriate value. These options will be loaded from the ldap_queries_default.yaml file located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml.
Note that you can override the default query settings in this way by defining a query with an action name that is the same as one of existing actions in the file at data/auxiliary/gather/ldap_query/ldap_queries_default.yaml. This will however prevent any updates for that action that may be made to the data/auxiliary/gather/ldap_query/ldap_queries_default.yaml file, which may occur as part of Metasploit updates/upgrades, from being used though, so keep this in mind when using the ~/.msf4/ldap_queries_default.yaml file.
All results will be returned to the user in table, CSV or JSON format, depending on the value of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter should multiple items exist within a single column.
Verification Steps
Do:
use auxiliary/gather/ldap_queryDo:
set ACTION <target action>Do:
set RHOSTS <target IP(s)>Optional:
set RPORT <target port>if target port is non-default. 5: Optional:set SSL trueif the target port is SSL enabled. 6: Do:run
Options
OUTPUT_FORMAT
The output format to use. Can be either csv, table or json for CSV, Rex table output, or JSON output respectively.
BASE_DN
The LDAP base DN if already obtained. If not supplied, the module will automatically attempt to find the base DN for the target LDAP server.
QUERY_FILE_PATH
If the ACTION is set to RUN_QUERY_FILE, then this option is required and must be set to the full path to the JSON or YAML file containing the queries to be run.
The file format must follow the following convention:
Where queries is an array of queries to be run, each containing an action field containing the name of the action to be run, a description field describing the action, a filter field containing the filter to send to the LDAP server (aka what to search on), and the list of attributes that we are interested in from the results as an array.
QUERY_FILTER
Used only when the RUN_SINGLE_QUERY action is used. This should be set to the filter aka query that you want to send to the target LDAP server.
QUERY_ATTRIBUTES
Used only when the RUN_SINGLE_QUERY action is used. Should be a comma separated list of attributes to display from the full result set for each entry that was returned by the target LDAP server. Used to filter the results down to manageable sets of data.
Scenarios
RUN_SINGLE_QUERY with Table Output
RUN_QUERY_FILE with Table Output
Here is the sample query file we will be using:
Here is the results of using this file with the RUN_QUERY_FILE action which will run all queries within the file one after another.