CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/metasploit/framework/ldap/client.rb
Views: 1904
# frozen_string_literal: true12require 'rex/proto/ldap/auth_adapter'34module Metasploit5module Framework6module LDAP78module Client9def ldap_connect_opts(rhost, rport, connect_timeout, ssl: true, opts: {})10connect_opts = {11host: rhost,12port: rport,13connect_timeout: connect_timeout,14proxies: opts[:proxies]15}1617if ssl18connect_opts[:encryption] = {19method: :simple_tls,20tls_options: {21verify_mode: OpenSSL::SSL::VERIFY_NONE22}23}24end2526case opts[:ldap_auth]27when Msf::Exploit::Remote::AuthOption::SCHANNEL28connect_opts.merge!(ldap_auth_opts_schannel(opts, ssl))29when Msf::Exploit::Remote::AuthOption::KERBEROS30connect_opts.merge!(ldap_auth_opts_kerberos(opts, ssl))31when Msf::Exploit::Remote::AuthOption::NTLM32connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))33when Msf::Exploit::Remote::AuthOption::PLAINTEXT34connect_opts.merge!(ldap_auth_opts_plaintext(opts))35when Msf::Exploit::Remote::AuthOption::AUTO36if opts[:username].present? && opts[:domain].present?37connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))38elsif opts[:username].present?39connect_opts.merge!(ldap_auth_opts_plaintext(opts))40end41end4243connect_opts44end4546private4748def ldap_auth_opts_kerberos(opts, ssl)49auth_opts = {}50raise Msf::ValidationError, 'The LDAP::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?51raise Msf::ValidationError, 'The DOMAIN option is required when using Kerberos authentication.' if opts[:domain].blank?5253offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(opts[:ldap_krb_offered_enc_types])54raise Msf::ValidationError, 'At least one encryption type is required when using Kerberos authentication.' if offered_etypes.empty?5556sign_and_seal = opts.fetch(:sign_and_seal, !ssl)57kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(58host: opts[:domain_controller_rhost].blank? ? nil : opts[:domain_controller_rhost],59hostname: opts[:ldap_rhostname],60realm: opts[:domain],61username: opts[:username],62password: opts[:password],63framework: opts[:framework],64framework_module: opts[:framework_module],65cache_file: opts[:ldap_krb5_cname].blank? ? nil : opts[:ldap_krb5_cname],66ticket_storage: opts[:kerberos_ticket_storage],67offered_etypes: offered_etypes,68mutual_auth: true,69use_gss_checksum: sign_and_seal || ssl70)7172auth_opts[:auth] = {73method: :rex_kerberos,74kerberos_authenticator: kerberos_authenticator,75sign_and_seal: sign_and_seal76}7778auth_opts79end8081def ldap_auth_opts_ntlm(opts, ssl)82auth_opts = {}8384auth_opts[:auth] = {85# use the rex one provided by us to support TLS channel binding (see: ruby-ldap/ruby-net-ldap#407) and blank86# passwords (see: WinRb/rubyntlm#45)87method: :rex_ntlm,88username: opts[:username],89password: opts[:password],90domain: opts[:domain],91workstation: 'WORKSTATION',92sign_and_seal: opts.fetch(:sign_and_seal, !ssl)93}9495auth_opts96end9798def ldap_auth_opts_plaintext(opts)99auth_opts = {}100raise Msf::ValidationError, 'Can not sign and seal when using Plaintext authentication.' if opts.fetch(:sign_and_seal, false)101102auth_opts[:auth] = {103method: :simple,104username: opts[:username],105password: opts[:password]106}107auth_opts108end109110def ldap_auth_opts_schannel(opts, ssl)111auth_opts = {}112pfx_path = opts[:ldap_cert_file]113raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl114raise Msf::ValidationError, 'The LDAP::CertFile option is required when using Schannel authentication.' if pfx_path.blank?115raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)116117unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)118raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'119end120121begin122pkcs = OpenSSL::PKCS12.new(File.binread(pfx_path), '')123rescue StandardError => e124raise Msf::ValidationError, "Failed to load the PFX file (#{e})"125end126127auth_opts[:auth] = {128method: :sasl,129mechanism: 'EXTERNAL',130initial_credential: '',131challenge_response: true132}133auth_opts[:encryption] = {134method: :start_tls,135tls_options: {136verify_mode: OpenSSL::SSL::VERIFY_NONE,137cert: pkcs.certificate,138key: pkcs.key139}140}141auth_opts142end143end144end145end146end147148149