CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'metasploit/framework/credential_collection'
7
require 'metasploit/framework/login_scanner/ldap'
8

9
class MetasploitModule < Msf::Auxiliary
10
  include Msf::Auxiliary::Report
11
  include Msf::Auxiliary::AuthBrute
12
  include Msf::Auxiliary::Scanner
13
  include Msf::Exploit::Remote::LDAP
14
  include Msf::Sessions::CreateSessionOptions
15
  include Msf::Auxiliary::CommandShell
16
  include Msf::Auxiliary::ReportSummary
17

18
  def initialize(info = {})
19
    super(
20
      update_info(
21
        info,
22
        'Name' => 'LDAP Login Scanner',
23
        'Description' => 'This module attempts to login to the LDAP service.',
24
        'Author' => [ 'Dean Welch' ],
25
        'License' => MSF_LICENSE,
26
        'Notes' => {
27
          'Stability' => [CRASH_SAFE],
28
          'Reliability' => [],
29
          'SideEffects' => []
30
        }
31
      )
32
    )
33

34
    register_options(
35
      [
36
        OptBool.new(
37
          'APPEND_DOMAIN', [true, 'Appends `@<DOMAIN> to the username for authentication`', false],
38
          conditions: ['LDAP::Auth', 'in', [Msf::Exploit::Remote::AuthOption::AUTO, Msf::Exploit::Remote::AuthOption::PLAINTEXT]]
39
        )
40
      ]
41
    )
42

43
    # A password must be supplied unless doing anonymous login
44
    options_to_deregister = %w[BLANK_PASSWORDS]
45

46
    if framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)
47
      add_info('The %grnCreateSession%clr option within this module can open an interactive session')
48
    else
49
      # Don't give the option to create a session unless ldap sessions are enabled
50
      options_to_deregister << 'CreateSession'
51
    end
52

53
    deregister_options(*options_to_deregister)
54
  end
55

56
  def create_session?
57
    # The CreateSession option is de-registered if LDAP_SESSION_TYPE is not enabled
58
    # but the option can still be set/saved so check to see if we should use it
59
    if framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)
60
      datastore['CreateSession']
61
    else
62
      false
63
    end
64
  end
65

66
  def run
67
    validate_connect_options!
68
    results = super
69
    logins = results.flat_map { |_k, v| v[:successful_logins] }
70
    sessions = results.flat_map { |_k, v| v[:successful_sessions] }
71
    print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
72
    return results unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)
73

74
    if create_session?
75
      print_status("#{sessions.size} LDAP #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
76
    else
77
      print_status('You can open an LDAP session with these credentials and %grnCreateSession%clr set to true')
78
    end
79
    results
80
  end
81

82
  def validate_connect_options!
83
    # Verify we can create arbitrary connect opts, this won't make a connection out to the real host - but will verify the values are valid
84
    get_connect_opts
85
  rescue Msf::ValidationError => e
86
    fail_with(Msf::Exploit::Remote::Failure::BadConfig, "Invalid datastore options for chosen auth type: #{e.message}")
87
  end
88

89
  def run_host(ip)
90
    cred_collection = build_credential_collection(
91
      username: datastore['USERNAME'],
92
      password: datastore['PASSWORD'],
93
      realm: datastore['DOMAIN'],
94
      anonymous_login: datastore['ANONYMOUS_LOGIN'],
95
      blank_passwords: false
96
    )
97

98
    opts = {
99
      domain: datastore['DOMAIN'],
100
      append_domain: datastore['APPEND_DOMAIN'],
101
      ssl: datastore['SSL'],
102
      proxies: datastore['PROXIES'],
103
      domain_controller_rhost: datastore['DomainControllerRhost'],
104
      ldap_auth: datastore['LDAP::Auth'],
105
      ldap_cert_file: datastore['LDAP::CertFile'],
106
      ldap_rhostname: datastore['Ldap::Rhostname'],
107
      ldap_krb_offered_enc_types: datastore['Ldap::KrbOfferedEncryptionTypes'],
108
      ldap_krb5_cname: datastore['Ldap::Krb5Ccname'],
109
      # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
110
      kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })
111
    }
112

113
    realm_key = nil
114
    if opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS
115
      realm_key = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
116
    end
117

118
    scanner = Metasploit::Framework::LoginScanner::LDAP.new(
119
      configure_login_scanner(
120
        host: ip,
121
        port: rport,
122
        cred_details: cred_collection,
123
        stop_on_success: datastore['STOP_ON_SUCCESS'],
124
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
125
        connection_timeout: datastore['LDAP::ConnectTimeout'].to_i,
126
        framework: framework,
127
        framework_module: self,
128
        realm_key: realm_key,
129
        opts: opts,
130
        use_client_as_proof: create_session?
131
      )
132
    )
133

134
    successful_logins = []
135
    successful_sessions = []
136
    scanner.scan! do |result|
137
      credential_data = result.to_h
138
      credential_data.merge!(
139
        module_fullname: fullname,
140
        workspace_id: myworkspace_id,
141
        service_name: 'ldap',
142
        protocol: 'tcp'
143
      )
144
      if result.success?
145
        successful_logins << result
146
        if opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::SCHANNEL
147
          # Schannel auth has no meaningful credential information to store in the DB
148
          print_brute level: :good, ip: ip, msg: "Success: 'Cert File #{opts[:ldap_cert_file]}'"
149
        else
150
          create_credential_and_login(credential_data)
151
          print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}'"
152
        end
153
        successful_sessions << create_session(result, ip) if create_session?
154
      else
155
        invalidate_login(credential_data)
156
        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
157
      end
158
    end
159
    { successful_logins: successful_logins, successful_sessions: successful_sessions }
160
  end
161

162
  private
163

164
  def create_session(result, ip)
165
    session_setup(result)
166
  rescue StandardError => e
167
    elog('Failed to setup the session', error: e)
168
    print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"
169
    result.connection.close unless result.connection.nil?
170
  end
171

172
  # @param [Metasploit::Framework::LoginScanner::Result] result
173
  # @return [Msf::Sessions::LDAP]
174
  def session_setup(result)
175
    return unless result.connection && result.proof
176

177
    # Create a new session
178
    my_session = Msf::Sessions::LDAP.new(result.connection, { client: result.proof })
179

180
    merge_me = {
181
      'USERPASS_FILE' => nil,
182
      'USER_FILE' => nil,
183
      'PASS_FILE' => nil,
184
      'USERNAME' => result.credential.public,
185
      'PASSWORD' => result.credential.private
186
    }
187

188
    start_session(self, nil, merge_me, false, my_session.rstream, my_session)
189
  end
190
end
191

192