CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/ldap/ldap_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'metasploit/framework/credential_collection'6require 'metasploit/framework/login_scanner/ldap'78class MetasploitModule < Msf::Auxiliary9include Msf::Auxiliary::Report10include Msf::Auxiliary::AuthBrute11include Msf::Auxiliary::Scanner12include Msf::Exploit::Remote::LDAP13include Msf::Sessions::CreateSessionOptions14include Msf::Auxiliary::CommandShell15include Msf::Auxiliary::ReportSummary1617def initialize(info = {})18super(19update_info(20info,21'Name' => 'LDAP Login Scanner',22'Description' => 'This module attempts to login to the LDAP service.',23'Author' => [ 'Dean Welch' ],24'License' => MSF_LICENSE,25'Notes' => {26'Stability' => [CRASH_SAFE],27'Reliability' => [],28'SideEffects' => []29}30)31)3233register_options(34[35OptBool.new(36'APPEND_DOMAIN', [true, 'Appends `@<DOMAIN> to the username for authentication`', false],37conditions: ['LDAP::Auth', 'in', [Msf::Exploit::Remote::AuthOption::AUTO, Msf::Exploit::Remote::AuthOption::PLAINTEXT]]38)39]40)4142# A password must be supplied unless doing anonymous login43options_to_deregister = %w[BLANK_PASSWORDS]4445if framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)46add_info('The %grnCreateSession%clr option within this module can open an interactive session')47else48# Don't give the option to create a session unless ldap sessions are enabled49options_to_deregister << 'CreateSession'50end5152deregister_options(*options_to_deregister)53end5455def create_session?56# The CreateSession option is de-registered if LDAP_SESSION_TYPE is not enabled57# but the option can still be set/saved so check to see if we should use it58if framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)59datastore['CreateSession']60else61false62end63end6465def run66validate_connect_options!67results = super68logins = results.flat_map { |_k, v| v[:successful_logins] }69sessions = results.flat_map { |_k, v| v[:successful_sessions] }70print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")71return results unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)7273if create_session?74print_status("#{sessions.size} LDAP #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")75else76print_status('You can open an LDAP session with these credentials and %grnCreateSession%clr set to true')77end78results79end8081def validate_connect_options!82# Verify we can create arbitrary connect opts, this won't make a connection out to the real host - but will verify the values are valid83get_connect_opts84rescue Msf::ValidationError => e85fail_with(Msf::Exploit::Remote::Failure::BadConfig, "Invalid datastore options for chosen auth type: #{e.message}")86end8788def run_host(ip)89cred_collection = build_credential_collection(90username: datastore['USERNAME'],91password: datastore['PASSWORD'],92realm: datastore['DOMAIN'],93anonymous_login: datastore['ANONYMOUS_LOGIN'],94blank_passwords: false95)9697opts = {98domain: datastore['DOMAIN'],99append_domain: datastore['APPEND_DOMAIN'],100ssl: datastore['SSL'],101proxies: datastore['PROXIES'],102domain_controller_rhost: datastore['DomainControllerRhost'],103ldap_auth: datastore['LDAP::Auth'],104ldap_cert_file: datastore['LDAP::CertFile'],105ldap_rhostname: datastore['Ldap::Rhostname'],106ldap_krb_offered_enc_types: datastore['Ldap::KrbOfferedEncryptionTypes'],107ldap_krb5_cname: datastore['Ldap::Krb5Ccname'],108# Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module109kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })110}111112realm_key = nil113if opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS114realm_key = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN115end116117scanner = Metasploit::Framework::LoginScanner::LDAP.new(118configure_login_scanner(119host: ip,120port: rport,121cred_details: cred_collection,122stop_on_success: datastore['STOP_ON_SUCCESS'],123bruteforce_speed: datastore['BRUTEFORCE_SPEED'],124connection_timeout: datastore['LDAP::ConnectTimeout'].to_i,125framework: framework,126framework_module: self,127realm_key: realm_key,128opts: opts,129use_client_as_proof: create_session?130)131)132133successful_logins = []134successful_sessions = []135scanner.scan! do |result|136credential_data = result.to_h137credential_data.merge!(138module_fullname: fullname,139workspace_id: myworkspace_id,140service_name: 'ldap',141protocol: 'tcp'142)143if result.success?144successful_logins << result145if opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::SCHANNEL146# Schannel auth has no meaningful credential information to store in the DB147print_brute level: :good, ip: ip, msg: "Success: 'Cert File #{opts[:ldap_cert_file]}'"148else149create_credential_and_login(credential_data)150print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}'"151end152successful_sessions << create_session(result, ip) if create_session?153else154invalidate_login(credential_data)155vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"156end157end158{ successful_logins: successful_logins, successful_sessions: successful_sessions }159end160161private162163def create_session(result, ip)164session_setup(result)165rescue StandardError => e166elog('Failed to setup the session', error: e)167print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"168result.connection.close unless result.connection.nil?169end170171# @param [Metasploit::Framework::LoginScanner::Result] result172# @return [Msf::Sessions::LDAP]173def session_setup(result)174return unless result.connection && result.proof175176# Create a new session177my_session = Msf::Sessions::LDAP.new(result.connection, { client: result.proof })178179merge_me = {180'USERPASS_FILE' => nil,181'USER_FILE' => nil,182'PASS_FILE' => nil,183'USERNAME' => result.credential.public,184'PASSWORD' => result.credential.private185}186187start_session(self, nil, merge_me, false, my_session.rstream, my_session)188end189end190191192