changes-to-support-nmap

modules/auxiliary/server/capture/ldap.rb

@@ -76,7 +76,7 @@ def on_dispatch_request(client, data)
               result_code = nil
               user_login = pdu.bind_parameters
 
-              if user_login.name.empty? || user_login.authentication.empty?
+              if user_login.name.empty? && user_login.authentication.empty?
                 state[client][:user] = user_login.name
                 state[client][:pass] = user_login.authentication
                 state[client][:domain] = nil
@@ -103,12 +103,21 @@ def on_dispatch_request(client, data)
                     end
                     state[client][:user] = names.first
                     state[client][:domain] = domains.empty? ? nil : domains.join('.')
-                  rescue StandardError => e
+                  rescue InvalidDNError => e
                     print_error("LDAP Login Attempt => From:#{state[client][:name]} DN:#{user_login.name}")
                     raise e
                   end
+                elsif user_login.name =~ /\\/
+                  pub_info = user_login.name.split('\\')
+                  if pub_info.length <= 2
+                    state[client][:user] = pub_info[1]
+                    state[client][:domain] = pub_info[0]
+                  else
+                    result_code = Net::LDAP::ResultCodeInvalidCredentials
+                    print_error("LDAP Login Attempt => From:#{state[client][:name]} DN:#{user_login.name}")
+                  end
                 else
-                  state[client][:user] = ''
+                  state[client][:user] = user_login.name
                   state[client][:domain] = nil
                   result_code = Net::LDAP::ResultCodeInvalidCredentials
                 end
@@ -129,7 +138,9 @@ def on_dispatch_request(client, data)
                   domain: state[client][:domain]
                 )
               end
-              print_good("LDAP Login Attempt => From:#{state[client][:name]} Username:#{state[client][:user]} Password:#{state[client][:pass]}")
+              result_message = "LDAP Login Attempt => From:#{state[client][:name]} Username:#{state[client][:user]} Password:#{state[client][:pass]}"
+              result_message += " Domain:#{state[client][:domain]}" if state[client][:domain]
+              print_good(result_message)
               result_code = Net::LDAP::ResultCodeAuthMethodNotSupported if result_code.nil?
               service.encode_ldap_response(
                 pdu.message_id,
@@ -138,8 +149,7 @@ def on_dispatch_request(client, data)
                 Net::LDAP::ResultStrings[result_code],
                 Net::LDAP::PDU::BindResult
               )
-            when Net::LDAP::PDU::SearchRequest # search request
-              # Perform query against some loaded LDIF structure
+            when Net::LDAP::PDU::SearchRequest
               filter = Net::LDAP::Filter.parse_ldap_filter(pdu.search_parameters[:filter])
               attrs = pdu.search_parameters[:attributes].empty? ? :all : pdu.search_parameters[:attributes]
               res = search_res(filter, pdu.message_id, attrs)
@@ -160,26 +170,23 @@ def on_dispatch_request(client, data)
               client.close
               nil
             else
-              result_code = Net::LDAP::ResultCodeUnwillingToPerform
-              service.encode_ldap_response(
-                pdu.message_id,
-                result_code,
-                '',
-                Net::LDAP::ResultStrings[result_code],
-                Net::LDAP::PDU::SearchResult
-              )
+              if suitable_response(pdu.app_tag)
+                result_code = Net::LDAP::ResultCodeUnwillingToPerform
+                service.encode_ldap_response(
+                  pdu.message_id,
+                  result_code,
+                  '',
+                  Net::LDAP::ResultStrings[result_code],
+                  suitable_response(pdu.app_tag)
+                )
+              else
+                client.close
+              end
             end
 
       on_send_response(client, res) unless res.nil?
     rescue StandardError => e
-      on_send_response(client,
-                       service.encode_ldap_response(
-                         1,
-                         Net::LDAP::ResultCodeUnwillingToPerform,
-                         '',
-                         Net::LDAP::ResultStrings[ResultCodeUnwillingToPerform],
-                         Net::LDAP::PDU::BindResult
-                       ))
+      client.close
       print_error("Failed to handle LDAP request due to #{e}")
     end
   end
@@ -198,12 +205,16 @@ def report_cred(opts)
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :password,
-      domain: opts[:domain],
-      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
-      realm_value: opts[:domain]
+      private_type: :password
     }.merge(service_data)
 
+    if opts[:domain]
+      credential_data = {
+        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+        realm_value: opts[:domain]
+      }.merge(credential_data)
+    end
+
     login_data = {
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::UNTRIED
@@ -246,4 +257,19 @@ def search_res(filter, msgid, attrflt = :all)
       end.compact.join
     end
   end
+
+  def suitable_response(request)
+    responses = {
+      Net::LDAP::PDU::BindRequest => Net::LDAP::PDU::BindResult,
+      Net::LDAP::PDU::SearchRequest => Net::LDAP::PDU::SearchResult,
+      Net::LDAP::PDU::ModifyRequest => Net::LDAP::PDU::ModifyResponse,
+      Net::LDAP::PDU::AddRequest => Net::LDAP::PDU::AddResponse,
+      Net::LDAP::PDU::DeleteRequest => Net::LDAP::PDU::DeleteResponse,
+      Net::LDAP::PDU::ModifyRDNRequest => Net::LDAP::PDU::ModifyRDNResponse,
+      Net::LDAP::PDU::CompareRequest => Net::LDAP::PDU::CompareResponse,
+      Net::LDAP::PDU::ExtendedRequest => Net::LDAP::PDU::ExtendedResponse
+    }
+
+    responses[request]
+  end
 end