From 05d6e9815d25c0b5249377a1694f6fd44ee7829b Mon Sep 17 00:00:00 2001 From: JustAnda7 Date: Sun, 20 Aug 2023 07:22:41 -0400 Subject: [PATCH] changes-to-support-nmap --- modules/auxiliary/server/capture/ldap.rb | 78 ++++++++++++++++-------- 1 file changed, 52 insertions(+), 26 deletions(-) diff --git a/modules/auxiliary/server/capture/ldap.rb b/modules/auxiliary/server/capture/ldap.rb index 1076dfcb4f95..fa909ff5288f 100644 --- a/modules/auxiliary/server/capture/ldap.rb +++ b/modules/auxiliary/server/capture/ldap.rb @@ -76,7 +76,7 @@ def on_dispatch_request(client, data) result_code = nil user_login = pdu.bind_parameters - if user_login.name.empty? || user_login.authentication.empty? + if user_login.name.empty? && user_login.authentication.empty? state[client][:user] = user_login.name state[client][:pass] = user_login.authentication state[client][:domain] = nil @@ -103,12 +103,21 @@ def on_dispatch_request(client, data) end state[client][:user] = names.first state[client][:domain] = domains.empty? ? nil : domains.join('.') - rescue StandardError => e + rescue InvalidDNError => e print_error("LDAP Login Attempt => From:#{state[client][:name]} DN:#{user_login.name}") raise e end + elsif user_login.name =~ /\\/ + pub_info = user_login.name.split('\\') + if pub_info.length <= 2 + state[client][:user] = pub_info[1] + state[client][:domain] = pub_info[0] + else + result_code = Net::LDAP::ResultCodeInvalidCredentials + print_error("LDAP Login Attempt => From:#{state[client][:name]} DN:#{user_login.name}") + end else - state[client][:user] = '' + state[client][:user] = user_login.name state[client][:domain] = nil result_code = Net::LDAP::ResultCodeInvalidCredentials end @@ -129,7 +138,9 @@ def on_dispatch_request(client, data) domain: state[client][:domain] ) end - print_good("LDAP Login Attempt => From:#{state[client][:name]} Username:#{state[client][:user]} Password:#{state[client][:pass]}") + result_message = "LDAP Login Attempt => From:#{state[client][:name]} Username:#{state[client][:user]} Password:#{state[client][:pass]}" + result_message += " Domain:#{state[client][:domain]}" if state[client][:domain] + print_good(result_message) result_code = Net::LDAP::ResultCodeAuthMethodNotSupported if result_code.nil? service.encode_ldap_response( pdu.message_id, @@ -138,8 +149,7 @@ def on_dispatch_request(client, data) Net::LDAP::ResultStrings[result_code], Net::LDAP::PDU::BindResult ) - when Net::LDAP::PDU::SearchRequest # search request - # Perform query against some loaded LDIF structure + when Net::LDAP::PDU::SearchRequest filter = Net::LDAP::Filter.parse_ldap_filter(pdu.search_parameters[:filter]) attrs = pdu.search_parameters[:attributes].empty? ? :all : pdu.search_parameters[:attributes] res = search_res(filter, pdu.message_id, attrs) @@ -160,26 +170,23 @@ def on_dispatch_request(client, data) client.close nil else - result_code = Net::LDAP::ResultCodeUnwillingToPerform - service.encode_ldap_response( - pdu.message_id, - result_code, - '', - Net::LDAP::ResultStrings[result_code], - Net::LDAP::PDU::SearchResult - ) + if suitable_response(pdu.app_tag) + result_code = Net::LDAP::ResultCodeUnwillingToPerform + service.encode_ldap_response( + pdu.message_id, + result_code, + '', + Net::LDAP::ResultStrings[result_code], + suitable_response(pdu.app_tag) + ) + else + client.close + end end on_send_response(client, res) unless res.nil? rescue StandardError => e - on_send_response(client, - service.encode_ldap_response( - 1, - Net::LDAP::ResultCodeUnwillingToPerform, - '', - Net::LDAP::ResultStrings[ResultCodeUnwillingToPerform], - Net::LDAP::PDU::BindResult - )) + client.close print_error("Failed to handle LDAP request due to #{e}") end end @@ -198,12 +205,16 @@ def report_cred(opts) module_fullname: fullname, username: opts[:user], private_data: opts[:password], - private_type: :password, - domain: opts[:domain], - realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, - realm_value: opts[:domain] + private_type: :password }.merge(service_data) + if opts[:domain] + credential_data = { + realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, + realm_value: opts[:domain] + }.merge(credential_data) + end + login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED @@ -246,4 +257,19 @@ def search_res(filter, msgid, attrflt = :all) end.compact.join end end + + def suitable_response(request) + responses = { + Net::LDAP::PDU::BindRequest => Net::LDAP::PDU::BindResult, + Net::LDAP::PDU::SearchRequest => Net::LDAP::PDU::SearchResult, + Net::LDAP::PDU::ModifyRequest => Net::LDAP::PDU::ModifyResponse, + Net::LDAP::PDU::AddRequest => Net::LDAP::PDU::AddResponse, + Net::LDAP::PDU::DeleteRequest => Net::LDAP::PDU::DeleteResponse, + Net::LDAP::PDU::ModifyRDNRequest => Net::LDAP::PDU::ModifyRDNResponse, + Net::LDAP::PDU::CompareRequest => Net::LDAP::PDU::CompareResponse, + Net::LDAP::PDU::ExtendedRequest => Net::LDAP::PDU::ExtendedResponse + } + + responses[request] + end end