Don't store passwords to creds if the password wasn't needed for the …

…auth type
rapid7 · Sep 20, 2023 · b639527 · b639527
1 parent 09c7575
commit b639527
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/lib/metasploit/framework/login_scanner/ldap.rb b/lib/metasploit/framework/login_scanner/ldap.rb
@@ -58,6 +58,13 @@ def each_credential
             # so make sure that whatever it is, we end up with a Credential.
             credential = raw_cred.to_credential
 
+            if (opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS && opts[:ldap_krb5_cname]) ||
+               opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::SCHANNEL
+              # If we're using kerberos auth with a ccache or doing schannel auth then the password is irrelevant
+              # Remove it from the credential so we don't store it
+              credential.private = nil
+            end
+
             if credential.realm.present? && realm_key.present?
               credential.realm_key = realm_key
             elsif credential.realm.present? && realm_key.blank?

diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
@@ -27,6 +27,7 @@ def initialize(info = {})
       OptBool.new('DB_ALL_PASS', [false,"Add all passwords in the current database to the list",false]),
       OptEnum.new('DB_SKIP_EXISTING', [false,"Skip existing credentials stored in the current database", 'none', %w[ none user user&realm ]]),
       OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", false]),
+      OptBool.new('ANONYMOUS_LOGIN', [ true, "Attempt to login with a blank username and password", false])
     ], Auxiliary::AuthBrute)
 
     register_advanced_options([

diff --git a/modules/auxiliary/scanner/ldap/ldap_login.rb b/modules/auxiliary/scanner/ldap/ldap_login.rb
@@ -57,7 +57,7 @@ def run_host(ip)
       username: datastore['USERNAME'],
       password: datastore['PASSWORD'],
       realm: datastore['DOMAIN'],
-      anonymous_login: false,
+      anonymous_login: datastore['ANONYMOUS_LOGIN'],
       blank_passwords: false
     )
 
@@ -71,7 +71,9 @@ def run_host(ip)
       ldap_cert_file: datastore['LDAP::CertFile'],
       ldap_rhostname: datastore['Ldap::Rhostname'],
       ldap_krb_offered_enc_types: datastore['Ldap::KrbOfferedEncryptionTypes'],
-      ldap_krb5_cname: datastore['Ldap::Krb5Ccname']
+      ldap_krb5_cname: datastore['Ldap::Krb5Ccname'],
+      # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
+      kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })
     }
 
     realm_key = nil

diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -87,7 +87,8 @@ def run_host(ip)
           framework: framework,
           framework_module: self,
           cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
-          ticket_storage: kerberos_ticket_storage
+          # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
+          ticket_storage: kerberos_ticket_storage({ read: false, write: true })
         )
       end
     end