Add in LDAP Query Module #16598
Conversation
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Rebasing to pull in #16640 which fixes many issues that were being encountered when testing. Thanks to Spencer for the fix 👍
Need to update this to now start parsing some of the output a little bit more or figure out how we will actually handle the returned data a bit more, but the main issues have been addressed re retrieval of the data and making sure we don't crash, so that part should now be done.
Force-pushed from e2b1654 to 49845ff
Forced update since we have made a lot of changes over the last 20 days since I last touched this and it's in need of an update.
Force-pushed from 62c7cc8 to 4cac967
Force-pushed from b39e092 to 22b0e22
…uery logic thanks to help from Alan David Foster so the query itself will specify what fields we need vs us having to manually filter this out later on. Makes it a lot quicker and easier to work with
…e accordingly. Also update the initialization code so it will now load the possible actions dynamically from default.yaml.
…es. Then update code so we use Msf::Config.get_config_root to store the config file that we parse to get the actions outside of a Git tracked location. We will still use the default file to populate this non-git tracked location if its not already populated though.
…e. Also update the multi query logic to match new data format as it was broken before as a result of changes to file format. Finally remove extra parameters that are no longer needed.
…te DefaultAction to default to first entry in the list or RUN_QUERY_FILE if no other action is available
…ode and documentation accordingly. This will allow users to run single queries with associated attribute filters if they want to test out single queries at a time without changing YAML files
…ed. Also fix up module and documentation descriptions to be a bit clearer.
… if they have changed anything or added any new ACTIONs
…e the default queries without issues vs preventing updates from occurring. If users want to override the defaults, then they accept the risk of not getting updates. Update documentation to also note this.
This makes a few changes that should enable the module to function better should it be dropped into a fresh MSF installation on its own.
Force-pushed from a489381 to 25f50e6
@smcintyre-r7 Pulled in your fixes after making some adjustments to them, and then rebased the commit history down to 15 commits. Let me know if you think it should be rebased down further, but I think there are a lot of valid commit messages still so I didn't want to go too small.
Changes look good and everything is working smoothly now. I tried the builtin actions and both custom actions. The error handling is solid, and the module loads without the data files and will work with the two custom actions.
Testing Output
msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN smcintyre@msflab.local no The username to authenticate to LDAP server
BIND_PW Password1! no Password for the BIND_DN
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
QUERY_ATTRIBUTES no Comma seperated list of attributes to retrieve from the serv
er
QUERY_FILTER no Filter to send to the target LDAP server to perform the quer
y
RHOSTS 192.168.159.10 yes The target host(s), see https://github.com/rapid7/metasploit
-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Auxiliary action:
Name Description
---- -----------
RUN_SINGLE_QUERY Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.
msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
QUERY_FILTER => (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,dNSHostname
QUERY_ATTRIBUTES => dn,displayName,dNSHostname
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Getting root DSE
dn:
namingcontexts: DC=msflab,DC=local
namingcontexts: CN=Configuration,DC=msflab,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=msflab,DC=local
namingcontexts: DC=DomainDnsZones,DC=msflab,DC=local
namingcontexts: DC=ForestDnsZones,DC=msflab,DC=local
supportedcapabilities: 1.2.840.113556.1.4.800
supportedcapabilities: 1.2.840.113556.1.4.1670
supportedcapabilities: 1.2.840.113556.1.4.1791
supportedcapabilities: 1.2.840.113556.1.4.1935
supportedcapabilities: 1.2.840.113556.1.4.2080
supportedcapabilities: 1.2.840.113556.1.4.2237
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.2.840.113556.1.4.801
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.528
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.619
supportedcontrol: 1.2.840.113556.1.4.841
supportedcontrol: 1.2.840.113556.1.4.529
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 1.2.840.113556.1.4.521
supportedcontrol: 1.2.840.113556.1.4.970
supportedcontrol: 1.2.840.113556.1.4.1338
supportedcontrol: 1.2.840.113556.1.4.474
supportedcontrol: 1.2.840.113556.1.4.1339
supportedcontrol: 1.2.840.113556.1.4.1340
supportedcontrol: 1.2.840.113556.1.4.1413
supportedcontrol: 2.16.840.1.113730.3.4.9
supportedcontrol: 2.16.840.1.113730.3.4.10
supportedcontrol: 1.2.840.113556.1.4.1504
supportedcontrol: 1.2.840.113556.1.4.1852
supportedcontrol: 1.2.840.113556.1.4.802
supportedcontrol: 1.2.840.113556.1.4.1907
supportedcontrol: 1.2.840.113556.1.4.1948
supportedcontrol: 1.2.840.113556.1.4.1974
supportedcontrol: 1.2.840.113556.1.4.1341
supportedcontrol: 1.2.840.113556.1.4.2026
supportedcontrol: 1.2.840.113556.1.4.2064
supportedcontrol: 1.2.840.113556.1.4.2065
supportedcontrol: 1.2.840.113556.1.4.2066
supportedcontrol: 1.2.840.113556.1.4.2090
supportedcontrol: 1.2.840.113556.1.4.2205
supportedcontrol: 1.2.840.113556.1.4.2204
supportedcontrol: 1.2.840.113556.1.4.2206
supportedcontrol: 1.2.840.113556.1.4.2211
supportedcontrol: 1.2.840.113556.1.4.2239
supportedcontrol: 1.2.840.113556.1.4.2255
supportedcontrol: 1.2.840.113556.1.4.2256
supportedcontrol: 1.2.840.113556.1.4.2309
supportedcontrol: 1.2.840.113556.1.4.2330
supportedcontrol: 1.2.840.113556.1.4.2354
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.6.1.4.1.1466.101.119.1
supportedextension: 1.2.840.113556.1.4.1781
supportedextension: 1.3.6.1.4.1.4203.1.11.3
supportedextension: 1.2.840.113556.1.4.2212
supportedldapversion: 3
supportedldapversion: 2
supportedsaslmechanisms: GSSAPI
supportedsaslmechanisms: GSS-SPNEGO
supportedsaslmechanisms: EXTERNAL
supportedsaslmechanisms: DIGEST-MD5
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================
Name Attributes
---- ----------
dnshostname WIN-3MSP8K2LCGC.msflab.local
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)
QUERY_FILTER => (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Getting root DSE
dn:
namingcontexts: DC=msflab,DC=local
namingcontexts: CN=Configuration,DC=msflab,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=msflab,DC=local
namingcontexts: DC=DomainDnsZones,DC=msflab,DC=local
namingcontexts: DC=ForestDnsZones,DC=msflab,DC=local
supportedcapabilities: 1.2.840.113556.1.4.800
supportedcapabilities: 1.2.840.113556.1.4.1670
supportedcapabilities: 1.2.840.113556.1.4.1791
supportedcapabilities: 1.2.840.113556.1.4.1935
supportedcapabilities: 1.2.840.113556.1.4.2080
supportedcapabilities: 1.2.840.113556.1.4.2237
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.2.840.113556.1.4.801
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.528
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.619
supportedcontrol: 1.2.840.113556.1.4.841
supportedcontrol: 1.2.840.113556.1.4.529
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 1.2.840.113556.1.4.521
supportedcontrol: 1.2.840.113556.1.4.970
supportedcontrol: 1.2.840.113556.1.4.1338
supportedcontrol: 1.2.840.113556.1.4.474
supportedcontrol: 1.2.840.113556.1.4.1339
supportedcontrol: 1.2.840.113556.1.4.1340
supportedcontrol: 1.2.840.113556.1.4.1413
supportedcontrol: 2.16.840.1.113730.3.4.9
supportedcontrol: 2.16.840.1.113730.3.4.10
supportedcontrol: 1.2.840.113556.1.4.1504
supportedcontrol: 1.2.840.113556.1.4.1852
supportedcontrol: 1.2.840.113556.1.4.802
supportedcontrol: 1.2.840.113556.1.4.1907
supportedcontrol: 1.2.840.113556.1.4.1948
supportedcontrol: 1.2.840.113556.1.4.1974
supportedcontrol: 1.2.840.113556.1.4.1341
supportedcontrol: 1.2.840.113556.1.4.2026
supportedcontrol: 1.2.840.113556.1.4.2064
supportedcontrol: 1.2.840.113556.1.4.2065
supportedcontrol: 1.2.840.113556.1.4.2066
supportedcontrol: 1.2.840.113556.1.4.2090
supportedcontrol: 1.2.840.113556.1.4.2205
supportedcontrol: 1.2.840.113556.1.4.2204
supportedcontrol: 1.2.840.113556.1.4.2206
supportedcontrol: 1.2.840.113556.1.4.2211
supportedcontrol: 1.2.840.113556.1.4.2239
supportedcontrol: 1.2.840.113556.1.4.2255
supportedcontrol: 1.2.840.113556.1.4.2256
supportedcontrol: 1.2.840.113556.1.4.2309
supportedcontrol: 1.2.840.113556.1.4.2330
supportedcontrol: 1.2.840.113556.1.4.2354
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.6.1.4.1.1466.101.119.1
supportedextension: 1.2.840.113556.1.4.1781
supportedextension: 1.3.6.1.4.1.4203.1.11.3
supportedextension: 1.2.840.113556.1.4.2212
supportedldapversion: 3
supportedldapversion: 2
supportedsaslmechanisms: GSSAPI
supportedsaslmechanisms: GSS-SPNEGO
supportedsaslmechanisms: EXTERNAL
supportedsaslmechanisms: DIGEST-MD5
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[-] Auxiliary aborted due to failure: bad-config: Could not compile the filter (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192). Error was Invalid filter syntax.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set BASE_DN DC=msflab,DC=local
BASE_DN => DC=msflab,DC=local
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[-] Auxiliary aborted due to failure: bad-config: Could not compile the filter (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192). Error was Invalid filter syntax.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
QUERY_FILTER => (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================
Name Attributes
---- ----------
dnshostname WIN-3MSP8K2LCGC.msflab.local
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > run OUTPUT_FORMAT=csv
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] Name,Attributes
"dn","CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local"
"dnshostname","WIN-3MSP8K2LCGC.msflab.local"
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > run OUTPUT_FORMAT=json
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
{
"dn": "CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local",
"dnshostname": "WIN-3MSP8K2LCGC.msflab.local"
}
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE
ACTION => RUN_QUERY_FILE
msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /tmp/enum_accounts.yaml
QUERY_FILE_PATH => /tmp/enum_accounts.yaml
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Loading queries from /tmp/enum_accounts.yaml...
[*] Running ENUM_COMPUTERS...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================
Name Attributes
---- ----------
distinguishedname CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local
dnshostname WIN-3MSP8K2LCGC.msflab.local
name WIN-3MSP8K2LCGC
operatingsystemversion 10.0 (17763)
[*] CN=EXCHANGE CN=Computers DC=msflab DC=local
===========================================
Name Attributes
---- ----------
distinguishedname CN=EXCHANGE,CN=Computers,DC=msflab,DC=local
dnshostname exchange.msflab.local
name EXCHANGE
operatingsystemversion 6.3 (9600)
[*] CN=SERVER2012 CN=Computers DC=msflab DC=local
=============================================
Name Attributes
---- ----------
distinguishedname CN=SERVER2012,CN=Computers,DC=msflab,DC=local
dnshostname SERVER2012.msflab.local
name SERVER2012
operatingsystemversion 6.3 (9600)
[*] CN=SHRPNT2019 CN=Computers DC=msflab DC=local
=============================================
Name Attributes
---- ----------
distinguishedname CN=SHRPNT2019,CN=Computers,DC=msflab,DC=local
dnshostname SHRPNT2019.msflab.local
name SHRPNT2019
operatingsystemversion 10.0 (14393)
[*] CN=SOLARSUCK CN=Computers DC=msflab DC=local
============================================
Name Attributes
---- ----------
distinguishedname CN=SOLARSUCK,CN=Computers,DC=msflab,DC=local
dnshostname SOLARSUCK.msflab.local
name SOLARSUCK
operatingsystemversion 6.3 (9600)
[*] CN=HORIZON CN=Computers DC=msflab DC=local
==========================================
Name Attributes
---- ----------
distinguishedname CN=HORIZON,CN=Computers,DC=msflab,DC=local
dnshostname HORIZON.msflab.local
name HORIZON
operatingsystemversion 10.0 (17763)
[*] CN=DESKTOP-LG5V486E CN=Computers DC=msflab DC=local
===================================================
Name Attributes
---- ----------
distinguishedname CN=DESKTOP-LG5V486E,CN=Computers,DC=msflab,DC=local
name DESKTOP-LG5V486E
[*] CN=DESKTOP-GL7J8D5I CN=Computers DC=msflab DC=local
===================================================
Name Attributes
---- ----------
distinguishedname CN=DESKTOP-GL7J8D5I,CN=Computers,DC=msflab,DC=local
name DESKTOP-GL7J8D5I
[*] CN=DESKTOP-BSCMRX5D CN=Computers DC=msflab DC=local
===================================================
Name Attributes
---- ----------
distinguishedname CN=DESKTOP-BSCMRX5D,CN=Computers,DC=msflab,DC=local
name DESKTOP-BSCMRX5D
[*] CN=DESKTOP-QI754IN8 CN=Computers DC=msflab DC=local
===================================================
Name Attributes
---- ----------
distinguishedname CN=DESKTOP-QI754IN8,CN=Computers,DC=msflab,DC=local
name DESKTOP-QI754IN8
[*] CN=DESKTOP-YAE4ELIV CN=Computers DC=msflab DC=local
===================================================
Name Attributes
---- ----------
distinguishedname CN=DESKTOP-YAE4ELIV,CN=Computers,DC=msflab,DC=local
name DESKTOP-YAE4ELIV
[*] CN=MSSQL CN=Computers DC=msflab DC=local
========================================
Name Attributes
---- ----------
distinguishedname CN=MSSQL,CN=Computers,DC=msflab,DC=local
dnshostname MSSQL.msflab.local
name MSSQL
operatingsystemversion 10.0 (14393)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS
ACTION => ENUM_DOMAIN_CONTROLLERS
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================
Name Attributes
---- ----------
distinguishedname CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local
dnshostname WIN-3MSP8K2LCGC.msflab.local
name WIN-3MSP8K2LCGC
operatingsystemversion 10.0 (17763)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
Release Notes
This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple builtin queries for common operations.
This PR adds a new module which takes advantage of Net::LDAP to do a remote query of an LDAP server. It allows for both custom LDAP queries, provided they meet ASN.1 standards, as well as the option to run groups of queries for common classes of information such as computers on a domain, domain controllers, Exchange Server, groups, organizational units, etc.
The popular queries were taken from http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm and I filtered a few out that require more relational mappings that we don't have support for yet. Hopefully we will have support for these in the future, but at this point without the backend data relation models to support this information, we are currently restricted to just querying and then dumping the raw information.
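The reviewer's testing output above shows the module refusing a filter with a missing closing parenthesis ("Could not compile the filter ... Invalid filter syntax"), and the commit messages describe loading the available actions from a YAML query file. The following is an added example, not code from this PR or from metasploit-framework, that demonstrates both steps on constructed input: it loads a YAML query file in the shape the commits describe (the `queries`, `action`, `filter` and `attributes` keys are an assumption about the file format), and checks each filter against a minimal RFC 4515 grammar before it would be sent, so a broken query is rejected up front rather than failing against the server. The filter checker is a stand-alone stdlib-only implementation written for this example, not Net::LDAP's own filter parser.

```ruby
require 'yaml'

# Constructed sample query file. The key names follow what the PR's commit
# messages describe (actions loaded from default.yaml); the exact schema is
# an assumption for this example, not copied from the project.
SAMPLE_QUERY_FILE = <<~YAML
  queries:
    - action: ENUM_DOMAIN_CONTROLLERS
      description: Dump all known domain controllers.
      filter: "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
      attributes:
        - dn
        - dnshostname
        - name
        - operatingsystemversion
    - action: BROKEN_QUERY
      description: Same filter with the closing parenthesis dropped, as in the reviewer's test.
      filter: "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)"
      attributes:
        - dn
YAML

class LdapFilterSyntaxError < StandardError; end

# Minimal RFC 4515 filter checker (recursive descent). It understands
# and/or/not lists, simple, approximate, ordering and extensible-match
# items such as "attr:OID:=value", and rejects unbalanced parentheses,
# empty attribute names and trailing garbage. It does not validate OIDs.
class LdapFilterChecker
  def initialize(text)
    @s = text
    @i = 0
  end

  def self.valid?(text)
    new(text).check
    true
  rescue LdapFilterSyntaxError
    false
  end

  def check
    parse_filter
    raise LdapFilterSyntaxError, "trailing data at offset #{@i}" if @i != @s.length
  end

  private

  def peek
    @s[@i]
  end

  def expect(ch)
    unless peek == ch
      raise LdapFilterSyntaxError, "expected #{ch.inspect} at offset #{@i}, got #{peek.inspect}"
    end
    @i += 1
  end

  # filter = "(" filtercomp ")"
  def parse_filter
    expect('(')
    case peek
    when '&', '|'          # and / or: one or more nested filters
      @i += 1
      parse_filter
      parse_filter while peek == '('
    when '!'               # not: exactly one nested filter
      @i += 1
      parse_filter
    else
      parse_item
    end
    expect(')')
  end

  # item = attr ( "=" | "~=" | ">=" | "<=" ) value, attr may carry ":dn:rule:"
  def parse_item
    attr = consume_while { |c| c !~ /[=()~<>]/ }
    raise LdapFilterSyntaxError, "empty attribute at offset #{@i}" if attr.empty?
    if %w[~= >= <=].include?(@s[@i, 2])
      @i += 2
    elsif peek == '='
      @i += 1
    else
      raise LdapFilterSyntaxError, "expected comparison operator at offset #{@i}"
    end
    consume_while { |c| c != ')' && c != '(' } # value: unescaped parens end it
  end

  def consume_while
    start = @i
    @i += 1 while @i < @s.length && yield(@s[@i])
    @s[start...@i]
  end
end

# Load the query file and split the actions into runnable and rejected ones,
# mirroring the module's behaviour of aborting on a filter that will not compile.
def load_queries(yaml_text)
  queries = YAML.safe_load(yaml_text).fetch('queries')
  ok, bad = queries.partition { |q| LdapFilterChecker.valid?(q.fetch('filter').to_s) }
  { runnable: ok.map { |q| q['action'] }, rejected: bad.map { |q| q['action'] } }
end

if __FILE__ == $PROGRAM_NAME
  result = load_queries(SAMPLE_QUERY_FILE)
  puts "runnable: #{result[:runnable].join(', ')}"
  puts "rejected: #{result[:rejected].join(', ')}"
end
```

Validating the filter client-side gives the user the same "bad-config" style failure the module reports, but before any bind or search traffic is generated, and it lets a query file with one broken entry still run its valid actions instead of aborting the whole batch.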
Verification
- Start msfconsole
- use auxiliary/gather/query_ldap.rb
- set RHOSTS *target ip*
- set RPORT 636 if targeting the SSL encrypted port (or whatever port runs LDAP over SSL).
- set SSL true if targeting a port with SSL enabled.
- set BASE_DN "DC=www,DC=test,DC=com" or similar if you know the base domain name that you want to query, otherwise the module will try to find it on its own.
- set LDAPQUERY *custom query* to a custom LDAP query.
- run and make sure the results are as expected.
- unset LDAPQUERY
- set PREDEFINEDQUERY *one of the enum values*
- run and verify the results are as expected.
- unset PREDEFINEDQUERY and unset LDAPQUERY
- run and verify an error is raised since both LDAPQUERY and PREDEFINEDQUERY are not set.
- Optional but highly desired: set BIND_DN and BIND_PW to the username and password respectively.