Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add in LDAP Query Module #16598

Merged
merged 16 commits into from
Jul 19, 2022
Merged

Add in LDAP Query Module #16598

merged 16 commits into from
Jul 19, 2022

Conversation

gwillcox-r7
Copy link
Contributor

This module adds in a new module which takes advantage of Net::LDAP to do a remote query of an LDAP server. It allows for both custom LDAP queries, provided they meet ASN.1 standards, as well as the option to run groups of queries for common classes of information such as computers on a domain, domain controllers, Exchange Server, groups, organizational units, etc.

The popular queries were taken from http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm and I filtered a few out that require more relational mappings that we don't have support for yet. Hopefully we will have support for these in the future, but at this point without the backend data relation models to support this information, we are currently restricted to just querying and then dumping the raw information.

Verification

  • Start msfconsole
  • use auxiliary/gather/query_ldap.rb
  • set RHOSTS *target ip*
  • Optional: set RPORT 636 if targeting the SSL encrypted port (or whatever port runs LDAP over SSL).
  • Optional: set SSL true if targeting a port with SSL enabled.
  • Optional: set BASE_DN "DC=www,DC=test,DC=com" or similar if you know the base domain name that you want to query, otherwise the module will try to find it on its own.
  • set LDAPQUERY *custom query* to a custom LDAP query.
  • run and make sure the results are as expected.
  • unset LDAPQUERY
  • set PREDEFINEDQUERY *one of the enum values*
  • run and verify the results are as expected.
  • unset PREDEFINEDQUERY and unset LDAPQUERY
  • run and verify an error is raised since both LDAPQUERY and PREDEFINEDQUERY are not set.

Optional but highly desired:

  • Test that you can successfully authenticate to a LDAP server that requires authentication to bind by setting BIND_DN and BIND_PW to the username and password respectively.

@gwillcox-r7 gwillcox-r7 marked this pull request as draft May 19, 2022 20:58
@github-actions
Copy link

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@gwillcox-r7

This comment was marked as resolved.

Sign in to view
smcintyre-r7
smcintyre-r7 reviewed May 19, 2022
View reviewed changes
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
@zeroSteiner zeroSteiner mentioned this pull request Jun 1, 2022
Merged
2 tasks
@gwillcox-r7
Copy link
Contributor Author

Rebasing to pull in #16640 which fixes many issues that were being encountered when testing. Thanks to Spencer for the fix 👍

@gwillcox-r7
Copy link
Contributor Author

Need to update this to now start parsing some of the output a little bit more or figure out how we will actually handle the returned data a bit more, but main issues have been addressed r.e retrieval of the data and making sure we don't crash, so that part should now be done.

@zeroSteiner zeroSteiner mentioned this pull request Jun 21, 2022
Merged
5 tasks
@gwillcox-r7
Copy link
Contributor Author

Forced update since we have made a lot of changes over the last 20 days since I last touched this and its in need of update.

@gwillcox-r7 gwillcox-r7 marked this pull request as ready for review June 22, 2022 20:01
@smcintyre-r7 smcintyre-r7 self-assigned this Jun 22, 2022
@smcintyre-r7 smcintyre-r7 added docs rn-modules release notes for new or majorly enhanced modules and removed needs-docs labels Jun 22, 2022
smcintyre-r7
smcintyre-r7 requested changes Jun 22, 2022
View reviewed changes
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/query_ldap.rb Outdated Show resolved Hide resolved
@adfoster-r7 adfoster-r7 mentioned this pull request Jun 25, 2022
Merged
@gwillcox-r7 gwillcox-r7 mentioned this pull request Jun 29, 2022
Merged
9 tasks
@gwillcox-r7 gwillcox-r7 mentioned this pull request Jun 29, 2022
Closed
gwillcox-r7 and others added 15 commits July 15, 2022 16:27
@gwillcox-r7
Push initial copy of work up
65b9e1c
@gwillcox-r7
Add in YAML query file implementation
515bfd2
@gwillcox-r7
Add in JSON output option
d480921
@gwillcox-r7
Add in CSV reporting formatting thanks to some help from Alan David F…
2a1a8aa 
…oster
@gwillcox-r7
Rework the logic for output and make it a lot neater. Also redo the q…
438b4b1 
…uery logic thanks to help from Alan David Foster so the query itself will specify what fields we need vs us having to manually filter this out later on. Makes it a lot quicker and easier to work with
@gwillcox-r7
Remove default actions and move them to default.yaml, then update cod…
3c56e27 
…e accordingly. Also update the initialization code so it will now load the possible actions dynamically from default.yaml.
@gwillcox-r7
Rename files to follow proper format. Add in documentation for exampl…
8c236e7 
…es. Then update code so we use Msf::Config.get_config_root to store the config file that we parse to get the actions outside of a Git tracked location. We will still use the default file to populate this non-git tracked location if its not already populated though.
@gwillcox-r7
Fix up usage of the word columns where attributes was more appropriat…
c5f2507 
…e. Also update the multi query logic to match new data format as it was broken before as a result of changes to file format. Finally remove extra parameters that are no longer needed.
@gwillcox-r7
Update error description to be more helpful when debugging. Also upda…
32e5884 
…te DefaultAction to default to first entry in the list or RUN_QUERY_FILE if no other action is available
@gwillcox-r7
Update documentation to include RUN_QUERY_FILE example.
67cf39f
@gwillcox-r7
Add in RUN_SINGLE_QUERY and associated options, and then update the c…
03ebbaf 
…ode and documentation accordingly. This will allow users to run single queries with associated attribute filters if they want to test out single queries at a time without changing YAML files
@gwillcox-r7
Refactor code and also add in proper fail_with error codes where need…
2d1acc0 
…ed. Also fix up module and documentation descriptions to be a bit clearer.
@gwillcox-r7
Make sure that we load ACTIONs from the user's custom file at startup…
1e05630 
… if they have changed anything or added any new ACTIONs
@gwillcox-r7
Default to having a near empty custom file so that we can still updat…
2a8d95c 
…e the default queries without issues vs preventing updates from occuring. If users want to override the defaults, then they accept the risk of not getting updates. Update documentation to also note this.
@smcintyre-r7 @gwillcox-r7
Reduce code, be more permissive
25f50e6 
This makes a few changes that should enable the module to function
better should it be dropped into a fresh MSF installation on its own.
@gwillcox-r7
Copy link
Contributor Author

@smcintyre-r7 Pulled in your fixes after making some adjustments to them, and then rebased the commit history down to 15 commits. Let me know if you think it should be rebased down further but I think there are a lot of valid commit messages still so didn't want to go too small.

smcintyre-r7
smcintyre-r7 approved these changes Jul 19, 2022
View reviewed changes
Copy link
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good and everything is working smoothly now. I tried the builtin actions and both custom actions. The error handling is solid, and the module loads without the data files and will work with the two custom actions.

Testing Output 
msf6 auxiliary(gather/ldap_query) > show options 

Module options (auxiliary/gather/ldap_query):

   Name              Current Setting         Required  Description
   ----              ---------------         --------  -----------
   BASE_DN                                   no        LDAP base DN if you already have it
   BIND_DN           smcintyre@msflab.local  no        The username to authenticate to LDAP server
   BIND_PW           Password1!              no        Password for the BIND_DN
   OUTPUT_FORMAT     table                   yes       The output format to use (Accepted: csv, table, json)
   QUERY_ATTRIBUTES                          no        Comma seperated list of attributes to retrieve from the serv
                                                       er
   QUERY_FILTER                              no        Filter to send to the target LDAP server to perform the quer
                                                       y
   RHOSTS            192.168.159.10          yes       The target host(s), see https://github.com/rapid7/metasploit
                                                       -framework/wiki/Using-Metasploit
   RPORT             389                     yes       The target port
   SSL               false                   no        Enable SSL on the LDAP connection


Auxiliary action:

   Name              Description
   ----              -----------
   RUN_SINGLE_QUERY  Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.


msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
QUERY_FILTER => (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,dNSHostname
QUERY_ATTRIBUTES => dn,displayName,dNSHostname
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Getting root DSE
dn: 
namingcontexts: DC=msflab,DC=local
namingcontexts: CN=Configuration,DC=msflab,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=msflab,DC=local
namingcontexts: DC=DomainDnsZones,DC=msflab,DC=local
namingcontexts: DC=ForestDnsZones,DC=msflab,DC=local
supportedcapabilities: 1.2.840.113556.1.4.800
supportedcapabilities: 1.2.840.113556.1.4.1670
supportedcapabilities: 1.2.840.113556.1.4.1791
supportedcapabilities: 1.2.840.113556.1.4.1935
supportedcapabilities: 1.2.840.113556.1.4.2080
supportedcapabilities: 1.2.840.113556.1.4.2237
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.2.840.113556.1.4.801
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.528
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.619
supportedcontrol: 1.2.840.113556.1.4.841
supportedcontrol: 1.2.840.113556.1.4.529
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 1.2.840.113556.1.4.521
supportedcontrol: 1.2.840.113556.1.4.970
supportedcontrol: 1.2.840.113556.1.4.1338
supportedcontrol: 1.2.840.113556.1.4.474
supportedcontrol: 1.2.840.113556.1.4.1339
supportedcontrol: 1.2.840.113556.1.4.1340
supportedcontrol: 1.2.840.113556.1.4.1413
supportedcontrol: 2.16.840.1.113730.3.4.9
supportedcontrol: 2.16.840.1.113730.3.4.10
supportedcontrol: 1.2.840.113556.1.4.1504
supportedcontrol: 1.2.840.113556.1.4.1852
supportedcontrol: 1.2.840.113556.1.4.802
supportedcontrol: 1.2.840.113556.1.4.1907
supportedcontrol: 1.2.840.113556.1.4.1948
supportedcontrol: 1.2.840.113556.1.4.1974
supportedcontrol: 1.2.840.113556.1.4.1341
supportedcontrol: 1.2.840.113556.1.4.2026
supportedcontrol: 1.2.840.113556.1.4.2064
supportedcontrol: 1.2.840.113556.1.4.2065
supportedcontrol: 1.2.840.113556.1.4.2066
supportedcontrol: 1.2.840.113556.1.4.2090
supportedcontrol: 1.2.840.113556.1.4.2205
supportedcontrol: 1.2.840.113556.1.4.2204
supportedcontrol: 1.2.840.113556.1.4.2206
supportedcontrol: 1.2.840.113556.1.4.2211
supportedcontrol: 1.2.840.113556.1.4.2239
supportedcontrol: 1.2.840.113556.1.4.2255
supportedcontrol: 1.2.840.113556.1.4.2256
supportedcontrol: 1.2.840.113556.1.4.2309
supportedcontrol: 1.2.840.113556.1.4.2330
supportedcontrol: 1.2.840.113556.1.4.2354
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.6.1.4.1.1466.101.119.1
supportedextension: 1.2.840.113556.1.4.1781
supportedextension: 1.3.6.1.4.1.4203.1.11.3
supportedextension: 1.2.840.113556.1.4.2212
supportedldapversion: 3
supportedldapversion: 2
supportedsaslmechanisms: GSSAPI
supportedsaslmechanisms: GSS-SPNEGO
supportedsaslmechanisms: EXTERNAL
supportedsaslmechanisms: DIGEST-MD5

[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================

 Name         Attributes
 ----         ----------
 dnshostname  WIN-3MSP8K2LCGC.msflab.local

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)
QUERY_FILTER => (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 192.168.159.10:389 Getting root DSE
dn: 
namingcontexts: DC=msflab,DC=local
namingcontexts: CN=Configuration,DC=msflab,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=msflab,DC=local
namingcontexts: DC=DomainDnsZones,DC=msflab,DC=local
namingcontexts: DC=ForestDnsZones,DC=msflab,DC=local
supportedcapabilities: 1.2.840.113556.1.4.800
supportedcapabilities: 1.2.840.113556.1.4.1670
supportedcapabilities: 1.2.840.113556.1.4.1791
supportedcapabilities: 1.2.840.113556.1.4.1935
supportedcapabilities: 1.2.840.113556.1.4.2080
supportedcapabilities: 1.2.840.113556.1.4.2237
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.2.840.113556.1.4.801
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.528
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.619
supportedcontrol: 1.2.840.113556.1.4.841
supportedcontrol: 1.2.840.113556.1.4.529
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 1.2.840.113556.1.4.521
supportedcontrol: 1.2.840.113556.1.4.970
supportedcontrol: 1.2.840.113556.1.4.1338
supportedcontrol: 1.2.840.113556.1.4.474
supportedcontrol: 1.2.840.113556.1.4.1339
supportedcontrol: 1.2.840.113556.1.4.1340
supportedcontrol: 1.2.840.113556.1.4.1413
supportedcontrol: 2.16.840.1.113730.3.4.9
supportedcontrol: 2.16.840.1.113730.3.4.10
supportedcontrol: 1.2.840.113556.1.4.1504
supportedcontrol: 1.2.840.113556.1.4.1852
supportedcontrol: 1.2.840.113556.1.4.802
supportedcontrol: 1.2.840.113556.1.4.1907
supportedcontrol: 1.2.840.113556.1.4.1948
supportedcontrol: 1.2.840.113556.1.4.1974
supportedcontrol: 1.2.840.113556.1.4.1341
supportedcontrol: 1.2.840.113556.1.4.2026
supportedcontrol: 1.2.840.113556.1.4.2064
supportedcontrol: 1.2.840.113556.1.4.2065
supportedcontrol: 1.2.840.113556.1.4.2066
supportedcontrol: 1.2.840.113556.1.4.2090
supportedcontrol: 1.2.840.113556.1.4.2205
supportedcontrol: 1.2.840.113556.1.4.2204
supportedcontrol: 1.2.840.113556.1.4.2206
supportedcontrol: 1.2.840.113556.1.4.2211
supportedcontrol: 1.2.840.113556.1.4.2239
supportedcontrol: 1.2.840.113556.1.4.2255
supportedcontrol: 1.2.840.113556.1.4.2256
supportedcontrol: 1.2.840.113556.1.4.2309
supportedcontrol: 1.2.840.113556.1.4.2330
supportedcontrol: 1.2.840.113556.1.4.2354
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.6.1.4.1.1466.101.119.1
supportedextension: 1.2.840.113556.1.4.1781
supportedextension: 1.3.6.1.4.1.4203.1.11.3
supportedextension: 1.2.840.113556.1.4.2212
supportedldapversion: 3
supportedldapversion: 2
supportedsaslmechanisms: GSSAPI
supportedsaslmechanisms: GSS-SPNEGO
supportedsaslmechanisms: EXTERNAL
supportedsaslmechanisms: DIGEST-MD5

[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[-] Auxiliary aborted due to failure: bad-config: Could not compile the filter (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192). Error was Invalid filter syntax.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set BASE_DN DC=msflab,DC=local
BASE_DN => DC=msflab,DC=local
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[-] Auxiliary aborted due to failure: bad-config: Could not compile the filter (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192). Error was Invalid filter syntax.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
QUERY_FILTER => (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================

 Name         Attributes
 ----         ----------
 dnshostname  WIN-3MSP8K2LCGC.msflab.local

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > run OUTPUT_FORMAT=csv
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] Name,Attributes
"dn","CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local"
"dnshostname","WIN-3MSP8K2LCGC.msflab.local"

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > run OUTPUT_FORMAT=json
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Sending single query (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) to the LDAP server...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
{
  "dn": "CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local",
  "dnshostname": "WIN-3MSP8K2LCGC.msflab.local"
}
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE 
ACTION => RUN_QUERY_FILE
msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /tmp/enum_accounts.yaml
QUERY_FILE_PATH => /tmp/enum_accounts.yaml
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[*] Loading queries from /tmp/enum_accounts.yaml...
[*] Running ENUM_COMPUTERS...
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local
 dnshostname             WIN-3MSP8K2LCGC.msflab.local
 name                    WIN-3MSP8K2LCGC
 operatingsystemversion  10.0 (17763)

[*] CN=EXCHANGE CN=Computers DC=msflab DC=local
===========================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=EXCHANGE,CN=Computers,DC=msflab,DC=local
 dnshostname             exchange.msflab.local
 name                    EXCHANGE
 operatingsystemversion  6.3 (9600)

[*] CN=SERVER2012 CN=Computers DC=msflab DC=local
=============================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=SERVER2012,CN=Computers,DC=msflab,DC=local
 dnshostname             SERVER2012.msflab.local
 name                    SERVER2012
 operatingsystemversion  6.3 (9600)

[*] CN=SHRPNT2019 CN=Computers DC=msflab DC=local
=============================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=SHRPNT2019,CN=Computers,DC=msflab,DC=local
 dnshostname             SHRPNT2019.msflab.local
 name                    SHRPNT2019
 operatingsystemversion  10.0 (14393)

[*] CN=SOLARSUCK CN=Computers DC=msflab DC=local
============================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=SOLARSUCK,CN=Computers,DC=msflab,DC=local
 dnshostname             SOLARSUCK.msflab.local
 name                    SOLARSUCK
 operatingsystemversion  6.3 (9600)

[*] CN=HORIZON CN=Computers DC=msflab DC=local
==========================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=HORIZON,CN=Computers,DC=msflab,DC=local
 dnshostname             HORIZON.msflab.local
 name                    HORIZON
 operatingsystemversion  10.0 (17763)

[*] CN=DESKTOP-LG5V486E CN=Computers DC=msflab DC=local
===================================================

 Name               Attributes
 ----               ----------
 distinguishedname  CN=DESKTOP-LG5V486E,CN=Computers,DC=msflab,DC=local
 name               DESKTOP-LG5V486E

[*] CN=DESKTOP-GL7J8D5I CN=Computers DC=msflab DC=local
===================================================

 Name               Attributes
 ----               ----------
 distinguishedname  CN=DESKTOP-GL7J8D5I,CN=Computers,DC=msflab,DC=local
 name               DESKTOP-GL7J8D5I

[*] CN=DESKTOP-BSCMRX5D CN=Computers DC=msflab DC=local
===================================================

 Name               Attributes
 ----               ----------
 distinguishedname  CN=DESKTOP-BSCMRX5D,CN=Computers,DC=msflab,DC=local
 name               DESKTOP-BSCMRX5D

[*] CN=DESKTOP-QI754IN8 CN=Computers DC=msflab DC=local
===================================================

 Name               Attributes
 ----               ----------
 distinguishedname  CN=DESKTOP-QI754IN8,CN=Computers,DC=msflab,DC=local
 name               DESKTOP-QI754IN8

[*] CN=DESKTOP-YAE4ELIV CN=Computers DC=msflab DC=local
===================================================

 Name               Attributes
 ----               ----------
 distinguishedname  CN=DESKTOP-YAE4ELIV,CN=Computers,DC=msflab,DC=local
 name               DESKTOP-YAE4ELIV

[*] CN=MSSQL CN=Computers DC=msflab DC=local
========================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=MSSQL,CN=Computers,DC=msflab,DC=local
 dnshostname             MSSQL.msflab.local
 name                    MSSQL
 operatingsystemversion  10.0 (14393)

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS 
ACTION => ENUM_DOMAIN_CONTROLLERS
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10

[+] Successfully bound to the LDAP server!
[*] User-specified base DN: DC=msflab,DC=local
[+] Successfully queried LDAP server!
[*] CN=WIN-3MSP8K2LCGC OU=Domain Controllers DC=msflab DC=local
===========================================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=WIN-3MSP8K2LCGC,OU=Domain Controllers,DC=msflab,DC=local
 dnshostname             WIN-3MSP8K2LCGC.msflab.local
 name                    WIN-3MSP8K2LCGC
 operatingsystemversion  10.0 (17763)

[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >

smcintyre-r7 added a commit that referenced this pull request Jul 19, 2022
@smcintyre-r7
Land #16598, Add in LDAP Query Module
ebb15ee
@smcintyre-r7 smcintyre-r7 merged commit dcd4caf into rapid7:master Jul 19, 2022
@smcintyre-r7
Copy link
Contributor

Release Notes

This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple, builtin queries for common operations.

@gwillcox-r7 gwillcox-r7 deleted the ldap-changes branch July 19, 2022 17:22
@zeroSteiner zeroSteiner mentioned this pull request Feb 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

@adfoster-r7 adfoster-r7 Awaiting requested review from adfoster-r7

Assignees

@smcintyre-r7 smcintyre-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@gwillcox-r7 @smcintyre-r7 @adfoster-r7