LDAP capture capabilities #18678

Merged
merged 25 commits into from Feb 15, 2024
e3c9714
Capturing-SimpleBind-Authentication
JustAnda7 Jun 18, 2023
8238241
Documentation-of-Capturing-Simple-Auth
JustAnda7 Jun 18, 2023
8e33bad
Better-parsing-of-dn-and-minor-changes
JustAnda7 Jun 27, 2023
79d3cc8
changes-to-support-nmap-script
JustAnda7 Jul 30, 2023
05d6e98
changes-to-support-nmap
JustAnda7 Aug 20, 2023
6b5fff6
Land #18125, LDAP Capture Simple Authentication
jmartin-tech Sep 1, 2023
6972a91
changes-to-support-ntlm
JustAnda7 Sep 10, 2023
1a3b00e
shifting-appropriate-methods-to-auth-lib
JustAnda7 Sep 27, 2023
ea189d6
Changes-to-the-helper-lib
JustAnda7 Oct 2, 2023
7876912
Changes-as-per-comments
JustAnda7 Oct 5, 2023
70c69f4
Merge pull request #9 from JustAnda7/GSoC/creating-rex-lib-for-auth
JustAnda7 Oct 8, 2023
672d651
Optimization-of-the-libraries-using-Net-NTLM
JustAnda7 Nov 4, 2023
6ba5d03
Addition-of-suitable-tests-for-the-libraries
JustAnda7 Nov 4, 2023
2ab1b7a
adjustments to NTLM LDAP support
jmartin-tech Jan 2, 2024
a09cf64
Merge pull request #11 from jmartin-tech/GSoC/LDAP-NTLM-adjustments
JustAnda7 Jan 6, 2024
a4e8714
Land #18376, NTLM support for the LDAP capture
jmartin-tech Jan 7, 2024
6d298c3
remove unused advanced option
jmartin-tech Jan 7, 2024
5a14575
Adjustment for extra knobs to tweak during auth
jmartin-tech Jan 11, 2024
bcefde2
correct metadata for `Actions` usage
jmartin-tech Jan 23, 2024
d20ef7a
add `LDAP` to capture plugin
jmartin-tech Jan 23, 2024
4cb1848
cleanup LDAP NTLM type2 response
jmartin-tech Jan 25, 2024
e5b5f12
add missing sasl mechanism constant
jmartin-tech Feb 1, 2024
1c334ad
address stack trace noticed in testing
jmartin-tech Feb 1, 2024
bed552d
set error on unsupported LDAP auth
jmartin-tech Feb 2, 2024
40701bf
Fix auhtentication typo in lib/rex/proto/ldap/auth.rb
adfoster-r7 Feb 15, 2024
2 changes: 2 additions & 0 deletions data/capture_config.yaml
Expand Up @@ -16,6 +16,8 @@ services:
enabled: yes
- type: IMAP
enabled: yes
- type: LDAP
enabled: yes
- type: MSSQL
enabled: yes
- type: MySQL
52 changes: 52 additions & 0 deletions documentation/modules/auxiliary/server/capture/ldap.md
@@ -0,0 +1,52 @@

## Vulnerable Application

This module emulates an LDAP Server which accepts User Bind Request to capture the User Credentials.
Upon receiving successful Bind Request, a `ldap_bind: Authentication method not supported (7)` error is sent to the User

## Verification Steps

1. Start msfconsole
2. Do: `use auxiliary/server/capture/ldap`
3. Do: `run`
4. From a new shell or workstation, perform a ldap bind request involving User credentials.
5. Check the database using `creds` for the user authentication information.

## Options

**Authentication**

The type of LDAP authentication to capture. The default type is `Simple`

## Scenarios

### Metasploit Server

```
msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

[*] Server started.
[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
```

### Client

```
└─$ ldapsearch -LLL -H ldap://10.0.2.15 -D cn=User,dc=example,dc=com -W
Enter LDAP Password:
ldap_bind: Auth Method Not Supported (7)
additional info: Auth Method Not Supported
```

**Database**

```
msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========

host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
10.0.2.15 10.0.2.15 389/tcp (ldap) User Pass example.com Password
```
8 changes: 8 additions & 0 deletions lib/msf/core/exploit/remote/ldap/server.rb
Expand Up @@ -76,6 +76,13 @@ def on_send_response(cli, data)
#
def start_service
comm = _determine_server_comm(bindhost)
auth_handler = Rex::Proto::LDAP::Auth.new(
datastore['CHALLENGE'],
datastore['Domain'],
datastore['Server'],
datastore['DnsName'],
datastore['DnsDomain']
)
self.service = Rex::ServiceManager.start(
Rex::Proto::LDAP::Server,
bindhost,
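Review bot: `start_service` now reads `datastore['CHALLENGE']`, `datastore['Domain']`, `datastore['Server']`, `datastore['DnsName']` and `datastore['DnsDomain']` unconditionally, but nothing in this hunk registers those options in the mixin, so a module that includes it without defining them would pass five `nil` values to `Rex::Proto::LDAP::Auth.new`. Either register the options here with defaults, or confirm and document that `Auth.new` accepts `nil` for each argument. Two smaller points: five positional string arguments are easy to transpose, so keyword arguments would be safer, and `CHALLENGE` is the only all-caps key among CamelCase ones.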
Expand All @@ -84,6 +91,7 @@ def start_service
datastore['LdapServerTcp'],
read_ldif,
comm,
auth_handler,
{ 'Msf' => framework, 'MsfExploit' => self }
)
