Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ldap auto authentication #18935

Merged
1 commit merged into from
Mar 28, 2024
Merged

Fix ldap auto authentication #18935

1 commit merged into from
Mar 28, 2024

Conversation

zeroSteiner
Copy link
Contributor

@zeroSteiner zeroSteiner commented Mar 7, 2024
edited by jheysel-r7
Loading

This fixes a common user mistake when authenticating with LDAP modules. Most modules, when set to the default authentication mechanism of auto use NTLM. LDAP however uses the simple plaintext mechanism in this case. If the user is expecting to authenticate to a domain controller, the username will need to be in the UPN format ([email protected]), however, through muscle memory they might specific the DOMAIN datastore option. In this case, their authentication attempt will fail.

This updates the LDAP library to check if a domain was specified, and if it was, it'll use NTLM as the authentication mechanism instead of LDAP. Now users can set the DOMAIN datastore option, along with the USERNAME and PASSWORD and things should just work.

Verification

  • Start msfconsole
  • use auxiliary/gather/ldap_query
  • set LDAP::Auth auto (the default)
  • Set the PASSWORD datastore option
  • Set the USERNAME datastore option to a UPN, see the module works
  • Set the USERNAME datastore option to a normal username and the DOMAIN option to the domain, see the module works

@zeroSteiner
Fix ldap auto authentication
fc2d5c2 
When the auth method is set to auto and a domain is specific, use NTLM.
zeroSteiner
zeroSteiner commented Mar 7, 2024
View reviewed changes
lib/metasploit/framework/ldap/client.rb
Comment on lines +37 to +38
if opts[:username].present? && opts[:domain].present?
connect_opts.merge!(ldap_auth_opts_ntlm(opts))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the core of the fix right here. When the username and domain are both specified, use NTLM instead of plaintext.

The other code was moved around so the NTLM code didn't have to be duplicated. Since the NTLM code was placed into a method, and the simple code was already duplicated, it seemed like a good time to refactor everything into their own methods.

@jheysel-r7 jheysel-r7 self-assigned this Mar 28, 2024
@jheysel-r7
Copy link
Contributor

Changes look great, thanks for fixing this @zeroSteiner!

✅ Set the USERNAME datastore option to a UPN, see the module works

msf6 auxiliary(gather/ldap_query) > set password N0tpassword!
password => N0tpassword!
msf6 auxiliary(gather/ldap_query) > set username [email protected]
username => [email protected]
msf6 auxiliary(gather/ldap_query) > set rhosts 172.16.199.200
rhosts => 172.16.199.200
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.16.199.200

[*] Discovering base DN automatically
[+] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] 172.16.199.200:389 Discovered schema DN: DC=kerberos,DC=issue
CN=Administrator,CN=Users,DC=kerberos,DC=issue
==============================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2024-03-28 17:55:39 UTC
 logoncount          94
 memberof            CN=Group Policy Creator Owners,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Domain Admins,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Enterprise Admins,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Schema Admins,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Administrators,CN=Builtin,DC=kerberos,DC=issue
 name                Administrator
 objectsid           S-1-5-21-2324486357-3075865580-3606784161-500
 pwdlastset
 samaccountname      Administrator
 useraccountcontrol  66048

✅ Set the USERNAME datastore option to a normal username and the DOMAIN option to the domain, see the module works

msf6 auxiliary(gather/ldap_query) > set username Administrator
username => Administrator
msf6 auxiliary(gather/ldap_query) > set domain kerberos.issue
domain => kerberos.issue
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.16.199.200

[*] Discovering base DN automatically
[+] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] 172.16.199.200:389 Discovered schema DN: DC=kerberos,DC=issue
CN=Administrator,CN=Users,DC=kerberos,DC=issue
==============================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2024-03-28 17:55:39 UTC
 logoncount          94
 memberof            CN=Group Policy Creator Owners,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Domain Admins,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Enterprise Admins,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Schema Admins,CN=Users,DC=kerberos,DC=issue
 \_                  CN=Administrators,CN=Builtin,DC=kerberos,DC=issue
 name                Administrator
 objectsid           S-1-5-21-2324486357-3075865580-3606784161-500
 pwdlastset
 samaccountname      Administrator
 useraccountcontrol  66048

CN=Guest,CN=Users,DC=kerberos,DC=issue
======================================

@jheysel-r7 jheysel-r7 added enhancement rn-fix release notes fix and removed enhancement labels Mar 28, 2024
@jheysel-r7 jheysel-r7 closed this pull request by merging all changes into rapid7:master in 0cd2bc5 Mar 28, 2024
@jheysel-r7
Copy link
Contributor

Release Notes

This PR fixes a common user mistake when authenticating with LDAP modules. Now users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format ([email protected]). This fix updates the LDAP library.

@smcintyre-r7 smcintyre-r7 mentioned this pull request Apr 5, 2024
Merged
18 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jheysel-r7 jheysel-r7

Labels
rn-fix release notes fix
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zeroSteiner @jheysel-r7