Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap/ldap_login module requires a password for schannel #19743

Open
smcintyre-r7 opened this issue Dec 17, 2024 · 1 comment
Open

ldap/ldap_login module requires a password for schannel #19743

smcintyre-r7 opened this issue Dec 17, 2024 · 1 comment
Labels
bug not-stale Label to stop an issue from being auto closed

Comments

@smcintyre-r7
Copy link
Contributor

There's only one way to authenticate to an LDAP server and establish a session AFAIK. That's to use the ldap/ldap_login with LDAP::Auth=schannel RPORT=389 SSL=true LDAP::CertFile=/path/to/your/cert. With these configuration options in place however, Metasploit throws an error that it won't run the login scanner for LDAP because the credentials are blank. This forces the user to set a password for the sake of passing the validation even though they just want to authenticate as one user and open a session. In the following example, foobar is not the password for any user.

metasploit-framework (S:0 J:0) auxiliary(scanner/ldap/ldap_login) > run
[*] Error: 192.168.159.10: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::LDAP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 0 credentials were successful.
[*] 0 LDAP sessions were opened successfully.
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/ldap/ldap_login) > set PASSWORD foobar
PASSWORD => foobar
metasploit-framework (S:0 J:0) auxiliary(scanner/ldap/ldap_login) > run
[+] Success: 'Cert File /home/smcintyre/.msf4/loot/20241217162530_default_192.168.159.10_windows.ad.cs_098266.pfx'
[*] LDAP session 1 opened (127.0.0.1 -> 127.0.0.1) at 2024-12-17 16:26:10 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
metasploit-framework (S:1 J:0) auxiliary(scanner/ldap/ldap_login) > sessions -i -1
[*] Starting interaction with 1...

LDAP (192.168.159.10) > whoami
[-] Unknown command: whoami. Run the help command for more details.
LDAP (192.168.159.10) > getuid
[*] Server username: MSFLAB\smcintyre
LDAP (192.168.159.10) >
@smcintyre-r7 smcintyre-r7 added the not-stale Label to stop an issue from being auto closed label Dec 18, 2024
@cdelafuente-r7
Copy link
Contributor

I think there is also the case when a user select LDAP::Auth=kerberos and wants to use the cached credentials. The module should accept a run without password. However, the username is required to be able to retrieve the correct ticket from the cache.

@cdelafuente-r7 cdelafuente-r7 mentioned this issue Dec 20, 2024
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug not-stale Label to stop an issue from being auto closed
Projects
Metasploit Kanban
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cdelafuente-r7 @smcintyre-r7