Don’t miss Spencer McIntyre’s talk on Help Net Security’s blog. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today’s offensive security challenges and how important the partnership with the community is.
This week, our very own @gwillcox-r7 added an auxiliary module that will likely help you to dump useful information from LDAP servers. This module allows you to remotely retrieve data using either your own custom query or a set of LDAP queries under a specific category. In addition to the available predefined queries, the user can also provide a JSON or YAML file containing custom queries to be executed.
Here are the available predefined queries:
msf6 auxiliary(gather/ldap_query) > show actions

Auxiliary actions:

   Name                      Description
   ----                      -----------
   ENUM_ACCOUNTS             Dump info about all known user accounts in the domain.
   ENUM_ALL_OBJECT_CATEGORY  Dump all objects containing any objectCategory field.
   ENUM_ALL_OBJECT_CLASS     Dump all objects containing any objectClass field.
   ENUM_COMPUTERS            Dump all objects containing an objectCategory of Computer.
   ENUM_DOMAIN_CONTROLLERS   Dump all known domain controllers.
   ENUM_EXCHANGE_RECIPIENTS  Dump info about all known Exchange recipients.
   ENUM_EXCHANGE_SERVERS     Dump info about all known Exchange servers.
   ENUM_GROUPS               Dump info about all known groups in the LDAP environment.
   ENUM_ORGROLES             Dump info about all known organizational roles in the LDAP environment.
   ENUM_ORGUNITS             Dump info about all known organization units in the LDAP environment.
   RUN_QUERY_FILE            Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
   RUN_SINGLE_QUERY          Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.
Here is how you can dump information about users in a Windows domain:
msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS
action => ENUM_ACCOUNTS
msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456
[*] Running module against 10.0.0.33
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================
Name Attributes
---- ----------
displayname DC02$
name DC02
samaccountname DC02$
useraccountcontrol 532480
[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================
Name Attributes
---- ----------
name Administrator
samaccountname Administrator
useraccountcontrol 512
...[SNIP]...
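The ENUM_ACCOUNTS output above prints userAccountControl as a raw integer (532480 for the DC02 machine account, 512 for Administrator). The following Python is an added example, not code from the blog post or from Metasploit: it parses the per-object "Name / Attributes" blocks exactly as the module prints them, decodes the integer into the documented Active Directory userAccountControl bit flags, and highlights flags a reviewer of such a dump would follow up on (accounts that do not require Kerberos pre-authentication, passwords that are not required, and so on). The sample text embeds the two objects shown in the post plus one constructed svc_backup entry with an assumed value of 4194816; the flag names and bit values are the standard ones, the parser and the review set are this example's own.

```python
import re

# Standard Active Directory userAccountControl bit flags (ADS_USER_FLAG values).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags worth a second look when reviewing an account dump (example's own choice).
REVIEW_FLAGS = {
    "PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY",
    "TRUSTED_FOR_DELEGATION", "DONT_EXPIRE_PASSWORD", "ENCRYPTED_TEXT_PWD_ALLOWED",
}

# Constructed sample: the two objects from the post's output plus an assumed
# svc_backup account (4194816 = NORMAL_ACCOUNT | DONT_REQ_PREAUTH).
SAMPLE_OUTPUT = """
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================
Name Attributes
---- ----------
displayname DC02$
name DC02
samaccountname DC02$
useraccountcontrol 532480
[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================
Name Attributes
---- ----------
name Administrator
samaccountname Administrator
useraccountcontrol 512
[*] CN=svc_backup CN=Users DC=mylab DC=local
============================================
Name Attributes
---- ----------
name svc_backup
samaccountname svc_backup
useraccountcontrol 4194816
...[SNIP]...
"""


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_module_output(text):
    """Parse '[*] <DN>' blocks followed by a Name/Attributes table into {dn: {attr: value}}."""
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        dn_match = re.match(r"^\[\*\]\s+(CN=.*)$", line)
        if dn_match:
            current = dn_match.group(1)
            objects[current] = {}
            continue
        # Skip status lines, table rules, the header row and anything before the first DN.
        if current is None or not line or line[0] in "[=-" or line.startswith("Name"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            objects[current][parts[0].lower()] = parts[1]
    return objects


def review_accounts(text):
    """Decode userAccountControl for each parsed object and list review-worthy flags."""
    findings = {}
    for dn, attrs in parse_module_output(text).items():
        uac = attrs.get("useraccountcontrol")
        if uac is None:
            continue
        flags = decode_uac(int(uac))
        review = set(flags) & REVIEW_FLAGS
        # Unconstrained delegation is expected on a domain controller, so do not flag it there.
        if "SERVER_TRUST_ACCOUNT" in flags:
            review.discard("TRUSTED_FOR_DELEGATION")
        findings[dn] = {"flags": flags, "review": sorted(review)}
    return findings


if __name__ == "__main__":
    for dn, info in review_accounts(SAMPLE_OUTPUT).items():
        print(dn, "->", ", ".join(info["flags"]), "| review:", info["review"] or "-")
```

Run as a script it prints one line per object; the svc_backup entry is the only one that ends up with a non-empty review list, because DC02's delegation flag is suppressed as expected for a domain controller.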
For those nostalgic about old Windows systems, bcoles did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as ms01_023_printer, ms02_065_msadc and ms03_007_ntdll_webdav by fixing many issues and adding offsets to support many more Win2k flavors.
set cmdstager::flavor ftp_http.
./scripts/meterpreter/checkvm.rb has been removed and post/windows/gather/checkvm.rb now replaces it. Additionally, the post/windows/gather/checkvm.rb script has been updated to include missing features from ./scripts/meterpreter/checkvm.rb to ensure backwards compatibility.
debug command.
scanner/mssql/mssql_login module with the tdsencryption and USE_WINDOWS_AUTHENT options set to true.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).