National Cyber Warfare Foundation (NCWF) Forums


Metasploit Wrap-Up 05 17 2024


2024-06-09 20:02:52
milo
Red Team (CNA)

Metasploit adds improved LDAP capabilities along with two new modules.

LDAP Authentication Improvements


Metasploit Wrap-Up 05/17/2024

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication are the new support for Signing and Channel Binding. Microsoft has been making changes to harden communications to Domain Controllers. Organizations are incorporating these policies, which leave LDAP tools without the necessary features unable to operate. The intention behind these changes is to protect communications with Domain Controllers from relay attacks. There are, however, plenty of scenarios in which users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.


The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing will be performed opportunistically (LDAP::Signing=auto); however, it can be either disabled entirely by setting LDAP::Signing to disabled or required by setting it to required. Note that setting it to required will raise exceptions with configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and cannot be disabled in the same way. When connecting over SSL and authenticating with either NTLM or Kerberos, the binding information is provided to the server.
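The following Ruby is an added example for this wrap-up, not Metasploit's own code. It models the two behaviours the paragraph above describes: the LDAP::Signing policy (auto, disabled, required) as an illustrative decision function, and the TLS channel binding value that an NTLM client supplies over LDAPS (the RFC 5929 "tls-server-end-point" certificate hash carried in an MS-NLMP MsvChannelBindings AV_PAIR). The function names are this example's own, the signing model is a simplification rather than Metasploit's internals, and the certificate is a constructed self-signed one so the code runs offline.

```ruby
# Added example for this wrap-up; it is not Metasploit code. It models two of
# the behaviours the post describes: the LDAP::Signing policy (auto/disabled/
# required) and the TLS channel binding value supplied during NTLM
# authentication over LDAPS (RFC 5929 "tls-server-end-point" inside an
# MS-NLMP MsvChannelBindings AV_PAIR). Function names are this example's own.
require 'openssl'
require 'digest'

# Resolve the LDAP::Signing setting against the two configurations the post
# names as incompatible with signing: LDAPS and plaintext/simple auth.
# :auto signs opportunistically, :disabled never signs, :required raises when
# the connection cannot be signed. (Illustrative model, not msf's internals.)
def resolve_signing(setting, ssl:, auth:)
  incompatible = ssl || auth == :plaintext
  case setting
  when :disabled then :unsigned
  when :auto     then incompatible ? :unsigned : :signed
  when :required
    if incompatible
      reason = ssl ? 'LDAPS' : 'plaintext authentication'
      raise ArgumentError, "LDAP::Signing=required is incompatible with #{reason}"
    end
    :signed
  else
    raise ArgumentError, "unknown LDAP::Signing value: #{setting.inspect}"
  end
end

# RFC 5929 section 4.1: tls-server-end-point is a hash of the server's DER
# certificate using the certificate signature's hash algorithm; MD5 and SHA-1
# (and anything not recognised here) are replaced by SHA-256.
def tls_server_end_point(cert)
  case cert.signature_algorithm.downcase
  when /sha384/ then OpenSSL::Digest::SHA384.digest(cert.to_der)
  when /sha512/ then OpenSSL::Digest::SHA512.digest(cert.to_der)
  else               OpenSSL::Digest::SHA256.digest(cert.to_der)
  end
end

# MS-NLMP 3.1.5.1.2: the client MD5s a gss_channel_bindings_struct whose only
# populated field is application_data = "tls-server-end-point:" || cert hash.
# The four address fields are zero; every length is a little-endian uint32.
def gss_channel_bindings_hash(cert)
  app_data = 'tls-server-end-point:'.b + tls_server_end_point(cert)
  struct = [0, 0, 0, 0, app_data.bytesize].pack('V5') + app_data
  Digest::MD5.digest(struct)
end

# Wrap the 16-byte hash in the NTLM AV_PAIR the server verifies:
# AvId 0x000A (MsvChannelBindings), AvLen 16, value. The server recomputes the
# value from its own certificate, so an NTLM exchange relayed through another
# TLS endpoint carries a hash of the wrong certificate and is rejected.
def msv_channel_bindings_av_pair(cert)
  value = gss_channel_bindings_hash(cert)
  [0x000A, value.bytesize].pack('vv') + value
end

# Constructed stand-in for a domain controller's LDAPS certificate so the
# example runs offline; any OpenSSL::X509::Certificate works the same way.
def build_test_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=dc01.example.test')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_cert
  puts "signing over LDAPS with auto: #{resolve_signing(:auto, ssl: true, auth: :ntlm)}"
  puts "tls-server-end-point:         #{tls_server_end_point(cert).unpack1('H*')}"
  puts "MsvChannelBindings AV_PAIR:   #{msv_channel_bindings_av_pair(cert).unpack1('H*')}"
end
```

Running the file prints the resolved signing decision and the hex of both binding values. The Kerberos path differs only in how the binding is carried (the GSS-API checksum field of the AP-REQ rather than an NTLM AV_PAIR); the certificate hash itself is computed the same way.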


For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.


LDAP Session


In addition to the new LDAP authentication improvements, Metasploit added its latest session type this week: LDAP sessions. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services, including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and the CreateSession option. These new sessions allow users to authenticate once and interact with the connection, running queries or modules such as:



By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.


LDAP (192.0.2.197) > query -h
Usage: query -f -a

Run the query against the session.

OPTIONS:

-a, --attributes Comma separated list of attributes for the query
-b, --base-dn Base dn for the query
-f, --filter Filter string for the query (default: (objectclass=*))
-h, --help Help menu
-o, --output-format Output format: `table`, `csv` or `json` (default: table)
-s, --scope Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:


LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

Name Attributes
---- ----------
ms-ds-machineaccountquota 10
name labs1collabu0
objectsid S-1-5-21-795503-3050334394-3644400624

New module content (2)


Windows Registry Security Descriptor Utility


Author: Christophe De La Fuente

Type: Auxiliary

Pull request: #19115 contributed by cdelafuente-r7

Path: admin/registry_security_descriptor


Description: This adds a module to read and write the security descriptor of Windows registry keys.


Kemp LoadMaster Local sudo privilege escalation


Authors: Dave Yesland with Rhino Security Labs and bwatters-r7

Type: Exploit

Pull request: #19100 contributed by bwatters-r7

Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024


Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.


Enhancements and features (2)



  • #19058 from dwelch-r7 - This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.

  • #19132 from zeroSteiner - Add channel binding information to Metasploit's NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.

  • #19172 from cgranleese-r7 - Updates the debug command to export the currently enabled user features.


Bugs fixed (1)



  • #19183 from adfoster-r7 - Fix windows platform detection bug when running on a UCRT compiled environment.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/05/17/metasploit-wrap-up-05-17-2024/

