Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require Username and Password for every RHost auth: allows Scha… #19551

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Don't require Username and Password for every RHost auth: allows Scha… #19551

wants to merge 1 commit into from
+1 −1

Conversation

smashery
Copy link
Contributor

This fixes a datastore options bug for LDAP modules. With the new optional session functionality enabled, if using RHOST, the system forced the use of Username and Password. However several valid configurations exist that do not require these settings (e.g. Schannel, or cached Kerberos creds).

msf6 auxiliary(gather/ldap_query) > run rhost=4.200.16.98 ssl=true ldap::certfile=/home/smash/.msf4/loot/20241008165417_default_4.200.16.98_windows.ad.cs_371440.pfx ldap::auth=schannel

[-] Msf::OptionValidateError The following options failed to validate:
[-] Invalid option PASSWORD: PASSWORD must be specified
[-] Invalid option USERNAME: USERNAME must be specified

msf6 auxiliary(gather/ldap_query) > run rhost=4.200.16.98 ldap::auth=kerberos ldap::RHostname=dc22 domain=msf.local domaincontrollerrhost=4.200.16.98 username=AzureAdmin

[-] Msf::OptionValidateError The following options failed to validate:
[-] Invalid option PASSWORD: PASSWORD must be specified

This PR resolves the issue by only initially requiring RHOST runs to have the bare minimum settings (host and port), and then let each auth provider do its own checks (schannel for certfile, kerberos for... all of its various possible settings).

Verification

List the steps needed to make sure this thing works

  • Procure a domain controller
  • Start msfconsole
  • features set ldap_session_type true
  • Obtain a valid pfx file (e.g. using an ADCS module)
  • Auth to the system using Kerberos (e.g. by using ldap_query with ldap::auth set to kerberos
  • Validate you have the cached cred by running klist
  • use use auxiliary/gather/ldap_query
  • Auth to the system using ldap::auth=schannel and the certfile set
  • Verify that it runs the query successfully
  • Auth to the system using ldap::auth=kerberos, with a username (so that it picks the correct cached cred), but no passward
  • Verify that it runs the query successfully

Test runs

After fix:

msf6 auxiliary(gather/ldap_query) > run rhost=4.200.16.98 ssl=true ldap::certfile=/home/smash/.msf4/loot/20241008165417_default_4.200.16.98_windows.ad.cs_371440.pfx ldap::auth=schannel
[*] Running module against 4.200.16.98
[*] 4.200.16.98:389 Discovered base DN: DC=msf,DC=local
CN=Administrators,CN=Builtin,DC=msf,DC=local
============================================
...


msf6 auxiliary(gather/ldap_query) > run rhost=4.200.16.98 ldap::auth=kerberos ldap::RHostname=dc22 domain=msf.local domaincontrollerrhost=4.200.16.98 username=AzureAdmin
[*] Running module against 4.200.16.98
[*] Using cached credential for ldap/[email protected] [email protected]
[+] 4.200.16.98:88 - Received AP-REQ. Extracting session key...
[*] 4.200.16.98:389 Discovered base DN: DC=msf,DC=local
CN=Administrators,CN=Builtin,DC=msf,DC=local
============================================
...

@cdelafuente-r7
Copy link
Contributor

Note to the reviewer, please check if the required options are being checked by the respective providers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@smashery @cdelafuente-r7