Land rapid7#19539, Keep LDAP sessions alive

Author: dwelch-r7

lib/msf/base/sessions/ldap.rb

@@ -14,18 +14,30 @@ class Msf::Sessions::LDAP
   # @return [Rex::Proto::LDAP::Client] The LDAP client
   attr_accessor :client
 
+  attr_accessor :keep_alive_thread
+  
+  # @return [Integer] Seconds between keepalive requests
+  attr_accessor :keepalive_seconds
+
   attr_accessor :platform, :arch
   attr_reader :framework
 
   # @param[Rex::IO::Stream] rstream
   # @param [Hash] opts
   # @option opts [Rex::Proto::LDAP::Client] :client
+  # @option opts [Integer] :keepalive
   def initialize(rstream, opts = {})
     @client = opts.fetch(:client)
+    @keepalive_seconds = opts.fetch(:keepalive_seconds)
     self.console = Rex::Post::LDAP::Ui::Console.new(self)
     super(rstream, opts)
   end
 
+  def cleanup
+    stop_keep_alive_loop
+    super
+  end
+
   def bootstrap(datastore = {}, handler = nil)
     session = self
     session.init_ui(user_input, user_output)
@@ -139,4 +151,31 @@ def _interact_stream
     raise EOFError if (console.stopped? == true)
   end
 
+  def on_registered
+    start_keep_alive_loop
+  end
+
+  # Start a background thread for regularly sending a no-op command to keep the connection alive
+  def start_keep_alive_loop
+    self.keep_alive_thread = framework.threads.spawn("LDAP-shell-keepalive-#{sid}", false) do
+      loop do
+        if client.last_interaction.nil?
+          remaining_sleep = @keepalive_seconds
+        else
+          remaining_sleep = @keepalive_seconds - (Process.clock_gettime(Process::CLOCK_MONOTONIC) - client.last_interaction)
+        end
+        sleep(remaining_sleep)
+        if (Process.clock_gettime(Process::CLOCK_MONOTONIC) - client.last_interaction) > @keepalive_seconds
+          client.search_root_dse
+        end
+        # This should have moved last_interaction forwards
+        fail if (Process.clock_gettime(Process::CLOCK_MONOTONIC) - client.last_interaction) > @keepalive_seconds
+      end
+    end
+  end
+
+  # Stop the background thread
+  def stop_keep_alive_loop
+    keep_alive_thread.kill
+  end
 end

lib/msf/core/exploit/remote/ldap.rb

@@ -177,13 +177,15 @@ def ldap_new(opts = {})
       # "Note that disabling the anonymous bind mechanism does not prevent anonymous
       # access to the directory."
       # Bug created for Net:LDAP at https://github.com/ruby-ldap/ruby-net-ldap/issues/375
+      # Also used to support multi-threading (used for keep-alive)
       #
       # @yieldparam conn [Rex::Proto::LDAP::Client] The LDAP connection handle to use for connecting to
       #   the target LDAP server.
       # @param args [Hash] A hash containing options for the ldap connection
       def ldap.use_connection(args)
         if @open_connection
           yield @open_connection
+          register_interaction
         else
           begin
             conn = new_connection

lib/rex/proto/ldap/client.rb

@@ -11,11 +11,23 @@ class Client < Net::LDAP
         # @return [Rex::Socket]
         attr_reader :socket
 
+        # [Time] The last time an interaction occurred on the connection (for keep-alive purposes)
+        attr_reader :last_interaction
+
+        # [Mutex] Control access to the connection. One at a time.
+        attr_reader :connection_use_mutex
+
         def initialize(args)
           @base_dn = args[:base]
+          @last_interaction = nil
+          @connection_use_mutex = Mutex.new
           super
         end
 
+        def register_interaction
+          @last_interaction = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+        end
+
         # @return [Array<String>] LDAP servers naming contexts
         def naming_contexts
           @naming_contexts ||= search_root_dse[:namingcontexts]
@@ -46,6 +58,14 @@ def peerinfo
           "#{peerhost}:#{peerport}"
         end
 
+        def use_connection(args)
+          @connection_use_mutex.synchronize do
+            return super(args)
+          ensure
+            register_interaction
+          end
+        end
+
         # https://github.com/ruby-ldap/ruby-net-ldap/issues/11
         # We want to keep the ldap connection open to use later
         # but there's no built in way within the `Net::LDAP` library to do that
@@ -65,6 +85,7 @@ def _open
             @socket = @open_connection.socket
             payload[:connection] = @open_connection
             payload[:bind] = @result = @open_connection.bind(@auth)
+            register_interaction
             return self
           end
         end

modules/auxiliary/scanner/ldap/ldap_login.rb

@@ -36,7 +36,8 @@ def initialize(info = {})
         OptBool.new(
           'APPEND_DOMAIN', [true, 'Appends `@<DOMAIN> to the username for authentication`', false],
           conditions: ['LDAP::Auth', 'in', [Msf::Exploit::Remote::AuthOption::AUTO, Msf::Exploit::Remote::AuthOption::PLAINTEXT]]
-        )
+        ),
+        OptInt.new('SessionKeepalive', [true, 'Time (in seconds) for sending protocol-level keepalive messages', 10 * 60])
       ]
     )
 
@@ -48,6 +49,7 @@ def initialize(info = {})
     else
       # Don't give the option to create a session unless ldap sessions are enabled
       options_to_deregister << 'CreateSession'
+      options_to_deregister << 'SessionKeepalive'
     end
 
     deregister_options(*options_to_deregister)
@@ -175,7 +177,7 @@ def session_setup(result)
     return unless result.connection && result.proof
 
     # Create a new session
-    my_session = Msf::Sessions::LDAP.new(result.connection, { client: result.proof })
+    my_session = Msf::Sessions::LDAP.new(result.connection, { client: result.proof, keepalive_seconds: datastore['SessionKeepalive'] })
 
     merge_me = {
       'USERPASS_FILE' => nil,

spec/lib/msf/base/sessions/ldap_spec.rb

@@ -4,7 +4,7 @@
 
 RSpec.describe Msf::Sessions::LDAP do
   let(:client) { instance_double(Rex::Proto::LDAP::Client) }
-  let(:opts) { { client: client } }
+  let(:opts) { { client: client, keepalive_seconds: 600 } }
   let(:console_class) { Rex::Post::LDAP::Ui::Console }
   let(:user_input) { instance_double(Rex::Ui::Text::Input::Readline) }
   let(:user_output) { instance_double(Rex::Ui::Text::Output::Stdio) }