Last updated at Mon, 26 Feb 2024 12:16:44 GMT
LDAP Capture module
Metasploit now has an LDAP capture module thanks to the work of
JustAnda7. This work was completed as part of the Google Summer of Code program.
When the module runs it will by default require privileges to listen on port 389. The module implements default handling for BindRequest, SearchRequest, and UnbindRequest, and will capture both plaintext credentials and NTLM hashes, which can be brute-forced offline. Upon receiving a successful Bind Request, an ldap_bind: Authentication method not supported (7) error is sent to the connecting client.
The module can be run with:
msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run
Incoming requests will have their credentials stored for later use:
[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566 Username:admin ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74 Domain:DOMAIN
These values will be stored in the database for later retrieval:
msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
10.0.2.15 10.0.2.15 389/tcp (ldap) User Pass example.com Password
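The capture works because a simple bind carries the password as a plain OCTET STRING on the wire. This added example (not code from the Metasploit module) decodes a constructed BindRequest, flags a plaintext simple bind the way a defender would for a cleartext-LDAP alert, and builds the resultCode 7 BindResponse the module replies with; the helper names are my own.

```ruby
# Minimal BER/LDAP BindRequest decoder plus the resultCode 7 BindResponse.
# Hypothetical helpers written for this post, not the Metasploit module's code.

# Read one BER TLV at offset; returns [tag, value_bytes, next_offset].
def read_tlv(buf, off)
  tag = buf.getbyte(off)
  len = buf.getbyte(off + 1)
  off += 2
  if len > 0x7f                                  # long-form length
    n = len & 0x7f
    len = buf.byteslice(off, n).bytes.inject(0) { |a, b| (a << 8) | b }
    off += n
  end
  [tag, buf.byteslice(off, len), off + len]
end

def ber_int(bytes)
  bytes.bytes.inject(0) { |a, b| (a << 8) | b }  # small non-negative INTEGERs only
end

# Decode an LDAPMessage carrying a BindRequest; nil for anything else.
def parse_bind_request(msg)
  tag, body, = read_tlv(msg, 0)
  return nil unless tag == 0x30                  # LDAPMessage SEQUENCE
  id_tag, id, off = read_tlv(body, 0)
  return nil unless id_tag == 0x02               # messageID INTEGER
  op_tag, op, = read_tlv(body, off)
  return nil unless op_tag == 0x60               # [APPLICATION 0] BindRequest
  _, version, off = read_tlv(op, 0)
  _, name, off = read_tlv(op, off)
  auth_tag, auth, = read_tlv(op, off)
  req = { message_id: ber_int(id), version: ber_int(version), name: name }
  case auth_tag
  when 0x80 then req.merge(auth: :simple, password: auth)   # simple [0]: clear text
  when 0xa3                                                 # sasl [3]: mechanism first
    _, mech, = read_tlv(auth, 0)
    req.merge(auth: :sasl, mechanism: mech)
  else req.merge(auth: :unknown)
  end
end

# True when the bind hands a reusable plaintext password to whoever answers
# on port 389: the condition a capture listener relies on and a defender
# should alert on for non-TLS LDAP.
def plaintext_bind?(req)
  !req.nil? && req[:auth] == :simple && !req[:password].empty?
end

# BindResponse with resultCode 7 (authMethodNotSupported); messageID < 128 assumed.
def auth_method_not_supported(message_id)
  result = [0x0a, 0x01, 0x07, 0x04, 0x00, 0x04, 0x00].pack('C*')
  op = [0x61, result.bytesize].pack('C*') + result
  body = [0x02, 0x01, message_id].pack('C*') + op
  [0x30, body.bytesize].pack('C*') + body
end

# Constructed sample: simple bind, messageID 1, version 3, name "User", password "Pass".
SAMPLE_BIND = [0x30, 0x14, 0x02, 0x01, 0x01, 0x60, 0x0f, 0x02, 0x01, 0x03, 0x04, 0x04,
               0x55, 0x73, 0x65, 0x72, 0x80, 0x04, 0x50, 0x61, 0x73, 0x73].pack('C*')
```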
Ivanti exploit module
Another honorable mention for this week's Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities (CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. Both vulnerabilities are being widely exploited in the wild. Read Rapid7's full technical analysis of the exploit chain in AttackerKB.
New module content (4)
Authentication Capture: LDAP
Author: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap
Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP server. The server accepts a user's bind request, and the user credentials or NTLM hash are then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.
Ivanti Connect Secure Unauthenticated Remote Code Execution
Author: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893
Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.
Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
Authors: BobTheShopLifter, Thingstad, and h00die-gr3y (h00die.gr3y@gmail.com)
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251
Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.
QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi
Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218
Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTS Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.
Enhanced Modules (2)
Modules which have either been enhanced, or renamed:
- #18125 from JustAnda7 - This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
- #18681 from h00die - This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.
Enhancements and features (8)
- #18376 from JustAnda7 - This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
- #18817 from dwelch-r7 - This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection, to show that only one or the other is required when using the new session type features for SMB/MSSQL/MySQL/PostgreSQL sessions.
- #18847 from sjanusz-r7 - This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
- #18848 from sjanusz-r7 - This PR adds proxy support for getting a MSSQL session via the mssql_login module.
- #18854 from sjanusz-r7 - This PR adds proxy support for getting a MySQL session via the mysql_login module.
- #18855 from sjanusz-r7 - This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.
- #18863 from sjanusz-r7 - This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.
- #18864 from cgranleese-r7 - Adds an alias for ls and dir inside SMB sessions.
Bugs fixed (5)
- #18770 from dwelch-r7 - Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
- #18842 from upsidedwn - Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
- #18850 from adfoster-r7 - Fixes failing ldap server tests.
- #18861 from cgranleese-r7 - Removes SessionType values from modules with OptionalSession mixin.
- #18871 from adfoster-r7 - Fixes a crash when using the webconsole.
Documentation added (1)
- #18857 from jlownie - Updates the Wiki documentation on running the Metasploit database to be more clear.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.