Don't store passwords in creds when the password wasn't needed for the auth type

Dean Welch 2023-09-20 13:52:06 +01:00
parent 09c757513f
commit 1609836ea2
5 changed files with 21 additions and 6 deletions


@ -58,6 +58,13 @@ module Metasploit
# so make sure that whatever it is, we end up with a Credential.
credential = raw_cred.to_credential
if (opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS && opts[:ldap_krb5_cname]) ||
opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::SCHANNEL
# If we're using kerberos auth with a ccache or doing schannel auth then the password is irrelevant
# Remove it from the credential so we don't store it
credential.private = nil
end
if credential.realm.present? && realm_key.present?
credential.realm_key = realm_key
elsif credential.realm.present? && realm_key.blank?
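Review bot: The new guard treats any non-nil `opts[:ldap_krb5_cname]` as "ccache in use", but an empty string is truthy in Ruby, so if that option ever arrives as `""` a Kerberos run that actually authenticated with the password would still have it stripped from the stored credential. `present?` is already used two lines below, so `(opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS && opts[:ldap_krb5_cname].present?)` closes the gap; the same inconsistency shows at the source, where the LDAP module hunk passes `datastore['Ldap::Krb5Ccname']` through raw while the SMB module hunk maps a blank value to nil. If `raw_cred.to_credential` can return the object the caller still holds rather than a copy, `credential.private = nil` also clears the password on the caller's side — worth confirming, or `dup` before mutating. The enclosing method starts before this hunk.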


@ -27,6 +27,7 @@ module Auxiliary::AuthBrute
OptBool.new('DB_ALL_PASS', [false,"Add all passwords in the current database to the list",false]),
OptEnum.new('DB_SKIP_EXISTING', [false,"Skip existing credentials stored in the current database", 'none', %w[ none user user&realm ]]),
OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", false]),
OptBool.new('ANONYMOUS_LOGIN', [ true, "Attempt to login with a blank username and password", false])
], Auxiliary::AuthBrute)
register_advanced_options([
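Review bot: `ANONYMOUS_LOGIN` is now registered on every module that includes `Auxiliary::AuthBrute`, yet it only takes effect where a module reads `datastore['ANONYMOUS_LOGIN']` into its credential collection; on this page only the LDAP login module hunk does that, so on other AuthBrute modules the option looks available but is inert (inferred from what is visible here). Either say so in the option text, e.g. `"Attempt to login with a blank username and password (honoured only by modules that support it)"`, or register it from the modules that wire it. The surrounding `register_options` call starts before this hunk.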


@ -57,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary
username: datastore['USERNAME'],
password: datastore['PASSWORD'],
realm: datastore['DOMAIN'],
anonymous_login: false,
anonymous_login: datastore['ANONYMOUS_LOGIN'],
blank_passwords: false
)
@ -71,7 +71,9 @@ class MetasploitModule < Msf::Auxiliary
ldap_cert_file: datastore['LDAP::CertFile'],
ldap_rhostname: datastore['Ldap::Rhostname'],
ldap_krb_offered_enc_types: datastore['Ldap::KrbOfferedEncryptionTypes'],
ldap_krb5_cname: datastore['Ldap::Krb5Ccname']
ldap_krb5_cname: datastore['Ldap::Krb5Ccname'],
# Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })
}
realm_key = nil


@ -87,7 +87,8 @@ class MetasploitModule < Msf::Auxiliary
framework: framework,
framework_module: self,
cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
ticket_storage: kerberos_ticket_storage
# Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
ticket_storage: kerberos_ticket_storage({ read: false, write: true })
)
end
end


@ -1,7 +1,7 @@
require 'spec_helper'
require 'metasploit/framework/login_scanner/ldap'
RSpec.shared_examples_for 'Metasploit::Framework::LoginScanner::LDAP' do
RSpec.shared_examples_for 'Metasploit::Framework::LoginScanner::LDAP' do |ldap_auth_type|
let(:mock_credential) do
Metasploit::Framework::Credential.new(
public: 'mock_public',
@ -11,7 +11,11 @@ RSpec.shared_examples_for 'Metasploit::Framework::LoginScanner::LDAP' do
end
let(:public) { 'root' }
let(:private) { 'toor' }
let(:private) do
# SChannel auth doesn't use a password
ldap_auth_type == Msf::Exploit::Remote::AuthOption::SCHANNEL ? nil : 'toor'
end
let(:realm) { 'myrealm' }
let(:realm_key) { Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN }
@ -129,7 +133,7 @@ RSpec.describe Metasploit::Framework::LoginScanner::LDAP do
described_class.new(opts: { ldap_auth: auth_type })
end
it_behaves_like 'Metasploit::Framework::LoginScanner::LDAP'
it_behaves_like 'Metasploit::Framework::LoginScanner::LDAP', auth_type
end
end
end
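Review bot: The new `private` helper only models the SCHANNEL case, so the other branch of the scanner's new guard — Kerberos with `ldap_krb5_cname` set — has no example in this shared group, and unless it is covered elsewhere in the file the password stripping on that path is untested. A context that passes `ldap_krb5_cname` in `opts` and a `let(:private)` that also returns nil for `ldap_auth_type == Msf::Exploit::Remote::AuthOption::KERBEROS` in that context would exercise it. The `it_behaves_like` loop in the last hunk starts before that hunk.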