# -*- coding: binary -*- module Msf class Post module Windows # # @see # http://msdn.microsoft.com/en-us/library/windows/desktop/aa366961(v=vs.85).aspx # MSDN: Lightweight Directory Access Protocol module LDAP include Msf::Post::Windows::Error include Msf::Post::Windows::ExtAPI include Msf::Post::Windows::Accounts LDAP_SIZELIMIT_EXCEEDED = 0x04 LDAP_OPT_SIZELIMIT = 0x03 LDAP_AUTH_NEGOTIATE = 0x0486 DEFAULT_PAGE_SIZE = 500 ERROR_CODE_TO_CONSTANT = { 0x0b => 'LDAP_ADMIN_LIMIT_EXCEEDED', 0x47 => 'LDAP_AFFECTS_MULTIPLE_DSAS', 0x24 => 'LDAP_ALIAS_DEREF_PROBLEM', 0x21 => 'LDAP_ALIAS_PROBLEM', 0x44 => 'LDAP_ALREADY_EXISTS', 0x14 => 'LDAP_ATTRIBUTE_OR_VALUE_EXISTS', 0x07 => 'LDAP_AUTH_METHOD_NOT_SUPPORTED', 0x56 => 'LDAP_AUTH_UNKNOWN', 0x33 => 'LDAP_BUSY', 0x60 => 'LDAP_CLIENT_LOOP', 0x05 => 'LDAP_COMPARE_FALSE', 0x06 => 'LDAP_COMPARE_TRUE', 0x0d => 'LDAP_CONFIDENTIALITY_REQUIRED', 0x5b => 'LDAP_CONNECT_ERROR', 0x13 => 'LDAP_CONSTRAINT_VIOLATION', 0x5d => 'LDAP_CONTROL_NOT_FOUND', 0x54 => 'LDAP_DECODING_ERROR', 0x53 => 'LDAP_ENCODING_ERROR', 0x57 => 'LDAP_FILTER_ERROR', 0x30 => 'LDAP_INAPPROPRIATE_AUTH', 0x12 => 'LDAP_INAPPROPRIATE_MATCHING', 0x32 => 'LDAP_INSUFFICIENT_RIGHTS', 0x31 => 'LDAP_INVALID_CREDENTIALS', 0x22 => 'LDAP_INVALID_DN_SYNTAX', 0x15 => 'LDAP_INVALID_SYNTAX', 0x23 => 'LDAP_IS_LEAF', 0x52 => 'LDAP_LOCAL_ERROR', 0x36 => 'LDAP_LOOP_DETECT', 0x5f => 'LDAP_MORE_RESULTS_TO_RETURN', 0x40 => 'LDAP_NAMING_VIOLATION', 0x5a => 'LDAP_NO_MEMORY', 0x45 => 'LDAP_NO_OBJECT_CLASS_MODS', 0x5e => 'LDAP_NO_RESULTS_RETURNED', 0x10 => 'LDAP_NO_SUCH_ATTRIBUTE', 0x20 => 'LDAP_NO_SUCH_OBJECT', 0x42 => 'LDAP_NOT_ALLOWED_ON_NONLEAF', 0x43 => 'LDAP_NOT_ALLOWED_ON_RDN', 0x5c => 'LDAP_NOT_SUPPORTED', 0x41 => 'LDAP_OBJECT_CLASS_VIOLATION', 0x01 => 'LDAP_OPERATIONS_ERROR', 0x50 => 'LDAP_OTHER', 0x59 => 'LDAP_PARAM_ERROR', 0x09 => 'LDAP_PARTIAL_RESULTS', 0x02 => 'LDAP_PROTOCOL_ERROR', 0x0a => 'LDAP_REFERRAL', 0x61 => 'LDAP_REFERRAL_LIMIT_EXCEEDED', # 0x09 => 'LDAP_REFERRAL_V2', alias for LDAP_PARTIAL_RESULTS 0x46 => 'LDAP_RESULTS_TOO_LARGE', 0x51 => 'LDAP_SERVER_DOWN', 0x04 => 'LDAP_SIZELIMIT_EXCEEDED', 0x08 => 'LDAP_STRONG_AUTH_REQUIRED', 0x00 => 'LDAP_SUCCESS', 0x03 => 'LDAP_TIMELIMIT_EXCEEDED', 0x55 => 'LDAP_TIMEOUT', 0x34 => 'LDAP_UNAVAILABLE', 0x0c => 'LDAP_UNAVAILABLE_CRIT_EXTENSION', 0x11 => 'LDAP_UNDEFINED_TYPE', 0x35 => 'LDAP_UNWILLING_TO_PERFORM', 0x58 => 'LDAP_USER_CANCELLED', 0x4c => 'LDAP_VIRTUAL_LIST_VIEW_ERROR' } def initialize(info = {}) super( update_info( info, 'Compat' => { 'Meterpreter' => { 'Commands' => %w[ extapi_adsi_domain_query stdapi_railgun_api stdapi_railgun_memread ] } } ) ) register_options( [ OptString.new('DOMAIN', [false, 'The domain to query or distinguished name (e.g. DC=test,DC=com)', nil]), OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 500]), ], self.class ) end # Converts a Distinguished Name to DNS name # # @param dn [String] Distinguished Name # @return [String] DNS name def dn_to_domain(dn) if dn.include? 'DC=' return dn.gsub(',', '').split('DC=')[1..-1].join('.') else return dn end end # Performs an ldap query # # @param filter [String] LDAP search filter # @param max_results [Integer] Maximum results # @param fields [Array] Attributes to retrieve # @param domain [String] Optional domain or distinguished name # @return [Hash] Entries found # @raise [RuntimeError] Raised when the default naming context isn't # specified as distinguished name. def query(filter, max_results, fields, domain = nil) domain ||= datastore['DOMAIN'] domain ||= get_domain if domain.blank? raise 'Unable to find the domain to query.' end if session.commands.include?(Rex::Post::Meterpreter::Extensions::Extapi::COMMAND_ID_EXTAPI_ADSI_DOMAIN_QUERY) return session.extapi.adsi.domain_query(domain, filter, max_results, DEFAULT_PAGE_SIZE, fields) else if domain and domain.include? 'DC=' default_naming_context = domain domain = dn_to_domain(domain) else default_naming_context = get_default_naming_context(domain) end bind_default_ldap_server(max_results, domain) do |session_handle| return query_ldap(session_handle, default_naming_context, 2, filter, fields) end end end # Performs a query to retrieve the default naming context # # @param domain [String] Optional domain or distinguished name # @return [String] def get_default_naming_context(domain = nil) bind_default_ldap_server(1, domain) do |session_handle| print_status('Querying default naming context') query_result = query_ldap(session_handle, '', 0, '(objectClass=computer)', ['defaultNamingContext']) first_entry_fields = query_result[:results].first # Value from First Attribute of First Entry default_naming_context = first_entry_fields.first[:value] vprint_status("Default naming context #{default_naming_context}") return default_naming_context end end # Performs a query on the LDAP session # # @param session_handle [Handle] LDAP Session Handle # @param base [Integer] Pointer to string that contains distinguished # name of entry to start the search # @param scope [Integer] Search Scope # @param filter [String] Search Filter # @param fields [Array] Attributes to retrieve # @return [Hash] Entries found def query_ldap(session_handle, base, scope, filter, fields) vprint_status('Searching LDAP directory') search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4) if search['return'] == LDAP_SIZELIMIT_EXCEEDED print_error('LDAP_SIZELIMIT_EXCEEDED, parsing what we retrieved, try increasing the MAX_SEARCH value [0:LDAP_NO_LIMIT]') elsif search['return'] != Error::SUCCESS print_error("Search returned LDAP error #{search['return']} (#{ERROR_CODE_TO_CONSTANT.fetch(search['return'], 'Unknown')})") wldap32.ldap_msgfree(search['res']) return end search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return'] if search_count == 0 print_error('No entries retrieved') wldap32.ldap_msgfree(search['res']) return end vprint_status("Entries retrieved: #{search_count}") if datastore['MAX_SEARCH'] == 0 max_search = search_count else max_search = [datastore['MAX_SEARCH'], search_count].min end entry = wldap32.ldap_first_entry(session_handle, search['res'])['return'] entry_results = [] while entry != 0 && (entry_results.length < max_search) field_results = [] fields.each do |field| values_result = '' values = wldap32.ldap_get_values(session_handle, entry, field) if values['return'] != 0 count_values = wldap32.ldap_count_values(values['return']) if count_values['return'] != 0 if client.native_arch == ARCH_X64 value_pointers = client.railgun.memread(values['return'], 8 * count_values['return']).unpack('Q*') else value_pointers = client.railgun.memread(values['return'], 4 * count_values['return']).unpack('V*') end values_result = value_pointers.map { |ptr| client.railgun.util.read_string(ptr) }.join(',') end wldap32.ldap_value_free(values['return']) end field_results << { type: 'unknown', value: values_result } end entry_results << field_results entry = wldap32.ldap_next_entry(session_handle, entry)['return'] end wldap32.ldap_msgfree(search['res']) return { fields: fields, results: entry_results } end # Shortcut to the WLDAP32 Railgun Object # @return [Object] wldap32 def wldap32 unless session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_RAILGUN_API) raise "Can't load wldap32: Session doesn't support Railgun!" end client.railgun.wldap32 end # Binds to the default LDAP Server # @param size_limit [Integer] Maximum number of results to return in a query # @param domain [String] Optional domain or distinguished name # @return LDAP session handle def bind_default_ldap_server(size_limit, domain = nil) vprint_status('Initializing LDAP connection.') # If domain is still null the API may be able to handle it... init_result = wldap32.ldap_sslinitA(domain, 389, 0) session_handle = init_result['return'] if session_handle == 0 raise "Unable to initialize ldap server: #{init_result['ErrorMessage']}" end vprint_status("LDAP Handle: 0x#{session_handle.to_s(16)}") vprint_status('Setting the size limit option') wldap32.ldap_set_option(session_handle, LDAP_OPT_SIZELIMIT, [size_limit].pack('V')) vprint_status('Binding to LDAP server') bind_result = wldap32.ldap_bind_sA(session_handle, nil, nil, LDAP_AUTH_NEGOTIATE) bind = bind_result['return'] unless bind == 0 wldap32.ldap_unbind(session_handle) raise "Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}" end if block_given? begin yield session_handle ensure vprint_status('Unbinding from LDAP service') wldap32.ldap_unbind(session_handle) end else return session_handle end return session_handle end end end end end