LDAP Authentication Improvements
This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing and Channel Binding. Microsoft has been making changes to harden the communications to Domain Controllers. Organizations are incorporating these policies which are making LDAP tools without the necessary features unable to operate. The intention behind these changes are to protect communications with Domain Controllers from relay attacks. There are however plenty of scenarios when users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.
The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing will be performed opportunistically (LDAP::Signing=auto), however it can be either disabled entirely by setting LDAP::Signing to disabled or required with required. Note that setting it to required will raise exceptions with configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and can not be disabled in the same way. When connecting over SSL, and authenticating with either NTLM or Kerberos, the binding information is provided to the server.
For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of ..
Support the originator by clicking the read the rest link below.
