Metasploit Weekly Wrap-Up 02/23/2024

Metasploit Weekly Wrap-Up 02/23/2024

LDAP Capture module

Metasploit now has an LDAP capture module thanks to the work ofJustAnda7. This work was completed as part of the Google Summer of Code program.

When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for BindRequest, SearchRequest, UnbindRequest, and will capture both plaintext credentials and NTLM hashes which can be brute-forced offline. Upon receiving a successful Bind Request, a ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

The module can be with run:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From: Username:User Password:Pass
[+] LDAP Login Attempt => From: Username:admin ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ---------- 389/tcp (ldap) User Pass Password

Ivanti exploit module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities(CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chai ..

Support the originator by clicking the read the rest link below.