Metasploit Weekly Wrap-Up 02/23/2024

LDAP Capture module


Metasploit now has an LDAP capture module thanks to the work of JustAnda7. This work was completed as part of the Google Summer of Code program.


By default, the module requires privileges to listen on port 389. It provides default handlers for BindRequest, SearchRequest, and UnbindRequest, and captures both plaintext credentials and NTLM hashes, which can be brute-forced offline. Upon receiving a successful Bind Request, the module sends an ldap_bind: Authentication method not supported (7) error to the connecting client.


The module can be run with:


msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:


[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566 Username:admin ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74 Domain:DOMAIN

These values will be stored in the database for later retrieval:


msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password
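
Why a simple bind on port 389 hands its password to whatever is listening, shown as an added example (not Metasploit code and not from the original post): a minimal Ruby BER reader that classifies an LDAP BindRequest by its authentication choice per RFC 4511 and reports whether a cleartext password was sent, without returning the password. The helper names read_tlv, classify_bind and tlv and the sample PDUs are constructed for illustration.

```ruby
# Added example, not Metasploit code. BER layout per RFC 4511 section 4.2.
# Read one TLV at byte offset pos; return [tag, value, offset_after_value].
def read_tlv(buf, pos)
  raise ArgumentError, 'truncated TLV' if pos + 2 > buf.bytesize
  tag = buf.getbyte(pos)
  len = buf.getbyte(pos + 1)
  pos += 2
  if len >= 0x80 # long form: low 7 bits give the number of length bytes
    n = len & 0x7f
    raise ArgumentError, 'bad length' if n.zero? || n > 4 || pos + n > buf.bytesize
    len = buf.byteslice(pos, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
    pos += n
  end
  raise ArgumentError, 'value overruns buffer' if pos + len > buf.bytesize
  [tag, buf.byteslice(pos, len), pos + len]
end

# Classify one LDAPMessage. Returns nil when it is not a BindRequest.
# The password itself is never returned, only its length.
def classify_bind(pdu)
  tag, msg, = read_tlv(pdu.b, 0)
  raise ArgumentError, 'not an LDAPMessage' unless tag == 0x30
  _, id, pos = read_tlv(msg, 0)
  op_tag, op, = read_tlv(msg, pos)
  return nil unless op_tag == 0x60 # [APPLICATION 0] BindRequest
  _, version, pos = read_tlv(op, 0)
  _, dn, pos = read_tlv(op, pos)
  auth_tag, auth, = read_tlv(op, pos)
  out = { message_id: id.bytes.inject(0) { |acc, b| (acc << 8) | b },
          version: version.getbyte(0), dn: dn.force_encoding('UTF-8') }
  case auth_tag
  when 0x80 # simple [0]: the value is the password exactly as the client sent it
    out.merge(auth: :simple, cleartext_password: !auth.empty?, password_length: auth.bytesize)
  when 0xa3 # sasl [3]: SEQUENCE { mechanism, credentials OPTIONAL }
    _, mech, = read_tlv(auth, 0)
    out.merge(auth: :sasl, mechanism: mech.force_encoding('UTF-8'), cleartext_password: mech == 'PLAIN')
  else
    out.merge(auth: :other, cleartext_password: false)
  end
end

# Constructed sample PDUs (short-form lengths only), built here for the demo.
def tlv(tag, value)
  [tag, value.bytesize].pack('CC') + value.b
end
BIND_HEAD = tlv(0x02, "\x03") + tlv(0x04, 'cn=User,dc=example,dc=com')
SIMPLE_BIND = tlv(0x30, tlv(0x02, "\x01") + tlv(0x60, BIND_HEAD + tlv(0x80, 'Pass')))
SASL_BIND = tlv(0x30, tlv(0x02, "\x02") + tlv(0x60, BIND_HEAD + tlv(0xa3, tlv(0x04, 'GSS-SPNEGO'))))
p classify_bind(SIMPLE_BIND), classify_bind(SASL_BIND)
```

Clients that show up as auth: :simple with cleartext_password: true on an unencrypted connection are the ones to move to LDAPS, StartTLS, or a SASL mechanism.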

Ivanti exploit module


Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities (CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chai ..
