My Journey with The Metasploit Project So far...


Heyya!!! Welcome back! How have y'all been? It's been a while since the previous blog. I am happy to announce that I have successfully passed my mid-term evaluations. That calls for celebrations!!! 🥳 In this blog, I will describe my journey with my GSoC project up to the mid-term evals. This is about to get a bit technical, so brace yourselves.

Intro

Hopefully, you know about my Project for GSoC'23 from my previous blog. For those who are new or don't know about it, let me briefly introduce my project for GSoC'23.

The project I undertook is to add new LDAP capture capabilities (i.e. the ability to capture the credentials a client presents during an LDAP request) to the framework, and to enhance the existing LDAP service mixin to support them.

Week 1

So in the first week of the coding period, I studied the mechanisms at work when an LDAP request is handled and examined the structure of the following server components:

  • Rex::Proto::LDAP::Server

  • Msf::Exploit::Remote::LDAP::Server

I also identified the method that should be adjusted to support capturing the request. After discussing with my mentor, we decided that it is better to add all the functionality to the Metasploit capture module first and then move the reusable parts into the mixin.

Week 2 & Week 3

The next two weeks went into developing the Metasploit capture module to capture simple-authentication bind requests, in which the credentials travel in PLAINTEXT, and to log the captured information in the Msf database. This mainly involves reading the incoming request data from the client (over the Rex socket established to communicate with it), parsing it with the methods predefined in the mixin, and building a PDU object from the data with the Net::LDAP gem so that its fields can be accessed. The PDU object contains all the required information about the LDAP request, such as the request type (its application tag, app_tag). An example of that would be the following:

def on_dispatch_request(client, data)
  # Ignore empty reads; a nil buffer would make strip raise
  return if data.nil? || data.strip.empty?

  data.extend(Net::BER::Extensions::String)
  begin
    # Decode the BER-encoded LDAPMessage into a Net::LDAP::PDU
    pdu = Net::LDAP::PDU.new(data.read_ber!(Net::LDAP::AsnSyntax))

    res = case pdu.app_tag
          when Net::LDAP::PDU::BindRequest
            # Handle the pdu object (bind DN and simple-auth password)
          end
    res
  rescue Net::LDAP::PDU::Error, Net::BER::BerError => e
    # Malformed or non-LDAP data from the client: log it and drop it
    print_error("Failed to parse LDAP request: #{e.message}")
    nil
  end
end
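
The request described above, as an added example that is not code from the Metasploit module or the net-ldap gem: a dependency-free BER encoder and decoder for the LDAP bind request. The real module hands the raw bytes to Net::LDAP::PDU; this reimplements only the ASN.1 pieces needed to show what that PDU carries, so it runs without the gem. The tag constants, function names, and the sample bind DN and password are assumptions made for this example. It builds the bytes a client such as ldapsearch -x (simple bind) puts on the wire, parses them back the way a capturing server would, and also covers the SASL bind case (authentication choice [3]), which is what OpenLDAP's ldapsearch attempts when -x is omitted and which carries no plaintext password.

```ruby
# Added example, not code from the Metasploit module or the net-ldap gem.
# Minimal BER handling for the LDAP bind request (RFC 4511):
#   LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
#   BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
#     authentication CHOICE { simple [0] OCTET STRING,
#                             sasl [3] SEQUENCE { mechanism OCTET STRING, ... } } }
BIND_REQUEST_TAG = 0x60 # [APPLICATION 0], constructed
SIMPLE_AUTH_TAG  = 0x80 # [0], primitive: the password in plaintext
SASL_AUTH_TAG    = 0xA3 # [3], constructed: SASL mechanism plus credentials

# ---- encoder: what the client puts on the wire ----
def ber_length(n)
  return [n].pack('C') if n < 0x80 # short form
  bytes = []
  while n > 0 # long form: 0x80 | byte count, then big-endian length
    bytes.unshift(n & 0xff)
    n >>= 8
  end
  [0x80 | bytes.size].pack('C') + bytes.pack('C*')
end

def ber_tlv(tag, content)
  content = content.b
  [tag].pack('C') + ber_length(content.bytesize) + content
end

def ber_integer(value) # enough for message IDs and the protocol version
  ber_tlv(0x02, [value].pack('C'))
end

# The bytes `ldapsearch -x -D <name> -w <password>` sends (simple bind)
def build_simple_bind(message_id, name, password)
  op = ber_integer(3) + ber_tlv(0x04, name) + ber_tlv(SIMPLE_AUTH_TAG, password)
  ber_tlv(0x30, ber_integer(message_id) + ber_tlv(BIND_REQUEST_TAG, op))
end

# A SASL bind (what ldapsearch without -x attempts): no plaintext password
def build_sasl_bind(message_id, name, mechanism)
  auth = ber_tlv(SASL_AUTH_TAG, ber_tlv(0x04, mechanism))
  op = ber_integer(3) + ber_tlv(0x04, name) + auth
  ber_tlv(0x30, ber_integer(message_id) + ber_tlv(BIND_REQUEST_TAG, op))
end

# ---- decoder: what the capturing server does with the bytes ----
# Read one tag-length-value element at pos; returns [tag, content, next_pos]
def read_tlv(bytes, pos)
  tag = bytes.getbyte(pos)
  first = bytes.getbyte(pos + 1)
  raise 'truncated BER element' if tag.nil? || first.nil?
  if first < 0x80
    len, pos = first, pos + 2
  else
    count = first & 0x7f
    raise 'truncated BER length' if bytes.bytesize < pos + 2 + count
    len = ber_integer_value(bytes.byteslice(pos + 2, count))
    pos += 2 + count
  end
  raise 'truncated BER value' if bytes.bytesize < pos + len
  [tag, bytes.byteslice(pos, len), pos + len]
end

def ber_integer_value(content)
  content.unpack('C*').inject(0) { |acc, b| (acc << 8) | b }
end

# Parse one LDAPMessage. Returns a hash for a bind request, nil for any other
# operation, for an unknown authentication choice, or for malformed input,
# so a capturing server never dies on garbage sent by a client.
def parse_bind_request(bytes)
  tag, body, _ = read_tlv(bytes, 0)
  return nil unless tag == 0x30
  id_tag, id, pos = read_tlv(body, 0)
  return nil unless id_tag == 0x02
  op_tag, op, _ = read_tlv(body, pos)
  return nil unless op_tag == BIND_REQUEST_TAG # search, unbind, ...
  _, version, pos = read_tlv(op, 0)
  _, name, pos = read_tlv(op, pos)
  auth_tag, auth, _ = read_tlv(op, pos)
  result = { message_id: ber_integer_value(id),
             version: ber_integer_value(version), name: name }
  case auth_tag
  when SIMPLE_AUTH_TAG # the case the module logs to the database
    result.merge(auth: :simple, password: auth)
  when SASL_AUTH_TAG # e.g. GSSAPI or NTLM: needs protocol-specific handling
    _, mechanism, _ = read_tlv(auth, 0)
    result.merge(auth: :sasl, mechanism: mechanism)
  end
rescue RuntimeError
  nil
end

# Constructed sample traffic (assumed DN and password, not real captures)
SAMPLE_SIMPLE_BIND = build_simple_bind(1, 'cn=User,dc=example,dc=com', 'Password1')
SAMPLE_SASL_BIND = build_sasl_bind(2, 'cn=User,dc=example,dc=com', 'GSSAPI')
```

Calling parse_bind_request(SAMPLE_SIMPLE_BIND) returns a hash with message_id 1, version 3, the bind DN and the password, which is exactly what the capture module reports to the database; for SAMPLE_SASL_BIND it returns the mechanism name and no password. The parser deliberately returns nil for non-bind operations, unknown authentication choices and truncated input, because anything on the network can connect to a capture listener and a parse error must not take the server down.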

Week 4

This week, I worked on logging the processed information (username, password, domain, etc.) into the Msf database using a method like report_cred. An example would be:

def report_cred(opts)
  service_data = {
    address: opts[:ip],
    port: opts[:port],
    service_name: opts[:service_name],
    protocol: 'tcp',
    workspace_id: myworkspace_id
  }

  # Standard credential fields: the captured username and plaintext password
  credential_data = {
    module_fullname: fullname,
    origin_type: :service,
    username: opts[:user],
    private_data: opts[:password],
    private_type: :password
  }.merge(service_data)
  # A captured domain is stored as the credential's realm
  if opts[:domain]
    credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
    credential_data[:realm_value] = opts[:domain]
  end

  login_data = {
    core: create_credential(credential_data),
    status: Metasploit::Model::Login::Status::UNTRIED
  }.merge(service_data)
  create_credential_login(login_data)
end

We also came to the conclusion through discussion that logging the information to a file in Cain & Abel or John the Ripper format was not required, as most of the credentials are stored in the database.

I also wrote documentation for the capture module, covering the module options it provides and how the module can be used.

Week 5

This week, I didn't develop anything new. I just polished the documentation for the module and tested the module with a variety of LDAP requests. The main tool I used to verify that the module works was ldapsearch, along with some custom LDAP scripts to test a few edge cases. An example of an ldapsearch request would be:

ldapsearch -LLL -H ldap://10.0.2.15 -D cn=User,dc=example,dc=com -W

Based on the testing, I fixed a few bugs in the code and opened a pull request to merge my code into the framework. You can check the PR here.

Week 6

I had my exams, so I could not do any significant work, and I had also already finished the work projected for the mid-term evaluations. Since I had a nice mentor, I had no worries about passing the evaluations. 😎

Conclusion

It has been an amazing journey so far in the program, learning about LDAP, security protocols like NTLM and Kerberos, and developing a module to capture user authentication details. In the upcoming weeks, I aim to understand and implement features to support the other protocols mentioned above.

I will end this blog here, without consuming any more of your time. See you in the next blog :) ✌️

Github: JustAnda7

LinkedIn: Nishant Desai
