Initial commit of AD DS LDAP mixin

Author: zeroSteiner

lib/msf/core/exploit/remote/ldap.rb

@@ -213,7 +213,7 @@ def ldap.use_connection(args)
     #   bind request failed.
     # @return [Nil] This function does not return any data.
     def validate_bind_success!(ldap)
-      if defined?(:session) && session
+      if respond_to?(:session) && session
         vprint_good('Successfully bound to the LDAP server via existing SESSION!')
         return
       end

lib/msf/core/exploit/remote/ldap/active_directory.rb

@@ -0,0 +1,129 @@
+module Msf
+  ###
+  #
+  # This module exposes methods for querying a remote LDAP service
+  #
+  ###
+  module Exploit::Remote::LDAP
+    module ActiveDirectory
+      include Msf::Exploit::Remote::LDAP
+
+      LDAP_CAP_ACTIVE_DIRECTORY_OID = '1.2.840.113556.1.4.800'.freeze
+
+      # Query the remote server via the provided LDAP connection to determine if it's an Active Directory LDAP server.
+      # More specifically, this ensures that it reports active directory capabilities and the whoami extension.
+      #
+      # @param Net::LDAP::Connection ldap_connection
+      # @rtype Boolean
+      def is_active_directory?(ldap)
+        root_dse = ldap.search(
+          ignore_server_caps: true,
+          base: '',
+          scope: Net::LDAP::SearchScope_BaseObject,
+          attributes: %i[ supportedCapabilities supportedExtension ]
+        )&.first
+
+        return false unless root_dse[:supportedCapabilities].map(&:to_s).include?(LDAP_CAP_ACTIVE_DIRECTORY_OID)
+
+        return false unless root_dse[:supportedExtension].include?(Net::LDAP::WhoamiOid)
+
+        true
+      end
+
+      def adds_query_group_members(ldap, group_dn, base_dn: nil, inherited: true, object_class: nil)
+        return enum_for(:adds_query_group_members, ldap, group_dn, base_dn: base_dn, inherited: inherited, object_class: object_class) unless block_given?
+        results = 0
+
+        member_filter = "memberOf#{inherited ? ':1.2.840.113556.1.4.1941:' : ''}=#{ldap_escape_filter(group_dn)}"
+
+        # Get the member's primaryGroupID
+        group = adds_get_object_by_dn(ldap, group_dn)
+        if group && group[:objectSID]
+          group_sid = Rex::Proto::MsDtyp::MsDtypSid.read(group[:objectSID].first)
+          # if we have a group RID, filter on that when the object has it as it's primaryGroupId to include those goups too
+          member_filter = "|(#{member_filter})(primaryGroupId=#{group_sid.rid})"
+        end
+
+        filters = []
+        filters << "objectClass=#{ldap_escape_filter(object_class)}" if object_class
+        filters << member_filter
+
+        ldap.search(
+          base: base_dn || ldap.base_dn,
+          filter: "(&#{filters.map { "(#{_1})" }.join})",
+          return_result: false # make sure we're streaming because this could be a lot of data
+        ) do |ldap_entry|
+          yield ldap_entry
+          results += 1
+        end
+
+        unless ldap.get_operation_result.code == 0
+          raise "LDAP Error: #{@ldap.get_operation_result.message}"
+        end
+
+        results
+      end
+
+      def adds_query_member_groups(ldap, member_dn, base_dn: nil, inherited: true)
+        return enum_for(:adds_query_member_groups, ldap, member_dn, base_dn: base_dn, inherited: inherited) unless block_given?
+        results = 0
+
+        # Get the member's primaryGroupId
+        member = adds_get_object_by_dn(ldap, member_dn)
+        if member && member[:objectSid] && member[:primaryGroupId] && !member[:primaryGroupId].empty?
+          # if it's found, calculate the SID of the primary group and query it, the primary group is typically 'Domain Users'
+          # and is *not* included in the member query
+          member_sid = Rex::Proto::MsDtyp::MsDtypSid.read(member[:objectSid].first)
+          primary_group_sid = "#{member_sid.to_s.rpartition('-').first}-#{member[:primaryGroupId].first}"
+          primary_group = adds_get_object_by_sid(ldap, primary_group_sid)
+          yield primary_group if primary_group
+        end
+
+        filters = []
+        filters << "objectClass=group"
+        filters << "member#{inherited ? ':1.2.840.113556.1.4.1941:' : ''}=#{ldap_escape_filter(member_dn)}"
+
+        ldap.search(
+          base: base_dn || ldap.base_dn,
+          filter: "(&#{filters.map { "(#{_1})" }.join})",
+          return_result: false
+        ) do |ldap_entry|
+          yield ldap_entry
+          results += 1
+        end
+
+        unless ldap.get_operation_result.code == 0
+          raise "LDAP Error: #{ldap.get_operation_result.message}"
+        end
+
+        results
+      end
+
+      def adds_get_object_by_dn(ldap, object_dn)
+        @ldap_objects ||= []
+        object = @ldap_objects.find { |o| o[:dN]&.first == object_dn }
+        return object if object
+
+        object = ldap.search(base: object_dn, scope: Net::LDAP::SearchScope_BaseObject)&.first
+        validate_query_result!(ldap.get_operation_result.table)
+
+        @ldap_objects << object if object
+        object
+      end
+
+      def adds_get_object_by_sid(ldap, object_sid)
+        @ldap_objects ||= []
+        object_sid = Rex::Proto::MsDtyp::MsDtypSid.new(object_sid)
+        object = @ldap_objects.find { |o| o[:objectSid]&.first == object_sid.to_binary_s }
+        return object if object
+
+        filter = "(objectSID=#{ldap_escape_filter(object_sid.to_s)})"
+        object = ldap.search(base: ldap.base_dn, filter: filter)&.first
+        validate_query_result!(ldap.get_operation_result.table, filter)
+
+        @ldap_objects << object if object
+        object
+      end
+    end
+  end
+end