@JustAnda7
Last active November 1, 2023 07:45
Google Summer of Code 2023 Final Report

Organization: Metasploit
Project: LDAP Capture Capabilities
Mentor: Op3n4M3
Contributor: JustAnda7
Proposal: GSoC'23 Proposal

Pre GSoC

I spent a total of 4 months getting myself familiar with the Metasploit codebase. I completed the Metasploit Unleashed course from Offensive Security to get a good idea of the architecture and usage of the framework. This was further reinforced by fixing bugs and implementing code improvements over the course of several months. My contributions to the framework have ranged from updating libraries and modules and adding commands to Meterpreter, to fixing database issues.

Organization

The Metasploit Framework is an open-source penetration testing platform that is widely used by security professionals to evaluate the security of their systems. It provides a wide range of functionalities, including network discovery, vulnerability assessment, and exploitation. The platform's modular architecture and powerful API make it easy for developers to create new modules and extensions to extend the platform's capabilities.

Project Overview

Project Description

LDAP is a widely used protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It is commonly used for authentication and authorization purposes and is a crucial component of many enterprise systems. At present, many of the LDAP modules in Metasploit are implemented with a focus on acting as a client. There are very few options for acting as a server, the present implementation being the bare minimum needed to support attacking the Log4Shell vulnerability. There are basic modules that act as LDAP servers, such as Auxiliary::Server::LDAP.

The primary objective of this project is to create a new module for the Metasploit Framework that can capture and log LDAP traffic. Currently, no module exists to perform these actions, so the addition of this feature will increase the ways in which Metasploit can work with the LDAP protocol. The ultimate aim of this project is to enhance the Metasploit Framework's LDAP capture capabilities by developing a new module that captures and logs LDAP traffic, and by enhancing and extending the mixin to enable additional LDAP features. Support for the various protocol-level authentication methods in particular would allow Metasploit to intercept and log authentication information.

My Approach to the Problem

The solution that I proposed is to first create a Metasploit capture module that captures and analyses LDAP information such as the source IP, the LDAP message, the type of request, authentication information, etc. from the client's request while acting as an LDAP server, and logs the LDAP information into the database for future use. This information can be used by other modules, such as auxiliary modules and post-exploitation modules, to gain access to the services.

The current implementation of the service is incapable of providing the required functionality. So after discussing with my mentor, I decided that it would be suitable to first implement the necessary functionality in the capture module itself and then, based on which features recur, move the required code into the Rex::Proto::LDAP::Server mixin rather than Msf::Remote::Exploit::LDAP, as it is the base service mixin which handles the requests.

After developing the necessary functionality to handle Bind Requests and Search Requests from the clients, we realized that the code for handling the different types of user authentication was a bit too much to push into the Rex::Proto::LDAP::Server mixin, as it would clog the mixin. So we decided to create a Rex::Proto::LDAP::Auth mixin which is responsible for processing the client authentication and returning a processed_data hash containing the necessary authentication information.

Currently, the mixin handles all the authentication and processing of the client request and gives the required LDAP information to the modules that use the service mixin to handle the requests received. The module that uses the mixin (e.g. the capture module) only needs to specify what is to be done with the received client LDAP information. This allows different LDAP processes running simultaneously to perform multiple actions with/on the same LDAP client. This idea is still in its infancy and requires further discussion.
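To make the bind-handling described above concrete, here is an added example (not Metasploit's code, and not the Rex::Proto::LDAP::Auth mixin itself) that decodes the BER of an LDAP BindRequest (RFC 4511, section 4.2) and returns the kind of processed hash a server-side authentication handler would pass back to the module that owns the listener. The function and key names (parse_bind_request, :auth_type, and so on) are assumptions; the tag values and the anonymous/unauthenticated/simple distinction come from RFC 4511 and RFC 4513. The sample messages are constructed inline so the script runs offline.

```ruby
# Added example (not Metasploit code): minimal BER decoder for LDAP BindRequest.
TAG_SEQUENCE     = 0x30  # universal SEQUENCE, constructed
TAG_INTEGER      = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE  = 0x80  # AuthenticationChoice simple [0], primitive
TAG_AUTH_SASL    = 0xa3  # AuthenticationChoice sasl [3], constructed

# Read one tag-length-value triple at byte offset pos.
# Returns [tag, value_bytes, next_offset]; handles short and long-form lengths.
def ber_tlv(bytes, pos)
  tag = bytes.getbyte(pos)
  len = bytes.getbyte(pos + 1)
  pos += 2
  if (len & 0x80) != 0
    n = len & 0x7f
    len = bytes.byteslice(pos, n).unpack('C*').inject(0) { |acc, b| (acc << 8) | b }
    pos += n
  end
  [tag, bytes.byteslice(pos, len), pos + len]
end

# Split the body of a constructed element into its [tag, value] children.
def ber_children(body)
  children = []
  pos = 0
  while pos < body.bytesize
    tag, value, pos = ber_tlv(body, pos)
    children << [tag, value]
  end
  children
end

# Decode a non-negative INTEGER (enough for messageID and version).
def ber_int(value)
  value.unpack('C*').inject(0) { |acc, b| (acc << 8) | b }
end

# Parse a complete LDAPMessage; returns nil when the protocolOp is not a BindRequest.
def parse_bind_request(msg)
  tag, body, _ = ber_tlv(msg, 0)
  raise ArgumentError, 'not an LDAPMessage' unless tag == TAG_SEQUENCE
  (id_tag, id_val), (op_tag, op_val) = ber_children(body)
  raise ArgumentError, 'bad messageID' unless id_tag == TAG_INTEGER
  return nil unless op_tag == TAG_BIND_REQUEST

  (_, ver_val), (_, name_val), (auth_tag, auth_val) = ber_children(op_val)
  processed = { message_id: ber_int(id_val), version: ber_int(ver_val),
                name: name_val.dup.force_encoding('UTF-8') }
  case auth_tag
  when TAG_AUTH_SIMPLE
    # RFC 4513: empty name + empty password is an anonymous bind; a name with an
    # empty password is an "unauthenticated" bind that servers should refuse.
    processed[:auth_type] = if name_val.empty? && auth_val.empty? then :anonymous
                            elsif auth_val.empty? then :unauthenticated
                            else :simple
                            end
    processed[:password] = auth_val unless auth_val.empty?
  when TAG_AUTH_SASL
    (_, mech_val), creds = ber_children(auth_val) # credentials are OPTIONAL
    processed[:auth_type] = :sasl
    processed[:mechanism] = mech_val
    processed[:credentials] = creds[1] if creds
  else
    processed[:auth_type] = :unknown
  end
  processed
end

# --- constructed sample input: a tiny BER encoder used only to build messages ---
def ber_len(n)
  n < 0x80 ? [n].pack('C') : [0x81, n].pack('CC') # long form, one length byte
end

def tlv(tag, value)
  [tag].pack('C') + ber_len(value.bytesize) + value.b
end

def build_simple_bind(msg_id, name, password)
  tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, [msg_id].pack('C')) +
    tlv(TAG_BIND_REQUEST, tlv(TAG_INTEGER, "\x03") + tlv(TAG_OCTET_STRING, name) +
                          tlv(TAG_AUTH_SIMPLE, password)))
end

def build_sasl_bind(msg_id, mechanism, credentials = nil)
  sasl = tlv(TAG_OCTET_STRING, mechanism)
  sasl += tlv(TAG_OCTET_STRING, credentials) if credentials
  tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, [msg_id].pack('C')) +
    tlv(TAG_BIND_REQUEST, tlv(TAG_INTEGER, "\x03") + tlv(TAG_OCTET_STRING, '') +
                          tlv(TAG_AUTH_SASL, sasl)))
end

if __FILE__ == $0
  [build_simple_bind(1, '', ''),
   build_simple_bind(2, 'cn=svc,dc=example,dc=com', 'hunter2'),
   build_sasl_bind(3, 'GSSAPI', "\x60\x00")].each { |m| p parse_bind_request(m) }
end
```

The point of returning a hash rather than acting on the bind inside the decoder is the separation the report describes: the listener decides what the bind was (anonymous, simple, SASL and which mechanism), and the module that uses the mixin decides what to do with that information. Note that SASL mechanisms such as GSSAPI or DIGEST-MD5 carry a multi-step exchange, so a single BindRequest only yields the mechanism and the first client token.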

What's Done

  • A Metasploit capture module which mocks an LDAP service to receive the client request and respond with an appropriate response instead of an error response. This is done with the intention of reducing the attention the service attracts, making it harder to detect.
  • A Rex::Proto::LDAP::Auth mixin which extends the functionality of the existing service mixin by adding support for the different authentication types (Anonymous, Simple, SASL) used during a bind request, to increase the scope of requests captured while listening on the service.
  • Updated handling of search requests: if an LDIF file is provided, the result is generated from the LDIF file; otherwise a result is generated randomly, so that the response does not arouse suspicion on the client machine.
  • Enhancements to the existing mixin to improve its flexibility in handling the requests and client information, such that different modules can perform different actions simultaneously with the same client.
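As an added illustration of the LDIF-backed search handling in the third item above (example code, not the project's own; the random fallback is not shown), the snippet below loads entries from an LDIF text and selects the ones a SearchRequest with a given baseObject and scope would return. The sample directory is constructed and embedded so the script runs offline; parse_ldif, search_entries and the entry layout are assumptions. Base64 ("::") values and folded lines are handled, but DN matching is a plain string comparison, so escaped commas inside RDN values are not supported.

```ruby
# Added example (not Metasploit code): LDIF loader plus base/one/sub scope selection.
require 'base64'

# Constructed sample directory used as input.
SAMPLE_LDIF = <<~LDIF
  dn: dc=example,dc=com
  objectClass: domain
  dc: example

  dn: ou=people,dc=example,dc=com
  objectClass: organizationalUnit
  ou: people

  dn: uid=alice,ou=people,dc=example,dc=com
  objectClass: inetOrgPerson
  uid: alice
  cn: Alice Example
  description:: QWRkZWQgZnJvbSBMRElG

  dn: uid=bob,ou=people,dc=example,dc=com
  objectClass: inetOrgPerson
  uid: bob
  cn: Bob Example
LDIF

# Parse LDIF into [{ dn: String, attrs: { name => [values] } }, ...].
def parse_ldif(text)
  # Unfold continuation lines: a line starting with one space joins the previous line.
  unfolded = text.gsub(/\r?\n /, '')
  entries = []
  unfolded.split(/\r?\n\r?\n/).each do |block|
    entry = { dn: nil, attrs: Hash.new { |h, k| h[k] = [] } }
    block.each_line do |raw|
      line = raw.chomp
      next if line.empty? || line.start_with?('#')
      if (m = line.match(/\A([^:]+)::\s*(.*)\z/))     # base64-encoded value
        name, value = m[1], Base64.decode64(m[2])
      elsif (m = line.match(/\A([^:]+):\s*(.*)\z/))   # plain value
        name, value = m[1], m[2]
      else
        next
      end
      if name.downcase == 'dn'
        entry[:dn] = value
      else
        entry[:attrs][name] << value
      end
    end
    entries << entry if entry[:dn]
  end
  entries
end

# Case-insensitive comparison with whitespace around commas removed.
def normalize_dn(dn)
  dn.downcase.gsub(/\s*,\s*/, ',')
end

# Select entries by baseObject and scope (:base, :one or :sub), mirroring the
# SearchRequest scope semantics on the in-memory entry list.
def search_entries(entries, base_dn, scope)
  base = normalize_dn(base_dn)
  entries.select do |e|
    dn = normalize_dn(e[:dn])
    case scope
    when :base then dn == base
    when :one  then dn.end_with?(",#{base}") && !dn[0...-(base.length + 1)].include?(',')
    when :sub  then dn == base || dn.end_with?(",#{base}")
    else raise ArgumentError, "unknown scope #{scope}"
    end
  end
end

if __FILE__ == $0
  entries = parse_ldif(SAMPLE_LDIF)
  search_entries(entries, 'ou=people,dc=example,dc=com', :one).each { |e| puts e[:dn] }
end
```

Serving answers from a curated LDIF rather than from random data keeps responses internally consistent across repeated queries from the same client, which is what makes the mocked service plausible; a filter evaluator over the attributes hash would be the natural next step.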

What Code got merged

What Code is yet to Merge

Experience of the program

The GSoC journey has been exciting throughout the span of 5 months. I had the opportunity to work with a very supportive organization and some of the best infosec personnel in the field, on a widely used real-world project. My project was full of extensive research, followed by coding and testing. The best part about the project is that it could be used by others to develop some mind-boggling things. When I first started the work I thought this would be a simple project that would be done in 9 weeks. But working through the project, tackling the challenges that actually showed up, the addition of a few new features to the project, and also my examinations on the academic side led to a deadline extension of 4 weeks. This made me realize that working on real-world projects is intricate, where even the slightest change in the code must be followed up by proper reasoning.

There will always be challenges arising while working on the code, no matter how simple it is. Communication with the mentor and community members of the organization is the best way to tackle them. The community bonding period was a great help to me in bonding with my mentor and the fellow community members of the organization.

Acknowledgement

I extend my heartfelt thanks to my mentor Op3n4M3 for his guidance and support throughout the project. I am also very grateful to him for being constantly available throughout the project to address my queries, be it debugging or brainstorming over the challenges. Apart from the project, he is a great mentor who always tried to instil in me the experience of working in a real-world organization by giving instances of how things should ideally be handled. I would also like to extend my heartfelt thanks to the entire community, for their exceptional help in finding the optimal solution and testing the code throughout the project. Finally, my heartfelt thanks to Google for carrying out this program every year and giving me a chance to serve the open-source world with the best of my knowledge.

Post GSoC

I will be constantly in touch with my mentor and the community members of the organization. I will always be looking forward to working on a new bug fix, submitting an exploit, or even guiding new members in their contributions. A few of the improvements that I am planning after GSoC are:

  • Writing spec tests for Rex::Proto::LDAP::Auth as it is an essential part of the codebase and does not have spec tests currently.
  • Expand the authentication protocols supported by the LDAP service.