LDAP Query and Enumeration Module - Metasploit
This page contains detailed information about how to use the auxiliary/gather/ldap_query Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: LDAP Query and Enumeration Module
Module: auxiliary/gather/ldap_query
Source code: modules/auxiliary/gather/ldap_query.rb
Disclosure date: 2022-05-19
Last modification time: 2022-10-28 14:16:49 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 389
List of CVEs: -
This module allows users to query an LDAP server using either a custom LDAP query, or a set of LDAP queries under a specific category. Users can also specify a JSON or YAML file containing custom queries to be executed using the RUN_QUERY_FILE action. If this action is specified, then QUERY_FILE_PATH must be a path to the location of this JSON/YAML file on disk. Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES to a comma separated string containing the list of attributes they are interested in obtaining from the results. As a third option, users can run one of several predefined queries by setting ACTION to the appropriate value. These options will be loaded from the ldap_queries_default.yaml file located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml. All results will be returned to the user in table, CSV or JSON format, depending on the value of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter should multiple items exist within a single column.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/gather/ldap_query
msf auxiliary(ldap_query) > show targets
... a list of targets ...
msf auxiliary(ldap_query) > set TARGET target-id
msf auxiliary(ldap_query) > show options
... show and set options ...
msf auxiliary(ldap_query) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
This module allows users to query an LDAP server using either a custom LDAP query, or a set of LDAP queries under a specific category. Users can also specify a JSON or YAML file containing custom queries to be executed using the RUN_QUERY_FILE action. If this action is specified, then QUERY_FILE_PATH must be a path to the location of this JSON/YAML file on disk.
Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES to a comma separated string containing the list of attributes they are interested in obtaining from the results.
As a third option, users can run one of several predefined queries by setting ACTION to the appropriate value. These options will be loaded from the ldap_queries_default.yaml file located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml.
Note that you can override the default query settings in this way by defining a query with an action name that is the same as one of the existing actions in the file at data/auxiliary/gather/ldap_query/ldap_queries_default.yaml. This will, however, prevent any updates for that action that may be made to the data/auxiliary/gather/ldap_query/ldap_queries_default.yaml file, which may occur as part of Metasploit updates/upgrades, from being used, so keep this in mind when using the ~/.msf4/ldap_queries_default.yaml file.
All results will be returned to the user in table, CSV or JSON format, depending on the value of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter should multiple items exist within a single column.
Verification Steps
- Do: use auxiliary/gather/ldap_query
- Do: set ACTION <target action>
- Do: set RHOSTS <target IP(s)>
- Optional: set RPORT <target port> if target port is non-default.
- Optional: set SSL true if the target port is SSL enabled.
- Do: run
Options
OUTPUT_FORMAT
The output format to use. Can be either csv, table or json for CSV, Rex table output, or JSON output respectively.
BASE_DN
The LDAP base DN if already obtained. If not supplied, the module will automatically attempt to find the base DN for the target LDAP server.
QUERY_FILE_PATH
If the ACTION is set to RUN_QUERY_FILE, then this option is required and must be set to the full path to the JSON or YAML file containing the queries to be run.
The file format must follow the following convention:
queries:
  - action: THE ACTION NAME
    description: "THE ACTION DESCRIPTION"
    filter: "THE LDAP FILTER"
    attributes:
      - dn
      - displayName
      - name
      - description
Where queries is an array of queries to be run, each containing an action field containing the name of the action to be run, a description field describing the action, a filter field containing the filter to send to the LDAP server (aka what to search on), and the list of attributes that we are interested in from the results as an array.
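As an added example (not code from the module or from this page), the Ruby sketch below lints a query file against the convention just described before it is handed to RUN_QUERY_FILE: it checks for the queries array, the action, filter and attributes keys, a non-empty attributes list and balanced filter parentheses. The function names, the messages and both sample files are constructed for illustration.

```ruby
require 'yaml'

# Keys the page says every query entry must carry.
REQUIRED_KEYS = %w[action filter attributes].freeze

# True when the filter starts with "(" and its parentheses nest and close
# correctly. Literal parentheses inside values are written \28 and \29 in
# LDAP filters, so every raw "(" or ")" is structural.
def balanced_filter?(filter)
  return false unless filter.start_with?('(')

  depth = 0
  filter.each_char.with_index do |ch, i|
    depth += 1 if ch == '('
    depth -= 1 if ch == ')'
    return false if depth.negative?
    # Reaching depth 0 before the last character means trailing text.
    return false if depth.zero? && i < filter.length - 1
  end
  depth.zero?
end

# Returns a list of problems found in the query file text (empty when clean).
# The wording of the messages is this example's own, not the module's.
def lint_query_file(text)
  begin
    settings = YAML.safe_load(text)
  rescue StandardError => e
    return ["could not parse query file: #{e.class}"]
  end
  unless settings.is_a?(Hash) && settings['queries'].is_a?(Array)
    return ['no top-level "queries" array']
  end

  problems = []
  settings['queries'].each_with_index do |query, index|
    label = "query #{index + 1}"
    unless query.is_a?(Hash)
      problems << "#{label}: entry is not a mapping"
      next
    end
    label += " (#{query['action']})" if query['action']

    missing = REQUIRED_KEYS.reject { |key| query.key?(key) }
    problems << "#{label}: missing #{missing.join(', ')}" unless missing.empty?

    attrs = query['attributes']
    if query.key?('attributes') && !(attrs.is_a?(Array) && !attrs.empty?)
      problems << "#{label}: attributes must list at least one attribute"
    end

    filter = query['filter']
    if query.key?('filter') && !(filter.is_a?(String) && balanced_filter?(filter))
      problems << "#{label}: filter is not a well-formed parenthesised string"
    end
  end
  problems
end

# Constructed sample: follows the documented convention.
GOOD_FILE = <<~YAML
  queries:
    - action: ENUM_ORGUNITS
      description: "Enumerate organizational units"
      filter: "(objectClass=organizationalUnit)"
      attributes:
        - dn
        - name
YAML

# Constructed sample: wrong key name, unbalanced filter, empty attribute
# list, and an entry with no action or filter.
BAD_FILE = <<~YAML
  queries:
    - action: ENUM_USERS
      description: "Enumerate users"
      filter: "(|(objectClass=user)(objectClass=posixAccount)"
      columns:
        - dn
    - action: ENUM_GROUPS
      filter: "(objectClass=group)"
      attributes: []
    - description: "entry without action or filter"
      attributes:
        - dn
YAML

puts lint_query_file(BAD_FILE) if $PROGRAM_NAME == __FILE__
```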
QUERY_FILTER
Used only when the RUN_SINGLE_QUERY action is used. This should be set to the filter aka query that you want to send to the target LDAP server.
QUERY_ATTRIBUTES
Used only when the RUN_SINGLE_QUERY action is used. Should be a comma separated list of attributes to display from the full result set for each entry that was returned by the target LDAP server. Used to filter the results down to manageable sets of data.
Scenarios
RUN_SINGLE_QUERY with Table Output
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set BIND_DN [email protected]
BIND_DN => [email protected]
msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
BIND_PW => thePassword123
msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
RHOSTS => 172.27.51.83
msf6 auxiliary(gather/ldap_query) > set ACTION RUN_SINGLE_QUERY
ACTION => RUN_SINGLE_QUERY
msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,name
QUERY_ATTRIBUTES => dn,displayName,name
msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (objectClass=*)
QUERY_FILTER => (objectClass=*)
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.27.51.83
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
[*] Sending single query (objectClass=*) to the LDAP server...
[*] DC=daforest DC=com
==================
Name Attributes
---- ----------
name daforest
[*] CN=Users DC=daforest DC=com
===========================
Name Attributes
---- ----------
name Users
[*] CN=Computers DC=daforest DC=com
===============================
Name Attributes
---- ----------
name Computers
*cut for brevity*
[*] CN=WAPPS1000022 OU=TST OU=Tier 1 DC=daforest DC=com
===================================================
Name Attributes
---- ----------
displayname WAPPS1000022
name WAPPS1000022
[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
=================================================
Name Attributes
---- ----------
displayname WLPT1000014
name WLPT1000014
[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
================================================================
Name Attributes
---- ----------
displayname WWKS1000016
name WWKS1000016
[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
==========================================================
Name Attributes
---- ----------
displayname WVIR1000013
name WVIR1000013
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
RUN_QUERY_FILE with Table Output
Here is the sample query file we will be using:
$ cat test.yaml
---
queries:
  - action: ENUM_USERS
    description: "Enumerate users"
    filter: "(|(objectClass=inetOrgPerson)(objectClass=user)(sAMAccountType=805306368)(objectClass=posixAccount))"
    attributes:
      - dn
      - displayName
      - name
      - description
  - action: ENUM_ORGUNITS
    description: "Enumerate organizational units"
    filter: "(objectClass=organizationalUnit)"
    attributes:
      - dn
      - displayName
      - name
      - description
  - action: ENUM_GROUPS
    description: "Enumerate groups"
    filter: "(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))"
    attributes:
      - dn
      - name
      - groupType
      - memberof
Here are the results of using this file with the RUN_QUERY_FILE action, which will run all queries within the file one after another.
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set BIND_DN [email protected]
BIND_DN => [email protected]
msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
BIND_PW => thePassword123
msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
RHOSTS => 172.27.51.83
msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE
ACTION => RUN_QUERY_FILE
msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /home/gwillcox/git/metasploit-framework/test.yaml
QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN [email protected] no The username to authenticate to LDAP server
BIND_PW thePassword123 no Password for the BIND_DN
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
QUERY_FILE_PATH /home/gwillcox/git/metasploit-fram no Path to the JSON or YAML file to load and run queries from
ework/test.yaml
RHOSTS 172.27.51.83 yes The target host(s), see https://github.com/rapid7/metasploit-f
ramework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Auxiliary action:
Name Description
---- -----------
RUN_QUERY_FILE Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.27.51.83
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
[*] Loading queries from /home/gwillcox/git/metasploit-framework/test.yaml...
[*] Running ENUM_USERS...
[*] CN=Administrator CN=Users DC=daforest DC=com
============================================
Name Attributes
---- ----------
description Built-in account for administering the computer/domain
name Administrator
[*] CN=Guest CN=Users DC=daforest DC=com
====================================
Name Attributes
---- ----------
description Built-in account for guest access to the computer/domain
name Guest
*cut for brevity*
[*] Running ENUM_ORGUNITS...
[*] OU=Domain Controllers DC=daforest DC=com
========================================
Name Attributes
---- ----------
description Default container for domain controllers
name Domain Controllers
[*] OU=Admin DC=daforest DC=com
===========================
Name Attributes
---- ----------
name Admin
[*] OU=Tier 0 OU=Admin DC=daforest DC=com
=====================================
Name Attributes
---- ----------
name Tier 0
*cut for brevity*
[*] Running ENUM_GROUPS...
[*] CN=Administrators CN=Builtin DC=daforest DC=com
===============================================
Name Attributes
---- ----------
grouptype -2147483643
name Administrators
[*] CN=Users CN=Builtin DC=daforest DC=com
======================================
Name Attributes
---- ----------
grouptype -2147483643
name Users
[*] CN=Guests CN=Builtin DC=daforest DC=com
=======================================
Name Attributes
---- ----------
grouptype -2147483643
name Guests
[*] CN=Print Operators CN=Builtin DC=daforest DC=com
================================================
Name Attributes
---- ----------
grouptype -2147483643
name Print Operators
[*] CN=Backup Operators CN=Builtin DC=daforest DC=com
=================================================
Name Attributes
---- ----------
grouptype -2147483643
name Backup Operators
*cut for brevity*
[*] CN=EL-chu-distlist1 OU=T2-Roles OU=Tier 2 OU=Admin DC=daforest DC=com
=====================================================================
Name Attributes
---- ----------
grouptype -2147483646
name EL-chu-distlist1
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
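Because the module is marked ioc-in-logs, sweeps like the three above are visible to anyone reviewing directory search logs. The added Ruby example below (not part of the module or the original page) groups logged filters by client and flags clients that sweep several object classes or request every object. The log layout, client addresses, category names and threshold are assumptions constructed for illustration, while the filters are the ones used on this page.

```ruby
# Constructed search-log lines. This layout is invented for the example and
# is not any directory server's native log format.
SAMPLE_LOG = <<~LOG
  client=10.0.0.5 filter=(|(objectClass=inetOrgPerson)(objectClass=user)(sAMAccountType=805306368)(objectClass=posixAccount))
  client=10.0.0.5 filter=(objectClass=organizationalUnit)
  client=10.0.0.5 filter=(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))
  client=10.0.0.9 filter=(&(objectClass=user)(sAMAccountName=jsmith))
  client=10.0.0.12 filter=(objectClass=*)
  client=10.0.0.9 filter=(objectClass=organizationalUnit)
LOG

LINE = /\Aclient=(?<client>\S+) filter=(?<filter>\(.+\))\z/

# One leaf assertion: "(attr op value)" with no nested parentheses.
LEAF = /\(([^()=<>~]+)(?:>=|<=|~=|=)([^()]*)\)/

# objectClass / objectCategory values mapped to a sweep category (assumed names).
CLASS_VALUES = {
  'user' => :users, 'inetorgperson' => :users, 'posixaccount' => :users,
  'group' => :groups, 'groupofnames' => :groups, 'posixgroup' => :groups,
  'organizationalunit' => :org_units, 'computer' => :computers,
  '*' => :all_objects
}.freeze

# Maps one assertion to a category, or nil when it is not a class/type test.
def classify_leaf(attr, value)
  # Drop any matching-rule suffix such as ":1.2.840.113556.1.4.803:".
  case attr.split(':').first.downcase
  when 'objectclass', 'objectcategory' then CLASS_VALUES[value.downcase]
  when 'samaccounttype' then value == '805306368' ? :users : nil
  when 'grouptype' then :groups
  end
end

# Categories swept by a filter. A filter counts as a sweep only when every
# assertion is a class/type test; one narrowing assertion (for example a
# specific sAMAccountName) makes it a targeted lookup and yields []. This
# simplification ignores the AND/OR structure, so an OR that mixes a class
# test with an unrelated assertion is not counted.
def enumeration_categories(filter)
  leaves = filter.scan(LEAF)
  return [] if leaves.empty?

  categories = leaves.map { |attr, value| classify_leaf(attr, value) }
  categories.include?(nil) ? [] : categories.uniq
end

# Returns { client => sorted categories } for clients that asked for every
# object or swept at least min_categories distinct categories.
def flag_enumerating_clients(log_text, min_categories: 3)
  seen = Hash.new { |hash, key| hash[key] = [] }
  log_text.each_line do |line|
    match = LINE.match(line.strip)
    next unless match

    seen[match[:client]] |= enumeration_categories(match[:filter])
  end
  seen.select { |_client, cats| cats.include?(:all_objects) || cats.size >= min_categories }
      .transform_values(&:sort)
end

if $PROGRAM_NAME == __FILE__
  flag_enumerating_clients(SAMPLE_LOG).each do |client, cats|
    puts "#{client}: #{cats.join(', ')}"
  end
end
```

The threshold and category map need tuning against normal traffic, since inventory and identity-sync tools issue similar sweeps from known hosts.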
ENUM_COMPUTERS with Table Output
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
msf6 auxiliary(gather/ldap_query) > set ACTION
set ACTION ENUM_ACCOUNTS set ACTION ENUM_DOMAIN_CONTROLLERS set ACTION ENUM_ORGROLES
set ACTION ENUM_ALL_OBJECT_CATEGORY set ACTION ENUM_EXCHANGE_RECIPIENTS set ACTION ENUM_ORGUNITS
set ACTION ENUM_ALL_OBJECT_CLASS set ACTION ENUM_EXCHANGE_SERVERS set ACTION RUN_QUERY_FILE
set ACTION ENUM_COMPUTERS set ACTION ENUM_GROUPS
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS
ACTION => ENUM_COMPUTERS
msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
RHOSTS => 172.20.161.209
msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
BIND_PW => thePassword123
msf6 auxiliary(gather/ldap_query) > set BIND_DN [email protected]
BIND_DN => [email protected]
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.20.161.209
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
===========================================================
Name Attributes
---- ----------
distinguishedname CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com
dnshostname WIN-F7DQC9SR0HD.daforest.com
name WIN-F7DQC9SR0HD
operatingsystemversion 10.0 (20348)
[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
===============================================
Name Attributes
---- ----------
description Created with secframe.com/badblood.
displayname FSRWLPT1000000
distinguishedname CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com
name FSRWLPT1000000
[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
=====================================================
Name Attributes
---- ----------
description Created with secframe.com/badblood.
displayname TSTWVIR1000000
distinguishedname CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com
name TSTWVIR1000000
*cut for brevity*
[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
==========================================================
Name Attributes
---- ----------
description Created with secframe.com/badblood.
displayname WVIR1000013
distinguishedname CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com
name WVIR1000013
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
ENUM_COMPUTERS with CSV Output
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS
ACTION => ENUM_COMPUTERS
msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
RHOSTS => 172.20.161.209
msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
BIND_PW => thePassword123
msf6 auxiliary(gather/ldap_query) > set BIND_DN [email protected]
BIND_DN => [email protected]
msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT csv
OUTPUT_FORMAT => csv
msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN [email protected] no The username to authenticate to LDAP server
BIND_PW thePassword123 no Password for the BIND_DN
OUTPUT_FORMAT csv yes The output format to use (Accepted: csv, table, json)
RHOSTS 172.20.161.209 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
ng-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Auxiliary action:
Name Description
---- -----------
ENUM_COMPUTERS Dump all objects containing an objectCategory of Computer.
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.20.161.209
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
[*] Name,Attributes
"dn","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
"distinguishedname","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
"name","WIN-F7DQC9SR0HD"
"operatingsystemversion","10.0 (20348)"
"dnshostname","WIN-F7DQC9SR0HD.daforest.com"
[*] Name,Attributes
"dn","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
"description","Created with secframe.com/badblood."
"distinguishedname","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
"displayname","FSRWLPT1000000"
"name","FSRWLPT1000000"
[*] Name,Attributes
"dn","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
"description","Created with secframe.com/badblood."
"distinguishedname","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
"displayname","TSTWVIR1000000"
"name","TSTWVIR1000000"
*cut for brevity*
[*] Name,Attributes
"dn","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
"description","Created with secframe.com/badblood."
"distinguishedname","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
"displayname","WVIR1000013"
"name","WVIR1000013"
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
ENUM_COMPUTERS with JSON Output
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS
ACTION => ENUM_COMPUTERS
msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
RHOSTS => 172.20.161.209
msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
BIND_PW => thePassword123
msf6 auxiliary(gather/ldap_query) > set BIND_DN [email protected]
BIND_DN => [email protected]
msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT json
OUTPUT_FORMAT => json
msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN [email protected] no The username to authenticate to LDAP server
BIND_PW thePassword123 no Password for the BIND_DN
OUTPUT_FORMAT json yes The output format to use (Accepted: csv, table, json)
RHOSTS 172.20.161.209 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
ng-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Auxiliary action:
Name Description
---- -----------
ENUM_COMPUTERS Dump all objects containing an objectCategory of Computer.
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.20.161.209
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
{
"dn": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
"distinguishedname": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
"name": "WIN-F7DQC9SR0HD",
"operatingsystemversion": "10.0 (20348)",
"dnshostname": "WIN-F7DQC9SR0HD.daforest.com"
}
[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
{
"dn": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
"description": "Created with secframe.com/badblood.",
"distinguishedname": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
"displayname": "FSRWLPT1000000",
"name": "FSRWLPT1000000"
}
[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
{
"dn": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
"description": "Created with secframe.com/badblood.",
"distinguishedname": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
"displayname": "TSTWVIR1000000",
"name": "TSTWVIR1000000"
}
*cut for brevity*
[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
{
"dn": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
"description": "Created with secframe.com/badblood.",
"distinguishedname": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
"displayname": "WLPT1000014",
"name": "WLPT1000014"
}
[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
{
"dn": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
"description": "Created with secframe.com/badblood.",
"distinguishedname": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
"displayname": "WWKS1000016",
"name": "WWKS1000016"
}
[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
{
"dn": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
"description": "Created with secframe.com/badblood.",
"distinguishedname": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
"displayname": "WVIR1000013",
"name": "WVIR1000013"
}
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
Msfconsole Usage
Here is how the gather/ldap_query auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > show info
Name: LDAP Query and Enumeration Module
Module: auxiliary/gather/ldap_query
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2022-05-19
Provided by:
Grant Willcox
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Available actions:
Name Description
---- -----------
ENUM_ACCOUNTS Dump info about all known user accounts in the domain.
ENUM_ALL_OBJECT_CATEGORY Dump all objects containing any objectCategory field.
ENUM_ALL_OBJECT_CLASS Dump all objects containing any objectClass field.
ENUM_COMPUTERS Dump all objects containing an objectCategory of Computer.
ENUM_DOMAIN_CONTROLLERS Dump all known domain controllers.
ENUM_EXCHANGE_RECIPIENTS Dump info about all known Exchange recipients.
ENUM_EXCHANGE_SERVERS Dump info about all known Exchange servers.
ENUM_GROUPS Dump info about all known groups in the LDAP environment.
ENUM_ORGROLES Dump info about all known organization units in the LDAP environment.
ENUM_ORGUNITS Dump info about all known organizational roles in the LDAP environment.
RUN_QUERY_FILE Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
RUN_SINGLE_QUERY Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Description:
This module allows users to query an LDAP server using either a
custom LDAP query, or a set of LDAP queries under a specific
category. Users can also specify a JSON or YAML file containing
custom queries to be executed using the RUN_QUERY_FILE action. If
this action is specified, then QUERY_FILE_PATH must be a path to the
location of this JSON/YAML file on disk. Users can also run a single
query by using the RUN_SINGLE_QUERY option and then setting the
QUERY_FILTER datastore option to the filter to send to the LDAP
server and QUERY_ATTRIBUTES to a comma seperated string containing
the list of attributes they are interested in obtaining from the
results. As a third option can run one of several predefined queries
by setting ACTION to the appropriate value. These options will be
loaded from the ldap_queries_default.yaml file located in the MSF
configuration directory, located by default at
~/.msf4/ldap_queries_default.yaml. All results will be returned to
the user in table, CSV or JSON format, depending on the value of the
OUTPUT_FORMAT datastore option. The characters || will be used as a
delimiter should multiple items exist within a single column.
Module Options
This is a complete list of options available in the gather/ldap_query auxiliary module:
msf6 auxiliary(gather/ldap_query) > show options
Module options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
BASE_DN no LDAP base DN if you already have it
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
OUTPUT_FORMAT table yes The output format to use (Accepted: csv, table, json)
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Auxiliary action:
Name Description
---- -----------
ENUM_ACCOUNTS Dump info about all known user accounts in the domain.
Advanced Options
Here is a complete list of advanced options supported by the gather/ldap_query auxiliary module:
msf6 auxiliary(gather/ldap_query) > show advanced
Module advanced options (auxiliary/gather/ldap_query):
Name Current Setting Required Description
---- --------------- -------- -----------
LDAP::ConnectTimeout 10.0 yes Timeout for LDAP connect
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/ldap_query module can do:
msf6 auxiliary(gather/ldap_query) > show actions
Auxiliary actions:
Name Description
---- -----------
ENUM_ACCOUNTS Dump info about all known user accounts in the domain.
ENUM_ALL_OBJECT_CATEGORY Dump all objects containing any objectCategory field.
ENUM_ALL_OBJECT_CLASS Dump all objects containing any objectClass field.
ENUM_COMPUTERS Dump all objects containing an objectCategory of Computer.
ENUM_DOMAIN_CONTROLLERS Dump all known domain controllers.
ENUM_EXCHANGE_RECIPIENTS Dump info about all known Exchange recipients.
ENUM_EXCHANGE_SERVERS Dump info about all known Exchange servers.
ENUM_GROUPS Dump info about all known groups in the LDAP environment.
ENUM_ORGROLES Dump info about all known organization units in the LDAP environment.
ENUM_ORGUNITS Dump info about all known organizational roles in the LDAP environment.
RUN_QUERY_FILE Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
RUN_SINGLE_QUERY Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.
Evasion Options
Here is the full list of possible evasion options supported by the gather/ldap_query auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/ldap_query) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Couldn't parse <FILENAME>
- Could not perform query <FILTER>. Its likely the query requires authentication!
- errorMessage
- Query <FILTER> failed with error: <VALUE>
- No results found for <FILTER>.
- Invalid format <FORMAT> passed to generate_rex_tables!
- Supported OUTPUT_FORMAT values are csv, table and json
- Each query in the query file must at least contain a 'action', 'filter' and 'attributes' attribute!
- At least one attribute needs to be specified per query in the query file for entries to work!
- Query <FILTER> from <ACTION> didn't return any results!
- An operational error occurred, perhaps due to lack of authorization. The error was: <VALUE>
- Target does not support the simple authentication mechanism!
- Server requires a stronger form of authentication than we can provide! The error was: <VALUE>
- Server requires additional information to complete the bind. Error was: <VALUE>
- Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.
- Invalid credentials provided!
- Unknown error occurred whilst binding: <VALUE>
- Couldn't discover base DN!
- When using the RUN_QUERY_FILE action, one must specify the path to the JASON/YAML file containing the queries via QUERY_FILE_PATH!
- No queries loaded from <QUERY_FILE_PATH>!
- When using the RUN_SINGLE_QUERY action, one must supply the QUERY_FILTER and QUERY_ATTRIBUTE datastore options!
- Could not compile the filter <QUERY_FILTER>. Error was <E>
- Attributes list is empty as we could not find at least one attribute to filter on!
- No entries could be found for <QUERY_FILTER>!
- Invalid action: <ACTION>
- Could not compile the filter <FILTER>. Error was <E>
- Couldn't reach <RHOST>!
- Could not query <RHOST>! Error was: <E.MESSAGE>
Check for possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Couldn't parse <FILENAME>
Here is a relevant code snippet related to the "Couldn't parse <FILENAME>" error message:
def safe_load_queries(filename)
  begin
    settings = YAML.safe_load(File.binread(filename))
  rescue StandardError => e
    elog("Couldn't parse #{filename}", error: e)
    return
  end

  return unless settings['queries'].is_a? Array
Could not perform query <FILTER>. Its likely the query requires authentication!
Here is a relevant code snippet related to the "Could not perform query <FILTER>. Its likely the query requires authentication!" error message:
query_result = ldap.as_json['result']['ldap_result']
case query_result['resultCode']
when 0
  vprint_good('Successfully queried LDAP server!')
when 1
  print_error("Could not perform query #{filter}. Its likely the query requires authentication!")
  fail_with(Failure::NoAccess, query_result['errorMessage'])
else
  fail_with(Failure::UnexpectedReply, "Query #{filter} failed with error: #{query_result['errorMessage']}")
end
if returned_entries.nil? || returned_entries.empty?
errorMessage
Here is a relevant code snippet related to the "errorMessage" error message:
case query_result['resultCode']
when 0
  vprint_good('Successfully queried LDAP server!')
when 1
  print_error("Could not perform query #{filter}. Its likely the query requires authentication!")
  fail_with(Failure::NoAccess, query_result['errorMessage'])
else
  fail_with(Failure::UnexpectedReply, "Query #{filter} failed with error: #{query_result['errorMessage']}")
end
if returned_entries.nil? || returned_entries.empty?
  print_error("No results found for #{filter}.")
Query <FILTER> failed with error: <VALUE>
Here is a relevant code snippet related to the "Query <FILTER> failed with error: <VALUE>" error message:
  vprint_good('Successfully queried LDAP server!')
when 1
  print_error("Could not perform query #{filter}. Its likely the query requires authentication!")
  fail_with(Failure::NoAccess, query_result['errorMessage'])
else
  fail_with(Failure::UnexpectedReply, "Query #{filter} failed with error: #{query_result['errorMessage']}")
end
if returned_entries.nil? || returned_entries.empty?
  print_error("No results found for #{filter}.")
  nil
else
No results found for <FILTER>.
Here is a relevant code snippet related to the "No results found for <FILTER>." error message:
147: fail_with(Failure::NoAccess, query_result['errorMessage'])
148: else
149: fail_with(Failure::UnexpectedReply, "Query #{filter} failed with error: #{query_result['errorMessage']}")
150: end
151: if returned_entries.nil? || returned_entries.empty?
152: print_error("No results found for #{filter}.")
153: nil
154: else
155: returned_entries
156: end
157: end
Invalid format <FORMAT> passed to generate_rex_tables!
Here is a relevant code snippet related to the "Invalid format <FORMAT> passed to generate_rex_tables!" error message:
176: when 'table'
177: print_status(tbl.to_s)
178: when 'csv'
179: print_status(tbl.to_csv)
180: else
181: fail_with(Failure::BadConfig, "Invalid format #{format} passed to generate_rex_tables!")
182: end
183: end
184: end
185:
186: def output_json_data(entries)
Supported OUTPUT_FORMAT values are csv, table and json
Here is a relevant code snippet related to the "Supported OUTPUT_FORMAT values are csv, table and json" error message:
212: when 'table'
213: output_data_table(entries)
214: when 'json'
215: output_json_data(entries)
216: else
217: fail_with(Failure::BadConfig, 'Supported OUTPUT_FORMAT values are csv, table and json')
218: end
219: end
220:
221: def run_queries_from_file(ldap, queries)
222: queries.each do |query|
Each query in the query file must at least contain a 'action', 'filter' and 'attributes' attribute!
Here is a relevant code snippet related to the "Each query in the query file must at least contain a 'action', 'filter' and 'attributes' attribute!" error message:
219: end
220:
221: def run_queries_from_file(ldap, queries)
222: queries.each do |query|
223: unless query['action'] && query['filter'] && query['attributes']
224: fail_with(Failure::BadConfig, "Each query in the query file must at least contain a 'action', 'filter' and 'attributes' attribute!")
225: end
226: attributes = query['attributes']
227: if attributes.nil? || attributes.empty?
228: print_warning('At least one attribute needs to be specified per query in the query file for entries to work!')
229: break
At least one attribute needs to be specified per query in the query file for entries to work!
Here is a relevant code snippet related to the "At least one attribute needs to be specified per query in the query file for entries to work!" error message:
223: unless query['action'] && query['filter'] && query['attributes']
224: fail_with(Failure::BadConfig, "Each query in the query file must at least contain a 'action', 'filter' and 'attributes' attribute!")
225: end
226: attributes = query['attributes']
227: if attributes.nil? || attributes.empty?
228: print_warning('At least one attribute needs to be specified per query in the query file for entries to work!')
229: break
230: end
231: filter = Net::LDAP::Filter.construct(query['filter'])
232: print_status("Running #{query['action']}...")
233: entries = perform_ldap_query(ldap, filter, attributes)
Query <FILTER> from <ACTION> didn't return any results!
Here is a relevant code snippet related to the "Query <FILTER> from <ACTION> didn't return any results!" error message:
231: filter = Net::LDAP::Filter.construct(query['filter'])
232: print_status("Running #{query['action']}...")
233: entries = perform_ldap_query(ldap, filter, attributes)
234:
235: if entries.nil?
236: print_warning("Query #{query['filter']} from #{query['action']} didn't return any results!")
237: next
238: end
239:
240: show_output(entries)
241: end
An operational error occurred, perhaps due to lack of authorization. The error was: <VALUE>
Here is a relevant code snippet related to the "An operational error occurred, perhaps due to lack of authorization. The error was: <VALUE>" error message:
250: # Codes taken from https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes
251: case bind_result['resultCode']
252: when 0
253: print_good('Successfully bound to the LDAP server!')
254: when 1
255: fail_with(Failure::NoAccess, "An operational error occurred, perhaps due to lack of authorization. The error was: #{bind_result['errorMessage']}")
256: when 7
257: fail_with(Failure::NoTarget, 'Target does not support the simple authentication mechanism!')
258: when 8
259: fail_with(Failure::NoTarget, "Server requires a stronger form of authentication than we can provide! The error was: #{bind_result['errorMessage']}")
260: when 14
Target does not support the simple authentication mechanism!
Here is a relevant code snippet related to the "Target does not support the simple authentication mechanism!" error message:
252: when 0
253: print_good('Successfully bound to the LDAP server!')
254: when 1
255: fail_with(Failure::NoAccess, "An operational error occurred, perhaps due to lack of authorization. The error was: #{bind_result['errorMessage']}")
256: when 7
257: fail_with(Failure::NoTarget, 'Target does not support the simple authentication mechanism!')
258: when 8
259: fail_with(Failure::NoTarget, "Server requires a stronger form of authentication than we can provide! The error was: #{bind_result['errorMessage']}")
260: when 14
261: fail_with(Failure::NoTarget, "Server requires additional information to complete the bind. Error was: #{bind_result['errorMessage']}")
262: when 48
Server requires a stronger form of authentication than we can provide! The error was: <VALUE>
Here is a relevant code snippet related to the "Server requires a stronger form of authentication than we can provide! The error was: <VALUE>" error message:
254: when 1
255: fail_with(Failure::NoAccess, "An operational error occurred, perhaps due to lack of authorization. The error was: #{bind_result['errorMessage']}")
256: when 7
257: fail_with(Failure::NoTarget, 'Target does not support the simple authentication mechanism!')
258: when 8
259: fail_with(Failure::NoTarget, "Server requires a stronger form of authentication than we can provide! The error was: #{bind_result['errorMessage']}")
260: when 14
261: fail_with(Failure::NoTarget, "Server requires additional information to complete the bind. Error was: #{bind_result['errorMessage']}")
262: when 48
263: fail_with(Failure::NoAccess, "Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.")
264: when 49
Server requires additional information to complete the bind. Error was: <VALUE>
Here is a relevant code snippet related to the "Server requires additional information to complete the bind. Error was: <VALUE>" error message:
256: when 7
257: fail_with(Failure::NoTarget, 'Target does not support the simple authentication mechanism!')
258: when 8
259: fail_with(Failure::NoTarget, "Server requires a stronger form of authentication than we can provide! The error was: #{bind_result['errorMessage']}")
260: when 14
261: fail_with(Failure::NoTarget, "Server requires additional information to complete the bind. Error was: #{bind_result['errorMessage']}")
262: when 48
263: fail_with(Failure::NoAccess, "Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.")
264: when 49
265: fail_with(Failure::NoAccess, 'Invalid credentials provided!')
266: else
Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.
Here is a relevant code snippet related to the "Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication." error message:
258: when 8
259: fail_with(Failure::NoTarget, "Server requires a stronger form of authentication than we can provide! The error was: #{bind_result['errorMessage']}")
260: when 14
261: fail_with(Failure::NoTarget, "Server requires additional information to complete the bind. Error was: #{bind_result['errorMessage']}")
262: when 48
263: fail_with(Failure::NoAccess, "Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.")
264: when 49
265: fail_with(Failure::NoAccess, 'Invalid credentials provided!')
266: else
267: fail_with(Failure::Unknown, "Unknown error occurred whilst binding: #{bind_result['errorMessage']}")
268: end
Invalid credentials provided!
Here is a relevant code snippet related to the "Invalid credentials provided!" error message:
260: when 14
261: fail_with(Failure::NoTarget, "Server requires additional information to complete the bind. Error was: #{bind_result['errorMessage']}")
262: when 48
263: fail_with(Failure::NoAccess, "Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.")
264: when 49
265: fail_with(Failure::NoAccess, 'Invalid credentials provided!')
266: else
267: fail_with(Failure::Unknown, "Unknown error occurred whilst binding: #{bind_result['errorMessage']}")
268: end
269: if (@base_dn = datastore['BASE_DN'])
270: print_status("User-specified base DN: #{@base_dn}")
Unknown error occurred whilst binding: <VALUE>
Here is a relevant code snippet related to the "Unknown error occurred whilst binding: <VALUE>" error message:
262: when 48
263: fail_with(Failure::NoAccess, "Target doesn't support the requested authentication type we sent. Try binding to the same user without a password, or providing credentials if you were doing anonymous authentication.")
264: when 49
265: fail_with(Failure::NoAccess, 'Invalid credentials provided!')
266: else
267: fail_with(Failure::Unknown, "Unknown error occurred whilst binding: #{bind_result['errorMessage']}")
268: end
269: if (@base_dn = datastore['BASE_DN'])
270: print_status("User-specified base DN: #{@base_dn}")
271: else
272: print_status('Discovering base DN automatically')
Couldn't discover base DN!
Here is a relevant code snippet related to the "Couldn't discover base DN!" error message:
270: print_status("User-specified base DN: #{@base_dn}")
271: else
272: print_status('Discovering base DN automatically')
273:
274: unless (@base_dn = discover_base_dn(ldap))
275: print_warning("Couldn't discover base DN!")
276: end
277: end
278:
279: case action.name
280: when 'RUN_QUERY_FILE'
When using the RUN_QUERY_FILE action, one must specify the path to the JASON/YAML file containing the queries via QUERY_FILE_PATH!
Here is a relevant code snippet related to the "When using the RUN_QUERY_FILE action, one must specify the path to the JASON/YAML file containing the queries via QUERY_FILE_PATH!" error message:
277: end
278:
279: case action.name
280: when 'RUN_QUERY_FILE'
281: unless datastore['QUERY_FILE_PATH']
282: fail_with(Failure::BadConfig, 'When using the RUN_QUERY_FILE action, one must specify the path to the JASON/YAML file containing the queries via QUERY_FILE_PATH!')
283: end
284: print_status("Loading queries from #{datastore['QUERY_FILE_PATH']}...")
285:
286: parsed_queries = safe_load_queries(datastore['QUERY_FILE_PATH']) || []
287: if parsed_queries.empty?
No queries loaded from <QUERY_FILE_PATH>!
Here is a relevant code snippet related to the "No queries loaded from <QUERY_FILE_PATH>!" error message:
283: end
284: print_status("Loading queries from #{datastore['QUERY_FILE_PATH']}...")
285:
286: parsed_queries = safe_load_queries(datastore['QUERY_FILE_PATH']) || []
287: if parsed_queries.empty?
288: fail_with(Failure::BadConfig, "No queries loaded from #{datastore['QUERY_FILE_PATH']}!")
289: end
290:
291: run_queries_from_file(ldap, parsed_queries)
292: return
293: when 'RUN_SINGLE_QUERY'
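A pre-flight check for a RUN_QUERY_FILE query file, added here as an example and not part of the module's own code: it applies the conditions the snippets above enforce (the file parses with YAML.safe_load, the top-level 'queries' value is an array, every query has 'action', 'filter' and 'attributes', and 'attributes' is not empty). The function name, sample files and action names are constructed for illustration; filters are compiled only if the net-ldap gem is installed.

```ruby
require 'yaml'
begin
  require 'net/ldap' # optional: used only to compile filters as the module does
rescue LoadError
  nil
end

# Keys that run_queries_from_file requires on every query.
REQUIRED_KEYS = %w[action filter attributes].freeze

# Constructed sample that passes every check.
SAMPLE_OK = <<~YAML
  queries:
    - action: EXAMPLE_LIST_USERS
      filter: "(objectClass=person)"
      attributes:
        - cn
        - mail
YAML

# Constructed sample: first query lacks 'filter', second has empty 'attributes'.
SAMPLE_BAD = <<~YAML
  queries:
    - action: EXAMPLE_NO_FILTER
      attributes:
        - cn
    - action: EXAMPLE_NO_ATTRIBUTES
      filter: "(objectClass=person)"
      attributes: []
YAML

# Returns a list of problems; an empty list means the text passes the checks.
# JSON input goes through the same YAML.safe_load call, as in the module.
def validate_query_file(text)
  begin
    settings = YAML.safe_load(text)
  rescue StandardError => e
    return ["could not parse file: #{e.class}"]
  end
  unless settings.is_a?(Hash) && settings['queries'].is_a?(Array)
    return ["top level must be a mapping with a 'queries' array"]
  end
  return ["'queries' is empty, no queries would be loaded"] if settings['queries'].empty?

  problems = []
  settings['queries'].each_with_index do |query, i|
    unless query.is_a?(Hash)
      problems << "query #{i}: not a mapping"
      next
    end
    missing = REQUIRED_KEYS.reject { |key| query[key] }
    problems << "query #{i}: missing #{missing.join(', ')}" unless missing.empty?
    attrs = query['attributes']
    problems << "query #{i}: 'attributes' is empty" if attrs.respond_to?(:empty?) && attrs.empty?
    next unless query['filter'] && defined?(Net::LDAP::Filter)

    begin
      Net::LDAP::Filter.construct(query['filter'])
    rescue StandardError => e
      problems << "query #{i}: filter does not compile (#{e.class})"
    end
  end
  problems
end

puts validate_query_file(SAMPLE_BAD) if $PROGRAM_NAME == __FILE__
```

An empty 'attributes' list is reported separately from a missing key because an empty array is truthy in Ruby, so it passes the module's first check and only trips the later warning.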
When using the RUN_SINGLE_QUERY action, one must supply the QUERY_FILTER and QUERY_ATTRIBUTE datastore options!
Here is a relevant code snippet related to the "When using the RUN_SINGLE_QUERY action, one must supply the QUERY_FILTER and QUERY_ATTRIBUTE datastore options!" error message:
290:
291: run_queries_from_file(ldap, parsed_queries)
292: return
293: when 'RUN_SINGLE_QUERY'
294: unless datastore['QUERY_FILTER'] && datastore['QUERY_ATTRIBUTES']
295: fail_with(Failure::BadConfig, 'When using the RUN_SINGLE_QUERY action, one must supply the QUERY_FILTER and QUERY_ATTRIBUTE datastore options!')
296: end
297:
298: begin
299: filter = Net::LDAP::Filter.construct(datastore['QUERY_FILTER'])
300: rescue StandardError => e
Could not compile the filter <QUERY_FILTER>. Error was <E>
Here is a relevant code snippet related to the "Could not compile the filter <QUERY_FILTER>. Error was <E>" error message:
296: end
297:
298: begin
299: filter = Net::LDAP::Filter.construct(datastore['QUERY_FILTER'])
300: rescue StandardError => e
301: fail_with(Failure::BadConfig, "Could not compile the filter #{datastore['QUERY_FILTER']}. Error was #{e}")
302: end
303:
304: print_status("Sending single query #{datastore['QUERY_FILTER']} to the LDAP server...")
305: attributes = datastore['QUERY_ATTRIBUTES'].split(',')
306: if attributes.empty?
Attributes list is empty as we could not find at least one attribute to filter on!
Here is a relevant code snippet related to the "Attributes list is empty as we could not find at least one attribute to filter on!" error message:
302: end
303:
304: print_status("Sending single query #{datastore['QUERY_FILTER']} to the LDAP server...")
305: attributes = datastore['QUERY_ATTRIBUTES'].split(',')
306: if attributes.empty?
307: fail_with(Failure::BadConfig, 'Attributes list is empty as we could not find at least one attribute to filter on!')
308: end
309: entries = perform_ldap_query(ldap, filter, attributes)
310: print_error("No entries could be found for #{datastore['QUERY_FILTER']}!") if entries.nil? || entries.empty?
311: else
312: query = @loaded_queries[datastore['ACTION']]
No entries could be found for <QUERY_FILTER>!
Here is a relevant code snippet related to the "No entries could be found for <QUERY_FILTER>!" error message:
305: attributes = datastore['QUERY_ATTRIBUTES'].split(',')
306: if attributes.empty?
307: fail_with(Failure::BadConfig, 'Attributes list is empty as we could not find at least one attribute to filter on!')
308: end
309: entries = perform_ldap_query(ldap, filter, attributes)
310: print_error("No entries could be found for #{datastore['QUERY_FILTER']}!") if entries.nil? || entries.empty?
311: else
312: query = @loaded_queries[datastore['ACTION']]
313: fail_with(Failure::BadConfig, "Invalid action: #{datastore['ACTION']}") unless query
314:
315: begin
Invalid action: <ACTION>
Here is a relevant code snippet related to the "Invalid action: <ACTION>" error message:
308: end
309: entries = perform_ldap_query(ldap, filter, attributes)
310: print_error("No entries could be found for #{datastore['QUERY_FILTER']}!") if entries.nil? || entries.empty?
311: else
312: query = @loaded_queries[datastore['ACTION']]
313: fail_with(Failure::BadConfig, "Invalid action: #{datastore['ACTION']}") unless query
314:
315: begin
316: filter = Net::LDAP::Filter.construct(query['filter'])
317: rescue StandardError => e
318: fail_with(Failure::BadConfig, "Could not compile the filter #{query['filter']}. Error was #{e}")
Could not compile the filter <FILTER>. Error was <E>
Here is a relevant code snippet related to the "Could not compile the filter <FILTER>. Error was <E>" error message:
313: fail_with(Failure::BadConfig, "Invalid action: #{datastore['ACTION']}") unless query
314:
315: begin
316: filter = Net::LDAP::Filter.construct(query['filter'])
317: rescue StandardError => e
318: fail_with(Failure::BadConfig, "Could not compile the filter #{query['filter']}. Error was #{e}")
319: end
320:
321: entries = perform_ldap_query(ldap, filter, query['attributes'])
322: end
323: end
Couldn't reach <RHOST>!
Here is a relevant code snippet related to the "Couldn't reach <RHOST>!" error message:
320:
321: entries = perform_ldap_query(ldap, filter, query['attributes'])
322: end
323: end
324: rescue Rex::ConnectionTimeout
325: fail_with(Failure::Unreachable, "Couldn't reach #{datastore['RHOST']}!")
326: rescue Net::LDAP::Error => e
327: fail_with(Failure::UnexpectedReply, "Could not query #{datastore['RHOST']}! Error was: #{e.message}")
328: end
329: return if entries.nil? || entries.empty?
330:
Could not query <RHOST>! Error was: <E.MESSAGE>
Here is a relevant code snippet related to the "Could not query <RHOST>! Error was: <E.MESSAGE>" error message:
322: end
323: end
324: rescue Rex::ConnectionTimeout
325: fail_with(Failure::Unreachable, "Couldn't reach #{datastore['RHOST']}!")
326: rescue Net::LDAP::Error => e
327: fail_with(Failure::UnexpectedReply, "Could not query #{datastore['RHOST']}! Error was: #{e.message}")
328: end
329: return if entries.nil? || entries.empty?
330:
331: show_output(entries)
332: end
See Also
See also the following modules related to this one:
- auxiliary/gather/ldap_esc_vulnerable_cert_finder
- auxiliary/gather/ldap_hashdump
- auxiliary/admin/ldap/rbcd
- auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
- exploit/windows/ldap/imail_thc
- exploit/windows/ldap/pgp_keyserver7
- auxiliary/dos/wireshark/cldap
- auxiliary/dos/wireshark/ldap
- auxiliary/gather/vmware_vcenter_vmdir_ldap
- auxiliary/gather/xerox_workcentre_5xxx_ldap
- auxiliary/scanner/http/symantec_brightmail_ldapcreds
- auxiliary/server/ldap
- auxiliary/scanner/http/blind_sql_query
- auxiliary/scanner/llmnr/query
- auxiliary/scanner/mdns/query
- auxiliary/scanner/wsdd/wsdd_query
- auxiliary/vsploit/malware/dns/dns_query
- auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
- exploit/multi/browser/firefox_queryinterface
- exploit/multi/http/phpldapadmin_query_engine
- exploit/windows/isapi/w3who_query
- payload/cmd/windows/powershell/dns_txt_query_exec
- payload/windows/dns_txt_query_exec
- post/multi/manage/dbvis_query
- exploit/unix/webapp/jquery_file_upload
- exploit/windows/http/amlibweb_webquerydll_app
- exploit/linux/http/pineapp_ldapsyncnow_exec
- exploit/linux/misc/jenkins_ldap_deserialize
- exploit/windows/http/apache_mod_rewrite_ldap
Authors
- Grant Willcox
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.