2016-10-26 19:56:41 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2016-10-26 19:56:41 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Remote::Kerberos::Client
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Kerberos Domain User Enumeration',
|
2016-10-27 20:50:17 +00:00
|
|
|
'Description' => %q(
|
2017-08-27 01:01:10 +00:00
|
|
|
This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes
|
2016-10-26 19:56:41 +00:00
|
|
|
the different responses returned by the service for valid and invalid users.
|
2016-10-27 20:50:17 +00:00
|
|
|
),
|
2016-10-26 19:56:41 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2016-10-27 20:50:17 +00:00
|
|
|
[ 'URL', 'https://nmap.org/nsedoc/scripts/krb5-enum-users.html']
|
2016-10-26 19:56:41 +00:00
|
|
|
],
|
2016-10-27 20:50:17 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
)
|
2016-10-26 19:56:41 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('DOMAIN', [ true, 'The Domain Eg: demo.local' ]),
|
|
|
|
OptPath.new(
|
|
|
|
'USER_FILE',
|
2016-10-27 20:50:17 +00:00
|
|
|
[true, 'Files containing usernames, one per line', nil]
|
|
|
|
)
|
|
|
|
],
|
|
|
|
self.class
|
|
|
|
)
|
2016-10-26 19:56:41 +00:00
|
|
|
end
|
2016-10-27 20:50:17 +00:00
|
|
|
|
2016-10-26 19:56:41 +00:00
|
|
|
def user_list
|
|
|
|
users = nil
|
|
|
|
if File.readable? datastore['USER_FILE']
|
|
|
|
users = File.new(datastore['USER_FILE']).read.split
|
2016-10-27 20:50:17 +00:00
|
|
|
users.each { |u| u.downcase! }
|
2016-10-26 19:56:41 +00:00
|
|
|
users.uniq!
|
|
|
|
else
|
|
|
|
raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
|
2016-10-27 20:50:17 +00:00
|
|
|
end
|
2016-10-26 19:56:41 +00:00
|
|
|
users
|
|
|
|
end
|
2016-10-27 20:50:17 +00:00
|
|
|
|
2016-10-26 19:56:41 +00:00
|
|
|
def run
|
|
|
|
print_status("Validating options...")
|
|
|
|
|
|
|
|
domain = datastore['DOMAIN'].upcase
|
|
|
|
user_file = datastore['USER_FILE']
|
|
|
|
|
|
|
|
print_status("Using domain: #{domain}...")
|
|
|
|
|
|
|
|
pre_auth = []
|
|
|
|
pre_auth << build_pa_pac_request
|
|
|
|
pre_auth
|
|
|
|
|
|
|
|
user_list.each do |user|
|
|
|
|
print_status("#{peer} - Testing User: \"#{user}\"...")
|
|
|
|
res = send_request_as(
|
|
|
|
client_name: "#{user}",
|
|
|
|
server_name: "krbtgt/#{domain}",
|
|
|
|
realm: "#{domain}",
|
|
|
|
pa_data: pre_auth
|
2016-10-27 20:50:17 +00:00
|
|
|
)
|
|
|
|
print_status("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
|
|
|
|
test = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
|
|
|
|
if test == ["KDC_ERR_PREAUTH_REQUIRED", "Additional pre-authentication required"]
|
|
|
|
print_good("#{peer} - User: \"#{user}\" is present")
|
|
|
|
report_cred(
|
|
|
|
host: datastore['RHOST'],
|
|
|
|
port: rport,
|
2016-11-01 17:59:51 +00:00
|
|
|
creds_name: 'Kerberos',
|
2016-10-27 20:50:17 +00:00
|
|
|
user: user
|
|
|
|
)
|
|
|
|
elsif test == ["KDC_ERR_CLIENT_REVOKED", "Clients credentials have been revoked"]
|
|
|
|
print_error("#{peer} - User: \"#{user}\" account disabled or locked out")
|
|
|
|
else
|
|
|
|
print_status("#{peer} - User: \"#{user}\" does not exist")
|
|
|
|
end
|
2016-10-26 19:56:41 +00:00
|
|
|
end
|
|
|
|
end
|
2016-10-27 20:50:17 +00:00
|
|
|
|
|
|
|
def report_cred(opts)
|
|
|
|
service_data = {
|
|
|
|
address: opts[:host],
|
|
|
|
port: opts[:port],
|
|
|
|
protocol: 'udp',
|
|
|
|
workspace_id: myworkspace.id,
|
|
|
|
service_name: opts[:creds_name]
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data = {
|
|
|
|
username: opts[:user],
|
|
|
|
origin_type: :service,
|
|
|
|
module_fullname: self.fullname
|
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
login_data = {
|
|
|
|
core: create_credential(credential_data),
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED
|
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
create_credential_login(login_data)
|
2016-10-26 19:56:41 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def warn_error(res)
|
|
|
|
msg = ''
|
|
|
|
|
2016-10-27 20:50:17 +00:00
|
|
|
if Rex::Proto::Kerberos::Model::ERROR_CODES.key?(res.error_code)
|
2016-10-26 19:56:41 +00:00
|
|
|
error_info = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
|
|
|
|
msg = "#{error_info[0]} - #{error_info[1]}"
|
|
|
|
else
|
|
|
|
msg = 'Wrong DOMAIN Name? Check DOMAIN and retry...'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|