Add support for cache credentials in the mixin
parent
0a61e108ea
commit
f325d2f60e
|
@ -9,11 +9,13 @@ module Msf
|
||||||
require 'msf/kerberos/microsoft/client/as_request'
|
require 'msf/kerberos/microsoft/client/as_request'
|
||||||
require 'msf/kerberos/microsoft/client/as_response'
|
require 'msf/kerberos/microsoft/client/as_response'
|
||||||
require 'msf/kerberos/microsoft/client/tgs_request'
|
require 'msf/kerberos/microsoft/client/tgs_request'
|
||||||
|
require 'msf/kerberos/microsoft/client/cache_credential'
|
||||||
|
|
||||||
include Msf::Kerberos::Microsoft::Client::Base
|
include Msf::Kerberos::Microsoft::Client::Base
|
||||||
include Msf::Kerberos::Microsoft::Client::AsRequest
|
include Msf::Kerberos::Microsoft::Client::AsRequest
|
||||||
include Msf::Kerberos::Microsoft::Client::AsResponse
|
include Msf::Kerberos::Microsoft::Client::AsResponse
|
||||||
include Msf::Kerberos::Microsoft::Client::TgsRequest
|
include Msf::Kerberos::Microsoft::Client::TgsRequest
|
||||||
|
include Msf::Kerberos::Microsoft::Client::CacheCredential
|
||||||
|
|
||||||
# @!attribute client
|
# @!attribute client
|
||||||
# @return [Rex::Proto::Kerberos::Client] The kerberos client
|
# @return [Rex::Proto::Kerberos::Client] The kerberos client
|
||||||
|
|
|
@ -0,0 +1,100 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
require 'rex/proto/kerberos'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
module Kerberos
|
||||||
|
module Microsoft
|
||||||
|
module Client
|
||||||
|
module CacheCredential
|
||||||
|
def create_cache(opts = {})
|
||||||
|
version = opts[:version] || 0x0504
|
||||||
|
headers = opts[:headers] || ["\x00\x08\xff\xff\xff\xff\x00\x00\x00\x00"]
|
||||||
|
primary_principal = opts[:primary_principal] || create_cache_principal(opts)
|
||||||
|
credentials = opts[:credentials] || [create_cache_credential(opts)]
|
||||||
|
|
||||||
|
cache = Rex::Proto::Kerberos::CredentialCache::Cache.new(
|
||||||
|
version: version,
|
||||||
|
headers: headers,
|
||||||
|
primary_principal: primary_principal,
|
||||||
|
credentials: credentials
|
||||||
|
)
|
||||||
|
|
||||||
|
cache
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_cache_principal(opts = {})
|
||||||
|
name_type = opts[:name_type]
|
||||||
|
realm = opts[:realm]
|
||||||
|
components = opts[:components]
|
||||||
|
|
||||||
|
principal = Rex::Proto::Kerberos::CredentialCache::Principal.new(
|
||||||
|
name_type: name_type,
|
||||||
|
realm: realm,
|
||||||
|
components:components
|
||||||
|
)
|
||||||
|
|
||||||
|
principal
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_cache_key_block(opts = {})
|
||||||
|
key_type = opts[:key_type]
|
||||||
|
e_type = opts[:e_type] || 0
|
||||||
|
key_value = opts[:key_value]
|
||||||
|
|
||||||
|
key_block = Rex::Proto::Kerberos::CredentialCache::KeyBlock.new(
|
||||||
|
key_type: key_type,
|
||||||
|
e_type: e_type,
|
||||||
|
key_value: key_value
|
||||||
|
)
|
||||||
|
|
||||||
|
key_block
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_cache_times(opts = {})
|
||||||
|
auth_time = opts[:auth_time]
|
||||||
|
start_time = opts[:start_time] || 0
|
||||||
|
end_time = opts[:end_time] || 0
|
||||||
|
renew_till = opts[:renew_till] || 0
|
||||||
|
|
||||||
|
time = Rex::Proto::Kerberos::CredentialCache::Time.new(
|
||||||
|
auth_time: auth_time.to_i,
|
||||||
|
start_time: start_time.to_i,
|
||||||
|
end_time: end_time.to_i,
|
||||||
|
renew_till: renew_till.to_i
|
||||||
|
)
|
||||||
|
|
||||||
|
time
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_cache_credential(opts = {})
|
||||||
|
client = opts[:client]
|
||||||
|
server = opts[:server]
|
||||||
|
key = opts[:key]
|
||||||
|
time = opts[:time]
|
||||||
|
is_skey = opts[:is_skey] || 0
|
||||||
|
tkt_flags = opts[:flags]
|
||||||
|
addrs = opts[:addrs] || []
|
||||||
|
auth_data = opts[:auth_data] || []
|
||||||
|
ticket = opts[:ticket]
|
||||||
|
second_ticket = opts[:second_ticket] || ''
|
||||||
|
|
||||||
|
cred = Rex::Proto::Kerberos::CredentialCache::Credential.new(
|
||||||
|
client: client,
|
||||||
|
server: server,
|
||||||
|
key: key,
|
||||||
|
time: time,
|
||||||
|
is_skey: is_skey,
|
||||||
|
tkt_flags:tkt_flags,
|
||||||
|
addrs: addrs,
|
||||||
|
auth_data: auth_data,
|
||||||
|
ticket: ticket,
|
||||||
|
second_ticket: second_ticket
|
||||||
|
)
|
||||||
|
|
||||||
|
cred
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -9,4 +9,5 @@ require 'rex/proto/kerberos/crypto'
|
||||||
require 'rex/proto/kerberos/pac'
|
require 'rex/proto/kerberos/pac'
|
||||||
require 'rex/proto/kerberos/model'
|
require 'rex/proto/kerberos/model'
|
||||||
require 'rex/proto/kerberos/client'
|
require 'rex/proto/kerberos/client'
|
||||||
|
require 'rex/proto/kerberos/credential_cache'
|
||||||
|
|
||||||
|
|
|
@ -2,17 +2,14 @@ module Rex
|
||||||
module Proto
|
module Proto
|
||||||
module Kerberos
|
module Kerberos
|
||||||
module CredentialCache
|
module CredentialCache
|
||||||
=begin
|
|
||||||
ccache {
|
|
||||||
uint16_t file_format_version; /* 0x0504 */
|
|
||||||
uint16_t headerlen; /* only if version is 0x0504 */
|
|
||||||
header headers[]; /* only if version is 0x0504 */
|
|
||||||
principal primary_principal;
|
|
||||||
credential credentials[*];
|
|
||||||
};
|
|
||||||
=end
|
|
||||||
class Cache < Element
|
class Cache < Element
|
||||||
|
# Fixnum
|
||||||
|
attr_accessor :version
|
||||||
|
# Array
|
||||||
|
attr_accessor :headers
|
||||||
|
# Principal
|
||||||
attr_accessor :primary_principal
|
attr_accessor :primary_principal
|
||||||
|
# Array
|
||||||
attr_accessor :credentials
|
attr_accessor :credentials
|
||||||
|
|
||||||
def encode
|
def encode
|
||||||
|
@ -26,14 +23,19 @@ ccache {
|
||||||
private
|
private
|
||||||
|
|
||||||
def encode_version
|
def encode_version
|
||||||
[0x0504].pack('n')
|
[version].pack('n')
|
||||||
end
|
end
|
||||||
|
|
||||||
def encode_headers
|
def encode_headers
|
||||||
header = "\x00\x01\x00\x08\xff\xff\xff\xff\x00\x00\x00\x00"
|
headers_encoded = ''
|
||||||
|
headers_encoded << [headers.length].pack('n')
|
||||||
|
headers.each do |h|
|
||||||
|
headers_encoded << h
|
||||||
|
end
|
||||||
|
|
||||||
encoded = ''
|
encoded = ''
|
||||||
encoded << [header.length].pack('n')
|
encoded << [headers_encoded.length].pack('n')
|
||||||
encoded << header
|
encoded << headers_encoded
|
||||||
|
|
||||||
encoded
|
encoded
|
||||||
end
|
end
|
||||||
|
|
|
@ -35,7 +35,7 @@ module Rex
|
||||||
encoded << encode_addrs
|
encoded << encode_addrs
|
||||||
encoded << encode_auth_data
|
encoded << encode_auth_data
|
||||||
encoded << encode_ticket
|
encoded << encode_ticket
|
||||||
encoded << second_ticket
|
encoded << encode_second_ticket
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
|
@ -20,7 +20,7 @@ module Rex
|
||||||
def encode
|
def encode
|
||||||
encoded = ''
|
encoded = ''
|
||||||
encoded << encode_name_type
|
encoded << encode_name_type
|
||||||
encoded << [components.length].pack('n')
|
encoded << [components.length].pack('N')
|
||||||
encoded << encode_realm
|
encoded << encode_realm
|
||||||
encoded << encode_components
|
encoded << encode_components
|
||||||
|
|
||||||
|
@ -31,19 +31,22 @@ module Rex
|
||||||
|
|
||||||
def encode_name_type
|
def encode_name_type
|
||||||
#NT_PRINCIPAL = 1
|
#NT_PRINCIPAL = 1
|
||||||
[name_type].pack('n')
|
[name_type].pack('N')
|
||||||
end
|
end
|
||||||
|
|
||||||
def encode_realm
|
def encode_realm
|
||||||
encoded << [realm.length].pack('n')
|
encoded = ''
|
||||||
|
encoded << [realm.length].pack('N')
|
||||||
encoded << realm
|
encoded << realm
|
||||||
|
|
||||||
|
encoded
|
||||||
end
|
end
|
||||||
|
|
||||||
def encode_components
|
def encode_components
|
||||||
encoded = ''
|
encoded = ''
|
||||||
|
|
||||||
components.each do |c|
|
components.each do |c|
|
||||||
encoded << [c.length].pack('n')
|
encoded << [c.length].pack('N')
|
||||||
encoded << c
|
encoded << c
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -78,12 +78,110 @@ include Msf::Kerberos::Microsoft::Client
|
||||||
|
|
||||||
pp res
|
pp res
|
||||||
|
|
||||||
|
|
||||||
decrypt_res = res.enc_part.decrypt("AAAABBBBCCCCDDDD", 9)
|
decrypt_res = res.enc_part.decrypt("AAAABBBBCCCCDDDD", 9)
|
||||||
enc_kdc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
|
enc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
|
||||||
|
|
||||||
print_good("Decrypted!")
|
print_good("Decrypted!")
|
||||||
pp enc_kdc_res
|
pp enc_res
|
||||||
|
|
||||||
|
client = create_cache_principal(
|
||||||
|
name_type: res.cname.name_type,
|
||||||
|
realm: res.crealm,
|
||||||
|
components: res.cname.name_string
|
||||||
|
)
|
||||||
|
|
||||||
|
server = create_cache_principal(
|
||||||
|
name_type: enc_res.sname.name_type,
|
||||||
|
realm: enc_res.srealm,
|
||||||
|
components: enc_res.sname.name_string
|
||||||
|
)
|
||||||
|
|
||||||
|
key = create_cache_key_block(
|
||||||
|
key_type: enc_res.key.type,
|
||||||
|
key_value: enc_res.key.value
|
||||||
|
)
|
||||||
|
|
||||||
|
times = create_cache_times(
|
||||||
|
auth_time: enc_res.auth_time,
|
||||||
|
start_time: enc_res.start_time,
|
||||||
|
end_time: enc_res.end_time,
|
||||||
|
renew_till: enc_res.renew_till
|
||||||
|
)
|
||||||
|
|
||||||
|
credential = create_cache_credential(
|
||||||
|
client: client,
|
||||||
|
server: server,
|
||||||
|
key: key,
|
||||||
|
time: times,
|
||||||
|
ticket: res.ticket.encode,
|
||||||
|
flags: enc_res.flags
|
||||||
|
)
|
||||||
|
|
||||||
|
cache_principal = create_cache_principal(
|
||||||
|
name_type: 1, # NT_PRINCIPAL
|
||||||
|
realm: opts[:realm],
|
||||||
|
components: [opts[:cname]]
|
||||||
|
)
|
||||||
|
|
||||||
|
cache = create_cache(
|
||||||
|
primary_principal: cache_principal,
|
||||||
|
credentials: [credential]
|
||||||
|
)
|
||||||
|
|
||||||
|
print_good("cache created")
|
||||||
|
|
||||||
|
pp cache
|
||||||
|
|
||||||
|
f = File.new('/tmp/cache.ticket', 'wb')
|
||||||
|
f.write(cache.encode)
|
||||||
|
f.close
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
=begin
|
||||||
|
"\x61\x82\x03\x81\x30\x82\x03\x7d\xa0\x03\x02\x01\x05\xa1\x0c\x1b\x0a\x44\x45\x4d" +
|
||||||
|
"\x4f\x2e\x4c\x4f\x43\x41\x4c\xa2\x1f\x30\x1d\xa0\x03\x02\x01\x01\xa1\x16\x30\x14" +
|
||||||
|
"\x1b\x06\x6b\x72\x62\x74\x67\x74\x1b\x0a\x44\x45\x4d\x4f\x2e\x4c\x4f\x43\x41\x4c" +
|
||||||
|
"\xa3\x82\x03\x45\x30\x82\x03\x41\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02\xa2\x82" +
|
||||||
|
"\x03\x33\x04\x82\x03\x2f\xa3\xda\x11\xc3\xd7\x35\x06\x8f\x70\x67\x52\x08\x71\xce" +
|
||||||
|
"\xf7\x28\xab\x39\x82\x2c\x1b\x8f\x35\x58\x32\xff\x85\x18\x16\x20\x6d\xa1\x38\xb3" +
|
||||||
|
"\x2f\x2f\xc8\x51\x19\x27\x94\x11\xeb\xa2\xa7\xfa\x27\xd0\x50\x72\x93\xb6\x63\x17" +
|
||||||
|
"\x3d\xf5\xf9\x9c\x6c\xc6\xbe\x81\xf3\xf7\x9c\xd0\xb3\xbc\xd1\x01\x9c\x82\x64\x69" +
|
||||||
|
"\x02\x1b\xa1\x36\xe2\x75\xec\xfd\xb8\x77\x53\x20\x36\x74\x93\x54\xa1\x18\xbd\xdb" +
|
||||||
|
"\xfe\x38\x61\x2b\x37\xde\x4f\xbe\x22\x7b\xc5\x79\x91\x6e\xd0\x58\x72\x87\x91\xd2" +
|
||||||
|
"\x65\x7f\xf6\xbe\x6c\xf3\x68\x46\x21\x17\x4f\x5d\xb6\x1f\xc6\xc3\x0e\xf7\x95\xb9" +
|
||||||
|
"\xa8\x62\x9d\x3e\x8d\xcb\x19\xa0\x33\x89\x1d\xe6\xcc\x5e\xc9\x79\x33\x09\x3d\x35" +
|
||||||
|
"\x8d\x48\x06\x44\xbe\x37\x2e\xf1\xbb\xc3\xc9\xd8\xe8\xad\x75\x02\xf9\xa9\xe0\xd5" +
|
||||||
|
"\x56\xeb\xea\xb3\xd4\xa4\x84\x32\x50\xb5\x84\xc1\xcc\x56\x11\xc6\x0e\xe2\x21\xfc" +
|
||||||
|
"\x45\x8f\x53\xea\x79\xc1\x19\x49\x45\xe8\x4b\x90\xc6\x01\xfa\xf3\xa5\x8a\x97\x27" +
|
||||||
|
"\x32\x17\x9f\x00\xab\x85\x0c\x31\x79\xad\x18\x16\x91\x8c\xfb\x0d\xd6\xd7\x52\x98" +
|
||||||
|
"\x82\x5b\xcb\x16\x0c\x65\x40\x22\xa6\x7b\xad\xaa\xb6\xa3\xc1\xd9\xcc\xbb\xda\xae" +
|
||||||
|
"\x71\xe8\x4c\xab\x48\xaf\x43\x15\x52\xb2\xed\x75\x87\xe0\x96\x29\xd3\x3e\x0e\xfc" +
|
||||||
|
"\xc8\x0f\xc2\x24\x90\x73\xd2\xe3\xa7\xc4\x69\x3d\x1c\x05\xb7\x81\xd1\x1e\x1c\x63" +
|
||||||
|
"\xbc\x34\x3e\x4d\xe8\x63\x22\x28\x01\x6f\xc1\xf3\x35\xb9\xe6\xe0\x4f\xe3\x94\xcf" +
|
||||||
|
"\x67\x14\x20\x8b\x33\xcc\x2e\x5f\xd6\x14\x5b\x15\x34\x56\x64\x9a\xba\xa9\x62\x1a" +
|
||||||
|
"\xb5\x80\xf4\x60\x34\xaf\x86\x9d\x5b\x84\x5a\x28\xbb\x6c\x30\xaa\x4a\xad\xf8\x73" +
|
||||||
|
"\x19\x14\x92\x53\x83\x78\x9e\xb0\xe0\x5f\x69\xa6\x96\xe6\x57\xe4\x20\x0b\x96\x87" +
|
||||||
|
"\xe9\x16\x2c\xba\x9d\x33\x02\xe6\xb6\xb3\x51\xee\xee\x68\x79\x36\xd1\x79\xc3\x1f" +
|
||||||
|
"\xb5\xda\x3a\xe6\x5b\x21\x46\x6e\xac\x6a\x61\xbb\xb3\x6f\x46\x69\xbf\xdc\xa8\x9c" +
|
||||||
|
"\x1a\x5c\x87\x14\x40\x5f\xc4\x39\x11\x2b\xf7\xac\xf9\x55\x2c\x62\xe3\x31\xc9\x8e" +
|
||||||
|
"\x21\x69\xb3\x10\x28\xa6\xeb\xd3\x00\xe8\x9a\xe2\x53\xa4\xe6\x3c\xcb\xa3\x6c\xf4" +
|
||||||
|
"\x6e\x7f\x5e\x3f\x36\xa6\xaa\x25\x6a\x90\x67\xaf\xd7\xf8\x4f\x99\x83\xee\x53\xd0" +
|
||||||
|
"\xcd\x8f\xb8\xa9\xd1\x5b\x81\x0e\x28\x07\x8a\x0d\xce\x70\xaf\x19\xe4\x03\x33\xe2" +
|
||||||
|
"\x1c\x25\xb1\x35\x55\x8b\xd4\x60\xcf\xf3\x64\x21\xa5\x75\x49\x93\xca\x44\xb3\x57" +
|
||||||
|
"\x89\x37\x23\x22\x90\x27\x63\x60\xf8\x5d\x54\x15\x39\x48\x16\x62\xff\x52\x57\x06" +
|
||||||
|
"\xed\x81\x7f\xa8\x4a\xa7\xbb\xbd\xed\x2e\x4f\xdf\x34\x60\x09\xf0\x3e\x45\xf8\x9d" +
|
||||||
|
"\xd7\x13\x71\x53\x3f\x36\x7e\x01\xd1\x0a\xef\xfb\xeb\x75\x7f\xce\x82\x5e\x40\x2e" +
|
||||||
|
"\x0c\x84\xa2\xe3\x60\xc4\x94\x83\x4e\x2a\x54\x94\x41\xa8\xea\xd4\xc5\xd6\x6c\x2b" +
|
||||||
|
"\x33\xef\x31\xf8\x9c\x2c\xcd\xc7\x8a\xfc\xb2\xb4\xcc\x9a\xaf\x94\x9b\xf8\x26\xb7" +
|
||||||
|
"\x6c\x8e\xd8\x9f\x8b\x33\x22\x89\x95\xbd\x3e\x99\x01\x0f\xc3\xa5\x22\xef\xdb\x3b" +
|
||||||
|
"\xff\x16\xf7\x59\x33\xdf\x74\x8b\x10\x4b\xe0\x9f\xaa\x9f\x59\x8a\x7b\xf8\xd2\xd4" +
|
||||||
|
"\x0c\x95\xa3\xeb\xdc\x82\xb5\xc3\xd5\x07\x84\xe0\x34\xb7\x78\x56\x69\xca\x38\x36" +
|
||||||
|
"\x15\x70\x99\x49\xb1\x3c\x1e\xb2\xab\x94\xb4\x0e\xcc\x2a\x26\xd2\xeb\xd2\x9e\x13" +
|
||||||
|
"\x65\x8f\xdf\xa5\x6b\xd1\x49\x10\x74\x4d\x3a\x7e\xec\x34\xb5\x20\xdc\x92\xc6\x7c" +
|
||||||
|
"\x65\x89\x96\x2b\xc9\x6b\x2a\x73\x23\x2b\xbe\xfe\x88\xdc\xc5\x0f\x92\x83\x06\x1d" +
|
||||||
|
"\x66\x8c\xf9\x26\x57\xbf\x4c\x39\xe8\x3b\xf5\xd9\x5a\xc7\xfc\xec\xf8\xd3\x66\x50" +
|
||||||
|
"\x18\x9d\xf4\xdf\xcf\x8f\x1a\x71\x28\x22\xcf\x71\x16\x87\xb6\x04\xb9\x8c\xad\x31" +
|
||||||
|
"\x3b\xed\x78\x14\x97\xc7\xf3\xc4\xc7\xc7\x80\x83\x0f\xe2\xa7\x60\x38\xcb\x65\x26" +
|
||||||
|
"\xb9\x8e\xa1\x20\x49\x6b\x25\x04\x4f\x71\x0f\xdd\xa0\x70\xd4\xb3\xd1\x8b\x7e\x17\xcd"
|
||||||
|
=end
|
Loading…
Reference in New Issue