From ddb5d54c95fe7b914df41bb577a4a19ddfda6154 Mon Sep 17 00:00:00 2001 From: Marshall Hallenbeck Date: Thu, 23 Mar 2023 23:21:43 -0400 Subject: [PATCH] update nopac module to catch error connecting to Kerberos and fix formatting --- cme/modules/nopac.py | 54 +++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/cme/modules/nopac.py b/cme/modules/nopac.py index 4acd8c4b..e5fd3eb0 100644 --- a/cme/modules/nopac.py +++ b/cme/modules/nopac.py @@ -8,31 +8,49 @@ from binascii import unhexlify from impacket.krb5.kerberosv5 import getKerberosTGT from impacket.krb5 import constants from impacket.krb5.types import Principal +import logging + class CMEModule: - name = 'nopac' + name = "nopac" description = "Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user" - supported_protocols = ['smb'] + supported_protocols = ["smb"] opsec_safe = True multiple_hosts = True def options(self, context, module_options): - ''' - ''' + """ + """ def on_login(self, context, connection): - - userName = Principal(connection.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value) - tgt_with_pac, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, connection.password, connection.domain, - unhexlify(connection.lmhash), unhexlify(connection.nthash), connection.aesKey, - connection.host, requestPAC=True) - context.log.highlight("TGT with PAC size " + str(len(tgt_with_pac))) - tgt_no_pac, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, connection.password, connection.domain, - unhexlify(connection.lmhash), unhexlify(connection.nthash), connection.aesKey, - connection.host, requestPAC=False) - context.log.highlight("TGT without PAC size " + str(len(tgt_no_pac))) - if len(tgt_no_pac) < len(tgt_with_pac): - context.log.highlight("") - context.log.highlight("VULNERABLE") - context.log.highlight("Next step: https://github.com/Ridter/noPac") + user_name = Principal(connection.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value) + try: + tgt_with_pac, cipher, old_session_key, session_key = getKerberosTGT( + user_name, + connection.password, + connection.domain, + unhexlify(connection.lmhash), + unhexlify(connection.nthash), + connection.aesKey, + connection.host, + requestPAC=True + ) + context.log.highlight("TGT with PAC size " + str(len(tgt_with_pac))) + tgt_no_pac, cipher, old_session_key, session_key = getKerberosTGT( + user_name, + connection.password, + connection.domain, + unhexlify(connection.lmhash), + unhexlify(connection.nthash), + connection.aesKey, + connection.host, + requestPAC=False + ) + context.log.highlight("TGT without PAC size " + str(len(tgt_no_pac))) + if len(tgt_no_pac) < len(tgt_with_pac): + context.log.highlight("") + context.log.highlight("VULNERABLE") + context.log.highlight("Next step: https://github.com/Ridter/noPac") + except OSError as e: + logging.debug(f"Error connecting to Kerberos (port 88) on {connection.host}")