Class: Metasploit::Framework::LoginScanner::Kerberos

Inherits:

Object

• Object
• Metasploit::Framework::LoginScanner::Kerberos

Includes:

Base, Msf::Exploit::Remote::Kerberos::Client

Defined in:

lib/metasploit/framework/login_scanner/kerberos.rb

Overview

Kerberos User scanner

Constant Summary

DEFAULT_PORT =

88

REALM_KEY =

Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

DEFAULT_REALM =

nil

Constants included from Msf::Exploit::Remote::Kerberos::Client

Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_ACCEPT_COMPLETED, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_ACCEPT_INCOMPLETE, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_REJECT, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_REQUEST_MIC, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_AP_REP, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_AP_REQ, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_ERROR

Constants included from Msf::Exploit::Remote::Kerberos::Client::ApRequest

Msf::Exploit::Remote::Kerberos::Client::ApRequest::AP_MUTUAL_REQUIRED, Msf::Exploit::Remote::Kerberos::Client::ApRequest::AP_USE_SESSION_KEY

Instance Attribute Summary

• #server_name ⇒ Object

  Returns the value of attribute server_name.

Attributes included from Msf::Exploit::Remote::Kerberos::Client

#client

Class Method Summary

• .login_status_for_kerberos_error(krb_err) ⇒ Object

Instance Method Summary

• #attempt_login(credential) ⇒ Object

Methods included from Msf::Exploit::Remote::Kerberos::Client

#cleanup, #connect, #disconnect, #framework_module, #initialize, #peer, #proxies, #select_cipher, #send_request_as, #send_request_tgs, #send_request_tgt, #send_request_tgt_pkinit

Methods included from Msf::Exploit::Remote::Kerberos::Client::Pkinit

#build_dh, #build_pa_pk_as_req, #calculate_shared_key, #extract_user_and_realm, #k_truncate, #sign_auth_pack

Methods included from Msf::Exploit::Remote::Kerberos::Client::Pac

#build_empty_auth_data, #build_pa_pac_request, #build_pac, #build_pac_authorization_data

Methods included from Msf::Exploit::Remote::Kerberos::Client::TgsResponse

#decrypt_kdc_tgs_rep_enc_part, #extract_kerb_creds

Methods included from Msf::Exploit::Remote::Kerberos::Client::TgsRequest

#build_ap_req, #build_authenticator, #build_enc_auth_data, #build_pa_for_user, #build_subkey, #build_tgs_body_checksum, #build_tgs_request, #build_tgs_request_body

Methods included from Msf::Exploit::Remote::Kerberos::Client::AsResponse

#decrypt_kdc_as_rep_enc_part, #extract_logon_time, #extract_session_key, #format_as_rep_to_john_hash

Methods included from Msf::Exploit::Remote::Kerberos::Client::AsRequest

#build_as_pa_time_stamp, #build_as_request, #build_as_request_body

Methods included from Msf::Exploit::Remote::Kerberos::Client::ApRequest

#build_service_ap_request, #encode_gss_kerberos_ap_request, #encode_gss_spnego_ap_request

Methods included from Msf::Exploit::Remote::Kerberos::Client::Base

#build_client_name, #build_server_name

Instance Attribute Details

#server_name ⇒ Object

Returns the value of attribute server_name.

# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 64

def server_name
  @server_name
end

Class Method Details

.login_status_for_kerberos_error(krb_err) ⇒ Object

Parameters:

• krb_err (Rex::Proto::Kerberos::Model::Error::KerberosError) —

  The kerberos error

# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 72

def self.login_status_for_kerberos_error(krb_err)
  error_code = krb_err.error_code
  case error_code
  when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_KEY_EXPIRED, Rex::Proto::Kerberos::Model::Error::ErrorCodes::KRB_AP_ERR_SKEW
    # Correct password, but either password needs resetting or clock is skewed
    Metasploit::Model::Login::Status::SUCCESSFUL
  when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_C_PRINCIPAL_UNKNOWN
    # The username doesn't exist
    Metasploit::Model::Login::Status::INVALID_PUBLIC_PART
  when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_CLIENT_REVOKED
    # Locked out, disabled or expired
    # It doesn't appear to be documented anywhere, but Microsoft gives us a bit
    # of extra information in the e-data section
    begin
      pa_data_entry = krb_err.res.e_data_as_pa_data_entry
      if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
        pw_salt = pa_data_entry.decoded_value
        if pw_salt.nt_status
          case pw_salt.nt_status.value
          when ::WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT
            Metasploit::Model::Login::Status::LOCKED_OUT
          when ::WindowsError::NTStatus::STATUS_ACCOUNT_DISABLED
            Metasploit::Model::Login::Status::DISABLED
          when ::WindowsError::NTStatus::STATUS_ACCOUNT_EXPIRED
            # Actually expired, which is effectively Disabled
            Metasploit::Model::Login::Status::DISABLED
          else
            # Unknown - maintain existing behaviour
            Metasploit::Model::Login::Status::DISABLED
          end
        else
          Metasploit::Model::Login::Status::DISABLED
        end
      else
          Metasploit::Model::Login::Status::DISABLED
      end
    rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
      # Could be a non-MS implementation?
      Metasploit::Model::Login::Status::DISABLED
    end
  else
    Metasploit::Model::Login::Status::INCORRECT
  end
end

Instance Method Details

#attempt_login(credential) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 16

def attempt_login(credential)
  result_options = {
    credential: credential,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: 'kerberos'
  }

  begin
    res = send_request_tgt(
      server_name: server_name,
      client_name: credential.public,
      password: credential.private,
      realm: credential.realm
    )
    unless res.preauth_required
      # Pre-auth not required - let's get an RC4-HMAC ticket, since it's more easily crackable
      begin
        res = send_request_tgt(
          server_name: server_name,
          client_name: credential.public,
          password: credential.private,
          realm: credential.realm,
          offered_etypes: [Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC]
        )
      rescue Rex::Proto::Kerberos::Model::Error::KerberosEncryptionNotSupported => e
        # RC4 likely disabled - let's just use the initial response
      end
    end

    result_options = result_options.merge(
      {
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
        proof: res
      }
    )
    return Metasploit::Framework::LoginScanner::Result.new(result_options)
  rescue ::EOFError => e
    result_options = result_options.merge({ status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e })
    return Metasploit::Framework::LoginScanner::Result.new(result_options)
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    status = self.class.login_status_for_kerberos_error(e)
    result_options = result_options.merge({ status: status, proof: e })
    return Metasploit::Framework::LoginScanner::Result.new(result_options)
  end
end