Module: Msf::Exploit::Remote::Kerberos::Client::TgsRequest

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb

Instance Method Summary collapse

Instance Method Details

#build_ap_req(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Builds a KRB_AP_REQ message

Parameters:

Options Hash (opts):

Returns:

Raises:

See Also:



160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 160

def build_ap_req(opts = {})
  pvno = opts.fetch(:pvno) { Rex::Proto::Kerberos::Model::VERSION }
  msg_type = opts.fetch(:msg_type) { Rex::Proto::Kerberos::Model::AP_REQ }
  options = opts.fetch(:ap_req_options) { 0 }
  ticket = opts[:ticket]
  authenticator = opts.fetch(:authenticator) do
    build_authenticator(opts.merge(
      authenticator_enc_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::AP_REQ_AUTHENTICATOR
    ))
  end
  session_key = opts.fetch(:session_key) { build_subkey(opts) }

  if ticket.nil?
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'Building a AP-REQ without ticket not supported'
  end

  enc_authenticator = Rex::Proto::Kerberos::Model::EncryptedData.new(
    etype: session_key.type,
    cipher: authenticator.encrypt(session_key.type, session_key.value)
  )

  ap_req = Rex::Proto::Kerberos::Model::ApReq.new(
    pvno: pvno,
    msg_type: msg_type,
    options: options,
    ticket: ticket,
    authenticator: enc_authenticator
  )

  ap_req
end

#build_authenticator(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Authenticator

Builds a kerberos authenticator for a TGS request

Parameters:

Options Hash (opts):

Returns:

See Also:



206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 206

def build_authenticator(opts = {})
  cname = opts.fetch(:cname) { build_client_name(opts) }
  realm = opts.fetch(:realm) { '' }
  ctime = opts.fetch(:ctime) { kerberos_time }
  cusec = opts.fetch(:cusec) { ctime&.usec || 0 }
  sequence_number = opts.fetch(:sequence_number) { rand(1 << 32) }
  checksum = opts.fetch(:checksum) { build_tgs_body_checksum(opts) }
  subkey = opts.fetch(:subkey) { build_subkey(opts) }
  authenticator_enc_key_usage = opts.fetch(:authenticator_enc_key_usage) do
    Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
  end

  authenticator = Rex::Proto::Kerberos::Model::Authenticator.new(
    vno: 5,
    crealm: realm,
    cname: cname,
    checksum: checksum,
    cusec: cusec,
    ctime: ctime,
    subkey: subkey,
    enc_key_usage: authenticator_enc_key_usage,
    sequence_number: sequence_number
  )

  authenticator
end

#build_enc_auth_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptedData

Builds the encrypted TGS authorization data

Parameters:

Options Hash (opts):

Returns:

Raises:

See Also:



127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 127

def build_enc_auth_data(opts = {})
  auth_data = opts[:auth_data]

  if auth_data.nil?
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'auth_data option required on #build_enc_auth_data'
  end

  subkey = opts[:subkey] || build_subkey(opts)

  encrypted = auth_data.encrypt(subkey.type, subkey.value)

  e_data = Rex::Proto::Kerberos::Model::EncryptedData.new(
    etype: subkey.type,
    cipher: encrypted
  )

  e_data
end

#build_pa_for_user(opts = {}) ⇒ Rex::Proto::Kerberos::Model::PreAuthDataEntry

Builds a Kerberos PA-FOR-USER pa-data

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :username (String)

    The name of the user on whose behalf the service requests the service ticket

  • :realm (String)

    The realm in which the user account is located

  • :session_key (Rex::Proto::Kerberos::Model::EncryptionKey)

    The session key of the TGT

Returns:

See Also:



330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 330

def build_pa_for_user(opts = {})
  auth_package = 'Kerberos'.b

  checksum_data = [Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL].pack('I<')
  checksum_data << opts[:username].b
  checksum_data << opts[:realm].b
  checksum_data << auth_package

  checksummer = Rex::Proto::Kerberos::Crypto::Checksum.from_checksum_type(
    Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5
  )
  checksum = Rex::Proto::Kerberos::Model::Checksum.new
  checksum.type = Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5
  checksum.checksum = checksummer.checksum(
    opts[:session_key].value,
    Rex::Proto::Kerberos::Crypto::KeyUsage::KERB_NON_KERB_CKSUM_SALT,
    checksum_data
  )

  pa_for_user = Rex::Proto::Kerberos::Model::PreAuthForUser.new
  pa_for_user.user_name = Rex::Proto::Kerberos::Model::PrincipalName.new(
    name_type: Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL,
    name_string: [ opts[:username] ]
  )
  pa_for_user.user_realm = opts[:realm]
  pa_for_user.cksum = checksum
  pa_for_user.auth_package = auth_package

  Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
    type: Rex::Proto::Kerberos::Model::PreAuthType::PA_FOR_USER,
    value: pa_for_user.encode
  )
end

#build_subkey(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Builds an encryption key to protect the data sent in the TGS request.

Parameters:

  • opts (Hash{Symbol => <Integer, String>}) (defaults to: {})

Options Hash (opts):

  • :subkey_type (Integer)
  • :subkey_value (String)

Returns:

See Also:



240
241
242
243
244
245
246
247
248
249
250
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 240

def build_subkey(opts={})
  subkey_type = opts.fetch(:subkey_type) { Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType }
  subkey_value = opts.fetch(:subkey_value) { Rex::Proto::Kerberos::Crypto::Encryption::from_etype(subkey_type).string_to_key(Rex::Text.rand_text_alphanumeric(16), '') }

  subkey = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: subkey_type,
    value: subkey_value
  )

  subkey
end

#build_tgs_body_checksum(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Checksum

Builds a Kerberos TGS Request body checksum

Parameters:

Options Hash (opts):

Returns:

See Also:



306
307
308
309
310
311
312
313
314
315
316
317
318
319
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 306

def build_tgs_body_checksum(opts = {})
  body = opts.fetch(:body) { build_tgs_request_body(opts) }
  checksum_type = Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
  key = nil
  cksum_key_usage = opts.fetch(:cksum_key_usage)

  checksum_body = body.checksum(checksum_type, key, cksum_key_usage)
  checksum = Rex::Proto::Kerberos::Model::Checksum.new(
    type: checksum_type,
    checksum: checksum_body
  )

  checksum
end

#build_tgs_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest

Builds the encrypted Kerberos TGS request

Parameters:

Options Hash (opts):

Returns:

Raises:

  • (RuntimeError)

    if ticket isn't available

See Also:



29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 29

def build_tgs_request(opts = {})
  subkey = opts.fetch(:subkey) { build_subkey(opts) }

  if opts[:enc_auth_data]
    enc_auth_data = opts[:enc_auth_data]
  elsif opts[:auth_data]
    enc_auth_data = build_enc_auth_data(
      auth_data: opts[:auth_data],
      subkey: subkey
    )
  else
    enc_auth_data = nil
  end

  body = opts.fetch(:body) do
    build_tgs_request_body(opts.merge(
      enc_auth_data: enc_auth_data
    ))
  end

  checksum = opts.fetch(:checksum) do

    build_tgs_body_checksum(body: body,
                            session_key: opts[:session_key],
                            cksum_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR_CHKSUM)
  end

  authenticator = opts.fetch(:authenticator) do
    build_authenticator(opts.merge(
      subkey: subkey,
      checksum: checksum,
      body: body,
      authenticator_enc_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
    ))
  end

  ap_req = opts.fetch(:ap_req) { build_ap_req(opts.merge(authenticator: authenticator)) }

  pa_ap_req = Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
    type: Rex::Proto::Kerberos::Model::PreAuthType::PA_TGS_REQ,
    value: ap_req.encode
  )

  pa_data = []
  pa_data.push(pa_ap_req)
  if opts.key?(:impersonate_type) && opts.fetch(:impersonate_type) == 'dmsa'
    x509_user = Rex::Proto::Kerberos::Model::PreAuthS4uX509User.new(opts[:session_key], opts[:impersonate], opts[:impersonate_type], realm, opts[:nonce])

    pa_data_x509_user = Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
      type: Rex::Proto::Kerberos::Model::PreAuthType::PA_S4U_X509_USER,
      value: x509_user.encode
    )

    pa_data << pa_data_x509_user

    pa_pac_options_flags = Rex::Proto::Kerberos::Model::PreAuthPacOptionsFlags.from_flags(
      [
        Rex::Proto::Kerberos::Model::PreAuthPacOptionsFlags::BRANCH_AWARE
      ]
    )

    pa_pac_options = Rex::Proto::Kerberos::Model::PreAuthPacOptions.new(
      flags: pa_pac_options_flags
    )

    pa_pac = Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
      type: Rex::Proto::Kerberos::Model::PreAuthType::PA_PAC_OPTIONS,
      value: pa_pac_options.encode
    )

    pa_data << pa_pac
  end


  if opts[:pa_data]
    opts[:pa_data].each { |pa| pa_data.push(pa) }
  end

  request = Rex::Proto::Kerberos::Model::KdcRequest.new(
    pvno: 5,
    msg_type: Rex::Proto::Kerberos::Model::TGS_REQ,
    pa_data: pa_data,
    req_body: body
  )

  request
end

#build_tgs_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody

Builds a kerberos TGS request body

Parameters:

Options Hash (opts):

Returns:

See Also:



269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
 
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 269

def build_tgs_request_body(opts = {})
  options = opts.fetch(:options) { 0x50800000 } # Forwardable, Proxiable, Renewable
  from = opts.fetch(:from) { Time.at(0).utc }
  till = opts.fetch(:till) { Time.at(0).utc }
  rtime = opts.fetch(:rtime) { Time.at(0).utc }
  nonce = opts.fetch(:nonce) { Rex::Text.rand_text_numeric(6).to_i }
  etype = opts.fetch(:etype) { [Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType] }
  cname = opts.fetch(:cname) { build_client_name(opts) }
  realm = opts.fetch(:realm) { '' }
  sname = opts.fetch(:sname) { build_server_name(opts) }
  enc_auth_data = opts[:enc_auth_data] || nil
  additional_tickets = opts[:additional_tickets] || nil

  body = Rex::Proto::Kerberos::Model::KdcRequestBody.new(
    options: options,
    cname: cname,
    realm: realm,
    sname: sname,
    from: from,
    till: till,
    rtime: rtime,
    nonce: nonce,
    etype: etype,
    enc_auth_data: enc_auth_data,
    additional_tickets: additional_tickets
  )

  body
end