Module: Msf::Exploit::Remote::Kerberos::Client::TgsRequest

Included in:

Msf::Exploit::Remote::Kerberos::Client

Defined in:

lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb

Instance Method Summary

• #build_ap_req(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

  Builds a KRB_AP_REQ message.

• #build_authenticator(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Authenticator

  Builds a kerberos authenticator for a TGS request.

• #build_enc_auth_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptedData

  Builds the encrypted TGS authorization data.

• #build_subkey(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

  Builds an encryption key to protect the data sent in the TGS request.

• #build_tgs_body_checksum(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Checksum

  Builds a Kerberos TGS Request body checksum.

• #build_tgs_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest

  Builds the encrypted Kerberos TGS request.

• #build_tgs_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody

  Builds a kerberos TGS request body.

Instance Method Details

#build_ap_req(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Builds a KRB_AP_REQ message

Parameters:

• opts (Hash{Symbol => <Integer, Rex::Proto::Kerberos::Model::Ticket, Rex::Proto::Kerberos::Model::EncryptedData, Rex::Proto::Kerberos::Model::EncryptionKey>}) (defaults to: {})

Options Hash (opts):

• :pvno (Integer)
• :msg_type (Integer)
• :ap_req_options (Integer)
• :ticket (Rex::Proto::Kerberos::Model::Ticket)
• :authenticator (Rex::Proto::Kerberos::Model::EncryptedData)
• :session_key (Rex::Proto::Kerberos::Model::EncryptionKey)

Returns:

• (Rex::Proto::Kerberos::Model::EncryptionKey)

Raises:

• (Rex::Proto::Kerberos::Model::Error::KerberosError) —

  if ticket option isn't provided

See Also:

• Rex::Proto::Kerberos::Model::Ticket
• Rex::Proto::Kerberos::Model::EncryptedData
• Rex::Proto::Kerberos::Model::EncryptionKey

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 127

def build_ap_req(opts = {})
  pvno = opts[:pvno] || Rex::Proto::Kerberos::Model::VERSION
  msg_type = opts[:msg_type] || Rex::Proto::Kerberos::Model::AP_REQ
  options = opts[:ap_req_options] || 0
  ticket = opts[:ticket]
  authenticator = opts[:authenticator] || build_authenticator(opts)
  session_key = opts[:session_key] || build_subkey(opts)

  if ticket.nil?
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'Building a AP-REQ without ticket not supported'
  end

  enc_authenticator = Rex::Proto::Kerberos::Model::EncryptedData.new(
    etype: session_key.type,
    cipher: authenticator.encrypt(session_key.type, session_key.value)
  )

  ap_req = Rex::Proto::Kerberos::Model::ApReq.new(
    pvno: pvno,
    msg_type: msg_type,
    options: options,
    ticket: ticket,
    authenticator: enc_authenticator
  )

  ap_req
end

#build_authenticator(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Authenticator

Builds a kerberos authenticator for a TGS request

Parameters:

• opts (Hash{Symbol => <Rex::Proto::Kerberos::Model::PrincipalName, String, Time, Rex::Proto::Kerberos::Model::EncryptionKey>}) (defaults to: {})

Options Hash (opts):

• :cname (Rex::Proto::Kerberos::Model::PrincipalName)
• :realm (String)
• :ctime (Time)
• :cusec (Integer)
• :checksum (Rex::Proto::Kerberos::Model::Checksum)
• :subkey (Rex::Proto::Kerberos::Model::EncryptionKey)

Returns:

• (Rex::Proto::Kerberos::Model::Authenticator)

See Also:

• Rex::Proto::Kerberos::Model::PrincipalName
• Rex::Proto::Kerberos::Model::Checksum
• Rex::Proto::Kerberos::Model::EncryptionKey
• Rex::Proto::Kerberos::Model::Authenticator

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 169

def build_authenticator(opts = {})
  cname = opts[:cname] || build_client_name(opts)
  realm = opts[:realm] || ''
  ctime = opts[:ctime] || Time.now
  cusec = opts[:cusec] || ctime.usec
  checksum = opts[:checksum] || build_tgs_body_checksum(opts)
  subkey = opts[:subkey] || build_subkey(opts)

  authenticator = Rex::Proto::Kerberos::Model::Authenticator.new(
    vno: 5,
    crealm: realm,
    cname: cname,
    checksum: checksum,
    cusec: cusec,
    ctime: ctime,
    subkey: subkey
  )

  authenticator
end

#build_enc_auth_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptedData

Builds the encrypted TGS authorization data

Parameters:

• opts (Hash{Symbol => <Rex::Proto::Kerberos::Model::AuthorizationData, Rex::Proto::Kerberos::Model::EncryptionKey>}) (defaults to: {})

Options Hash (opts):

• :auth_data (Rex::Proto::Kerberos::Model::AuthorizationData)
• :subkey (Rex::Proto::Kerberos::Model::EncryptionKey)

Returns:

• (Rex::Proto::Kerberos::Model::EncryptedData)

Raises:

• (Rex::Proto::Kerberos::Model::Error::KerberosError) —

  if auth_data option isn't provided

See Also:

• Rex::Proto::Kerberos::Model::AuthorizationData
• Rex::Proto::Kerberos::Model::EncryptionKey
• Rex::Proto::Kerberos::Model::EncryptedData

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 94

def build_enc_auth_data(opts = {})
  auth_data = opts[:auth_data]

  if auth_data.nil?
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'auth_data option required on #build_enc_auth_data'
  end

  subkey = opts[:subkey] || build_subkey(opts)

  encrypted = auth_data.encrypt(subkey.type, subkey.value)

  e_data = Rex::Proto::Kerberos::Model::EncryptedData.new(
    etype: subkey.type,
    cipher: encrypted
  )

  e_data
end

#build_subkey(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Builds an encryption key to protect the data sent in the TGS request.

Parameters:

• opts (Hash{Symbol => <Integer, String>}) (defaults to: {})

Options Hash (opts):

• :subkey_type (Integer)
• :subkey_value (String)

Returns:

• (Rex::Proto::Kerberos::Model::EncryptionKey)

See Also:

• Rex::Proto::Kerberos::Model::EncryptionKey

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 197

def build_subkey(opts={})
  subkey_type = opts[:subkey_type] || Rex::Proto::Kerberos::Crypto::RC4_HMAC
  subkey_value = opts[:subkey_value] || Rex::Text.rand_text(16)

  subkey = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: subkey_type,
    value: subkey_value
  )

  subkey
end

#build_tgs_body_checksum(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Checksum

Builds a Kerberos TGS Request body checksum

Parameters:

• opts (Hash{Symbol => <Rex::Proto::Kerberos::Model::KdcRequestBody, Integer>}) (defaults to: {})

Options Hash (opts):

• :body (Rex::Proto::Kerberos::Model::KdcRequestBody)

Returns:

• (Rex::Proto::Kerberos::Model::Checksum)

See Also:

• #build_tgs_request_body
• Rex::Proto::Kerberos::Model::Checksum

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 261

def build_tgs_body_checksum(opts = {})
  body = opts[:body] || build_tgs_request_body(opts)
  checksum_body = body.checksum(Rex::Proto::Kerberos::Crypto::RSA_MD5)
  checksum = Rex::Proto::Kerberos::Model::Checksum.new(
    type: 7,
    checksum: checksum_body
  )

  checksum
end

#build_tgs_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest

Builds the encrypted Kerberos TGS request

Parameters:

• opts (Hash{Symbol => <Rex::Proto::Kerberos::Model::Element>}) (defaults to: {})

Options Hash (opts):

• :auth_data (Rex::Proto::Kerberos::Model::AuthorizationData)
• :enc_auth_data (Rex::Proto::Kerberos::Model::EncryptedData)
• :subkey (Rex::Proto::Kerberos::Model::EncryptionKey)
• :checksum (Rex::Proto::Kerberos::Model::Checksum)
• :auhtenticator (Rex::Proto::Kerberos::Model::Authenticator)
• :pa_data (Array<Rex::Proto::Kerberos::Model::PreAuthData>)

Returns:

• (Rex::Proto::Kerberos::Model::KdcRequest)

Raises:

• (RuntimeError) —

  if ticket isn't available

See Also:

• Rex::Proto::Kerberos::Model::AuthorizationData
• Rex::Proto::Kerberos::Model::EncryptedData
• Rex::Proto::Kerberos::Model::EncryptionKey
• Rex::Proto::Kerberos::Model::Checksum
• Rex::Proto::Kerberos::Model::Authenticator
• Rex::Proto::Kerberos::Model::PreAuthData
• Rex::Proto::Kerberos::Model::KdcRequest

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 28

def build_tgs_request(opts = {})
  subkey = opts[:subkey] || build_subkey(opts)

  if opts[:enc_auth_data]
    enc_auth_data = opts[:enc_auth_data]
  elsif opts[:auth_data]
    enc_auth_data = build_enc_auth_data(
      auth_data: opts[:auth_data],
      subkey: subkey
    )
  else
    enc_auth_data = nil
  end

  body = build_tgs_request_body(opts.merge(
    enc_auth_data: enc_auth_data
  ))

  checksum = opts[:checksum] || build_tgs_body_checksum(:body => body)

  if opts[:auhtenticator]
    authenticator = opts[:authenticator]
  else
    authenticator = build_authenticator(opts.merge(
      subkey: subkey,
      checksum: checksum
    ))
  end

  if opts[:ap_req]
    ap_req = opts[:ap_req]
  else
    ap_req = build_ap_req(opts.merge(:authenticator => authenticator))
  end

  pa_ap_req = Rex::Proto::Kerberos::Model::PreAuthData.new(
    type: Rex::Proto::Kerberos::Model::PA_TGS_REQ,
    value: ap_req.encode
  )

  pa_data = []
  pa_data.push(pa_ap_req)
  if opts[:pa_data]
    opts[:pa_data].each { |pa| pa_data.push(pa) }
  end

  request = Rex::Proto::Kerberos::Model::KdcRequest.new(
    pvno: 5,
    msg_type: Rex::Proto::Kerberos::Model::TGS_REQ,
    pa_data: pa_data,
    req_body: body
  )

  request
end

#build_tgs_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody

Builds a kerberos TGS request body

Parameters:

• opts (Hash{Symbol => <Integer, Time, String, Rex::Proto::Kerberos::Model::PrincipalName, Rex::Proto::Kerberos::Model::EncryptedData>}) (defaults to: {})

Options Hash (opts):

• :options (Integer)
• :from (Time)
• :till (Time)
• :rtime (Time)
• :nonce (Integer)
• :etype (Integer)
• :cname (Rex::Proto::Kerberos::Model::PrincipalName)
• :realm (String)
• :sname (Rex::Proto::Kerberos::Model::PrincipalName)
• :enc_auth_data (Rex::Proto::Kerberos::Model::EncryptedData)

Returns:

• (Rex::Proto::Kerberos::Model::KdcRequestBody)

See Also:

• Rex::Proto::Kerberos::Model::PrincipalName
• Rex::Proto::Kerberos::Model::KdcRequestBody

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 226

def build_tgs_request_body(opts = {})
  options = opts[:options] || 0x50800000 # Forwardable, Proxiable, Renewable
  from = opts[:from] || Time.at(0)
  till = opts[:till] || Time.at(0)
  rtime = opts[:rtime] || Time.at(0)
  nonce = opts[:nonce] || Rex::Text.rand_text_numeric(6).to_i
  etype = opts[:etype] || [Rex::Proto::Kerberos::Crypto::RC4_HMAC]
  cname = opts[:cname] || build_client_name(opts)
  realm = opts[:realm] || ''
  sname = opts[:sname] || build_server_name(opts)
  enc_auth_data = opts[:enc_auth_data] || nil

  body = Rex::Proto::Kerberos::Model::KdcRequestBody.new(
    options: options,
    cname: cname,
    realm: realm,
    sname: sname,
    from: from,
    till: till,
    rtime: rtime,
    nonce: nonce,
    etype: etype,
    enc_auth_data: enc_auth_data
  )

  body
end