Module: Msf::Exploit::Remote::Kerberos::Client::TgsResponse

Included in:

Msf::Exploit::Remote::Kerberos::Client

Defined in:

lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb

Overview

Methods for processing TGS responses.

Instance Method Summary

• #decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:) ⇒ Rex::Proto::Kerberos::Model::EncKdcResponse

  Extracts the Kerberos credentials, building a MIT Cache Credential, from a Kerberos TGS response.

• #extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5Ccache

  Extracts the Kerberos credentials, building a MIT Cache Credential, from a Kerberos TGS response.

• #format_tgs_rep_to_john_hash(tgsrep, user) ⇒ String

  Format from github.com/hashcat/hashcat/blob/6fce6fb3ff120ed16b300af97cf2144b36edcbe8/src/modules/module_18200.c#L126-L132.

Instance Method Details

#decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:) ⇒ Rex::Proto::Kerberos::Model::EncKdcResponse

Extracts the Kerberos credentials, building a MIT Cache Credential, from a Kerberos TGS response.

Parameters:

• res (Rex::Proto::Kerberos::Model::KdcResponse)
• key (String)
• msg_type (Rex::Proto::Kerberos::Crypto::KeyUsage)

Returns:

• (Rex::Proto::Kerberos::Model::EncKdcResponse)

See Also:

• Rex::Proto::Kerberos::Model::EncKdcResponse
• Rex::Proto::Kerberos::Model::EncKdcResponse.decode
• Rex::Proto::Kerberos::CredentialCache::Krb5Ccache

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 21

def decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:)
  decrypt_res = res.enc_part.decrypt_asn1(key, msg_type)
  Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
end

#extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5Ccache

Extracts the Kerberos credentials, building a MIT Cache Credential, from a Kerberos TGS response.

Parameters:

• res (Rex::Proto::Kerberos::Model::KdcResponse)
• key (String)

Returns:

• (Rex::Proto::Kerberos::CredentialCache::Krb5Ccache)

See Also:

• Rex::Proto::Kerberos::Model::EncKdcResponse
• Rex::Proto::Kerberos::Model::EncKdcResponse.decode
• Kerberos::Client::CacheCredential
• Rex::Proto::Kerberos::CredentialCache::Cache

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 36

def extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY)
  enc_res = decrypt_kdc_tgs_rep_enc_part(res, key, msg_type: msg_type)

  Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(res, enc_res)
end

#format_tgs_rep_to_john_hash(tgsrep, user) ⇒ String

Format from

https://github.com/hashcat/hashcat/blob/6fce6fb3ff120ed16b300af97cf2144b36edcbe8/src/modules/module_18200.c#L126-L132

Parameters:

• tgsrep (Rex::Proto::Kerberos::Model::KdcResponse) —

  The krb5 tgsrep response

• user (String) —

  The username who requested the TGS

Returns:

• (String) —

  A valid string format which can be cracked offline

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 47

def format_tgs_rep_to_john_hash(tgsrep, user)
  realm = tgsrep.realm.sub(':','~')
  etype = Rex::Proto::Kerberos::Crypto::Encryption.from_etype(tgsrep.enc_part.etype)
  mac_size = etype.class::MAC_SIZE
  cipher = tgsrep.enc_part.cipher
  if [Rex::Proto::Kerberos::Crypto::Encryption::AES128, Rex::Proto::Kerberos::Crypto::Encryption::AES256].include?(tgsrep.enc_part.etype)
    user_part = "#{user}$#{realm}$*#{tgsrep.sname.name_string.join('/')}*"
    # Checksum is at the end
    checksum = cipher.last(mac_size)
    cipher_part = cipher.first(cipher.length - mac_size)
  else
    user_part = "*#{user}$#{realm}$#{tgsrep.sname.name_string.join('/')}*"
    # Checksum is at the start
    checksum = cipher[0..mac_size-1]
    cipher_part = cipher[mac_size..]
  end
  "$krb5tgs$#{tgsrep.enc_part.etype}$#{user_part}$#{checksum.unpack1('H*')}$#{cipher_part.unpack1('H*')}"
end