Module: Msf::Exploit::Remote::Kerberos::Client::TgsResponse
- Included in:
- Msf::Exploit::Remote::Kerberos::Client
- Defined in:
- lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb
Overview
Methods for processing TGS responses.
Instance Method Summary
- #decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:) ⇒ Rex::Proto::Kerberos::Model::EncKdcResponse
  Decrypts the enc_part of a Kerberos TGS response with the given key and key usage number and decodes the plaintext as an EncKdcResponse.
- #extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5Ccache
  Extracts the Kerberos credentials, building an MIT credential cache (ccache), from a Kerberos TGS response.
- #format_tgs_rep_to_john_hash(tgsrep, user) ⇒ String
  Formats the service ticket from a TGS response as a $krb5tgs$ hash line for John the Ripper and hashcat.
Instance Method Details
#decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:) ⇒ Rex::Proto::Kerberos::Model::EncKdcResponse
Decrypts the enc_part of a Kerberos TGS response (TGS-REP) with the given key and decodes the plaintext as an EncKdcResponse, the EncTGSRepPart that carries the ticket's session key, flags, times and service name.

msg_type is the RFC 4120 key usage number and must match the key: the KDC encrypts the TGS-REP under the authenticator subkey with key usage 9 (TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY) when the request's authenticator carried a subkey, and under the TGT session key with key usage 8 otherwise. Kerberos decryption verifies an integrity checksum, so a wrong key or key usage raises instead of returning garbage.

  # File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 21
  def decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:)
    # Decrypt under the key and key usage, then DER-decode the EncTGSRepPart
    decrypt_res = res.enc_part.decrypt_asn1(key, msg_type)
    Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
  end
#extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5Ccache
Extracts the Kerberos credentials, building an MIT credential cache (Krb5Ccache), from a Kerberos TGS response: the response's enc_part is decrypted with key under the msg_type key usage, and the response and its decrypted part are combined into a ccache holding the service ticket and its session key, which can be written out and reused in pass-the-ticket style. The default msg_type assumes the request's authenticator carried a subkey (key usage 9); when it did not, pass the TGT session key together with key usage 8 (the KeyUsage constant for the session-key case).

  # File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 36
  def extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY)
    # Decrypt the response's enc_part and fold it, with the ticket, into a ccache
    enc_res = decrypt_kdc_tgs_rep_enc_part(res, key, msg_type: msg_type)
    Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(res, enc_res)
  end
#format_tgs_rep_to_john_hash(tgsrep, user) ⇒ String
Formats the service ticket from a TGS response as a $krb5tgs$ line for John the Ripper and hashcat (Kerberoasting). The object passed as tgsrep must expose realm, sname and enc_part, i.e. the Ticket carried in the TGS-REP: its enc_part is encrypted under the service account's long-term key, which is what the cracker recovers. The response's own enc_part is encrypted under the session key and is not crackable this way. user is the requesting principal's name and is only carried along in the hash line.

The layout depends on the encryption type. For AES (etype 17 and 18) the 12-byte HMAC-SHA1-96 checksum is the last MAC_SIZE bytes of the ciphertext and the SPN is wrapped in asterisks; for other etypes (in practice RC4-HMAC, etype 23, with a 16-byte checksum) the checksum leads the ciphertext and the whole user$realm$spn part is wrapped. A ':' in the realm is rewritten to '~', since ':' separates fields in John's input files.

Format from
https://github.com/hashcat/hashcat/blob/6fce6fb3ff120ed16b300af97cf2144b36edcbe8/src/modules/module_18200.c#L126-L132

  # File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 47
  def format_tgs_rep_to_john_hash(tgsrep, user)
    realm = tgsrep.realm.sub(':','~')
    etype = Rex::Proto::Kerberos::Crypto::Encryption.from_etype(tgsrep.enc_part.etype)
    mac_size = etype.class::MAC_SIZE
    cipher = tgsrep.enc_part.cipher
    if [Rex::Proto::Kerberos::Crypto::Encryption::AES128, Rex::Proto::Kerberos::Crypto::Encryption::AES256].include?(tgsrep.enc_part.etype)
      user_part = "#{user}$#{realm}$*#{tgsrep.sname.name_string.join('/')}*"
      # Checksum is at the end
      checksum = cipher.last(mac_size)
      cipher_part = cipher.first(cipher.length - mac_size)
    else
      user_part = "*#{user}$#{realm}$#{tgsrep.sname.name_string.join('/')}*"
      # Checksum is at the start
      checksum = cipher[0..mac_size-1]
      cipher_part = cipher[mac_size..]
    end
    "$krb5tgs$#{tgsrep.enc_part.etype}$#{user_part}$#{checksum.unpack1('H*')}$#{cipher_part.unpack1('H*')}"
  end
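The checksum placement that format_tgs_rep_to_john_hash encodes is easy to get wrong when moving hashes between tools, so the following is an added example (not Metasploit's or Rex's code) that rebuilds the $krb5tgs$ line from plain Ruby strings instead of Rex models and adds the reverse step: parsing a line back and checking that the checksum length matches its etype. The etype table (17/18 AES with a 12-byte trailing HMAC, 23 RC4-HMAC with a 16-byte leading HMAC) replaces the MAC_SIZE constants of the Rex encryption classes, the parse and reassemble helpers are this example's own, and the 40-byte ciphertext is constructed, not a real ticket.

```ruby
# Kerberos encryption types (RFC 3961 / RFC 4757) and where the integrity
# checksum sits in a ticket's enc_part ciphertext for each (example table,
# standing in for Rex::Proto::Kerberos::Crypto::Encryption's MAC_SIZE).
ETYPES = {
  17 => { name: 'aes128-cts-hmac-sha1-96', mac_size: 12, mac_at_end: true },
  18 => { name: 'aes256-cts-hmac-sha1-96', mac_size: 12, mac_at_end: true },
  23 => { name: 'rc4-hmac',                mac_size: 16, mac_at_end: false }
}.freeze

# Build a $krb5tgs$ line from the fields of a service ticket. sname_parts is
# the service principal's name-string array, e.g. ['MSSQLSvc', 'sql01.corp.local:1433'].
def format_krb5tgs(etype:, realm:, user:, sname_parts:, cipher:)
  info = ETYPES.fetch(etype) { raise ArgumentError, "unsupported etype #{etype}" }
  mac_size = info[:mac_size]
  raise ArgumentError, 'ciphertext is not longer than its checksum' if cipher.bytesize <= mac_size

  # ':' separates fields in John's input files, so it is rewritten in the realm.
  realm = realm.sub(':', '~')
  spn = sname_parts.join('/')

  if info[:mac_at_end]
    # AES: 12-byte HMAC-SHA1-96 trails the ciphertext; the SPN is starred.
    user_part   = "#{user}$#{realm}$*#{spn}*"
    checksum    = cipher.byteslice(-mac_size, mac_size)
    cipher_part = cipher.byteslice(0, cipher.bytesize - mac_size)
  else
    # RC4-HMAC: 16-byte HMAC-MD5 leads the ciphertext; the whole user part is starred.
    user_part   = "*#{user}$#{realm}$#{spn}*"
    checksum    = cipher.byteslice(0, mac_size)
    cipher_part = cipher.byteslice(mac_size, cipher.bytesize - mac_size)
  end

  "$krb5tgs$#{etype}$#{user_part}$#{checksum.unpack1('H*')}$#{cipher_part.unpack1('H*')}"
end

# Matches both layouts: the optional '*' lands before the user (RC4) or
# around the SPN (AES); '$' and '*' cannot appear inside the text fields.
KRB5TGS_RE = /\A\$krb5tgs\$(?<etype>\d+)\$\*?(?<user>[^$*]+)\$(?<realm>[^$*]+)\$\*?(?<spn>[^$*]+)\*?\$(?<checksum>\h+)\$(?<cipher>\h+)\z/

# Parse a $krb5tgs$ line back into its fields and check that the checksum
# length matches the etype, so a line can be sanity-checked before cracking.
def parse_krb5tgs(line)
  m = KRB5TGS_RE.match(line)
  raise ArgumentError, 'not a $krb5tgs$ line' unless m

  etype = Integer(m[:etype])
  info = ETYPES.fetch(etype) { raise ArgumentError, "unsupported etype #{etype}" }
  checksum = [m[:checksum]].pack('H*')
  if checksum.bytesize != info[:mac_size]
    raise ArgumentError, "checksum is #{checksum.bytesize} bytes, expected #{info[:mac_size]} for #{info[:name]}"
  end

  {
    etype: etype, user: m[:user], realm: m[:realm], spn: m[:spn],
    checksum: checksum, cipher: [m[:cipher]].pack('H*')
  }
end

# Reassemble the raw enc_part ciphertext from a parsed line, undoing the split.
def reassemble_cipher(fields)
  info = ETYPES.fetch(fields[:etype])
  info[:mac_at_end] ? fields[:cipher] + fields[:checksum] : fields[:checksum] + fields[:cipher]
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for a ticket's enc_part.cipher (40 counting bytes, not a real ticket).
  sample = (0...40).to_a.pack('C*')
  [23, 18].each do |etype|
    line = format_krb5tgs(etype: etype, realm: 'CORP.LOCAL', user: 'svc_sql',
                          sname_parts: ['MSSQLSvc', 'sql01.corp.local:1433'], cipher: sample)
    puts line
    puts "  round-trips: #{reassemble_cipher(parse_krb5tgs(line)) == sample}"
  end
end
```

Run it directly to see one RC4 and one AES256 line built from the same 40 constructed bytes; the two lines differ only in where the checksum hex came from and which part is starred. parse_krb5tgs rejects a line whose checksum is the wrong length for its etype, which is the usual symptom of a hash that was split with the wrong layout.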