Module: Msf::Exploit::Remote::Kerberos::Client::TgsResponse

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb

Overview

Methods for processing TGS responses.

Instance Method Summary

Instance Method Details

#decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:) ⇒ Rex::Proto::Kerberos::Model::EncKdcResponse

Decrypts the encrypted part of a Kerberos TGS response with the given key and key usage (msg_type), and decodes the plaintext into an EncKdcResponse.

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 21

def decrypt_kdc_tgs_rep_enc_part(res, key, msg_type:)
  decrypt_res = res.enc_part.decrypt_asn1(key, msg_type)
  Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
end

#extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5Ccache

Extracts the Kerberos credentials, building a MIT Cache Credential, from a Kerberos TGS response.

Parameters:

  • res

    The Kerberos TGS response whose enc_part is decrypted

  • key

    The Kerberos key used to decrypt enc_part

  • msg_type

    The key usage number for the decryption; defaults to TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY

Returns:

  • (Rex::Proto::Kerberos::CredentialCache::Krb5Ccache)

    The MIT credential cache built from the response and its decrypted part

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 36

def extract_kerb_creds(res, key, msg_type: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY)
  enc_res = decrypt_kdc_tgs_rep_enc_part(res, key, msg_type: msg_type)

  Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(res, enc_res)
end

#format_tgs_rep_to_john_hash(tgsrep, user) ⇒ String

Hash format follows the hashcat source at:

https://github.com/hashcat/hashcat/blob/6fce6fb3ff120ed16b300af97cf2144b36edcbe8/src/modules/module_18200.c#L126-L132

Parameters:

  • tgsrep

    The Kerberos TGS response (TGS-REP) to format

  • user

    The user name the ticket was requested for, written into the user field of the hash

Returns:

  • (String)

    The TGS-REP serialised as a $krb5tgs$ hash string that John the Ripper or hashcat can process offline

# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb', line 47

def format_tgs_rep_to_john_hash(tgsrep, user)
  # A ':' in the realm would be taken for a field separator by the crackers, so map it to '~'
  realm = tgsrep.realm.sub(':', '~')
  etype = Rex::Proto::Kerberos::Crypto::Encryption.from_etype(tgsrep.enc_part.etype)
  mac_size = etype.class::MAC_SIZE
  cipher = tgsrep.enc_part.cipher
  if [Rex::Proto::Kerberos::Crypto::Encryption::AES128, Rex::Proto::Kerberos::Crypto::Encryption::AES256].include?(tgsrep.enc_part.etype)
    user_part = "#{user}$#{realm}$*#{tgsrep.sname.name_string.join('/')}*"
    # AES etypes: the HMAC checksum is the trailing MAC_SIZE bytes of the ciphertext
    checksum = cipher.last(mac_size)
    cipher_part = cipher.first(cipher.length - mac_size)
  else
    user_part = "*#{user}$#{realm}$#{tgsrep.sname.name_string.join('/')}*"
    # RC4-HMAC: the checksum is the leading MAC_SIZE bytes of the ciphertext
    checksum = cipher[0..mac_size - 1]
    cipher_part = cipher[mac_size..]
  end
  # $krb5tgs$<etype>$<user part>$<checksum hex>$<ciphertext hex>
  "$krb5tgs$#{tgsrep.enc_part.etype}$#{user_part}$#{checksum.unpack1('H*')}$#{cipher_part.unpack1('H*')}"
end
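The $krb5tgs$ layout that format_tgs_rep_to_john_hash produces, as an added example that is not Metasploit's own code: it re-implements the formatter over a plain Struct so it runs without Rex or ActiveSupport (String#byteslice instead of first/last), and adds a parser that reads such a line back so a defender can check which encryption type each service ticket was issued with. The TgsRep struct, the parse_krb5tgs and rc4_ticket? helpers, the etype and MAC-size constants and the SAMPLE_CIPHER bytes are assumptions constructed for this example; the etype numbers and checksum lengths follow RFC 3962 (AES) and RFC 4757 (RC4-HMAC).

```ruby
# Added example, not Metasploit's own code: the $krb5tgs$ layout from
# format_tgs_rep_to_john_hash over a plain Struct (no Rex / ActiveSupport),
# plus a parser that reads the line back to audit the ticket's etype.

# Kerberos encryption type numbers (RFC 3962 for AES, RFC 4757 for RC4-HMAC).
ETYPE_AES128 = 17
ETYPE_AES256 = 18
ETYPE_RC4    = 23

# Bytes of integrity checksum carried inside enc_part.cipher: a 96-bit
# truncated HMAC-SHA1 for the AES etypes, a 128-bit HMAC-MD5 for RC4-HMAC.
MAC_SIZE = { ETYPE_AES128 => 12, ETYPE_AES256 => 12, ETYPE_RC4 => 16 }.freeze

# Stand-in for the TGS-REP fields the formatter touches (assumption: the real
# Rex model nests etype/cipher under enc_part and the SPN parts under sname).
TgsRep = Struct.new(:realm, :spn_parts, :etype, :cipher, keyword_init: true)

def format_krb5tgs(tgsrep, user)
  mac_size = MAC_SIZE.fetch(tgsrep.etype) { |e| raise ArgumentError, "unsupported etype #{e}" }
  # ':' would be taken for a field separator by the crackers, so map it to '~'
  realm = tgsrep.realm.sub(':', '~')
  spn = tgsrep.spn_parts.join('/')
  cipher = tgsrep.cipher.b
  if [ETYPE_AES128, ETYPE_AES256].include?(tgsrep.etype)
    # AES: the checksum is the trailing mac_size bytes; the hash line lists it first
    user_part = "#{user}$#{realm}$*#{spn}*"
    checksum = cipher.byteslice(-mac_size, mac_size)
    cipher_part = cipher.byteslice(0, cipher.bytesize - mac_size)
  else
    # RC4-HMAC: the checksum leads the ciphertext
    user_part = "*#{user}$#{realm}$#{spn}*"
    checksum = cipher.byteslice(0, mac_size)
    cipher_part = cipher.byteslice(mac_size, cipher.bytesize - mac_size)
  end
  "$krb5tgs$#{tgsrep.etype}$#{user_part}$#{checksum.unpack1('H*')}$#{cipher_part.unpack1('H*')}"
end

# Parse a $krb5tgs$ line back into its fields. Returns nil for lines that do
# not follow the layout above (bad prefix, unknown etype, checksum length
# mismatch, non-hex data), so malformed input is rejected rather than misread.
def parse_krb5tgs(line)
  parts = line.split('$')
  return nil unless parts.length == 8 && parts[0].empty? && parts[1] == 'krb5tgs'
  etype = Integer(parts[2], exception: false)
  return nil unless etype && MAC_SIZE.key?(etype)
  checksum_hex = parts[6]
  cipher_hex = parts[7]
  return nil unless checksum_hex.length == MAC_SIZE[etype] * 2
  return nil unless (checksum_hex + cipher_hex).match?(/\A\h+\z/)
  {
    etype: etype,
    user: parts[3].delete('*'),   # leading '*' only present for RC4 lines
    realm: parts[4],              # as written, i.e. with ':' already mapped to '~'
    spn: parts[5].delete('*'),    # '*' wraps the SPN for AES, trails it for RC4
    checksum: checksum_hex,
    cipher: cipher_hex
  }
end

# RC4-HMAC tickets are keyed directly with the service account's NT hash, so a
# service account still being issued etype 23 tickets is the one to fix first
# (enable AES in msDS-SupportedEncryptionTypes and rotate its password).
def rc4_ticket?(line)
  fields = parse_krb5tgs(line)
  !fields.nil? && fields[:etype] == ETYPE_RC4
end

# Constructed sample: 32 bytes 0x00..0x1f standing in for enc_part.cipher.
SAMPLE_CIPHER = (0...32).map(&:chr).join.b

if __FILE__ == $PROGRAM_NAME
  aes = TgsRep.new(realm: 'EXAMPLE.LOCAL', spn_parts: ['MSSQLSvc', 'db01.example.local:1433'],
                   etype: ETYPE_AES256, cipher: SAMPLE_CIPHER)
  rc4 = TgsRep.new(realm: 'EXAMPLE.LOCAL', spn_parts: ['HTTP', 'web01.example.local'],
                   etype: ETYPE_RC4, cipher: SAMPLE_CIPHER)
  [format_krb5tgs(aes, 'svc_sql'), format_krb5tgs(rc4, 'svc_web')].each do |line|
    puts line
    puts "  rc4 ticket: #{rc4_ticket?(line)}  fields: #{parse_krb5tgs(line).inspect}"
  end
end
```

The parser is deliberately strict: it refuses a line whose checksum length does not match the etype's MAC size, which is the quickest way to catch a line assembled with the AES and RC4 checksum positions swapped.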