Module: Msf::Exploit::Remote::Kerberos::Ticket::Storage::ReadMixin

Included in:
ReadOnly, ReadWrite
Defined in:
lib/msf/core/exploit/remote/kerberos/ticket/storage/read_mixin.rb

Overview

A mixin providing the ability to read previously stored tickets.

Instance Method Details

#load_credential(options = {}) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential?

Load a stored credential object that is suitable for authentication.

Parameters:

  • options (Hash) (defaults to: {})

    See the options description in #tickets.

Returns:



# File 'lib/msf/core/exploit/remote/kerberos/ticket/storage/read_mixin.rb', line 5

def load_credential(options = {})
  return nil unless active_db?

  now = Time.now.utc
  available_tickets = tickets(options).select do |ticket|
    !ticket.expired?(now)
  end
  return unless available_tickets.any?

  if options[:offered_etypes].present?
    # Prefer etypes mentioned first
    options[:offered_etypes].each do |etype|
      available_tickets.each do |t|
        if t.enctype == etype
          return t.ccache.credentials.first
        end
      end
    end
  else
    return available_tickets.first.ccache.credentials.first
  end

  nil
end

#tickets(options = {}, &block) ⇒ Array<StoredTicket>

Get stored tickets matching the options query.

Parameters:

  • options (Hash) (defaults to: {})

    The options for matching tickets. The :realm, :server, :client and :status options are all processed as a group: if any one or more of them are specified, they are all used for filtering. For example, it is not possible to specify only the client and fetch all tickets for that client where the server differs.

Options Hash (options):

  • :id (Integer, Array<Integer>)

    The identifier of the ticket (optional)

  • :host (String)

    The host for the ticket (optional)

  • :realm (String)

    The realm of the ticket (optional)

  • :server (String)

    The service name of the ticket (optional)

  • :client (String)

    The client username of the ticket (optional)

  • :status (Symbol)

    The ticket status, defaults to valid (optional)

Returns:



# File 'lib/msf/core/exploit/remote/kerberos/ticket/storage/read_mixin.rb', line 31

def tickets(options = {}, &block)
  mapped = objects(options).map do |stored_loot|
    stored_ticket = StoredTicket.new(stored_loot)
  end

  mapped.select do |stored_ticket|
    # If we were provided a set of etypes to look for, restrict to that
    if options[:offered_etypes].nil? || options[:offered_etypes].include?(stored_ticket.enctype)
      block.call(stored_ticket) if block_given?
      true
    else
      false
    end
  end
end
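
The following is an added example, not code from the Metasploit project: a stand-alone model of how the etype filter in #tickets and the selection in #load_credential interact. All names (`ModelTicket`, `model_tickets`, `model_load_credential`, `label_for`) and the sample store are hypothetical; the model returns the chosen ticket instead of `ccache.credentials.first`, skips the `active_db?` check, and assumes a ticket counts as expired once its end time is reached.

```ruby
# Stand-alone model of the selection rule; none of these names are Metasploit's.
# Kerberos etype numbers: 17 = AES128, 18 = AES256, 23 = RC4-HMAC.
ModelTicket = Struct.new(:label, :enctype, :endtime) do
  # Assumption: expired once the end time has been reached.
  def expired?(now)
    endtime <= now
  end
end

# Mirrors the etype filter in #tickets: nil means "no restriction",
# any array (even an empty one) restricts to its members.
def model_tickets(store, offered_etypes)
  store.select { |t| offered_etypes.nil? || offered_etypes.include?(t.enctype) }
end

# Mirrors #load_credential: drop expired tickets, then walk the offered
# etypes in caller order; without offered etypes take the first ticket.
def model_load_credential(store, offered_etypes: nil, now: Time.now.utc)
  available = model_tickets(store, offered_etypes).reject { |t| t.expired?(now) }
  return nil if available.empty?
  return available.first if offered_etypes.nil? || offered_etypes.empty?

  offered_etypes.each do |etype|
    match = available.find { |t| t.enctype == etype }
    return match if match
  end
  nil
end

# Constructed sample data (not real tickets).
NOW = Time.utc(2024, 1, 1, 12, 0, 0)
STORE = [
  ModelTicket.new('rc4-valid', 23, NOW + 3600),
  ModelTicket.new('aes256-expired', 18, NOW - 60),
  ModelTicket.new('aes128-valid', 17, NOW + 3600),
  ModelTicket.new('aes256-valid', 18, NOW + 7200)
].freeze

def label_for(offered)
  model_load_credential(STORE, offered_etypes: offered, now: NOW)&.label
end

if __FILE__ == $PROGRAM_NAME
  p label_for(nil)          # storage order decides
  p label_for([18, 17, 23]) # caller's etype order decides
  p label_for([23, 18])
  p label_for([16])         # nothing stored for this etype
  p label_for([])           # empty list filters every ticket out
end
```

Note the last case: an empty `:offered_etypes` array is not the same as omitting the option, because the filter in #tickets only treats `nil` as "no restriction".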