Class: Metasploit::Framework::LoginScanner::Kerberos

Inherits:
Object
Includes:
Base, Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/metasploit/framework/login_scanner/kerberos.rb

Overview

Kerberos User scanner

Constant Summary collapse

DEFAULT_PORT =
88
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
DEFAULT_REALM =
nil
LIKELY_PORTS =
[ DEFAULT_PORT ].freeze
LIKELY_SERVICE_NAMES =
[ 'kerberos', 'kerberos5', 'krb5', 'kerberos-sec' ].freeze
PRIVATE_TYPES =
%i[ password ].freeze
CAN_GET_SESSION =
true

Constants included from Msf::Exploit::Remote::Kerberos::Client

Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_ACCEPT_COMPLETED, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_ACCEPT_INCOMPLETE, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_REJECT, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_REQUEST_MIC, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_AP_REP, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_AP_REQ, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_ERROR

Constants included from Msf::Exploit::Remote::Kerberos::Client::ApRequest

Msf::Exploit::Remote::Kerberos::Client::ApRequest::AP_MUTUAL_REQUIRED, Msf::Exploit::Remote::Kerberos::Client::ApRequest::AP_USE_SESSION_KEY

Instance Attribute Summary collapse

Attributes included from Msf::Exploit::Remote::Kerberos::Client

#client, #kerberos_client

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Msf::Exploit::Remote::Kerberos::Client

#cleanup, #connect, #disconnect, #framework_module, #initialize, #peer, #proxies, #select_cipher, #send_request_as, #send_request_tgs, #send_request_tgt, #send_request_tgt_pkinit

Methods included from Msf::Exploit::Remote::Kerberos::Client::Pkinit

#build_dh, #build_pa_pk_as_req, #calculate_shared_key, #extract_user_and_realm, #k_truncate, #sign_auth_pack

Methods included from Msf::Exploit::Remote::Kerberos::Client::Pac

#build_empty_auth_data, #build_pa_pac_request, #build_pac, #build_pac_authorization_data

Methods included from Msf::Exploit::Remote::Kerberos::Client::TgsResponse

#decrypt_kdc_tgs_rep_enc_part, #extract_kerb_creds

Methods included from Msf::Exploit::Remote::Kerberos::Client::TgsRequest

#build_ap_req, #build_authenticator, #build_enc_auth_data, #build_pa_for_user, #build_subkey, #build_tgs_body_checksum, #build_tgs_request, #build_tgs_request_body

Methods included from Msf::Exploit::Remote::Kerberos::Client::AsResponse

#decrypt_kdc_as_rep_enc_part, #extract_logon_time, #extract_session_key, #format_as_rep_to_john_hash

Methods included from Msf::Exploit::Remote::Kerberos::Client::AsRequest

#build_as_pa_time_stamp, #build_as_request, #build_as_request_body

Methods included from Msf::Exploit::Remote::Kerberos::Client::ApRequest

#build_service_ap_request, #encode_gss_kerberos_ap_request, #encode_gss_spnego_ap_request

Methods included from Msf::Exploit::Remote::Kerberos::Client::Base

#build_client_name, #build_server_name

Instance Attribute Details

#server_nameObject

Returns the value of attribute server_name.


# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 68

# The Kerberos server (service principal) name that is passed as
# +server_name:+ to every TGT request made by this scanner.
#
# @return [Object] the current value of the +server_name+ attribute
def server_name
  @server_name
end

Class Method Details

.login_status_for_kerberos_error(krb_err) ⇒ Object

Parameters:


# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 76

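# Translates a KRB-ERROR returned by the KDC into a login status.
#
# A KRB-ERROR is informative rather than a plain failure: the error code tells
# us whether the principal exists, whether the password was accepted but the
# account/password is in a bad state, or whether the password was simply wrong.
#
# @param krb_err [Rex::Proto::Kerberos::Model::Error::KerberosError] the error
#   raised for the AS-REQ; +error_code+ and +res+ are read from it
# @return [String] one of the +Metasploit::Model::Login::Status+ constants
def self.login_status_for_kerberos_error(krb_err)
  error_codes = Rex::Proto::Kerberos::Model::Error::ErrorCodes

  case krb_err.error_code
  when error_codes::KDC_ERR_KEY_EXPIRED, error_codes::KRB_AP_ERR_SKEW
    # The password was accepted, but it must be reset or the clock is skewed.
    Metasploit::Model::Login::Status::SUCCESSFUL
  when error_codes::KDC_ERR_C_PRINCIPAL_UNKNOWN
    # The username does not exist in this realm.
    Metasploit::Model::Login::Status::INVALID_PUBLIC_PART
  when error_codes::KDC_ERR_CLIENT_REVOKED
    # Locked out, disabled or expired - refine using the e-data if possible.
    login_status_for_client_revoked(krb_err)
  else
    Metasploit::Model::Login::Status::INCORRECT
  end
end

# Refines a KDC_ERR_CLIENT_REVOKED error into LOCKED_OUT or DISABLED.
#
# It does not appear to be documented anywhere, but Microsoft KDCs include an
# NTSTATUS inside a PA-PW-SALT e-data entry. Anything other than an explicit
# "account locked out" status - including e-data that is absent, of a different
# type, lacks an NTSTATUS, or cannot be decoded (e.g. a non-Microsoft KDC) -
# maps to DISABLED, preserving the previous behaviour.
#
# @param krb_err [Rex::Proto::Kerberos::Model::Error::KerberosError] the
#   KDC_ERR_CLIENT_REVOKED error; +res.e_data_as_pa_data_entry+ is read from it
# @return [String] +LOCKED_OUT+ or +DISABLED+
def self.login_status_for_client_revoked(krb_err)
  disabled = Metasploit::Model::Login::Status::DISABLED

  pa_data_entry = krb_err.res.e_data_as_pa_data_entry
  return disabled unless pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT

  nt_status = pa_data_entry.decoded_value.nt_status
  return disabled unless nt_status

  case nt_status.value
  when ::WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT
    Metasploit::Model::Login::Status::LOCKED_OUT
  else
    # STATUS_ACCOUNT_DISABLED, STATUS_ACCOUNT_EXPIRED (effectively disabled)
    # and any unrecognised status all map to DISABLED.
    disabled
  end
rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
  # The e-data is not in the Microsoft format - could be a non-MS implementation.
  disabled
end
private_class_method :login_status_for_client_revoked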

Instance Method Details

#attempt_login(credential) ⇒ Object


# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 20

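# Attempts a single Kerberos AS-REQ (TGT request) with the given credential and
# maps the KDC's answer to a login status.
#
# A KRB-ERROR from the KDC is not treated as a plain failure: its error code is
# translated by {.login_status_for_kerberos_error} into a status such as
# INVALID_PUBLIC_PART, LOCKED_OUT or DISABLED. A closed connection (EOFError)
# becomes UNABLE_TO_CONNECT.
#
# @param credential [Metasploit::Framework::Credential] the credential to try;
#   +public+ is used as the client principal, +private+ as the password and
#   +realm+ as the Kerberos realm
# @return [Metasploit::Framework::LoginScanner::Result] the outcome, carrying
#   the AS-REP (on success) or the raised error as +proof+
def attempt_login(credential)
  result_options = {
    credential: credential,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: 'kerberos'
  }

  begin
    res = send_request_tgt(
      server_name: server_name,
      client_name: credential.public,
      password: credential.private,
      realm: credential.realm
    )

    unless res.preauth_required
      # Pre-authentication is not required for this principal, so the KDC hands
      # out an AS-REP without the password being proven. Ask again for an
      # RC4-HMAC encrypted reply, which is the more easily crackable etype; if
      # the KDC refuses that etype the initial reply is kept.
      begin
        res = send_request_tgt(
          server_name: server_name,
          client_name: credential.public,
          password: credential.private,
          realm: credential.realm,
          offered_etypes: [Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC]
        )
      rescue Rex::Proto::Kerberos::Model::Error::KerberosEncryptionNotSupported
        # RC4 is likely disabled on the KDC - fall back to the initial response.
      end
    end

    Metasploit::Framework::LoginScanner::Result.new(
      result_options.merge(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res)
    )
  rescue ::EOFError => e
    # The KDC closed the connection before answering.
    Metasploit::Framework::LoginScanner::Result.new(
      result_options.merge(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
    )
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    # KRB-ERROR: the error code distinguishes wrong password from account state.
    Metasploit::Framework::LoginScanner::Result.new(
      result_options.merge(status: self.class.login_status_for_kerberos_error(e), proof: e)
    )
  end
end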