Module: Msf::Exploit::Remote::Kerberos::Client

Includes:

AsRequest, AsResponse, Base, CacheCredential, Pac, TgsRequest, TgsResponse

Defined in:

lib/msf/core/exploit/remote/kerberos/client.rb,
lib/msf/core/exploit/remote/kerberos/client/pac.rb,
lib/msf/core/exploit/remote/kerberos/client/base.rb,
lib/msf/core/exploit/remote/kerberos/client/as_request.rb,
lib/msf/core/exploit/remote/kerberos/client/as_response.rb,
lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb,
lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb,
lib/msf/core/exploit/remote/kerberos/client/cache_credential.rb

Defined Under Namespace

Modules: AsRequest, AsResponse, Base, CacheCredential, Pac, TgsRequest, TgsResponse

Instance Attribute Summary

• #client ⇒ Rex::Proto::Kerberos::Client

  The kerberos client.

Instance Method Summary

• #cleanup ⇒ Object

  Performs cleanup as necessary, disconnecting the Kerberos client if it's still established.

• #connect(opts = {}) ⇒ Rex::Proto::Kerberos::Client

  Creates a kerberos connection.

• #disconnect(kerb_client = client) ⇒ Object

  Disconnects the Kerberos client.

• #initialize(info = {}) ⇒ Object
• #peer ⇒ String

  Returns the kdc peer.

• #rhost ⇒ String

  Returns the target host.

• #rport ⇒ Integer

  Returns the remote port.

• #send_request_as(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcResponse

  Sends a kerberos AS request and reads the response.

• #send_request_tgs(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcResponse

  Sends a kerberos AS request and reads the response.

• #timeout ⇒ Integer

  Returns the TCP timeout.

Methods included from CacheCredential

#create_cache, #create_cache_credential, #create_cache_key_block, #create_cache_principal, #create_cache_times

Methods included from Pac

#build_pa_pac_request, #build_pac, #build_pac_authorization_data

Methods included from TgsResponse

#extract_kerb_creds

Methods included from TgsRequest

#build_ap_req, #build_authenticator, #build_enc_auth_data, #build_subkey, #build_tgs_body_checksum, #build_tgs_request, #build_tgs_request_body

Methods included from AsResponse

#extract_logon_time, #extract_session_key

Methods included from AsRequest

#build_as_pa_time_stamp, #build_as_request, #build_as_request_body

Methods included from Base

#build_client_name, #build_server_name

Instance Attribute Details

#client ⇒ Rex::Proto::Kerberos::Client

Returns The kerberos client.

Returns:

• (Rex::Proto::Kerberos::Client) —

  The kerberos client

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 18

def client
  @client
end

Instance Method Details

#cleanup ⇒ Object

Performs cleanup as necessary, disconnecting the Kerberos client if it's still established.

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 98

def cleanup
  super
  disconnect
end

#connect(opts = {}) ⇒ Rex::Proto::Kerberos::Client

Creates a kerberos connection

Parameters:

• opts (Hash{Symbol => <String, Integer>}) (defaults to: {})

Options Hash (opts):

• :rhost (String)
• :rport (<String, Integer>)

Returns:

• (Rex::Proto::Kerberos::Client)

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 66

def connect(opts={})
  kerb_client = Rex::Proto::Kerberos::Client.new(
    host: opts[:rhost] || rhost,
    port: (opts[:rport] || rport).to_i,
    timeout: (opts[:timeout] || timeout).to_i,
    context:
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      },
    protocol: 'tcp'
  )

  disconnect if client
  self.client = kerb_client

  kerb_client
end

#disconnect(kerb_client = client) ⇒ Object

Disconnects the Kerberos client

Parameters:

• kerb_client (Rex::Proto::Kerberos::Client) (defaults to: client) —

  the client to disconnect

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 88

def disconnect(kerb_client = client)
  kerb_client.close if kerb_client

  if kerb_client == client
    self.client = nil
  end
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 20

def initialize(info = {})
  super

  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(88),
      OptInt.new('Timeout', [true, 'The TCP timeout to establish connection and read data', 10])
    ], self.class
  )
end

#peer ⇒ String

Returns the kdc peer

Returns:

• (String)

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 56

def peer
  "#{rhost}:#{rport}"
end

#rhost ⇒ String

Returns the target host

Returns:

• (String)

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 35

def rhost
  datastore['RHOST']
end

#rport ⇒ Integer

Returns the remote port

Returns:

• (Integer)

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 42

def rport
  datastore['RPORT']
end

#send_request_as(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcResponse

Sends a kerberos AS request and reads the response

Parameters:

• opts (Hash) (defaults to: {})

Returns:

• (Rex::Proto::Kerberos::Model::KdcResponse)

See Also:

• Kerberos::Client::AsRequest#build_as_request
• Rex::Proto::Kerberos::Model::KdcResponse

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 109

def send_request_as(opts = {})
  connect(opts)
  req = build_as_request(opts)
  res = client.send_recv(req)
  disconnect
  res
end

#send_request_tgs(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcResponse

Sends a kerberos AS request and reads the response

Parameters:

• opts (Hash) (defaults to: {})

Returns:

• (Rex::Proto::Kerberos::Model::KdcResponse)

See Also:

• Kerberos::Client::TgsRequest#build_tgs_request
• Rex::Proto::Kerberos::Model::KdcResponse

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 123

def send_request_tgs(opts = {})
  connect(opts)
  req = build_tgs_request(opts)
  res = client.send_recv(req)
  disconnect
  res
end

#timeout ⇒ Integer

Returns the TCP timeout

Returns:

• (Integer)

# File 'lib/msf/core/exploit/remote/kerberos/client.rb', line 49

def timeout
  datastore['Timeout']
end