Module: Msf::Exploit::Remote::Kerberos::Client::AsRequest

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/kerberos/client/as_request.rb


Instance Method Details

#build_as_pa_time_stamp(opts = {}) ⇒ Rex::Proto::Kerberos::Model::PreAuthData

Builds a Kerberos PA-ENC-TIMESTAMP pre-authentication structure

Parameters:

  • opts (Hash{Symbol => <Time, Integer, String>}) (defaults to: {})

Options Hash (opts):

  • :time_stamp (Time)
  • :pausec (Integer)
  • :etype (Integer)
  • :key (String)

Returns:

See Also:


# File 'lib/msf/core/exploit/kerberos/client/as_request.rb', line 44

# Builds a Kerberos PA-ENC-TIMESTAMP pre-authentication entry: a timestamp
# structure encrypted under the supplied key and wrapped as PreAuthData.
#
# @param opts [Hash{Symbol => <Time, Integer, String>}]
# @option opts [Time] :time_stamp timestamp to encrypt (defaults to Time.now)
# @option opts [Integer] :pausec passed as the pausec field (defaults to 0)
# @option opts [Integer] :etype encryption type (defaults to RC4_HMAC)
# @option opts [String] :key encryption key (defaults to the empty string)
# @return [Rex::Proto::Kerberos::Model::PreAuthData]
def build_as_pa_time_stamp(opts = {})
  model = Rex::Proto::Kerberos::Model

  stamp = opts[:time_stamp] || Time.now
  usec = opts[:pausec] || 0
  # RC4-HMAC is the fallback when the caller names no etype. It is a legacy
  # cipher; NOTE(review): hardened realms may refuse it or log its use — confirm
  # the caller passes :etype where AES is expected.
  enc_type = opts[:etype] || Rex::Proto::Kerberos::Crypto::RC4_HMAC
  # With no :key the timestamp is encrypted under an empty key, which a KDC
  # would presumably reject; callers are expected to supply the real key.
  secret = opts[:key] || ''

  plain_ts = model::PreAuthEncTimeStamp.new(pa_time_stamp: stamp, pausec: usec)
  sealed_ts = model::EncryptedData.new(
    etype: enc_type,
    cipher: plain_ts.encrypt(enc_type, secret)
  )

  # The encoded EncryptedData becomes the value of the PA-DATA entry.
  model::PreAuthData.new(type: model::PA_ENC_TIMESTAMP, value: sealed_ts.encode)
end

#build_as_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest

Builds a Kerberos AS request (AS-REQ)

Parameters:

Options Hash (opts):

Returns:

See Also:


# File 'lib/msf/core/exploit/kerberos/client/as_request.rb', line 19

# Builds a Kerberos AS request (AS-REQ, protocol version 5).
#
# Pre-authentication data and the request body are taken from opts when
# present; otherwise they are built from the same opts hash by
# build_as_pa_time_stamp and build_as_request_body.
#
# @param opts [Hash]
# @option opts :pa_data pre-authentication data to send as-is
# @option opts :body request body to send as-is
# @return [Rex::Proto::Kerberos::Model::KdcRequest]
def build_as_request(opts = {})
  # Resolve pa_data before the body, matching the order callers may rely on.
  pre_auth = opts[:pa_data] || build_as_pa_time_stamp(opts)
  req_body = opts[:body] || build_as_request_body(opts)

  Rex::Proto::Kerberos::Model::KdcRequest.new(
    pvno: 5,
    msg_type: Rex::Proto::Kerberos::Model::AS_REQ,
    pa_data: pre_auth,
    req_body: req_body
  )
end

#build_as_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody

Builds a Kerberos AS request body (the req-body of an AS-REQ)

Parameters:

Options Hash (opts):

Returns:

See Also:


# File 'lib/msf/core/exploit/kerberos/client/as_request.rb', line 84

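# Builds the body of a Kerberos AS request.
#
# Every field can be overridden through opts; anything missing falls back to
# the defaults below. opts is also forwarded to build_client_name and
# build_server_name when :cname / :sname are not given.
#
# @param opts [Hash]
# @option opts [Integer] :options KDC option flags (defaults to 0x50800000)
# @option opts [Time] :from defaults to the Unix epoch (UTC)
# @option opts [Time] :till defaults to the Unix epoch (UTC)
# @option opts [Time] :rtime defaults to the Unix epoch (UTC)
# @option opts [Integer] :nonce defaults to a random number of up to 6 digits
# @option opts [Array] :etype offered encryption types (defaults to [RC4_HMAC])
# @option opts :cname client name (defaults to build_client_name(opts))
# @option opts [String] :realm defaults to the empty string
# @option opts :sname server name (defaults to build_server_name(opts))
# @return [Rex::Proto::Kerberos::Model::KdcRequestBody]
def build_as_request_body(opts = {})
  options = opts[:options] || 0x50800000 # Forwardable, Proxiable, Renewable
  # Time.utc takes numeric components (year first). Pass them explicitly
  # instead of a date-like string, which is read as the year argument only and
  # yields the epoch solely through string-to-integer coercion.
  from = opts[:from] || Time.utc(1970, 1, 1, 0, 0, 0)
  till = opts[:till] || Time.utc(1970, 1, 1, 0, 0, 0)
  rtime = opts[:rtime] || Time.utc(1970, 1, 1, 0, 0, 0)
  # Six decimal digits, so the default nonce has fewer than 1_000_000 values.
  # NOTE(review): Rex::Text.rand_text_numeric is presumably not a CSPRNG —
  # confirm before relying on this nonce for replay protection.
  nonce = opts[:nonce] || Rex::Text.rand_text_numeric(6).to_i
  # Only RC4-HMAC is offered by default. An AS-REQ that offers no AES etype is
  # a legacy-crypto signal that AES-only realms can reject or alert on.
  etype = opts[:etype] || [Rex::Proto::Kerberos::Crypto::RC4_HMAC]
  cname = opts[:cname] || build_client_name(opts)
  realm = opts[:realm] || ''
  sname = opts[:sname] || build_server_name(opts)

  Rex::Proto::Kerberos::Model::KdcRequestBody.new(
    options: options,
    cname: cname,
    realm: realm,
    sname: sname,
    from: from,
    till: till,
    rtime: rtime,
    nonce: nonce,
    etype: etype
  )
end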