Module: Msf::Exploit::Remote::Kerberos::Client::Pac

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/kerberos/client/pac.rb


Instance Method Details

#build_pa_pac_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Field::PreAuthData

Builds a Kerberos PA-PAC-REQUEST pre-authentication data structure

Parameters:

  • opts (Hash{Symbol => Boolean}) (defaults to: {})

Options Hash (opts):

  • :pac_request_value (Boolean)

Returns:

  • (Rex::Proto::Kerberos::Model::Field::PreAuthData)

See Also:


# File 'lib/msf/core/exploit/kerberos/client/pac.rb', line 18

# Builds the PA-PAC-REQUEST pre-authentication entry for a Kerberos request.
#
# The entry carries an encoded PreAuthPacRequest whose boolean value is taken
# from +opts+; a missing, nil or false option is sent as an explicit false.
#
# NOTE(review): in the Kerberos PAC extension this boolean is the client's
# "include-pac" preference (whether the KDC should put a PAC in the ticket) --
# confirm against Rex::Proto::Kerberos::Model::PreAuthPacRequest. Domain-joined
# Windows clients normally ask for a PAC, so requests that explicitly decline
# one are worth a look when reviewing KDC traffic.
#
# @param opts [Hash{Symbol => Boolean}]
# @option opts [Boolean] :pac_request_value value placed in the request
#   (defaults to false)
# @return [Rex::Proto::Kerberos::Model::PreAuthData] entry typed PA_PAC_REQUEST
def build_pa_pac_request(opts = {})
  include_pac = opts[:pac_request_value]
  include_pac = false unless include_pac

  encoded_request = Rex::Proto::Kerberos::Model::PreAuthPacRequest.new(value: include_pac).encode

  Rex::Proto::Kerberos::Model::PreAuthData.new(
    type: Rex::Proto::Kerberos::Model::PA_PAC_REQUEST,
    value: encoded_request
  )
end

#build_pac(opts = {}) ⇒ Rex::Proto::Kerberos::Pac::Type

Builds a Kerberos PACTYPE structure

Parameters:

  • opts (Hash{Symbol => <String, Integer, Array, Time>}) (defaults to: {})

Options Hash (opts):

  • :client_name (String)
  • :user_id (Integer)

    the user SID (relative part; the domain part comes from :domain_id), e.g. 1000

  • :group_id (Integer)

    Ex: 513 for 'Domain Users'

  • :group_ids (Array<Integer>)
  • :realm (String)
  • :domain_id (String)

    the domain SID Ex: S-1-5-21-1755879683-3641577184-3486455962

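  • :logon_time (Time)
  • :checksum_type

    read by the method but not listed in the original documentation; defaults to Rex::Proto::Kerberos::Crypto::RSA_MD5 and is used for both checksum buffers and the PACTYPE itself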

Returns:

See Also:


# File 'lib/msf/core/exploit/kerberos/client/pac.rb', line 45

# Builds a Kerberos PACTYPE structure out of four buffers, in this order:
# logon information, client information, server checksum and privileged
# server checksum.
#
# Every field is taken from +opts+ and falls back to a constant from
# Rex::Proto::Kerberos::Pac (or an empty string / the current time) when the
# option is absent. The same logon time is used as the client info's
# client_id, and the same checksum type is used for both checksum buffers and
# for the PACTYPE itself.
#
# NOTE(review): the default checksum type is RSA_MD5. Going by its name this
# is a plain MD5 digest rather than an HMAC keyed with a service or KDC key --
# confirm against Rex::Proto::Kerberos::Crypto. A KDC that enforces keyed PAC
# signatures is expected to reject a PAC signed this way, so callers that need
# a keyed signature must pass :checksum_type explicitly.
#
# @param opts [Hash{Symbol => <String, Integer, Array, Time>}]
# @option opts [String] :client_name account name (defaults to '')
# @option opts [Integer] :user_id user identifier, e.g. 1000
# @option opts [Integer] :group_id primary group, e.g. 513 for 'Domain Users'
# @option opts [Array<Integer>] :group_ids group memberships
# @option opts [String] :realm logon domain name (defaults to '')
# @option opts [String] :domain_id domain SID
# @option opts [Time] :logon_time (defaults to Time.now)
# @option opts :checksum_type checksum type for all signatures
#   (defaults to Rex::Proto::Kerberos::Crypto::RSA_MD5)
# @return [Rex::Proto::Kerberos::Pac::Type]
def build_pac(opts = {})
  pac = Rex::Proto::Kerberos::Pac

  # Defaults are resolved in the same order as the options are documented.
  account_name = opts[:client_name] || ''
  account_id = opts[:user_id] || pac::DEFAULT_USER_SID
  main_group = opts[:group_id] || pac::DOMAIN_USERS
  memberships = opts[:group_ids] || [pac::DOMAIN_USERS]
  realm_name = opts[:realm] || ''
  domain_sid = opts[:domain_id] || pac::NT_AUTHORITY_SID
  issued_at = opts[:logon_time] || Time.now
  signature_type = opts[:checksum_type] || Rex::Proto::Kerberos::Crypto::RSA_MD5

  buffers = [
    pac::LogonInfo.new(
      logon_time: issued_at,
      effective_name: account_name,
      user_id: account_id,
      primary_group_id: main_group,
      group_ids: memberships,
      logon_domain_name: realm_name,
      logon_domain_id: domain_sid
    ),
    # client_id deliberately reuses the logon time object.
    pac::ClientInfo.new(client_id: issued_at, name: account_name),
    pac::ServerChecksum.new(checksum: signature_type),
    pac::PrivSvrChecksum.new(checksum: signature_type)
  ]

  pac::Type.new(buffers: buffers, checksum: signature_type)
end

#build_pac_authorization_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::AuthorizationData

Builds a Kerberos AuthorizationData structure containing a PACTYPE

Parameters:

Options Hash (opts):

Returns:

See Also:


# File 'lib/msf/core/exploit/kerberos/client/pac.rb', line 97

# Builds a Kerberos AuthorizationData structure containing a PACTYPE.
#
# The PAC is encoded into an AuthorizationData element typed AD_WIN2K_PAC,
# and that structure is in turn encoded into the single element, typed
# AD_IF_RELEVANT, of the AuthorizationData that is returned.
#
# @param opts [Hash] also forwarded unchanged to #build_pac when no :pac is
#   given, so every #build_pac option is accepted here
# @option opts [#encode] :pac a ready-made PAC to wrap; when absent one is
#   built with build_pac(opts)
# @return [Rex::Proto::Kerberos::Model::AuthorizationData]
def build_pac_authorization_data(opts = {})
  pac_type = opts[:pac] || build_pac(opts)
  auth_data = Rex::Proto::Kerberos::Model::AuthorizationData

  # Inner container: the encoded PAC itself.
  inner = auth_data.new(
    elements: [{ type: Rex::Proto::Kerberos::Pac::AD_WIN2K_PAC, data: pac_type.encode }]
  )

  # Outer container: the encoded inner structure, typed AD_IF_RELEVANT.
  auth_data.new(
    elements: [{ type: Rex::Proto::Kerberos::Model::AD_IF_RELEVANT, data: inner.encode }]
  )
end