Module: Msf::Exploit::Remote::Kerberos::Client::TgsResponse

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/kerberos/client/tgs_response.rb


Instance Method Details

#extract_kerb_creds(res, key) ⇒ Rex::Proto::Kerberos::CredentialCache::Cache

Extracts the Kerberos credentials from a Kerberos TGS response (TGS-REP) and builds an MIT credential cache (ccache) structure from them. The response's encrypted part is decrypted with the supplied key; a wrong key or a corrupted response is surfaced to the caller as an exception rather than being swallowed.


# File 'lib/msf/core/exploit/kerberos/client/tgs_response.rb', line 21

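# Extracts the Kerberos credentials from a TGS response (TGS-REP) and wraps
# them in an MIT credential cache (ccache) structure.
#
# The response's +enc_part+ is decrypted with +key+ and decoded as an
# EncKdcResponse. The session key, ticket lifetimes, flags and server name are
# taken from that decrypted part; the client name/realm and the (still
# encrypted) service ticket are taken from the outer response.
#
# @param res [Rex::Proto::Kerberos::Model::KdcResponse] the TGS-REP to extract
#   from (type inferred from the accessors used here: enc_part, cname, crealm,
#   ticket — confirm against the caller)
# @param key [String] the key the KDC encrypted +res.enc_part+ under; for a
#   TGS-REP this is the session key obtained in the preceding AS exchange. It
#   is used only for decryption and is never written into the cache.
# @return [Rex::Proto::Kerberos::CredentialCache::Cache] a cache whose primary
#   principal is the client named in +res+ and whose single credential holds
#   the service ticket together with its session key
# @raise whatever +enc_part.decrypt+ / +EncKdcResponse.decode+ raise on a wrong
#   key, a failed integrity check or malformed data. Nothing is rescued here,
#   so a bad key surfaces to the caller instead of producing an empty cache.
#   NOTE(review): confirm the exact exception classes against Rex.
def extract_kerb_creds(res, key)
  # ENC_TGS_RESPONSE is the key-usage value for the TGS-REP enc_part; the
  # usage number is part of the key derivation, so it must match the message
  # type or decryption fails even with the right key.
  plaintext = res.enc_part.decrypt(key, Rex::Proto::Kerberos::Crypto::ENC_TGS_RESPONSE)
  enc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(plaintext)

  # The client principal comes from the outer (unencrypted) part of the
  # response. It is used both as the credential's client and as the cache's
  # primary principal, so it is built once rather than twice.
  client = create_cache_principal(
    name_type: res.cname.name_type,
    realm: res.crealm,
    components: res.cname.name_string
  )

  # The service principal is only trustworthy from the decrypted part.
  server = create_cache_principal(
    name_type: enc_res.sname.name_type,
    realm: enc_res.srealm,
    components: enc_res.sname.name_string
  )

  # Session key for the service ticket. Deliberately not named +key+: the
  # original shadowed the decryption-key parameter here, which made it easy
  # to confuse the two keys.
  session_key = create_cache_key_block(
    key_type: enc_res.key.type,
    key_value: enc_res.key.value
  )

  times = create_cache_times(
    auth_time: enc_res.auth_time,
    start_time: enc_res.start_time,
    end_time: enc_res.end_time,
    renew_till: enc_res.renew_till
  )

  # The ticket stays in its encrypted, DER-encoded form: it is opaque to the
  # client and is presented to the service as-is.
  credential = create_cache_credential(
    client: client,
    server: server,
    key: session_key,
    time: times,
    ticket: res.ticket.encode,
    flags: enc_res.flags
  )

  create_cache(
    primary_principal: client,
    credentials: [credential]
  )
end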