Class: Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base

Inherits:

Object

• Object
• Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base

Extended by:

Forwardable

Includes:

Auxiliary::Report, Client, Rex::Proto::Gss::Asn1

Defined in:

lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb

Overview

This class acts as standalone authenticator for Kerberos

Direct Known Subclasses

HTTP, LDAP, MSSQL, SMB

Defined Under Namespace

Modules: Delegation

Constant Summary

GSS_DELEGATE =

Flags - datatracker.ietf.org/doc/html/rfc4121#section-4.1.1.1

0x01

GSS_MUTUAL =

0x02

GSS_REPLAY_DETECT =

0x04

GSS_SEQUENCE =

0x08

GSS_CONFIDENTIAL =

0x10

GSS_INTEGRITY =

0x20

GSS_DCE_STYLE =

0x1000

Constants included from Client

Client::NEG_TOKEN_ACCEPT_COMPLETED, Client::NEG_TOKEN_ACCEPT_INCOMPLETE, Client::NEG_TOKEN_REJECT, Client::NEG_TOKEN_REQUEST_MIC, Client::TOK_ID_KRB_AP_REP, Client::TOK_ID_KRB_AP_REQ, Client::TOK_ID_KRB_ERROR

Constants included from Client::ApRequest

Client::ApRequest::AP_MUTUAL_REQUIRED, Client::ApRequest::AP_USE_SESSION_KEY

Instance Attribute Summary

• #dce_style ⇒ Object readonly

  Returns the value of attribute dce_style.

• #framework ⇒ Object readonly

  Returns the value of attribute framework.

• #framework_module ⇒ Object readonly

  Returns the value of attribute framework_module.

• #host ⇒ String^? readonly

  The proxy directive to use for the socket.

• #hostname ⇒ Object readonly

  Returns the value of attribute hostname.

• #key ⇒ Object readonly

  Returns the value of attribute key.

• #mechanism ⇒ Object readonly

  Returns the value of attribute mechanism.

• #mutual_auth ⇒ Object readonly

  Returns the value of attribute mutual_auth.

• #offered_etypes ⇒ Object readonly
• #password ⇒ Object readonly

  Returns the value of attribute password.

• #pfx ⇒ Object readonly

  Returns the value of attribute pfx.

• #port ⇒ Object readonly

  Returns the value of attribute port.

• #proxies ⇒ Object readonly

  Returns the value of attribute proxies.

• #realm ⇒ Object readonly

  Returns the value of attribute realm.

• #send_delegated_creds ⇒ Object readonly

  Returns the value of attribute send_delegated_creds.

• #ticket_storage ⇒ Object readonly

  Returns the value of attribute ticket_storage.

• #timeout ⇒ Object readonly

  Returns the value of attribute timeout.

• #use_gss_checksum ⇒ Object readonly

  Returns the value of attribute use_gss_checksum.

• #username ⇒ Object readonly

  Returns the value of attribute username.

Attributes included from Client

#client, #kerberos_client

Instance Method Summary

• #authenticate(options = {}) ⇒ Hash

  The security_blob SPNEGO GSS and TGS session key.

• #authenticate_via_kdc(options = {}) ⇒ Object

  Authenticate with credentials to the key distribution center (KDC).

• #build_spn(options = {}) ⇒ Object
• #connect(options = {}) ⇒ Object
• #get_message_encryptor(key, client_sequence_number, server_sequence_number, use_acceptor_subkey: true, rc4_pad_style: :single_byte) ⇒ Object
• #initialize(realm: nil, hostname: nil, username: nil, password: nil, host: nil, proxies: nil, port: 88, timeout: 25, framework: nil, framework_module: nil, mutual_auth: false, use_gss_checksum: false, mechanism: Rex::Proto::Gss::Mechanism::SPNEGO, send_delegated_creds: Delegation::ALWAYS, dce_style: false, cache_file: nil, ticket_storage: nil, key: nil, offered_etypes: nil, pfx: nil) ⇒ Base constructor

  A new instance of Base.

• #parse_gss_init_response(token, session_key) ⇒ Object
• #request_tgs_only(credential, options = {}) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential

  The ccache credential.

• #request_tgt_only(options = {}) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential

  The ccache credential.

• #rhost ⇒ String

  Returns the target host.

• #rport ⇒ Integer

  Returns the remote port.

• #s4u2proxy(credential, options = {}) ⇒ Array

  Request a service ticket to another service on behalf of a user.

• #s4u2self(credential, options = {}) ⇒ Array

  Request a service ticket to itself on behalf of a user.

• #u2uself(credential, options = {}) ⇒ Object

  Request a service ticket to a user on behalf of themselves This is mostly useful for PKINIT to recover the NT hash Can combine this with S4U2Self by providing an :impersonate option to retrieve a PAC for any account, i.e.

• #validate_response!(security_blob, accept_incomplete: false) ⇒ Object

Methods included from Rex::Proto::Gss::Asn1

#unwrap_pseudo_asn1, #wrap_pseudo_asn1

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Client

#cleanup, #disconnect, #peer, #select_cipher, #send_request_as, #send_request_tgs, #send_request_tgt, #send_request_tgt_pkinit

Methods included from Client::Pkinit

#build_dh, #build_pa_pk_as_req, #calculate_shared_key, #extract_user_and_realm, #k_truncate, #sign_auth_pack

Methods included from Client::Pac

#build_empty_auth_data, #build_pa_pac_request, #build_pac, #build_pac_authorization_data

Methods included from Client::TgsResponse

#decrypt_kdc_tgs_rep_enc_part, #extract_kerb_creds

Methods included from Client::TgsRequest

#build_ap_req, #build_authenticator, #build_enc_auth_data, #build_pa_for_user, #build_subkey, #build_tgs_body_checksum, #build_tgs_request, #build_tgs_request_body

Methods included from Client::AsResponse

#decrypt_kdc_as_rep_enc_part, #extract_logon_time, #extract_session_key, #format_as_rep_to_john_hash

Methods included from Client::AsRequest

#build_as_pa_time_stamp, #build_as_request, #build_as_request_body

Methods included from Client::ApRequest

#build_service_ap_request, #encode_gss_kerberos_ap_request, #encode_gss_spnego_ap_request

Methods included from Client::Base

#build_client_name, #build_server_name

Constructor Details

#initialize(realm: nil, hostname: nil, username: nil, password: nil, host: nil, proxies: nil, port: 88, timeout: 25, framework: nil, framework_module: nil, mutual_auth: false, use_gss_checksum: false, mechanism: Rex::Proto::Gss::Mechanism::SPNEGO, send_delegated_creds: Delegation::ALWAYS, dce_style: false, cache_file: nil, ticket_storage: nil, key: nil, offered_etypes: nil, pfx: nil) ⇒ Base

Returns a new instance of Base.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 111

def initialize(
    realm: nil,
    hostname: nil,
    username: nil,
    password: nil,
    host: nil,
    proxies: nil,
    port: 88,
    timeout: 25,
    framework: nil,
    framework_module: nil,
    mutual_auth: false,
    use_gss_checksum: false,
    mechanism: Rex::Proto::Gss::Mechanism::SPNEGO,
    send_delegated_creds: Delegation::ALWAYS,
    dce_style: false,
    cache_file: nil,
    ticket_storage: nil,
    key: nil,
    offered_etypes: nil,
    pfx: nil
)
  @realm = realm
  @hostname = hostname
  @host = host
  @proxies = proxies
  @port = port
  @timeout = timeout
  @username = username
  @password = password
  @pfx = pfx
  @framework = framework
  @framework_module = framework_module
  @mutual_auth = mutual_auth
  @use_gss_checksum = use_gss_checksum
  @mechanism = mechanism
  @send_delegated_creds = send_delegated_creds
  @dce_style = dce_style
  @ticket_storage = ticket_storage || Msf::Exploit::Remote::Kerberos::Ticket::Storage::ReadWrite.new(
    framework: framework,
    framework_module: framework_module
  )
  @key = key
  @offered_etypes = offered_etypes

  credential = nil
  if cache_file.present?
    # the cache file is only used for loading credentials, it is *not* written to
    credential = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
    serviceclass = build_spn.name_string.first
    if credential && credential.server.components[0] != serviceclass
      old_sname = credential.server.components.snapshot.join('/')
      credential.server.components[0] = serviceclass
      new_sname = credential.server.components.snapshot.join('/')
      print_status("Patching sname from #{old_sname} to #{new_sname}")
      ticket = Rex::Proto::Kerberos::Model::Ticket.decode(credential.ticket.value)
      ticket.sname.name_string[0] = serviceclass
      credential.ticket = ticket.encode
    elsif credential.nil? && hostname.present?
      credential = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
    end
    if credential.nil?
      raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to load a usable credential from ticket file: #{cache_file}")
    end
    print_status("Loaded a credential from ticket file: #{cache_file}")
  end
  @credential = credential
end

Instance Attribute Details

#dce_style ⇒ Object (readonly)

Returns the value of attribute dce_style.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 74

def dce_style
  @dce_style
end

#framework ⇒ Object (readonly)

Returns the value of attribute framework.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 50

def framework
  @framework
end

#framework_module ⇒ Object (readonly)

Returns the value of attribute framework_module.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 54

def framework_module
  @framework_module
end

#host ⇒ String^? (readonly)

Returns The proxy directive to use for the socket.

Returns:

• (String, nil) —

  The proxy directive to use for the socket

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 34

def host
  @host
end

#hostname ⇒ Object (readonly)

Returns the value of attribute hostname.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 30

def hostname
  @hostname
end

#key ⇒ Object (readonly)

Returns the value of attribute key.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 82

def key
  @key
end

#mechanism ⇒ Object (readonly)

Returns the value of attribute mechanism.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 66

def mechanism
  @mechanism
end

#mutual_auth ⇒ Object (readonly)

Returns the value of attribute mutual_auth.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 58

def mutual_auth
  @mutual_auth
end

#offered_etypes ⇒ Object (readonly)

See Also:

• Rex::Proto::Kerberos::Crypto::Encryption::DefaultOfferedEtypes

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 87

def offered_etypes
  @offered_etypes
end

#password ⇒ Object (readonly)

Returns the value of attribute password.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 22

def password
  @password
end

#pfx ⇒ Object (readonly)

Returns the value of attribute pfx.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 26

def pfx
  @pfx
end

#port ⇒ Object (readonly)

Returns the value of attribute port.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 38

def port
  @port
end

#proxies ⇒ Object (readonly)

Returns the value of attribute proxies.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 42

def proxies
  @proxies
end

#realm ⇒ Object (readonly)

Returns the value of attribute realm.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 14

def realm
  @realm
end

#send_delegated_creds ⇒ Object (readonly)

Returns the value of attribute send_delegated_creds.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 70

def send_delegated_creds
  @send_delegated_creds
end

#ticket_storage ⇒ Object (readonly)

Returns the value of attribute ticket_storage.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 78

def ticket_storage
  @ticket_storage
end

#timeout ⇒ Object (readonly)

Returns the value of attribute timeout.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 46

def timeout
  @timeout
end

#use_gss_checksum ⇒ Object (readonly)

Returns the value of attribute use_gss_checksum.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 62

def use_gss_checksum
  @use_gss_checksum
end

#username ⇒ Object (readonly)

Returns the value of attribute username.

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 18

def username
  @username
end

Instance Method Details

#authenticate(options = {}) ⇒ Hash

Returns The security_blob SPNEGO GSS and TGS session key.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• :credential (String) —

  An explicit credential object to use for authentication.

• :sname (Rex::Proto::Kerberos::Model::PrincipalName) —

  The target service principal name.

• :mechanism (String) —

  The authentication mechanism. One of the Rex::Proto::Gss::Mechanism constants.

Returns:

• (Hash) —

  The security_blob SPNEGO GSS and TGS session key

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 216

def authenticate(options = {})
  options[:sname] = options.fetch(:sname) { build_spn(options) }

  unless options[:credential]
    if @credential
      # use an explicit credential
      options[:credential] = @credential
    else
      # load a cached TGS
      options[:credential] = get_cached_credential(options)
      tgt_sname = Rex::Proto::Kerberos::Model::PrincipalName.new(
        name_type: Rex::Proto::Kerberos::Model::NameType::NT_SRV_INST,
        name_string: [
          "krbtgt",
          realm
        ]
      )
      unless options[:credential]
        # load a cached TGT (specific host)
        options[:credential] = get_cached_credential(
          options.merge(sname: tgt_sname)
        )
      end
      unless options[:credential]
        # load a cached TGT (any host)
        options[:credential] = get_cached_credential(
          options.merge(sname: tgt_sname, host: nil)
        )
      end
      if options[:credential]
        print_status("Using cached credential for #{options[:credential].server} #{options[:credential].client}")
      end
    end
  end

  if options[:credential] && options[:credential].server.to_s.start_with?('krbtgt/')
    auth_context = authenticate_via_krb5_ccache_credential_tgt(options[:credential], options)
  elsif options[:credential]
    auth_context = authenticate_via_krb5_ccache_credential_tgs(options[:credential], options)
  else
    auth_context = authenticate_via_kdc(options)
    auth_context = authenticate_via_krb5_ccache_credential_tgt(auth_context[:credential], options)
  end

  ap_request_asn1 = auth_context.delete(:service_ap_request).to_asn1

  mechanism = options.fetch(:mechanism) { self.mechanism }
  if mechanism == Rex::Proto::Gss::Mechanism::SPNEGO
    security_blob = encode_gss_spnego_ap_request(ap_request_asn1)
  elsif mechanism == Rex::Proto::Gss::Mechanism::KERBEROS
    security_blob = encode_gss_kerberos_ap_request(ap_request_asn1)
  else
    raise RuntimeError, "Unknown GSS mechanism: #{mechanism}"
  end

  auth_context[:security_blob] = security_blob
  auth_context
end

#authenticate_via_kdc(options = {}) ⇒ Object

Authenticate with credentials to the key distribution center (KDC). This will request a TGT only.

Parameters:

• options (Hash) (defaults to: {})

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 574

def authenticate_via_kdc(options = {})
  realm = self.realm.upcase
  client_name = username
  server_name = "krbtgt/#{realm}"

  ticket_options = Rex::Proto::Kerberos::Model::KdcOptionFlags.from_flags(
    [
      Rex::Proto::Kerberos::Model::KdcOptionFlags::FORWARDABLE,
      Rex::Proto::Kerberos::Model::KdcOptionFlags::RENEWABLE,
      Rex::Proto::Kerberos::Model::KdcOptionFlags::CANONICALIZE,
      Rex::Proto::Kerberos::Model::KdcOptionFlags::RENEWABLE_OK
    ]
  )

  if (pfx = options.fetch(:pfx) { self.pfx })
    offered_etypes = options.fetch(:offered_etypes) do
      self.offered_etypes || Rex::Proto::Kerberos::Crypto::Encryption::PkinitEtypes
    end

    tgt_result = send_request_tgt_pkinit(
      server_name: server_name,
      client_name: client_name,
      pfx: pfx,
      realm: realm,
      options: ticket_options,
      offered_etypes: offered_etypes
    )
  else
    offered_etypes = options.fetch(:offered_etypes) do
      self.offered_etypes || Rex::Proto::Kerberos::Crypto::Encryption::DefaultOfferedEtypes
    end

    tgt_result = send_request_tgt(
      server_name: server_name,
      client_name: client_name,
      password: password,
      key: key,
      realm: realm,
      options: ticket_options,
      offered_etypes: offered_etypes
    )
  end

  if tgt_result.decrypted_part.nil? && !tgt_result.preauth_required
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new(
      'Kerberos ticket does not require preauthentication. It is not possible to decrypt the encrypted message to request further TGS tickets. Try cracking the password via AS-REP Roasting techniques.',
    )
  end

  print_good("#{peer} - Received a valid TGT-Response")

  ccache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(tgt_result.as_rep, tgt_result.decrypted_part)
  options.fetch(:ticket_storage, @ticket_storage).store_ccache(ccache, host: rhost)

  credential = ccache.credentials.first
  session_key = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: credential.keyblock.enctype.value,
    value: credential.keyblock.data.value
  )

  { credential: credential, session_key: session_key, krb_enc_key: tgt_result.krb_enc_key }
end

#build_spn(options = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 340

def build_spn(options = {})
  nil
end

#connect(options = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 194

def connect(options = {})
  unless options[:rhost]
    unless (host = @host)
      vprint_status("Using DNS to lookup the KDC for #{realm}...")
      host = ::Rex::Socket.getresources("_kerberos._tcp.#{realm}", :SRV)&.sample
      if host.nil?
        raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to lookup the KDC")
      end
      print_status("Using KDC #{host} for realm #{realm}")
      @host = host
    end
    options[:rhost] = host
  end

  super(options)
end

#get_message_encryptor(key, client_sequence_number, server_sequence_number, use_acceptor_subkey: true, rc4_pad_style: :single_byte) ⇒ Object

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 275

def get_message_encryptor(key, client_sequence_number, server_sequence_number, use_acceptor_subkey: true, rc4_pad_style: :single_byte)
  Rex::Proto::Gss::Kerberos::MessageEncryptor.new(key,
                                          client_sequence_number,
                                          server_sequence_number,
                                          is_initiator: true,
                                          use_acceptor_subkey: use_acceptor_subkey,
                                          dce_style: @dce_style,
                                          rc4_pad_style: rc4_pad_style)
end

#parse_gss_init_response(token, session_key) ⇒ Object

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 285

def parse_gss_init_response(token, session_key)
  mech_id, encapsulated_token = unwrap_pseudo_asn1(token)

  if mech_id.value == Rex::Proto::Gss::OID_KERBEROS_5.value
    tok_id = encapsulated_token[0,2]
    data = encapsulated_token[2, encapsulated_token.length]
    case tok_id
    when TOK_ID_KRB_AP_REP
      ap_rep = Rex::Proto::Kerberos::Model::ApRep.decode(data)
      print_good("#{peer} - Received AP-REQ. Extracting session key...")

      raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'Mismatching etypes' if session_key.type != ap_rep.enc_part.etype

      decrypted = ap_rep.decrypt_enc_part(session_key.value)

      result = {
        ap_rep_subkey: decrypted.subkey,
        server_sequence_number: decrypted.sequence_number,
        etype: ap_rep.enc_part.etype
      }
    when TOK_ID_KRB_ERROR
      krb_err = Rex::Proto::Kerberos::Model::KrbError.decode(data)
      print_error("#{peer} - Received KRB-ERR.")

      raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new(res: krb_err)
    else
      raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, "Unknown token id: #{tok_id.inspect}"
    end
  else
    raise ::NotImplementedError, "Parsing mechtype #{mech_id.value} not supported"
  end

end

#request_tgs_only(credential, options = {}) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential

Returns The ccache credential.

Parameters:

• options (Hash) (defaults to: {})
• :credential (Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential) —

  The ccache credential from the TGT

Options Hash (options):

• :ticket_storage (Msf::Exploit::Remote::Kerberos::Ticket::Storage::Base) —

  Override the @ticket_storage attribute

Returns:

• (Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential) —

  The ccache credential

See Also:

• Options dcoumentation
• Other options dcoumentation

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 382

def request_tgs_only(credential, options = {})
  # load a cached TGS
  if (ccache = get_cached_credential(options))
    print_status("Using cached credential for #{ccache.server} #{ccache.client}")
    return ccache
  end

  auth_context = authenticate_via_krb5_ccache_credential_tgt(credential, options)
  auth_context[:credential]
end

#request_tgt_only(options = {}) ⇒ Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential

Returns The ccache credential.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• :ticket_storage (Msf::Exploit::Remote::Kerberos::Ticket::Storage::Base) —

  Override the @ticket_storage attribute

Returns:

• (Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential) —

  The ccache credential

See Also:

• Options documentation
• Other options documentation

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 349

def request_tgt_only(options = {})
  if options[:cache_file]
    credential = load_credential_from_file(options[:cache_file])
  else
    credential = get_cached_credential(
      options.merge(
        sname: Rex::Proto::Kerberos::Model::PrincipalName.new(
          name_type: Rex::Proto::Kerberos::Model::NameType::NT_SRV_INST,
          name_string: [
            "krbtgt",
            realm
          ]
        )
      )
    )
  end

  if credential
    print_status("Using cached credential for #{credential.server} #{credential.client}")
    return credential
  end

  auth_context = authenticate_via_kdc(options)
  return auth_context[:credential]
end

#rhost ⇒ String

Returns the target host

Returns:

• (String)

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 183

def rhost
  host
end

#rport ⇒ Integer

Returns the remote port

Returns:

• (Integer)

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 190

def rport
  port
end

#s4u2proxy(credential, options = {}) ⇒ Array

Request a service ticket to another service on behalf of a user

Parameters:

• credential (Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential) —

  The ccache credential from the TGT

• options (Hash) (defaults to: {})

Options Hash (options):

• :sname (Rex::Proto::Kerberos::Model::PrincipalName) —

  The target service principal name.

• :tgs_ticket (Rex::Proto::Kerberos::Model::Ticket) —

  The service ticket to the first service. It must have the forwardable flag set. This ticket can be obtained with #s4u2self.

• :ticket_storage (Msf::Exploit::Remote::Kerberos::Ticket::Storage::Base) —

  Override the @ticket_storage attribute

• :impersonate (String) —

  The name of the user to request a ticket on behalf of

Returns:

• (Array) —

  The new TGS ticket and the decrypted TGS credentials as a MIT Cache Credential

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 454

def s4u2proxy(credential, options = {})
  realm = self.realm.upcase
  sname = options.fetch(:sname)
  client_name = username

  now = Time.now.utc
  expiry_time = now + 1.day

  ticket = Rex::Proto::Kerberos::Model::Ticket.decode(credential.ticket.value)
  session_key = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: credential.keyblock.enctype.value,
    value: credential.keyblock.data.value
  )

  pa_pac_options_flags = Rex::Proto::Kerberos::Model::PreAuthPacOptionsFlags.from_flags(
    [
      Rex::Proto::Kerberos::Model::PreAuthPacOptionsFlags::RESOURCE_BASED_CONSTRAINED_DELEGATION
    ]
  )
  pa_pac_options = Rex::Proto::Kerberos::Model::PreAuthPacOptions.new(
    flags: pa_pac_options_flags
  )
  pa_data_entry = Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
    type: Rex::Proto::Kerberos::Model::PreAuthType::PA_PAC_OPTIONS,
    value: pa_pac_options.encode
  )

  etypes = Set.new([credential.keyblock.enctype.value])
  etypes << Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC
  etypes << Rex::Proto::Kerberos::Crypto::Encryption::DES_CBC_MD5
  etypes << Rex::Proto::Kerberos::Crypto::Encryption::DES3_CBC_SHA1

  tgs_options = {
    pa_data: pa_data_entry,
    additional_flags: [Rex::Proto::Kerberos::Model::KdcOptionFlags::CNAME_IN_ADDL_TKT],
    additional_tickets: [options[:tgs_ticket]],
    ticket_storage: options.fetch(:ticket_storage, @ticket_storage),
    credential_cache_username: options[:impersonate]
  }

  request_service_ticket(
    session_key,
    ticket,
    realm,
    client_name,
    etypes,
    expiry_time,
    now,
    sname,
    tgs_options
  )
end

#s4u2self(credential, options = {}) ⇒ Array

Request a service ticket to itself on behalf of a user

Parameters:

• :credential (Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential) —

  The ccache credential from the TGT

• options (Hash) (defaults to: {})

Options Hash (options):

• :sname (Rex::Proto::Kerberos::Model::PrincipalName) —

  The target service principal name.

• :ticket_storage (Msf::Exploit::Remote::Kerberos::Ticket::Storage::Base) —

  Override the @ticket_storage attribute

• :impersonate (String) —

  The name of the user to request a ticket on behalf of

Returns:

• (Array) —

  The TGS ticket and the decrypted TGS credentials as a MIT Cache Credential

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 402

def s4u2self(credential, options = {})
  realm = self.realm.upcase
  sname = options.fetch(:sname)
  client_name = username

  now = Time.now.utc
  expiry_time = now + 1.day

  ticket = Rex::Proto::Kerberos::Model::Ticket.decode(credential.ticket.value)
  session_key = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: credential.keyblock.enctype.value,
    value: credential.keyblock.data.value
  )

  etypes = Set.new([credential.keyblock.enctype.value])
  etypes << Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC

  tgs_options = {
    ticket_storage: options.fetch(:ticket_storage, @ticket_storage),
    credential_cache_username: options[:impersonate],
    pa_data: build_pa_for_user(
      {
        username: options[:impersonate],
        session_key: session_key,
        realm: realm
      }
    )
  }

  request_service_ticket(
    session_key,
    ticket,
    realm,
    client_name,
    etypes,
    expiry_time,
    now,
    sname,
    tgs_options
  )
end

#u2uself(credential, options = {}) ⇒ Object

Request a service ticket to a user on behalf of themselves This is mostly useful for PKINIT to recover the NT hash Can combine this with S4U2Self by providing an :impersonate option to retrieve a PAC for any account, i.e. Sapphire Ticket attack

Parameters:

• credential (Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential) —

  The ccache credential from the TGT

• options (Hash) (defaults to: {})

See Also:

• https://learn.microsoft.com/en-us/archive/blogs/openspecification/how-kerberos-user-to-user-authentication-works

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 516

def u2uself(credential, options = {})
  realm = self.realm.upcase
  client_name = options.fetch(:username) { self.username }
  sname = options.fetch(:sname) {
    Rex::Proto::Kerberos::Model::PrincipalName.new(
      name_type: Rex::Proto::Kerberos::Model::NameType::NT_UNKNOWN,
      name_string: [ client_name ]
    )
  }

  now = Time.now.utc
  expiry_time = now + 1.day

  ticket = Rex::Proto::Kerberos::Model::Ticket.decode(credential.ticket.value)
  session_key = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: credential.keyblock.enctype.value,
    value: credential.keyblock.data.value
  )

  etypes = Set.new([ticket.enc_part.etype])
  etypes << Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC

  tgs_options = {
    ticket_storage: options.fetch(:ticket_storage, @ticket_storage),
    credential_cache_username: client_name,
    additional_flags: [
      Rex::Proto::Kerberos::Model::KdcOptionFlags::ENC_TKT_IN_SKEY,
      Rex::Proto::Kerberos::Model::KdcOptionFlags::RENEWABLE_OK
    ],
    additional_tickets: [ticket]
  }

  if options[:impersonate]
    tgs_options[:pa_data] = build_pa_for_user(
      {
        username: options[:impersonate],
        session_key: session_key,
        realm: self.realm
      }
    )
  end

  request_service_ticket(
    session_key,
    ticket,
    realm,
    client_name,
    etypes,
    expiry_time,
    now,
    sname,
    tgs_options
  )
end

#validate_response!(security_blob, accept_incomplete: false) ⇒ Object

Parameters:

• security_blob (String) —

  SPNEGO GSS Blob

• accept_incomplete (Boolean) (defaults to: false) —

  Whether an Incomplete value is an acceptable response

Raises:

• (Rex::Proto::Kerberos::Model::Error::KerberosError) —

  if the response was not successful

• (Rex::Proto::Kerberos::Model::Error::KerberosDecodingError) —

  if the response was invalid per the Kerberos/GSS protocol

# File 'lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb', line 323

def validate_response!(security_blob, accept_incomplete: false)
  begin
    gss_api = OpenSSL::ASN1.decode(security_blob)
    neg_result = ::RubySMB::Gss.asn1dig(gss_api, 0, 0, 0)&.value.to_i
    supported_neg = ::RubySMB::Gss.asn1dig(gss_api, 0, 1, 0)&.value
  rescue OpenSSL::ASN1::ASN1Error
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError.new('Invalid GSS Response')
  end

  is_success = (neg_result == NEG_TOKEN_ACCEPT_COMPLETED || (accept_incomplete && neg_result == NEG_TOKEN_ACCEPT_INCOMPLETE)) &&
    supported_neg == ::Rex::Proto::Gss::OID_MICROSOFT_KERBEROS_5.value

  raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new('Failed to negotiate Kerberos GSS') unless is_success

  is_success
end