Module: Msf::Exploit::Remote::Kerberos::Client::AsResponse

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/remote/kerberos/client/as_response.rb


Instance Method Details

#decrypt_kdc_as_rep_enc_part(res, key) ⇒ Rex::Proto::Kerberos::Model::EncKdcResponse

Decrypts the enc_part of a Kerberos AS Response with the supplied key (key usage AS_REP_ENCPART) and decodes the plaintext into an EncKdcResponse.

Parameters:

  • res: the Kerberos AS Response whose enc_part is to be decrypted
  • key: the key that encrypts enc_part (for an AS-REP, the client's key)

Returns:

  • (Rex::Proto::Kerberos::Model::EncKdcResponse)
# File 'lib/msf/core/exploit/remote/kerberos/client/as_response.rb', line 20

def decrypt_kdc_as_rep_enc_part(res, key)
  # AS_REP_ENCPART is the RFC 4120 key usage number for the AS-REP encrypted part
  decrypt_res = res.enc_part.decrypt_asn1(key, Rex::Proto::Kerberos::Crypto::KeyUsage::AS_REP_ENCPART)
  enc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
  enc_res
end

#extract_logon_time(res, key) ⇒ Time

Extracts the logon time (the authtime field of the decrypted enc_part) from a Kerberos AS Response.

Parameters:

  • res: the Kerberos AS Response whose enc_part is to be decrypted
  • key: the key that encrypts enc_part (for an AS-REP, the client's key)

Returns:

  • (Time)
# File 'lib/msf/core/exploit/remote/kerberos/client/as_response.rb', line 50

def extract_logon_time(res, key)
  kdc_res = decrypt_kdc_as_rep_enc_part(res, key)
  kdc_res.auth_time
end

#extract_session_key(res, key) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Extracts the session key (the key field of the decrypted enc_part) from a Kerberos AS Response.

Parameters:

  • res: the Kerberos AS Response whose enc_part is to be decrypted
  • key: the key that encrypts enc_part (for an AS-REP, the client's key)

Returns:

  • (Rex::Proto::Kerberos::Model::EncryptionKey)
# File 'lib/msf/core/exploit/remote/kerberos/client/as_response.rb', line 36

def extract_session_key(res, key)
  kdc_res = decrypt_kdc_as_rep_enc_part(res, key)
  kdc_res.key
end

#format_as_rep_to_john_hash(asrep) ⇒ String

Formats a Kerberos AS Response into the $krb5asrep$ string layout used by John the Ripper and hashcat. The layout is taken from hashcat's module 18200:

https://github.com/hashcat/hashcat/blob/6fce6fb3ff120ed16b300af97cf2144b36edcbe8/src/modules/module_18200.c#L126-L132

Parameters:

  • asrep: the Kerberos AS Response (etype, cname, ticket realm and enc_part cipher are read from it)

Returns:

  • (String)

    A valid string format which can be cracked offline
# File 'lib/msf/core/exploit/remote/kerberos/client/as_response.rb', line 59

def format_as_rep_to_john_hash(asrep)
  "$krb5asrep$#{asrep.enc_part.etype}$#{asrep.cname.name_string.join('/')}@#{asrep.ticket.realm}:#{asrep.enc_part.cipher[0...16].unpack1('H*')}$#{asrep.enc_part.cipher[16..].unpack1('H*')}"
end
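The string built by format_as_rep_to_john_hash has a fixed layout that is easy to misread from the one-liner above, so here is an added example (not Metasploit code) that builds the same layout from constructed AS-REP fields and parses it back. The Struct stand-ins, the constant names and the sample bytes are all assumptions made for this example; they are not Rex model classes. Hashcat mode 18200, which the link above refers to, is the etype 23 (RC4-HMAC) AS-REP mode, and the 16-byte split in the formatter matches that etype's EncryptedData layout (a 16-byte HMAC-MD5 checksum followed by the ciphertext), so the example refuses other etypes rather than splitting them at an offset that only holds for RC4-HMAC.

```ruby
# Added example, not Metasploit code: the $krb5asrep$ layout emitted by
# format_as_rep_to_john_hash, built from constructed fields and parsed back.

# Constructed stand-ins for the Rex::Proto::Kerberos::Model objects used on this page
EncPart = Struct.new(:etype, :cipher)
PrincipalName = Struct.new(:name_string)
Ticket = Struct.new(:realm)
AsRep = Struct.new(:enc_part, :cname, :ticket)

RC4_HMAC_ETYPE = 23 # the etype hashcat mode 18200 covers
CHECKSUM_LEN = 16   # HMAC-MD5 checksum prefixed to RC4-HMAC ciphertext

# Same string layout as the documented formatter, with an explicit etype check
# so a non-RC4 response is not silently split at the wrong offset.
def krb5asrep_string(asrep)
  etype = asrep.enc_part.etype
  raise ArgumentError, "etype #{etype} is not RC4-HMAC (23)" unless etype == RC4_HMAC_ETYPE

  cipher = asrep.enc_part.cipher
  checksum = cipher[0...CHECKSUM_LEN].unpack1('H*')
  edata = cipher[CHECKSUM_LEN..].unpack1('H*')
  principal = asrep.cname.name_string.join('/')
  "$krb5asrep$#{etype}$#{principal}@#{asrep.ticket.realm}:#{checksum}$#{edata}"
end

# Inverse: recognise a $krb5asrep$ string and recover its fields, e.g. when
# validating tool output or matching such strings in collected artefacts.
KRB5ASREP_RE = %r{\A\$krb5asrep\$(?<etype>\d+)\$(?<principal>[^@]+)@(?<realm>[^:]+):(?<checksum>\h{32})\$(?<edata>\h+)\z}

def parse_krb5asrep(str)
  m = KRB5ASREP_RE.match(str)
  return nil unless m

  {
    etype: m[:etype].to_i,
    principal: m[:principal],
    realm: m[:realm],
    checksum: [m[:checksum]].pack('H*'), # raw 16-byte checksum
    edata: [m[:edata]].pack('H*')        # raw ciphertext that follows it
  }
end

# Constructed sample: 16 bytes standing in for the checksum, then 8 bytes of "ciphertext"
SAMPLE_CIPHER = (("\x11" * 16) + "\xAB\xCD\xEF\x01\x23\x45\x67\x89").b
SAMPLE_ASREP = AsRep.new(
  EncPart.new(RC4_HMAC_ETYPE, SAMPLE_CIPHER),
  PrincipalName.new(%w[svc web]),
  Ticket.new('EXAMPLE.LOCAL')
)

if __FILE__ == $PROGRAM_NAME
  s = krb5asrep_string(SAMPLE_ASREP)
  puts s
  p parse_krb5asrep(s)
end
```

Running the block prints the sample as $krb5asrep$23$svc/web@EXAMPLE.LOCAL:<32 hex chars>$<remaining hex>; note that the realm comes from the ticket, not from the cname, and that the principal components are joined with "/" exactly as the page's formatter does.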