Module: Msf::Exploit::Remote::Kerberos::Client::TgsRequest
- Included in:
- Msf::Exploit::Remote::Kerberos::Client
- Defined in:
- lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb
Instance Method Summary collapse
-
#build_ap_req(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey
Builds a KRB_AP_REQ message.
-
#build_authenticator(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Authenticator
Builds a kerberos authenticator for a TGS request.
-
#build_enc_auth_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptedData
Builds the encrypted TGS authorization data.
-
#build_pa_for_user(opts = {}) ⇒ Rex::Proto::Kerberos::Model::PreAuthDataEntry
Builds a Kerberos PA-FOR-USER pa-data.
-
#build_subkey(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey
Builds an encryption key to protect the data sent in the TGS request.
-
#build_tgs_body_checksum(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Checksum
Builds a Kerberos TGS Request body checksum.
-
#build_tgs_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest
Builds the encrypted Kerberos TGS request.
-
#build_tgs_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody
Builds a kerberos TGS request body.
Instance Method Details
#build_ap_req(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey
Builds a KRB_AP_REQ message
130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 130 def build_ap_req(opts = {}) pvno = opts.fetch(:pvno) { Rex::Proto::Kerberos::Model::VERSION } msg_type = opts.fetch(:msg_type) { Rex::Proto::Kerberos::Model::AP_REQ } = opts.fetch(:ap_req_options) { 0 } ticket = opts[:ticket] authenticator = opts.fetch(:authenticator) do build_authenticator(opts.merge( authenticator_enc_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::AP_REQ_AUTHENTICATOR )) end session_key = opts.fetch(:session_key) { build_subkey(opts) } if ticket.nil? raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'Building a AP-REQ without ticket not supported' end enc_authenticator = Rex::Proto::Kerberos::Model::EncryptedData.new( etype: session_key.type, cipher: authenticator.encrypt(session_key.type, session_key.value) ) ap_req = Rex::Proto::Kerberos::Model::ApReq.new( pvno: pvno, msg_type: msg_type, options: , ticket: ticket, authenticator: enc_authenticator ) ap_req end |
#build_authenticator(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Authenticator
Builds a kerberos authenticator for a TGS request
176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 176 def build_authenticator(opts = {}) cname = opts.fetch(:cname) { build_client_name(opts) } realm = opts.fetch(:realm) { '' } ctime = opts.fetch(:ctime) { Time.now.utc } cusec = opts.fetch(:cusec) { ctime&.usec || 0 } sequence_number = opts.fetch(:sequence_number) { rand(1 << 32) } checksum = opts.fetch(:checksum) { build_tgs_body_checksum(opts) } subkey = opts.fetch(:subkey) { build_subkey(opts) } authenticator_enc_key_usage = opts.fetch(:authenticator_enc_key_usage) do Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR end authenticator = Rex::Proto::Kerberos::Model::Authenticator.new( vno: 5, crealm: realm, cname: cname, checksum: checksum, cusec: cusec, ctime: ctime, subkey: subkey, enc_key_usage: authenticator_enc_key_usage, sequence_number: sequence_number ) authenticator end |
#build_enc_auth_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptedData
Builds the encrypted TGS authorization data
97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 97 def build_enc_auth_data(opts = {}) auth_data = opts[:auth_data] if auth_data.nil? raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'auth_data option required on #build_enc_auth_data' end subkey = opts[:subkey] || build_subkey(opts) encrypted = auth_data.encrypt(subkey.type, subkey.value) e_data = Rex::Proto::Kerberos::Model::EncryptedData.new( etype: subkey.type, cipher: encrypted ) e_data end |
#build_pa_for_user(opts = {}) ⇒ Rex::Proto::Kerberos::Model::PreAuthDataEntry
Builds a Kerberos PA-FOR-USER pa-data
300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 300 def build_pa_for_user(opts = {}) auth_package = 'Kerberos'.b checksum_data = [Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL].pack('I<') checksum_data << opts[:username].b checksum_data << opts[:realm].b checksum_data << auth_package checksummer = Rex::Proto::Kerberos::Crypto::Checksum.from_checksum_type( Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5 ) checksum = Rex::Proto::Kerberos::Model::Checksum.new checksum.type = Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5 checksum.checksum = checksummer.checksum( opts[:session_key].value, Rex::Proto::Kerberos::Crypto::KeyUsage::KERB_NON_KERB_CKSUM_SALT, checksum_data ) pa_for_user = Rex::Proto::Kerberos::Model::PreAuthForUser.new pa_for_user.user_name = Rex::Proto::Kerberos::Model::PrincipalName.new( name_type: Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL, name_string: [ opts[:username] ] ) pa_for_user.user_realm = opts[:realm] pa_for_user.cksum = checksum pa_for_user.auth_package = auth_package Rex::Proto::Kerberos::Model::PreAuthDataEntry.new( type: Rex::Proto::Kerberos::Model::PreAuthType::PA_FOR_USER, value: pa_for_user.encode ) end |
#build_subkey(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey
Builds an encryption key to protect the data sent in the TGS request.
210 211 212 213 214 215 216 217 218 219 220 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 210 def build_subkey(opts={}) subkey_type = opts.fetch(:subkey_type) { Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType } subkey_value = opts.fetch(:subkey_value) { Rex::Proto::Kerberos::Crypto::Encryption::from_etype(subkey_type).string_to_key(Rex::Text.rand_text_alphanumeric(16), '') } subkey = Rex::Proto::Kerberos::Model::EncryptionKey.new( type: subkey_type, value: subkey_value ) subkey end |
#build_tgs_body_checksum(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Checksum
Builds a Kerberos TGS Request body checksum
276 277 278 279 280 281 282 283 284 285 286 287 288 289 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 276 def build_tgs_body_checksum(opts = {}) body = opts.fetch(:body) { build_tgs_request_body(opts) } checksum_type = Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5 key = nil cksum_key_usage = opts.fetch(:cksum_key_usage) checksum_body = body.checksum(checksum_type, key, cksum_key_usage) checksum = Rex::Proto::Kerberos::Model::Checksum.new( type: checksum_type, checksum: checksum_body ) checksum end |
#build_tgs_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest
Builds the encrypted Kerberos TGS request
28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 28 def build_tgs_request(opts = {}) subkey = opts.fetch(:subkey) { build_subkey(opts) } if opts[:enc_auth_data] enc_auth_data = opts[:enc_auth_data] elsif opts[:auth_data] enc_auth_data = build_enc_auth_data( auth_data: opts[:auth_data], subkey: subkey ) else enc_auth_data = nil end body = opts.fetch(:body) do build_tgs_request_body(opts.merge( enc_auth_data: enc_auth_data )) end checksum = opts.fetch(:checksum) do build_tgs_body_checksum(body: body, session_key: opts[:session_key], cksum_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR_CHKSUM) end authenticator = opts.fetch(:authenticator) do build_authenticator(opts.merge( subkey: subkey, checksum: checksum, body: body, authenticator_enc_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR )) end ap_req = opts.fetch(:ap_req) { build_ap_req(opts.merge(authenticator: authenticator)) } pa_ap_req = Rex::Proto::Kerberos::Model::PreAuthDataEntry.new( type: Rex::Proto::Kerberos::Model::PreAuthType::PA_TGS_REQ, value: ap_req.encode ) pa_data = [] pa_data.push(pa_ap_req) if opts[:pa_data] opts[:pa_data].each { |pa| pa_data.push(pa) } end request = Rex::Proto::Kerberos::Model::KdcRequest.new( pvno: 5, msg_type: Rex::Proto::Kerberos::Model::TGS_REQ, pa_data: pa_data, req_body: body ) request end |
#build_tgs_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody
Builds a kerberos TGS request body
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 |
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 239 def build_tgs_request_body(opts = {}) = opts.fetch(:options) { 0x50800000 } # Forwardable, Proxiable, Renewable from = opts.fetch(:from) { Time.at(0).utc } till = opts.fetch(:till) { Time.at(0).utc } rtime = opts.fetch(:rtime) { Time.at(0).utc } nonce = opts.fetch(:nonce) { Rex::Text.rand_text_numeric(6).to_i } etype = opts.fetch(:etype) { [Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType] } cname = opts.fetch(:cname) { build_client_name(opts) } realm = opts.fetch(:realm) { '' } sname = opts.fetch(:sname) { build_server_name(opts) } enc_auth_data = opts[:enc_auth_data] || nil additional_tickets = opts[:additional_tickets] || nil body = Rex::Proto::Kerberos::Model::KdcRequestBody.new( options: , cname: cname, realm: realm, sname: sname, from: from, till: till, rtime: rtime, nonce: nonce, etype: etype, enc_auth_data: enc_auth_data, additional_tickets: additional_tickets ) body end |