Module: Msf::Exploit::Remote::Kerberos::Ticket::Storage::WriteMixin

Included in:

ReadWrite, WriteOnly

Defined in:

lib/msf/core/exploit/remote/kerberos/ticket/storage/write_mixin.rb

Overview

A mixin providing the ability to store new and delete existing tickets.

Instance Method Summary

• #activate_ccache(ids:) ⇒ Array<StoredTicket>

  Mark ccache(s) as active.

• #deactivate_ccache(ids:) ⇒ Array<StoredTicket>

  Mark ccache(s) as inactive.

• #delete_tickets(options = {}) ⇒ Array<StoredTicket>

  Delete tickets matching the options query.

• #store_ccache(ccache, options = {}) ⇒ Hash

  Store the specified object.

Instance Method Details

#activate_ccache(ids:) ⇒ Array<StoredTicket>

Mark ccache(s) as active

Parameters:

• ids (Array<Integer>) —

  The list of ccache IDs.

Returns:

• (Array<StoredTicket>)

# File 'lib/msf/core/exploit/remote/kerberos/ticket/storage/write_mixin.rb', line 50

def activate_ccache(ids:)
  set_ccache_status(ids: ids, status: 'active')
end

#deactivate_ccache(ids:) ⇒ Array<StoredTicket>

Mark ccache(s) as inactive

Parameters:

• ids (Array<Integer>) —

  The list of ccache IDs.

Returns:

• (Array<StoredTicket>)

# File 'lib/msf/core/exploit/remote/kerberos/ticket/storage/write_mixin.rb', line 45

def deactivate_ccache(ids:)
  set_ccache_status(ids: ids, status: 'inactive')
end

#delete_tickets(options = {}) ⇒ Array<StoredTicket>

Delete tickets matching the options query.

Parameters:

• options (Hash) (defaults to: {}) —

  See the options hash description in #tickets.

Options Hash (options):

• :ids (Array<Integer>) —

  The identifiers of the tickets to delete (optional)

Returns:

• (Array<StoredTicket>)

# File 'lib/msf/core/exploit/remote/kerberos/ticket/storage/write_mixin.rb', line 5

def delete_tickets(options = {})
  if options.keys == [:ids]
    # skip calling #objects which issues a query when the IDs are specified
    ids = options[:ids]
  else
    ids = objects(options).map(&:id)
  end

  framework.db.delete_loot(ids: ids).map do |stored_loot|
    StoredTicket.new(stored_loot)
  end
end

#store_ccache(ccache, options = {}) ⇒ Hash

Store the specified object.

Parameters:

• ccache (Rex::Proto::Kerberos::CredentialCache::Krb5Ccache) —

  The credential cache object to store.

• options (Hash) (defaults to: {}) —

  The information associated with the stored object. See the options hash description in #tickets.

Returns:

• (Hash) —

  • :path [String] The path to the persisted ccache file if successful

# File 'lib/msf/core/exploit/remote/kerberos/ticket/storage/write_mixin.rb', line 19

def store_ccache(ccache, options = {})
  realm = options.fetch(:realm) { ccache.default_principal.realm }
  # use #components.to_a.join('/') to omit the realm that #to_s includes
  client = options.fetch(:client) { ccache.credentials.first&.client&.components.to_a.join('/') }
  server = options.fetch(:server) { ccache.credentials.first&.server&.components.to_a.join('/') }
  info = generate_info_string(realm: realm, client: client, server: server)
  loot = nil
  path = store_loot('mit.kerberos.ccache', 'application/octet-stream', options[:host], ccache.encode, nil, info) do |mdm_loot|
    loot = mdm_loot
  end
  message = ''
  if @framework_module.respond_to?(:peer) && @framework_module.peer.present? && @framework_module.peer != ':'
    message << "#{@framework_module.peer} - "
  end
  if server && server.to_s.downcase.start_with?('krbtgt/')
    message << 'TGT '
  else
    message << 'TGS '
  end
  message << "MIT Credential Cache ticket saved to #{path}"
  print_status(message)

  { path: path, loot: loot }
end