Module: Msf::Exploit::Remote::Kerberos::Client::AsRequest

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/remote/kerberos/client/as_request.rb

Instance Method Details

#build_as_pa_time_stamp(opts = {}) ⇒ Rex::Proto::Kerberos::Model::PreAuthDataEntry

Builds a Kerberos PA-ENC-TIMESTAMP pre-authentication structure

Parameters:

  • opts (Hash{Symbol => <Time, Integer, String>}) (defaults to: {})

Options Hash (opts):

  • :time_stamp (Time)
  • :pausec (Integer)
  • :etype (Integer)
  • :key (String)

Returns:

See Also:



# File 'lib/msf/core/exploit/remote/kerberos/client/as_request.rb', line 43

# Builds the PA-ENC-TIMESTAMP pre-authentication entry for an AS request.
#
# The timestamp and its microsecond part are wrapped in a
# PreAuthEncTimeStamp, encrypted with +:key+ under +:etype+, carried in an
# EncryptedData, and the encoded result becomes the value of a
# PreAuthDataEntry typed PA_ENC_TIMESTAMP.
#
# @param opts [Hash{Symbol => <Time, Integer, String>}]
# @option opts [Time] :time_stamp defaults to Time.now
# @option opts [Integer] :pausec defaults to the timestamp's usec, then 0
# @option opts [Integer] :etype defaults to
#   Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType
# @option opts [String] :key defaults to 16 random bytes
# @return [Rex::Proto::Kerberos::Model::PreAuthDataEntry]
def build_as_pa_time_stamp(opts = {})
  model = Rex::Proto::Kerberos::Model

  # `||` (not fetch) means an explicit nil/false option also takes the default.
  stamp_time = opts[:time_stamp] || Time.now
  # stamp_time can never be nil at this point, so no safe navigation is needed.
  micros = opts[:pausec] || stamp_time.usec || 0
  enc_type = opts[:etype] || Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType
  # NOTE(review): the fallback key is 16 random bytes, unrelated to any account
  # secret, so the resulting blob is presumably only a placeholder. Confirm that
  # callers pass :key whenever a verifiable pre-auth is required, and that
  # 16 bytes matches the key size expected by the selected etype.
  secret = opts[:key] || OpenSSL::Random.random_bytes(16)

  plain_stamp = model::PreAuthEncTimeStamp.new(pa_time_stamp: stamp_time, pausec: micros)
  sealed_stamp = model::EncryptedData.new(
    etype: enc_type,
    cipher: plain_stamp.encrypt(enc_type, secret)
  )

  model::PreAuthDataEntry.new(
    type: model::PreAuthType::PA_ENC_TIMESTAMP,
    value: sealed_stamp.encode
  )
end

#build_as_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest

Builds a Kerberos AS request

Parameters:

Options Hash (opts):

Returns:

See Also:



# File 'lib/msf/core/exploit/remote/kerberos/client/as_request.rb', line 18

# Builds a Kerberos AS request (KdcRequest with pvno 5 and msg_type AS_REQ).
#
# @param opts [Hash] also forwarded unchanged to the builders used as defaults
# @option opts [Object] :pa_data pre-authentication data; when absent (or
#   nil/false) it is produced by build_as_pa_time_stamp(opts)
# @option opts [Object] :body request body; when absent (or nil/false) it is
#   produced by build_as_request_body(opts)
# @return [Rex::Proto::Kerberos::Model::KdcRequest]
def build_as_request(opts = {})
  model = Rex::Proto::Kerberos::Model

  # NOTE(review): the pa_data fallback is whatever build_as_pa_time_stamp
  # returns (documented as a single PreAuthDataEntry); presumably KdcRequest
  # accepts that shape - confirm against the model.
  model::KdcRequest.new(
    pvno: 5,
    msg_type: model::AS_REQ,
    pa_data: opts[:pa_data] || build_as_pa_time_stamp(opts),
    req_body: opts[:body] || build_as_request_body(opts)
  )
end

#build_as_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody

Builds a Kerberos AS request body

Parameters:

Options Hash (opts):

Returns:

See Also:



# File 'lib/msf/core/exploit/remote/kerberos/client/as_request.rb', line 83

# Builds the body (KdcRequestBody) of a Kerberos AS request.
#
# Every field is read with Hash#fetch, so a key that is present keeps its
# value even when that value is nil; defaults apply only to missing keys.
#
# @param opts [Hash] also forwarded to build_client_name / build_server_name
#   when :cname / :sname are missing
# @option opts [Integer] :options KDC option flags, defaults to 0x50800000
# @option opts [Time] :from defaults to the Unix epoch (UTC)
# @option opts [Time] :till defaults to the Unix epoch (UTC)
# @option opts [Time] :rtime defaults to the Unix epoch (UTC)
# @option opts [Integer] :nonce defaults to a random value below 2**24
# @option opts [Object] :etype defaults to
#   Rex::Proto::Kerberos::Crypto::Encryption::DefaultOfferedEtypes
# @option opts [Object] :cname defaults to build_client_name(opts)
# @option opts [String] :realm defaults to ''
# @option opts [Object] :sname defaults to build_server_name(opts)
# @return [Rex::Proto::Kerberos::Model::KdcRequestBody]
def build_as_request_body(opts = {})
  # A proc (not a lambda) so it can ignore the key that fetch yields to it.
  epoch = proc { Time.at(0).utc }

  kdc_flags = opts.fetch(:options) { 0x50800000 } # Forwardable, Proxiable, Renewable
  valid_from = opts.fetch(:from, &epoch)
  valid_till = opts.fetch(:till, &epoch)
  renew_till = opts.fetch(:rtime, &epoch)
  # Kernel#rand is not a CSPRNG and the range is only 24 bits.
  # NOTE(review): adequate for matching a reply to its request; use a
  # cryptographic source if nonce unpredictability is ever relied upon.
  req_nonce = opts.fetch(:nonce) { rand(1 << 24) }
  offered = opts.fetch(:etype) { Rex::Proto::Kerberos::Crypto::Encryption::DefaultOfferedEtypes }
  client = opts.fetch(:cname) { build_client_name(opts) }
  realm_name = opts.fetch(:realm) { '' }
  server = opts.fetch(:sname) { build_server_name(opts) }

  Rex::Proto::Kerberos::Model::KdcRequestBody.new(
    options: kdc_flags,
    cname: client,
    realm: realm_name,
    sname: server,
    from: valid_from,
    till: valid_till,
    rtime: renew_till,
    nonce: req_nonce,
    etype: offered
  )
end