Module: Msf::Exploit::Remote::Kerberos::Client::TgsRequest

Included in:
Msf::Exploit::Remote::Kerberos::Client
Defined in:
lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb

Instance Method Summary collapse

Instance Method Details

#build_ap_req(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Builds a KRB_AP_REQ message



130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 130

def build_ap_req(opts = {})
  pvno = opts.fetch(:pvno) { Rex::Proto::Kerberos::Model::VERSION }
  msg_type = opts.fetch(:msg_type) { Rex::Proto::Kerberos::Model::AP_REQ }
  options = opts.fetch(:ap_req_options) { 0 }
  ticket = opts[:ticket]
  authenticator = opts.fetch(:authenticator) do
    build_authenticator(opts.merge(
      authenticator_enc_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::AP_REQ_AUTHENTICATOR
    ))
  end
  session_key = opts.fetch(:session_key) { build_subkey(opts) }

  if ticket.nil?
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'Building a AP-REQ without ticket not supported'
  end

  enc_authenticator = Rex::Proto::Kerberos::Model::EncryptedData.new(
    etype: session_key.type,
    cipher: authenticator.encrypt(session_key.type, session_key.value)
  )

  ap_req = Rex::Proto::Kerberos::Model::ApReq.new(
    pvno: pvno,
    msg_type: msg_type,
    options: options,
    ticket: ticket,
    authenticator: enc_authenticator
  )

  ap_req
end

#build_authenticator(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Authenticator

Builds a kerberos authenticator for a TGS request



176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 176

def build_authenticator(opts = {})
  cname = opts.fetch(:cname) { build_client_name(opts) }
  realm = opts.fetch(:realm) { '' }
  ctime = opts.fetch(:ctime) { Time.now.utc }
  cusec = opts.fetch(:cusec) { ctime&.usec || 0 }
  sequence_number = opts.fetch(:sequence_number) { rand(1 << 32) }
  checksum = opts.fetch(:checksum) { build_tgs_body_checksum(opts) }
  subkey = opts.fetch(:subkey) { build_subkey(opts) }
  authenticator_enc_key_usage = opts.fetch(:authenticator_enc_key_usage) do
    Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
  end

  authenticator = Rex::Proto::Kerberos::Model::Authenticator.new(
    vno: 5,
    crealm: realm,
    cname: cname,
    checksum: checksum,
    cusec: cusec,
    ctime: ctime,
    subkey: subkey,
    enc_key_usage: authenticator_enc_key_usage,
    sequence_number: sequence_number
  )

  authenticator
end

#build_enc_auth_data(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptedData

Builds the encrypted TGS authorization data



97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 97

def build_enc_auth_data(opts = {})
  auth_data = opts[:auth_data]

  if auth_data.nil?
    raise ::Rex::Proto::Kerberos::Model::Error::KerberosError, 'auth_data option required on #build_enc_auth_data'
  end

  subkey = opts[:subkey] || build_subkey(opts)

  encrypted = auth_data.encrypt(subkey.type, subkey.value)

  e_data = Rex::Proto::Kerberos::Model::EncryptedData.new(
    etype: subkey.type,
    cipher: encrypted
  )

  e_data
end

#build_pa_for_user(opts = {}) ⇒ Rex::Proto::Kerberos::Model::PreAuthDataEntry

Builds a Kerberos PA-FOR-USER pa-data

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :username (String)

    The name of the user on whose behalf the service requests the service ticket

  • :realm (String)

    The realm in which the user account is located

  • :session_key (Rex::Proto::Kerberos::Model::EncryptionKey)

    The session key of the TGT

Returns:

See Also:



300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 300

def build_pa_for_user(opts = {})
  auth_package = 'Kerberos'.b

  checksum_data = [Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL].pack('I<')
  checksum_data << opts[:username].b
  checksum_data << opts[:realm].b
  checksum_data << auth_package

  checksummer = Rex::Proto::Kerberos::Crypto::Checksum.from_checksum_type(
    Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5
  )
  checksum = Rex::Proto::Kerberos::Model::Checksum.new
  checksum.type = Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5
  checksum.checksum = checksummer.checksum(
    opts[:session_key].value,
    Rex::Proto::Kerberos::Crypto::KeyUsage::KERB_NON_KERB_CKSUM_SALT,
    checksum_data
  )

  pa_for_user = Rex::Proto::Kerberos::Model::PreAuthForUser.new
  pa_for_user.user_name = Rex::Proto::Kerberos::Model::PrincipalName.new(
    name_type: Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL,
    name_string: [ opts[:username] ]
  )
  pa_for_user.user_realm = opts[:realm]
  pa_for_user.cksum = checksum
  pa_for_user.auth_package = auth_package

  Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
    type: Rex::Proto::Kerberos::Model::PreAuthType::PA_FOR_USER,
    value: pa_for_user.encode
  )
end

#build_subkey(opts = {}) ⇒ Rex::Proto::Kerberos::Model::EncryptionKey

Builds an encryption key to protect the data sent in the TGS request.

Parameters:

  • opts (Hash{Symbol => <Integer, String>}) (defaults to: {})

Options Hash (opts):

  • :subkey_type (Integer)
  • :subkey_value (String)

Returns:

See Also:



210
211
212
213
214
215
216
217
218
219
220
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 210

def build_subkey(opts={})
  subkey_type = opts.fetch(:subkey_type) { Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType }
  subkey_value = opts.fetch(:subkey_value) { Rex::Proto::Kerberos::Crypto::Encryption::from_etype(subkey_type).string_to_key(Rex::Text.rand_text_alphanumeric(16), '') }

  subkey = Rex::Proto::Kerberos::Model::EncryptionKey.new(
    type: subkey_type,
    value: subkey_value
  )

  subkey
end

#build_tgs_body_checksum(opts = {}) ⇒ Rex::Proto::Kerberos::Model::Checksum

Builds a Kerberos TGS Request body checksum



276
277
278
279
280
281
282
283
284
285
286
287
288
289
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 276

def build_tgs_body_checksum(opts = {})
  body = opts.fetch(:body) { build_tgs_request_body(opts) }
  checksum_type = Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
  key = nil
  cksum_key_usage = opts.fetch(:cksum_key_usage)

  checksum_body = body.checksum(checksum_type, key, cksum_key_usage)
  checksum = Rex::Proto::Kerberos::Model::Checksum.new(
    type: checksum_type,
    checksum: checksum_body
  )

  checksum
end

#build_tgs_request(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequest

Builds the encrypted Kerberos TGS request



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 28

def build_tgs_request(opts = {})
  subkey = opts.fetch(:subkey) { build_subkey(opts) }

  if opts[:enc_auth_data]
    enc_auth_data = opts[:enc_auth_data]
  elsif opts[:auth_data]
    enc_auth_data = build_enc_auth_data(
      auth_data: opts[:auth_data],
      subkey: subkey
    )
  else
    enc_auth_data = nil
  end

  body = opts.fetch(:body) do
    build_tgs_request_body(opts.merge(
      enc_auth_data: enc_auth_data
    ))
  end

  checksum = opts.fetch(:checksum) do

    build_tgs_body_checksum(body: body,
                            session_key: opts[:session_key],
                            cksum_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR_CHKSUM)
  end

  authenticator = opts.fetch(:authenticator) do
    build_authenticator(opts.merge(
      subkey: subkey,
      checksum: checksum,
      body: body,
      authenticator_enc_key_usage: Rex::Proto::Kerberos::Crypto::KeyUsage::TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
    ))
  end

  ap_req = opts.fetch(:ap_req) { build_ap_req(opts.merge(authenticator: authenticator)) }

  pa_ap_req = Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(
    type: Rex::Proto::Kerberos::Model::PreAuthType::PA_TGS_REQ,
    value: ap_req.encode
  )

  pa_data = []
  pa_data.push(pa_ap_req)
  if opts[:pa_data]
    opts[:pa_data].each { |pa| pa_data.push(pa) }
  end

  request = Rex::Proto::Kerberos::Model::KdcRequest.new(
    pvno: 5,
    msg_type: Rex::Proto::Kerberos::Model::TGS_REQ,
    pa_data: pa_data,
    req_body: body
  )

  request
end

#build_tgs_request_body(opts = {}) ⇒ Rex::Proto::Kerberos::Model::KdcRequestBody

Builds a kerberos TGS request body

Parameters:

Options Hash (opts):

Returns:

See Also:



239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
# File 'lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb', line 239

def build_tgs_request_body(opts = {})
  options = opts.fetch(:options) { 0x50800000 } # Forwardable, Proxiable, Renewable
  from = opts.fetch(:from) { Time.at(0).utc }
  till = opts.fetch(:till) { Time.at(0).utc }
  rtime = opts.fetch(:rtime) { Time.at(0).utc }
  nonce = opts.fetch(:nonce) { Rex::Text.rand_text_numeric(6).to_i }
  etype = opts.fetch(:etype) { [Rex::Proto::Kerberos::Crypto::Encryption::DefaultEncryptionType] }
  cname = opts.fetch(:cname) { build_client_name(opts) }
  realm = opts.fetch(:realm) { '' }
  sname = opts.fetch(:sname) { build_server_name(opts) }
  enc_auth_data = opts[:enc_auth_data] || nil
  additional_tickets = opts[:additional_tickets] || nil

  body = Rex::Proto::Kerberos::Model::KdcRequestBody.new(
    options: options,
    cname: cname,
    realm: realm,
    sname: sname,
    from: from,
    till: till,
    rtime: rtime,
    nonce: nonce,
    etype: etype,
    enc_auth_data: enc_auth_data,
    additional_tickets: additional_tickets
  )

  body
end