Only retrieve cached credentials that match the requested KrbOfferedEncryptionTypes #19553
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smcintyre-r7
approved these changes
Oct 28, 2024
There was a problem hiding this comment.
These changes all look good to me, I don't have anything to request. Thanks for fixing this.
In the testing excerpt below we can see the different etypes for the different services based on the KrbOfferedEncryptionTypes value at the time the module was run.
metasploit-framework.pr (S:0 J:0) exploit(windows/smb/psexec) > klist
Kerberos Cache
==============
id host principal sname enctype issued status path
-- ---- --------- ----- ------- ------ ------ ----
12 192.168.159.10 [email protected] krbtgt/[email protected] AES256 2024-10-28 09:31:29 -0400 active /home/smcintyre/.msf4/loot/20241028093138_default_192.168.159.10_mit.kerberos.cca_928033.bin
13 192.168.159.10 [email protected] ldap/[email protected] AES256 2024-10-28 09:31:31 -0400 active /home/smcintyre/.msf4/loot/20241028093139_default_192.168.159.10_mit.kerberos.cca_876006.bin
14 192.168.159.10 [email protected] krbtgt/[email protected] AES128 2024-10-28 09:38:14 -0400 active /home/smcintyre/.msf4/loot/20241028093822_default_192.168.159.10_mit.kerberos.cca_707300.bin
15 192.168.159.10 [email protected] ldap/[email protected] AES128 2024-10-28 09:38:14 -0400 active /home/smcintyre/.msf4/loot/20241028093822_default_192.168.159.10_mit.kerberos.cca_264850.bin
16 192.168.159.10 [email protected] krbtgt/[email protected] RC4_HMAC 2024-10-28 09:43:36 -0400 active /home/smcintyre/.msf4/loot/20241028094344_default_192.168.159.10_mit.kerberos.cca_373841.bin
17 192.168.159.10 [email protected] cifs/[email protected] RC4_HMAC 2024-10-28 09:43:36 -0400 active /home/smcintyre/.msf4/loot/20241028094344_default_192.168.159.10_mit.kerberos.cca_252513.bin
metasploit-framework.pr (S:0 J:0) exploit(windows/smb/psexec) > set SMB::KrbOfferedEncryptionTypes AES128
SMB::KrbOfferedEncryptionTypes => AES128
metasploit-framework.pr (S:0 J:0) exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|msflab.local as user 'smcintyre'...
[*] 192.168.159.10:445 - Using cached credential for krbtgt/[email protected] [email protected]
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20241028094443_default_192.168.159.10_mit.kerberos.cca_629682.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid delegation TGS-Response
[*] 192.168.159.10:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.159.10:445 - PowerShell found
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Powershell command length: 4362
[*] 192.168.159.10:445 - Executing the payload...
[*] 192.168.159.10:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.159.10[\svcctl] ...
[*] 192.168.159.10:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.159.10[\svcctl] ...
[*] 192.168.159.10:445 - Obtaining a service manager handle...
[*] 192.168.159.10:445 - Creating the service...
[+] 192.168.159.10:445 - Successfully created the service
[*] 192.168.159.10:445 - Starting the service...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.159.10:445 - Removing the service...
[+] 192.168.159.10:445 - Successfully removed the service
[*] 192.168.159.10:445 - Closing service handle...
[*] Sending stage (176198 bytes) to 192.168.250.59
[*] Meterpreter session 4 opened (192.168.250.134:4444 -> 192.168.250.59:58874) at 2024-10-28 09:44:44 -0400
meterpreter > exit
[*] Shutting down session: 4
[*] 192.168.159.10 - Meterpreter session 4 closed. Reason: User exit
metasploit-framework.pr (S:0 J:0) exploit(windows/smb/psexec) > klist
Kerberos Cache
==============
id host principal sname enctype issued status path
-- ---- --------- ----- ------- ------ ------ ----
12 192.168.159.10 [email protected] krbtgt/[email protected] AES256 2024-10-28 09:31:29 -0400 active /home/smcintyre/.msf4/loot/20241028093138_default_192.168.159.10_mit.kerberos.cca_928033.bin
13 192.168.159.10 [email protected] ldap/[email protected] AES256 2024-10-28 09:31:31 -0400 active /home/smcintyre/.msf4/loot/20241028093139_default_192.168.159.10_mit.kerberos.cca_876006.bin
14 192.168.159.10 [email protected] krbtgt/[email protected] AES128 2024-10-28 09:38:14 -0400 active /home/smcintyre/.msf4/loot/20241028093822_default_192.168.159.10_mit.kerberos.cca_707300.bin
15 192.168.159.10 [email protected] ldap/[email protected] AES128 2024-10-28 09:38:14 -0400 active /home/smcintyre/.msf4/loot/20241028093822_default_192.168.159.10_mit.kerberos.cca_264850.bin
16 192.168.159.10 [email protected] krbtgt/[email protected] RC4_HMAC 2024-10-28 09:43:36 -0400 active /home/smcintyre/.msf4/loot/20241028094344_default_192.168.159.10_mit.kerberos.cca_373841.bin
17 192.168.159.10 [email protected] cifs/[email protected] RC4_HMAC 2024-10-28 09:43:36 -0400 active /home/smcintyre/.msf4/loot/20241028094344_default_192.168.159.10_mit.kerberos.cca_252513.bin
18 192.168.159.10 [email protected] cifs/[email protected] AES128 2024-10-28 09:44:35 -0400 active /home/smcintyre/.msf4/loot/20241028094443_default_192.168.159.10_mit.kerberos.cca_629682.bin
metasploit-framework.pr (S:0 J:0) exploit(windows/smb/psexec) >
Release NotesThis fixes a bug in modules that use Kerberos authentication where when the |
adfoster-r7
reviewed
Nov 5, 2024
| end | ||
| end | ||
| end | ||
| else | ||
| return ticket.ccache.credentials.first |
There was a problem hiding this comment.
Looks like there's a bug here; ticket is no longer in scope
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This resolves #19126. When specifying a particular
KrbOfferedEncryptionTypesvalue, the MSF Kerberos cache now respects the value.Verification
To check this, run any kerberos-supported module. Validate that:
klistcommand still works as normal (it now shows the etype of the cached cred)KrbOfferedEncryptionTypesis set to a specific value, the selection from the cache respects this. You can tell by observing the "Using cached credential" message; but it may also be worth observing directly in Wireshark.KrbOfferedEncryptionTypes, it is used.KrbOfferedEncryptionTypesvalues, MSF goes through the Kerberos procedure...KrbOfferedEncryptionTypespreference (so ifKrbOfferedEncryptionTypesisAES256,RC4-HMAC, it will choose the AES one, and vice versa).