Only retrieve cached credentials that match the requested KrbOfferedEncryptionTypes

lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb

@@ -1036,7 +1036,8 @@ def get_cached_credential(options = {})
       host: options.fetch(:host) { rhost },
       client: options.fetch(:username) { self.username },
       server: options.fetch(:sname, nil),
-      realm: options.fetch(:realm) { self.realm }
+      realm: options.fetch(:realm) { self.realm },
+      offered_etypes: options.fetch(:offered_etypes) { self.offered_etypes }
     )
   end
 

lib/msf/core/exploit/remote/kerberos/ticket/storage/read_mixin.rb

@@ -6,9 +6,19 @@ def load_credential(options = {})
       return nil unless active_db?
 
       now = Time.now.utc
-      tickets(options) do |ticket|
-        next if ticket.expired?(now)
-
+      available_tickets = tickets(options).select do |ticket|
+        !ticket.expired?(now)
+      end
+      if options[:offered_etypes].present?
+        # Prefer etypes mentioned first
+        options[:offered_etypes].each do |etype|
+          available_tickets.each do |t|
+            if t.enctype == etype
+              return t.ccache.credentials.first
+            end
+          end
+        end
+      else
         return ticket.ccache.credentials.first
       end
 
@@ -17,10 +27,18 @@ def load_credential(options = {})
 
     # (see Base#tickets)
     def tickets(options = {}, &block)
-      objects(options).map do |stored_loot|
+      mapped = objects(options).map do |stored_loot|
         stored_ticket = StoredTicket.new(stored_loot)
-        block.call(stored_ticket) if block_given?
-        stored_ticket
+      end
+
+      mapped.select do |stored_ticket|
+        # If we were provided a set of etypes to look for, restrict to that
+        if options[:offered_etypes].nil? || options[:offered_etypes].include?(stored_ticket.enctype)
+          block.call(stored_ticket) if block_given?
+          true
+        else
+          false
+        end
       end
     end
   end

lib/msf/core/exploit/remote/kerberos/ticket/storage/stored_ticket.rb

@@ -34,6 +34,10 @@ def starttime
       credential.starttime
     end
 
+    def enctype
+      credential.keyblock.enctype
+    end
+
     # @return [Rex::Proto::Kerberos::CredentialCache::Krb5Ccache]
     def ccache
       @ccache ||= Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(loot.data)

lib/msf/ui/console/command_dispatcher/db/klist.rb

@@ -100,7 +100,7 @@ def cmd_klist(*args)
     else
       tbl = Rex::Text::Table.new(
         {
-          'Columns' => ['id', 'host', 'principal', 'sname', 'issued', 'status', 'path'],
+          'Columns' => ['id', 'host', 'principal', 'sname', 'enctype', 'issued', 'status', 'path'],
           'SortIndex' => -1,
           # For now, don't perform any word wrapping on the table as it breaks the workflow of
           # copying file paths and pasting them into applications
@@ -111,6 +111,7 @@ def cmd_klist(*args)
               ticket.host_address,
               ticket.principal,
               ticket.sname,
+              Rex::Proto::Kerberos::Crypto::Encryption.const_name(ticket.enctype),
               ticket.starttime,
               ticket_status(ticket),
               ticket.path