
Merge 6.2.31 into kerberos feature branch #17379

Conversation

adfoster-r7
Contributor

@adfoster-r7 adfoster-r7 commented Dec 13, 2022

Merging Metasploit 6.2.31 into the kerberos feature branch. This is useful in preparation to releasing 6.3.0, as well as gaining access to

Verification

Verify the ldap_query, windows/smb/psexec, smb_login (#17175) - similar to #17079

krastanoel and others added 30 commits November 8, 2022 14:14
Fix crash when generating payload sizes
- combine gitea_version into get_gitea_version for the check method
- validate empty username
- move cleanup process to its own method and handle the response
- remove timeout and http delay option
- adjust target type location as code review suggestion
- move repository migration to execute_command.
NOTE: the stageless payload is still unsuccessful but keep this anyway for christophe to review.
- handle cleanup method on manual `check`
- adjust targets flavour option
- add :win_dropper target and handle the payload delivery
NOTE: the Windows dropper target is still unsuccessful but keep this for further review
The address is returned in the packed format so it's always a string of
either length 0 (resolution failed), length 4 (IPv4) or length 16
(IPv6).

Anything else is invalid and will actually cause Rex::Socket.addr_ntoa
to throw an error. All meterpreters today return the IP address in one
of those three correct lengths.
…_39144.rb


Agreed!

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
adfoster-r7 and others added 22 commits December 12, 2022 17:19
Store service credentials in the database
specifically, the exploit will now search
for com.acronis.helpertool in addition to the
2020 helper tool name. This also updates the
check() method to return CheckCode::Detected
for when we find the vulnerable service but
can't detect the build number
Remove unnecessary sleep in several bypassuac modules
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
@adfoster-r7 adfoster-r7 changed the base branch from master to feature-kerberos-authentication December 13, 2022 19:45
@cgranleese-r7 cgranleese-r7 self-assigned this Dec 14, 2022
@cgranleese-r7
Contributor

Everything seems to be working as expected 👍

windows/smb/psexec

Command:

run rhosts=192.168.175.135 smbuser=Administrator smbpass=Password1 smbauth=kerberos smbrhostname=dc1.vb.local domaincontrollerrhost=192.168.175.135 smbdomain=vb.local


scanner/smb/smb_login

Command:

run rhosts=192.168.175.135 smbuser=Administrator smbpass=Password1 smbauth=kerberos smbrhostname=dc1.vb.local domaincontrollerrhost=192.168.175.135 smbdomain=vb.local


gather/ldap_query

Command:

enum_accounts rhosts=192.168.175.135 username=Administrator password=Password1 ldapauth=kerberos ldaprhostname=dc1.vb.local domaincontrollerrhost=192.168.175.135 domain=vb.local


Full command output
msf6 auxiliary(gather/ldap_query) > enum_accounts rhosts=192.168.175.135 username=Administrator password=Password1 ldapauth=kerberos ldaprhostname=dc1.vb.local domaincontrollerrhost=192.168.175.135 domain=vb.local
[*] Running module against 192.168.175.135

[*] 192.168.175.135:88 - Using cached credential for krbtgt/VB.LOCAL@VB.LOCAL Administrator@VB.LOCAL
[+] 192.168.175.135:88 - Received a valid TGS-Response
[*] 192.168.175.135:88 - TGS MIT Credential Cache saved to /Users/cgranleese/.msf4/loot/20221214132010_default_192.168.175.135_mit.kerberos.cca_522639.bin
[+] 192.168.175.135:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 192.168.175.135:389 Discovered base DN: DC=vb,DC=local
CN=Administrator CN=Users DC=vb DC=local
========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2022-12-14 13:19:31 UTC
 logoncount          79
 memberof            CN=Group Policy Creator Owners,CN=Users,DC=vb,DC=local || CN=Domain Admins,CN=Users,DC=vb,DC=local || CN=Enterprise Admins,CN=Users,DC=vb,DC=local || CN=Schema Admins
                     ,CN=Users,DC=vb,DC=local || CN=Administrators,CN=Builtin,DC=vb,DC=local
 name                Administrator
 pwdlastset          133077245773368214
 samaccountname      Administrator
 useraccountcontrol  66048

CN=Guest CN=Users DC=vb DC=local
================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for guest access to the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           1601-01-01 00:00:00 UTC
 logoncount          0
 memberof            CN=Guests,CN=Builtin,DC=vb,DC=local
 name                Guest
 pwdlastset          0
 samaccountname      Guest
 useraccountcontrol  66082

CN=foo CN=Users DC=vb DC=local
==============================

 Name                Attributes
 ----                ----------
 badpwdcount         4
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2022-09-20 13:02:55 UTC
 logoncount          18
 memberof            CN=Users,CN=Builtin,DC=vb,DC=local || CN=Administrators,CN=Builtin,DC=vb,DC=local
 name                foo
 pwdlastset          133077244197159106
 samaccountname      foo
 useraccountcontrol  544

CN=DC1 OU=Domain Controllers DC=vb DC=local
===========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2022-12-14 13:13:30 UTC
 logoncount          279
 name                DC1
 pwdlastset          133139135796977432
 samaccountname      DC1$
 useraccountcontrol  532480

CN=krbtgt CN=Users DC=vb DC=local
=================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Key Distribution Center Service Account
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           1601-01-01 00:00:00 UTC
 logoncount          0
 memberof            CN=Denied RODC Password Replication Group,CN=Users,DC=vb,DC=local
 name                krbtgt
 pwdlastset          133077251997412893
 samaccountname      krbtgt
 useraccountcontrol  514

CN=Joe Bloggs OU=Users OU=UK DC=vb DC=local
===========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 displayname         Joe Bloggs
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           1601-01-01 00:00:00 UTC
 logoncount          0
 memberof            CN=Production,OU=Groups,OU=UK,DC=vb,DC=local
 name                Joe Bloggs
 pwdlastset          0
 samaccountname      j.bloggs
 useraccountcontrol  512
 userprincipalname   j.bloggs@vb.local

CN=wîth.dìáçriticš OU=Users OU=UK DC=vb DC=local
================================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 displayname         w\xc3\xaeth.d\xc3\xac\xc3\xa1\xc3\xa7ritic\xc5\xa1
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           1601-01-01 00:00:00 UTC
 logoncount          0
 memberof            CN=Production,OU=Groups,OU=UK,DC=vb,DC=local
 name                w\xc3\xaeth.d\xc3\xac\xc3\xa1\xc3\xa7ritic\xc5\xa1
 pwdlastset          0
 samaccountname      w\xc3\xaeth.d\xc3\xac\xc3\xa1\xc3\xa7ritic\xc5\xa1
 useraccountcontrol  512
 userprincipalname   w\xc3\xaeth.d\xc3\xac\xc3\xa1\xc3\xa7ritic\xc5\xa1@vb.local

[*] Auxiliary module execution completed

scanner/winrm/winrm_login

Command:

run rhosts=192.168.175.135 username=Administrator password=Password1 winrmauth=kerberos winrmrhostname=dc1.vb.local domaincontrollerrhost=192.168.175.135 domain=vb.local

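
The enum_accounts output above lists useraccountcontrol and pwdlastset as raw integers. The following is an added Python example (not part of this PR or of Metasploit) that decodes those values for the accounts shown: flag names from the userAccountControl bitmask, pwdlastset from Windows FILETIME to UTC, and a short list of flags worth a second look during review.

```python
from datetime import datetime, timedelta, timezone
# Subset of documented userAccountControl bits (MS-ADTS); enough for the accounts above.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# Flags worth calling out in a review: each weakens password or Kerberos hygiene.
RISKY_FLAGS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "TRUSTED_FOR_DELEGATION",
               "DONT_REQ_PREAUTH", "TRUSTED_TO_AUTH_FOR_DELEGATION"}
# pwdlastset is a Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_utc(ticks):
    """Convert a FILETIME integer to an aware datetime; 0 means the password was never set."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def review_accounts(accounts):
    """Summarise (samaccountname, useraccountcontrol, pwdlastset) triples for review."""
    report = {}
    for sam, uac, pls in accounts:
        flags = decode_uac(uac)
        report[sam] = {
            "flags": flags,
            "disabled": "ACCOUNTDISABLE" in flags,
            "pwdlastset": filetime_to_utc(pls),
            "risky": [f for f in flags if f in RISKY_FLAGS],
        }
    return report

# Values copied from the enum_accounts output above (krbtgt and DC1$ included).
SAMPLE_ACCOUNTS = [("Administrator", 66048, 133077245773368214), ("Guest", 66082, 0),
                   ("foo", 544, 133077244197159106), ("DC1$", 532480, 133139135796977432),
                   ("krbtgt", 514, 133077251997412893), ("j.bloggs", 512, 0)]

if __name__ == "__main__":
    for sam, info in review_accounts(SAMPLE_ACCOUNTS).items():
        when = info["pwdlastset"].strftime("%Y-%m-%d %H:%M:%S UTC") if info["pwdlastset"] else "never"
        print(f"{sam:14} disabled={info['disabled']!s:5} pwdlastset={when:24} risky={info['risky']}")
```

TRUSTED_FOR_DELEGATION on DC1$ is expected for a domain controller; the same flag on a member server or user account is what a reviewer would want explained.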

@cgranleese-r7 cgranleese-r7 added rn-no-release-notes no release notes feature-kerberos-authentication Adds Kerberos Authentication support to framework labels Dec 14, 2022
@cgranleese-r7 cgranleese-r7 merged commit 7face44 into rapid7:feature-kerberos-authentication Dec 14, 2022