Add pkcs12 private data type #169
db/migrate/20221209005658_create_index_on_private_data_and_type_for_pkcs12.rb
def up | ||
# Drop the existing index created by 20161107153145_recreate_index_on_private_data_and_type.rb, and recreate it | ||
# with Metasploit::Credential::Pkcs12 ignored | ||
remove_index :metasploit_credential_privates, [:type, :data], if_exists: true |
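Review bot: the comment in `up` says the `[:type, :data]` index is dropped and recreated with `Metasploit::Credential::Pkcs12` ignored, but this excerpt only shows the `remove_index ... if_exists: true` half; make sure the matching `down` drops the new partial index and restores the plain `[:type, :data]` index from `20161107153145_recreate_index_on_private_data_and_type.rb`, otherwise a rollback leaves the table without the index that migration created. Note also that `if_exists: true` silently skips when the index is already absent, so a partially applied earlier run would not be surfaced here.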
cc @jmartin-r7 - I believe we synced up on this and we were happy with this approach.
Is this a PR that we could merge in ahead of time before going live with 6.3 to derisk things? Or do you think it would be safe enough to merge together with the Kerberos effort?
Need to do a scaling test but should be reasonable to land early.
With ~25k entries the migration takes no time at all:

```
-- remove_index(:metasploit_credential_privates, [:type, :data], {:if_exists=>true})
   -> 0.0080s
-- change_table(:metasploit_credential_privates)
   -> 0.5110s
-- remove_index(:metasploit_credential_privates, {:name=>:index_metasploit_credential_privates_on_type_and_data_pkcs12, :if_exists=>true})
   -> 0.0043s
```
That seems good to me to go ahead with, unless the creds number isn't high enough and we want a second verification with a larger number of creds.
Count:

```sql
select count(*) from metasploit_credential_privates;
-- 24665
```

Groupings:

```sql
select type, count(*) from metasploit_credential_privates group by type;
```

| type | count |
| --- | --- |
| Metasploit::Credential::NTLMHash | 12341 |
| Metasploit::Credential::KrbEncKey | 6168 |
| Metasploit::Credential::SSHKey | 6155 |
| Metasploit::Credential::Password | 1 |
Created with a quick rc file:

```
<ruby>
# Report one credential plus a login against a (randomly chosen) host and service,
# returning the credential core id when one was created.
def report_creds(
  user, hash, type: :ntlm_hash, jtr_format: '', realm_key: nil, realm_value: nil,
  rhost: nil, service_name: 'smb', rport: '445', myworkspace_id: nil, module_fullname: nil
)
  rhost ||= "192.168.#{rand(5..240)}.#{rand(5..240)}"
  service_data = {
    address: rhost,
    port: rport,
    service_name: service_name,
    protocol: 'tcp',
    workspace_id: myworkspace_id
  }
  credential_data = {
    module_fullname: module_fullname,
    origin_type: :service,
    private_data: hash,
    private_type: type,
    jtr_format: jtr_format,
    username: user
  }.merge(service_data)
  credential_data[:realm_key] = realm_key if realm_key
  credential_data[:realm_value] = realm_value if realm_value
  cl = framework.db.create_credential_and_login(credential_data)
  cl.respond_to?(:core_id) ? cl.core_id : nil
end

require 'securerandom'
myworkspace_id = framework.db.default_workspace.id
module_fullname = 'exploit/multi/http/gitlab_file_read_rce'

# Random hex string of char_len bytes (2 * char_len hex characters), used as fake hash/key material.
def rand_crypto(char_len)
  SecureRandom.hex(char_len)
end

(1..2500).each do |i|
  $stderr.puts "#{i}"
  # NTLM hash, no realm
  report_creds(
    "user_#{i}_without_realm",
    "aad3b435b51404eeaad3b435b51404ee:#{rand_crypto(16)}",
    type: :ntlm_hash, module_fullname: module_fullname, myworkspace_id: myworkspace_id
  )
  # NTLM hash with an Active Directory realm
  report_creds(
    "user#{i}_with_realm", "aad3b435b51404eeaad3b435b51404ee:#{rand_crypto(16)}",
    type: :ntlm_hash, module_fullname: module_fullname, myworkspace_id: myworkspace_id,
    realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, realm_value: 'example.local'
  )
  # Kerberos encryption key with realm
  krb_key = {
    enctype: Rex::Proto::Kerberos::Crypto::Encryption::AES256,
    salt: "DEMO.LOCALuser_#{i}_with_krbkey".b,
    key: rand_crypto(64)
  }
  report_creds(
    "user_#{i}_with_realm", Metasploit::Credential::KrbEncKey.build_data(**krb_key),
    type: :krb_enc_key, module_fullname: module_fullname, myworkspace_id: myworkspace_id,
    realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, realm_value: 'demo.local'
  )
  # SSH private key with realm, against an ssh service on 22
  ssh_key = OpenSSL::PKey::RSA.generate(1024).to_s
  report_creds(
    "user_#{i}_with_realm", ssh_key,
    type: :ssh_key, module_fullname: module_fullname, myworkspace_id: myworkspace_id,
    realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, realm_value: 'demo.local',
    rport: 22,
    service_name: 'ssh'
  )
end
</ruby>
```
… entries are already present when attempting a rollback
Adding support to metasploit-credential to persist pkcs12 files
Generating example pfx file:
Or with ruby:
ruby example.rb > user.pfx
Importing:
Viewing:
Exporting (note that the output is b64):
Verifying icpr module:
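The "generate a pfx with ruby" and "export is base64" steps listed above, as an added Ruby example that is not part of this PR or of metasploit-credential's own code: it builds a throwaway RSA key and self-signed certificate with OpenSSL, bundles them into a PKCS#12 (.pfx) structure, base64-encodes the DER the way the export step does, then decodes and parses it back and checks that the key inside matches the certificate. The passphrase, subject name and function names are assumptions made for the example; a wrong passphrase or malformed base64 yields nil instead of an exception, which is the failure mode an importer of user-supplied pfx data has to handle.

```ruby
require 'openssl'
require 'base64'

# Assumed passphrase for the example bundle (constructed, not from the PR).
PFX_PASSWORD = 'example-password'.freeze

# Build a throwaway RSA key and a self-signed certificate, then bundle them into
# a PKCS#12 object, roughly what `ruby example.rb > user.pfx` above would write.
def build_example_pkcs12(cn: 'user.example.local', password: PFX_PASSWORD)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, cn, key, cert)
end

# Export step: the stored/exported value is the DER-encoded bundle as base64.
def export_pkcs12_b64(pkcs12)
  Base64.strict_encode64(pkcs12.to_der)
end

# Import step: decode the base64, parse the PKCS#12 with the passphrase and return a
# summary. Returns nil on a wrong passphrase (MAC failure) or malformed base64 so the
# caller can reject bad input without a stack trace.
def import_pkcs12_b64(b64, password: PFX_PASSWORD)
  der = Base64.strict_decode64(b64)
  p12 = OpenSSL::PKCS12.new(der, password)
  {
    subject: p12.certificate.subject.to_s,
    key_bits: p12.key.n.num_bits,
    key_matches_cert: p12.certificate.check_private_key(p12.key)
  }
rescue ArgumentError, OpenSSL::PKCS12::PKCS12Error
  nil
end

if __FILE__ == $PROGRAM_NAME
  bundle = build_example_pkcs12
  puts export_pkcs12_b64(bundle)   # base64 text, as the export step emits
end
```

Because PKCS#12 salts and the key are random, two runs never produce the same base64 string; compare the parsed contents (subject, key size, key/cert match), not the encoded blob.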