Persist icpr cert as pkcs12 credential
adfoster-r7 committed Feb 3, 2023
1 parent 8732313 commit e6e6c41
Showing 4 changed files with 51 additions and 21 deletions.
3 changes: 3 additions & 0 deletions Gemfile
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework'

# gem 'metasploit-credential', path: '../metasploit-credential'
gem 'metasploit-credential', git: 'https://github.com/adfoster-r7/metasploit-credential.git', branch: 'add-pkcs12-private-data-type'

# separate from test as simplecov is not run on travis-ci
group :coverage do
# code coverage for tests
Expand Down
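Review bot: The new `gem 'metasploit-credential', git: 'https://github.com/adfoster-r7/metasploit-credential.git', branch: 'add-pkcs12-private-data-type'` line sources a core dependency from a personal fork by a mutable branch name rather than from a released version. Gemfile.lock pins revision 19611a905f4ca4ee47ab06b89952d4f027e01325, so installs are reproducible as long as the lock is honoured, but anyone re-resolving the lock will pull whatever the branch points at that day. If this is a stopgap until an upstream metasploit-credential release carries the pkcs12 private type, a comment saying so, e.g. `# TODO: switch back to the released gem once pkcs12 support is published`, would make the temporary pin explicit to the next person touching the Gemfile.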
29 changes: 18 additions & 11 deletions Gemfile.lock
Original file line number Diff line number Diff line change
@@ -1,3 +1,19 @@
GIT
remote: https://github.com/adfoster-r7/metasploit-credential.git
revision: 19611a905f4ca4ee47ab06b89952d4f027e01325
branch: add-pkcs12-private-data-type
specs:
metasploit-credential (6.0.2)
metasploit-concern
metasploit-model
metasploit_data_models (>= 5.0.0)
net-ssh
pg
railties
rex-socket
rubyntlm
rubyzip

PATH
remote: .
specs:
Expand Down Expand Up @@ -235,16 +251,6 @@ GEM
activesupport (~> 7.0)
railties (~> 7.0)
zeitwerk
metasploit-credential (6.0.2)
metasploit-concern
metasploit-model
metasploit_data_models (>= 5.0.0)
net-ssh
pg
railties
rex-socket
rubyntlm
rubyzip
metasploit-model (5.0.1)
activemodel (~> 7.0)
activesupport (~> 7.0)
Expand Down Expand Up @@ -510,6 +516,7 @@ DEPENDENCIES
factory_bot_rails
fivemat
memory_profiler
metasploit-credential!
metasploit-framework!
octokit
pry-byebug
Expand All @@ -524,4 +531,4 @@ DEPENDENCIES
yard

BUNDLED WITH
2.1.4
2.2.33
5 changes: 3 additions & 2 deletions db/schema.rb
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.

ActiveRecord::Schema[7.0].define(version: 2019_05_07_120211) do
ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"

Expand Down Expand Up @@ -314,8 +314,9 @@
t.datetime "created_at", precision: nil, null: false
t.datetime "updated_at", precision: nil, null: false
t.string "jtr_format"
t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_pkcs12", unique: true, where: "((type)::text = 'Metasploit::Credential::Pkcs12'::text)"
t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))"
t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT (((type)::text = 'Metasploit::Credential::SSHKey'::text) OR ((type)::text = 'Metasploit::Credential::Pkcs12'::text)))"
end

create_table "metasploit_credential_publics", id: :serial, force: :cascade do |t|
Expand Down
35 changes: 27 additions & 8 deletions lib/msf/core/exploit/remote/ms_icpr.rb
Original file line number Diff line number Diff line change
Expand Up @@ -116,14 +116,7 @@ def connect_ipc
rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
raise MsIcprAuthenticationError, "Unable to authenticate ([#{e.class}] #{e})."
end
report_service(
host: rhost,
port: rport,
host_name: simple.client.default_name,
proto: 'tcp',
name: 'smb',
info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"
)
report_service(icpr_service_data)

begin
simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
Expand Down Expand Up @@ -222,6 +215,22 @@ def do_request_cert(icpr, opts)
pkcs12 = OpenSSL::PKCS12.create('', '', private_key, response[:certificate])
# see: https://pki-tutorial.readthedocs.io/en/latest/mime.html#mime-types
info = "#{simple.client.default_domain}\\#{datastore['SMBUser']} Certificate"

credential_data = {
**service_data,
address: service_data[:host],
port: rport,
protocol: service_data[:proto],
service_name: service_data[:name],
workspace_id: myworkspace_id,
username: upn || datastore['SMBUser'],
private_type: :pkcs12,
private_data: Base64.strict_encode64(pkcs12.to_der),
origin_type: :service,
module_fullname: fullname
}
create_credential(credential_data)

stored_path = store_loot('windows.ad.cs', 'application/x-pkcs12', rhost, pkcs12.to_der, 'certificate.pfx', info)
print_status("Certificate stored at: #{stored_path}")

Expand Down Expand Up @@ -366,5 +375,15 @@ def get_cert_ext_property(cert, ext_oid, key)
nil
end

def icpr_service_data
{
host: rhost,
port: rport,
host_name: simple.client.default_name,
proto: 'tcp',
name: 'smb',
info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"
}
end
end
end
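Review bot: The credential hash in do_request_cert splats `**service_data`, but the helper this commit introduces is named `icpr_service_data` and the inline hash it replaces lived in connect_ipc; unless `service_data` is assigned earlier in do_request_cert (whose start is outside the hunk), `**service_data` raises NameError before the credential is created. Adding `service_data = icpr_service_data` above the hash, or using `icpr_service_data` directly, would resolve it. The splat also forwards `host:`, `host_name:`, `proto:`, `name:` and `info:` alongside the explicit `address:`, `protocol:` and `service_name:` keys, so `create_credential` receives two spellings of the same service fields; passing only the keys it consumes would make the intent clearer. A one-line comment on the new helper, e.g. `# Service hash shared by report_service and the credential created in do_request_cert`, would record why the hash was extracted.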
