Ensure identify hashes helper is accessible to modules #17872

Conversation

adfoster-r7

@adfoster-r7 adfoster-r7 commented Apr 12, 2023

Fixes a crash when modules relied on a hash identifying method that wasn't always available. This method is now available as expected and modules will no longer crash.

>> Metasploit::Framework::Hashes.identify_hash('$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6')
(irb):1:in `<main>': uninitialized constant Metasploit::Framework::Hashes (NameError)

Spotted as part of #17353 (comment)

Verification

Ensure the hashes helper is available from within Metasploit console:

msf6 exploit(multi/handler) > irb
[*] Starting IRB shell...
[*] You are in exploit/multi/handler
>> Metasploit::Framework::Hashes.identify_hash('$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6')
=> "bf"

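As an added example that is not Metasploit's own code: a standalone Ruby identifier in the same spirit as `identify_hash`, returning a John-the-Ripper-style format name such as "bf" for the bcrypt hash in the session above, or an empty string when nothing matches. The regexes, the format names and the `identify_hash_format` name are assumptions modelled on John/hashcat conventions, not the framework's own tables.

```ruby
# Added example, not Metasploit's Metasploit::Framework::Hashes.identify_hash:
# a small John-the-Ripper-style format identifier that returns the same kind
# of name the PR shows ("bf" for a bcrypt hash). The regexes and format names
# are assumptions modelled on John/hashcat conventions, kept here so the
# behaviour can be tried with nothing but a Ruby interpreter.

HASH_FORMATS = [
  # bcrypt: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char hash
  { name: 'bf',          regex: %r{\A\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}\z} },
  # sha512crypt / sha256crypt: $6$ or $5$, optional rounds=, salt, hash
  { name: 'sha512crypt', regex: %r{\A\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}\z} },
  { name: 'sha256crypt', regex: %r{\A\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}\z} },
  # md5crypt: $1$, up to 8-char salt, 22-char hash
  { name: 'md5crypt',    regex: %r{\A\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}\z} },
  # Windows NT hash, alone or in pwdump "LM:NT" form
  { name: 'nt',          regex: %r{\A(?:[0-9a-f]{32}:)?[0-9a-f]{32}\z}i },
  # traditional DES crypt: 2-char salt followed by 11 hash chars
  { name: 'descrypt',    regex: %r{\A[./A-Za-z0-9]{13}\z} },
].freeze

# Returns the format name, or '' when nothing matches, so a module can branch
# on an empty string instead of rescuing an exception mid-run.
def identify_hash_format(hash)
  candidate = hash.to_s.strip
  match = HASH_FORMATS.find { |fmt| fmt[:regex].match?(candidate) }
  match ? match[:name] : ''
end

if __FILE__ == $PROGRAM_NAME
  # Same bcrypt hash as the irb session in the PR description.
  puts identify_hash_format('$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6')
end
```

The anchored regexes matter: an unanchored bcrypt pattern would also accept a hash with trailing junk, and the NT pattern is deliberately ordered after the crypt formats so a 32-hex-character string is only reported as `nt` when nothing more specific applies.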
@adfoster-r7 adfoster-r7 force-pushed the ensure-identify-hashes-helper-is-accessible-to-modules branch from dff1640 to 8e2169e on April 12, 2023 12:29
@@ -212,7 +210,7 @@ def pillage(ldif, base_dn)
ltype.gsub!(/ /, '_')
ltype.gsub!(/,/, '.')
ltype.gsub!(/(ou=|fn=|cn=|o=|dc=|c=)/i, '')
ltype.gsub!(/[^a-z0-9._\-]+/i, '')
ltype.gsub!(/[^a-z0-9._-]+/i, '')
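Review bot: unrelated cleanup riding along in a targeted fix; the only difference between the removed and added lines is the escape before the trailing `-` in the character class (`[^a-z0-9._\-]+` versus `[^a-z0-9._-]+`), and a hyphen in last position is literal either way, so `ltype` is sanitised identically and this is a pure rubocop autocorrect. It would be better in its own commit so the constant-loading fix stays single-purpose and reviewable.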
Unrelated automated rubocop change

== modules/auxiliary/gather/ldap_hashdump.rb ==
C:213: 28: [Correctable] Style/RedundantRegexpEscape: Redundant escape inside regexp literal

1 file inspected, 1 offense detected, 1 offense autocorrectable
modules/auxiliary/gather/ldap_hashdump.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/auxiliary/gather/ldap_hashdump.rb and verify all issues are resolved

@@ -333,3 +333,6 @@ def finalize_loader(loader)
autoload :RubySMB, 'ruby_smb'

require 'rexml/document'

# XXX: Should be removed once the `lib/metasploit` folder is loaded by Zeitwerk
require 'metasploit/framework/hashes'
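Review bot: the eager `require 'metasploit/framework/hashes'` is a reasonable stopgap, but the `XXX` comment should point at a tracking issue or the intended follow-up (registering `lib/metasploit/` with the Zeitwerk loader) so it does not quietly become permanent. Note also that this line behaves differently from the `autoload :RubySMB, 'ruby_smb'` a few lines above: that one is lazy, whereas this one loads the hashes helper and everything it requires at framework boot rather than on first use.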
This will probably look something like:

diff --git a/lib/msf_autoload.rb b/lib/msf_autoload.rb
index 7bb1da35af..0b697e6ae0 100644
--- a/lib/msf_autoload.rb
+++ b/lib/msf_autoload.rb
@@ -298,6 +298,7 @@ class MsfAutoload
     [
       { path: "#{__dir__}/msf/", namespace: Msf },
       { path: "#{__dir__}/rex/", namespace: Rex },
+      { path: "#{__dir__}/metasploit/", namespace: Metasploit }
     ]
   end
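Review bot: if `lib/metasploit/` is handed to the loader under the `Metasploit` namespace as this hunk proposes, the explicit `require 'metasploit/framework/hashes'` added in `finalize_loader` has to be removed in the same change, since Zeitwerk expects to own loading of every file under a directory it manages and an explicit `require` of such a file bypasses its bookkeeping. The author's caveat that this needs more testing is warranted: every existing file under `lib/metasploit/` would then have to follow the path-to-constant convention (`metasploit/framework/hashes.rb` defining exactly `Metasploit::Framework::Hashes`) or the loader raises when the constant is referenced.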

But it would require more testing/fixing than the cycles currently available

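The path-to-constant convention such a loader entry relies on, as an added example that is neither Metasploit's MsfAutoload nor the Zeitwerk gem: a minimal autoload-based loader that maps `metasploit/framework/hashes.rb` to `Metasploit::Framework::Hashes`, plus a demonstration of the NameError before registration and the lazy load after. The `camelize`, `register_autoloads` and `demo_lazy_constant` names, and the stand-in `hashes.rb` the demo writes to a scratch directory, are assumptions for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not Metasploit's MsfAutoload and not the Zeitwerk gem: a
# minimal loader that applies the Zeitwerk file-to-constant convention
# (lib/metasploit/framework/hashes.rb => Metasploit::Framework::Hashes) by
# registering Module#autoload for every .rb file under a root directory.
# Assumption: snake_case file names map to CamelCase constants by simple
# capitalisation, which holds for the hashes helper discussed in the PR.

def camelize(snake)
  snake.split('_').map(&:capitalize).join
end

# Walks `dir`, creating an implicit namespace module for each subdirectory and
# an autoload for each file, so a constant is resolved on first reference
# instead of at boot. `namespace` plays the role of the { path:, namespace: }
# pairing in the loader configuration quoted above.
def register_autoloads(dir, namespace)
  Dir.children(dir).sort.each do |entry|
    full = File.join(dir, entry)
    if File.directory?(full)
      name = camelize(entry)
      mod = if namespace.const_defined?(name, false)
              namespace.const_get(name)
            else
              namespace.const_set(name, Module.new)
            end
      register_autoloads(full, mod)
    elsif entry.end_with?('.rb')
      namespace.autoload(camelize(File.basename(entry, '.rb')).to_sym, full)
    end
  end
end

# Reproduces the PR's failure and its fix in one call: the constant is
# referenced before any loader knows about metasploit/ (NameError, as in the
# irb session in the PR description), then again after the autoloads are
# registered. The hashes.rb written here is a constructed stand-in, not the
# real helper.
def demo_lazy_constant(root)
  lib = File.join(root, 'metasploit', 'framework')
  FileUtils.mkdir_p(lib)
  File.write(File.join(lib, 'hashes.rb'), <<~RUBY)
    module Metasploit
      module Framework
        module Hashes
          def self.identify_hash(hash)
            hash.start_with?('$2a$', '$2b$', '$2y$') ? 'bf' : ''
          end
        end
      end
    end
  RUBY

  before = begin
    Object.const_get('Metasploit::Framework::Hashes')
    :loaded
  rescue NameError
    :name_error
  end

  register_autoloads(root, Object)
  after = Metasploit::Framework::Hashes.identify_hash(
    '$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6'
  )
  [before, after]
end
```

Run it with `Dir.mktmpdir { |d| p demo_lazy_constant(d) }`: the first lookup fails exactly as the PR's irb session does, and after registration the same constant resolves on first use and returns "bf". The directory walk is the part Zeitwerk automates for real; the explicit `require` added by this PR sidesteps it at the cost of loading the helper eagerly.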
@dwelch-r7 dwelch-r7 self-assigned this Apr 12, 2023
@dwelch-r7

Fixed my issue with certifried, will land.

msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 192.168.176.3

[+] [2023.04.13-16:18:59] 192.168.176.3:445 - Successfully authenticated to LDAP (192.168.176.3:636)
[+] [2023.04.13-16:19:02] 192.168.176.3:445 - Successfully created windomain.local\DESKTOP-VX7E6A0Y$
[+] [2023.04.13-16:19:02] 192.168.176.3:445 -   Password: WtPBKGlrsyigOqwmyUW1aaisI2m3uE35
[+] [2023.04.13-16:19:02] 192.168.176.3:445 -   SID:      S-1-5-21-2380665626-1154582258-49301182-1150
[+] [2023.04.13-16:19:02] 192.168.176.3:445 - Successfully authenticated to LDAP (192.168.176.3:636)
[*] [2023.04.13-16:19:02] 192.168.176.3:445 - Attempting to set the DNS hostname for the computer DESKTOP-VX7E6A0Y$ to the DNS hostname for the DC: dc2019
[+] [2023.04.13-16:19:02] 192.168.176.3:445 - Successfully changed the DNS hostname
[+] [2023.04.13-16:19:04] 192.168.176.3:445 - The requested certificate was issued.
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - Certificate SID: S-1-5-21-2380665626-1154582258-49301182-1150
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - Certificate stored at: /Users/dwelch/.msf4/loot/20230413161904_default_192.168.176.3_windows.ad.cs_413063.pfx
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - Attempting PKINIT login for dc2019$@windomain.local
[+] [2023.04.13-16:19:04] 192.168.176.3:445 - Successfully authenticated with certificate
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - 192.168.176.3:445 - TGT MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230413161904_default_192.168.176.3_mit.kerberos.cca_842292.bin
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - Trying to retrieve NT hash for dc2019$
[+] [2023.04.13-16:19:04] 192.168.176.3:445 - 192.168.176.3:88 - Received a valid TGS-Response
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - 192.168.176.3:445 - TGS MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230413161904_default_192.168.176.3_mit.kerberos.cca_517418.bin
[+] [2023.04.13-16:19:04] 192.168.176.3:445 - Found NTLM hash for dc2019$: aad3b435b51404eeaad3b435b51404ee:ab60af0d9ee0336f8cc7df44c9f7caed
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - Getting TGS impersonating Administrator@windomain.local (SPN: cifs/dc2019.windomain.local)
[+] [2023.04.13-16:19:04] 192.168.176.3:445 - 192.168.176.3:88 - Received a valid TGS-Response
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - 192.168.176.3:445 - TGS MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230413161904_default_192.168.176.3_mit.kerberos.cca_251003.bin
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - Deleting the computer account DESKTOP-VX7E6A0Y$
[*] [2023.04.13-16:19:04] 192.168.176.3:445 - 192.168.176.3:88 - Using cached credential for cifs/dc2019.windomain.local@WINDOMAIN.LOCAL Administrator@WINDOMAIN.LOCAL
[+] [2023.04.13-16:19:05] 192.168.176.3:445 - The specified computer has been deleted.
[*] Auxiliary module execution completed

@dwelch-r7 dwelch-r7 merged commit f9d5459 into rapid7:master Apr 13, 2023
@dwelch-r7 dwelch-r7 added the rn-fix release notes fix label Apr 13, 2023
@dwelch-r7

Release Notes

Fixes a crash when modules relied on a hash identifying method that wasn't always available. This method is now available as expected and modules will no longer crash.
