Make the DomainControllerRhost optional #18446
@@ -86,6 +86,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base | |
:print_status, | ||
:print_good, | ||
:vprint_error, | ||
:vprint_status, | ||
:workspace | ||
|
||
# Flags - https://datatracker.ietf.org/doc/html/rfc4121#section-4.1.1.1 | ||
|
@@ -183,6 +184,23 @@ def rport | |
port | ||
end | ||
|
||
def connect(options = {}) | ||
unless options[:rhost] | ||
unless (host = @host) | ||
vprint_status("Using DNS to lookup the KDC for #{realm}...") | ||
host = ::Rex::Socket.getresources("_kerberos._tcp.#{realm}", :SRV)&.sample | ||
if host.nil? | ||
raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to lookup the KDC") | ||
end | ||
print_status("Using KDC #{host} for realm #{realm}") | ||
@host = host | ||
end | ||
options[:rhost] = host | ||
end | ||
|
||
super(options) | ||
end | ||
|
||
# @param [Hash] options | ||
# @option options [String] :credential An explicit credential object to use for authentication. | ||
# @option options [Rex::Proto::Kerberos::Model::PrincipalName] :sname The target service principal name. | ||
|
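Review bot: the new `connect` picks a KDC with `&.sample`, which ignores the SRV answer's priority and weight and discards the SRV port (`rport` above still returns the configured `port`); if random selection is intended, say so in a comment, otherwise prefer the lowest-priority targets first. The failure path `raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to lookup the KDC")` would be more useful if it named the record queried, e.g. `"Failed to lookup the KDC via _kerberos._tcp.#{realm}"`. Two smaller points: `options[:rhost] = host` mutates the caller's hash, and the method has no YARD block while `authenticate` directly below documents its options.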
@@ -213,7 +231,7 @@ def authenticate(options = {}) | |
) | ||
end | ||
if options[:credential] | ||
print_status("#{peer} - Using cached credential for #{options[:credential].server} #{options[:credential].client}") | ||
print_status("Using cached credential for #{options[:credential].server} #{options[:credential].client}") | ||
I removed the

You know... now that we have intrinsic name lookup facilities in our socket library, maybe we could start treating valid hostnames as peers?
end | ||
end | ||
end | ||
|
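Review bot: dropping the `#{peer} - ` prefix is consistent with the new `connect`, where the KDC may not be known until the SRV lookup runs, but the identical one-line substitution is repeated in the `request_tgt_only` and `request_tgs_only` hunks below; a small helper (hypothetical name `print_cached_credential(cred)`) would keep the "Using cached credential for ..." wording in one place so the three call sites cannot drift apart again.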
@@ -325,7 +343,7 @@ def request_tgt_only(options = {}) | |
end | ||
|
||
if credential | ||
print_status("#{peer} - Using cached credential for #{credential.server} #{credential.client}") | ||
print_status("Using cached credential for #{credential.server} #{credential.client}") | ||
return credential | ||
end | ||
|
||
|
@@ -343,7 +361,7 @@ def request_tgt_only(options = {}) | |
def request_tgs_only(credential, options = {}) | ||
# load a cached TGS | ||
if (ccache = get_cached_credential(options)) | ||
print_status("#{peer} - Using cached credential for #{ccache.server} #{ccache.client}") | ||
print_status("Using cached credential for #{ccache.server} #{ccache.client}") | ||
return ccache | ||
end | ||
|
||
|
Placeholder comment: For something like a Kerberos SMB login bruteforcer, will this end up making hundreds of DNS requests?

CachedResolver doesn't care how many requests you make; so long as you're within the record's TTL (or create a static entry after the first lookup in the brute mixin) it'll pull from the cache.

Yeah, I was thinking that caching should be the resolver's responsibility if it needs to be implemented.

https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/dns/cached_resolver.rb#L13 :)