Current User Psexec - Kerberos Support (MS14-068) #4357
Conversation
I'll work on it, hopefully today. Tomorrow at the latest! About the question
@@ -102,7 +103,13 @@ def exploit | |||
end | |||
|
|||
begin | |||
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server| | |||
if datastore['KERBEROS'] | |||
targets = datastore['RHOSTS'].split(', ').map{ |a| a.split(' ') }.flatten |
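Review bot: the Kerberos branch's `datastore['RHOSTS'].split(', ').map{ |a| a.split(' ') }.flatten` only separates hosts on ", " or whitespace, so a comma without a trailing space (`host1,host2`) survives as a single token and would be handed to the remote host as one bogus name; `datastore['RHOSTS'].split(/[\s,]+/).reject(&:empty?)` covers both separator styles without depending on the exact spacing. A one-line comment stating that this branch exists to skip local DNS resolution (the point discussed in this thread) would also help the next reader, since nothing in the code says why RangeWalker is bypassed.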
I guess it was trying to avoid DNS resolution when authenticating via Kerberos, but I don't think it solves the issue, because DNS resolution already happens on datastore option validation. Right or am I forgetting something?
No matter, after testing, I get the idea here :) Yeah, local resolution would waste it when running the module! Tested successfully! Landing!
Tested okay:
Currently after importing a Kerberos token with the kiwi extension, attempts to exploit hosts using the current_user_psexec local exploit module will fail. This is due to the Kerberos requirement to associate with the hostname.
This adds a KERBEROS datastore option which will prevent the hostnames being resolved locally, and instead send the hostnames over to the remote host. TBH we probably shouldn't be resolving anything locally for 'local' exploits. This should all be done on the remote host?
Verification
Fixes #4348