CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/metasploit/framework/login_scanner/kerberos.rb
require 'metasploit/framework/login_scanner/base'

module Metasploit
  module Framework
    module LoginScanner

      # Kerberos User scanner
      class Kerberos
        include Metasploit::Framework::LoginScanner::Base
        include Msf::Exploit::Remote::Kerberos::Client

        DEFAULT_PORT = 88
        REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
        DEFAULT_REALM = nil
        LIKELY_PORTS = [ DEFAULT_PORT ].freeze
        LIKELY_SERVICE_NAMES = [ 'kerberos', 'kerberos5', 'krb5', 'kerberos-sec' ].freeze
        PRIVATE_TYPES = %i[ password ].freeze
        CAN_GET_SESSION = true

        def attempt_login(credential)
          result_options = {
            credential: credential,
            host: host,
            port: port,
            protocol: 'tcp',
            service_name: 'kerberos'
          }

          begin
            res = send_request_tgt(
              server_name: server_name,
              client_name: credential.public,
              password: credential.private,
              realm: credential.realm
            )
            unless res.preauth_required
              # Pre-auth not required - let's get an RC4-HMAC ticket, since it's more easily crackable
              begin
                res = send_request_tgt(
                  server_name: server_name,
                  client_name: credential.public,
                  password: credential.private,
                  realm: credential.realm,
                  offered_etypes: [Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC]
                )
              rescue Rex::Proto::Kerberos::Model::Error::KerberosEncryptionNotSupported => e
                # RC4 likely disabled - let's just use the initial response
              end
            end

            result_options = result_options.merge(
              {
                status: Metasploit::Model::Login::Status::SUCCESSFUL,
                proof: res
              }
            )
            return Metasploit::Framework::LoginScanner::Result.new(result_options)
          rescue ::EOFError => e
            result_options = result_options.merge({ status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e })
            return Metasploit::Framework::LoginScanner::Result.new(result_options)
          rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
            status = self.class.login_status_for_kerberos_error(e)
            result_options = result_options.merge({ status: status, proof: e })
            return Metasploit::Framework::LoginScanner::Result.new(result_options)
          end
        end

        attr_accessor :server_name

        # Override the kerberos client's methods with the login scanner implementations
        alias rhost host
        alias rport port
        alias timeout connection_timeout

        # @param [Rex::Proto::Kerberos::Model::Error::KerberosError] krb_err The kerberos error
        def self.login_status_for_kerberos_error(krb_err)
          error_code = krb_err.error_code
          case error_code
          when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_KEY_EXPIRED, Rex::Proto::Kerberos::Model::Error::ErrorCodes::KRB_AP_ERR_SKEW
            # Correct password, but either password needs resetting or clock is skewed
            Metasploit::Model::Login::Status::SUCCESSFUL
          when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_C_PRINCIPAL_UNKNOWN
            # The username doesn't exist
            Metasploit::Model::Login::Status::INVALID_PUBLIC_PART
          when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_CLIENT_REVOKED
            # Locked out, disabled or expired
            # It doesn't appear to be documented anywhere, but Microsoft gives us a bit
            # of extra information in the e-data section
            begin
              pa_data_entry = krb_err.res.e_data_as_pa_data_entry
              if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
                pw_salt = pa_data_entry.decoded_value
                if pw_salt.nt_status
                  case pw_salt.nt_status.value
                  when ::WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT
                    Metasploit::Model::Login::Status::LOCKED_OUT
                  when ::WindowsError::NTStatus::STATUS_ACCOUNT_DISABLED
                    Metasploit::Model::Login::Status::DISABLED
                  when ::WindowsError::NTStatus::STATUS_ACCOUNT_EXPIRED
                    # Actually expired, which is effectively Disabled
                    Metasploit::Model::Login::Status::DISABLED
                  else
                    # Unknown - maintain existing behaviour
                    Metasploit::Model::Login::Status::DISABLED
                  end
                else
                  Metasploit::Model::Login::Status::DISABLED
                end
              else
                Metasploit::Model::Login::Status::DISABLED
              end
            rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
              # Could be a non-MS implementation?
              Metasploit::Model::Login::Status::DISABLED
            end
          else
            Metasploit::Model::Login::Status::INCORRECT
          end
        end

        private

        def set_sane_defaults
          self.connection_timeout = 10 if self.connection_timeout.nil?
          self.port = DEFAULT_PORT unless self.port
        end

        def print_status(*args)
          framework_module.print_status(*args) if framework_module
        end

        def print_good(*args)
          framework_module.print_good(*args) if framework_module
        end

        def vprint_status(*args)
          framework_module.vprint_status(*args) if framework_module
        end
      end
    end
  end
end
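The decision procedure in `login_status_for_kerberos_error` is the useful part of this file for anyone reading KDC failures, whether from a scanner result or from a domain controller's own logs: the same KRB-ERROR codes (and, on Windows KDCs, the NTSTATUS tucked into a PA-PW-SALT e-data entry) tell you whether a failure means wrong password, unknown principal, or an account that is locked, disabled or expired. The following is an added, dependency-free Ruby illustration of that classification; it is not Metasploit code. It assumes the numeric error codes from RFC 4120 and the documented Windows NTSTATUS values, and it models the e-data as an already-decoded hash rather than ASN.1-decoding it, so the `KrbError` struct, the `:symbol` statuses and the sample batch are constructed for this example. It also adds a small batch summariser, which is how a defender would use the mapping: a run of `invalid_public_part` results from one source is the signature of username enumeration, while `locked_out` counts rising during a spray are the lockout fallout.

```ruby
# Added example: classify Kerberos AS-REQ failures into account states,
# following the same decision procedure as Kerberos.login_status_for_kerberos_error
# above, without the Metasploit/Rex dependencies. All constants are assumed
# from RFC 4120 (KRB-ERROR codes) and Windows NTSTATUS documentation.

# RFC 4120 section 7.5.9 error codes
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_CLIENT_REVOKED      = 18
KDC_ERR_KEY_EXPIRED         = 23
KDC_ERR_PREAUTH_FAILED      = 24
KRB_AP_ERR_SKEW             = 37

# pa-data type a Windows KDC uses to carry an NTSTATUS inside KRB-ERROR e-data
PA_PW_SALT = 3

STATUS_ACCOUNT_DISABLED   = 0xC0000072
STATUS_ACCOUNT_EXPIRED    = 0xC0000193
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

# Constructed stand-in for a received KRB-ERROR: the error code plus an optional
# already-decoded e-data entry of the form { type: Integer, nt_status: Integer }.
# A real implementation would ASN.1-decode e-data; that step is out of scope here.
KrbError = Struct.new(:error_code, :e_data, keyword_init: true)

# Map one failure to a status symbol (mirrors the scanner's status model).
def classify_kerberos_error(err)
  case err.error_code
  when KDC_ERR_KEY_EXPIRED, KRB_AP_ERR_SKEW
    :successful           # password was accepted; reset required or clocks skewed
  when KDC_ERR_C_PRINCIPAL_UNKNOWN
    :invalid_public_part  # no such principal in the realm
  when KDC_ERR_CLIENT_REVOKED
    classify_revoked(err.e_data)
  else
    :incorrect            # e.g. KDC_ERR_PREAUTH_FAILED: wrong password
  end
end

# KDC_ERR_CLIENT_REVOKED covers locked-out, disabled and expired accounts.
# Windows disambiguates via an NTSTATUS in a PA-PW-SALT entry; anything else
# (non-Windows KDC, missing or undecodable e-data) is treated as disabled.
def classify_revoked(e_data)
  return :disabled unless e_data && e_data[:type] == PA_PW_SALT

  case e_data[:nt_status]
  when STATUS_ACCOUNT_LOCKED_OUT then :locked_out
  when STATUS_ACCOUNT_DISABLED   then :disabled
  when STATUS_ACCOUNT_EXPIRED    then :disabled  # expired is effectively disabled
  else :disabled                                # unknown NTSTATUS: keep default
  end
end

# Count a batch of failures by classification, e.g. everything one source
# produced inside a time window.
def summarise(errors)
  errors.each_with_object(Hash.new(0)) { |e, h| h[classify_kerberos_error(e)] += 1 }
end

# Constructed sample batch (not captured traffic).
SAMPLE_ERRORS = [
  KrbError.new(error_code: KDC_ERR_PREAUTH_FAILED),
  KrbError.new(error_code: KDC_ERR_C_PRINCIPAL_UNKNOWN),
  KrbError.new(error_code: KDC_ERR_C_PRINCIPAL_UNKNOWN),
  KrbError.new(error_code: KDC_ERR_CLIENT_REVOKED,
               e_data: { type: PA_PW_SALT, nt_status: STATUS_ACCOUNT_LOCKED_OUT }),
  KrbError.new(error_code: KDC_ERR_KEY_EXPIRED)
].freeze

if __FILE__ == $PROGRAM_NAME
  p summarise(SAMPLE_ERRORS)
end
```

Note that a `KDC_ERR_CLIENT_REVOKED` without a PA-PW-SALT entry collapses to `:disabled`, exactly as the scanner does; if you need to distinguish lockouts on a non-Windows KDC you have to get that signal from the KDC's own logs rather than from the wire error.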