Path: blob/master/modules/auxiliary/admin/kerberos/inspect_ticket.rb
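##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module that prints the contents of a Kerberos ticket file
# (ccache or kirbi format) and, when a key is supplied, passes that key to
# the ticket printer so the encrypted part can be decrypted and shown too.
#
# The key options hold long-term secrets (the krbtgt or service account
# NT hash / AES key). This module only hex-decodes the value and hands it to
# `print_contents`; its own error messages report the key length, never the
# key itself.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Kerberos::Client
  include Msf::Exploit::Remote::Kerberos::Ticket

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kerberos Ticket Inspecting',
        'Description' => %q{
          This module outputs the contents of a ccache/kirbi file and optionally (when provided with the appropriate key)
          decrypts and displays the encrypted content too.
          Can be used for inspecting tickets that aren't working as intended in an effort to debug them.
        },
        'Author' => [
          'Dean Welch' # Metasploit Module
        ],
        'References' => [],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [],
          'SideEffects' => [],
          'Reliability' => [],
          'AKA' => ['klist']
        }
      )
    )

    register_options(
      [
        OptString.new('NTHASH', [ false, 'The krbtgt/service nthash' ]),
        OptString.new('AES_KEY', [ false, 'The krbtgt/service AES key' ]),
        OptString.new('TICKET_PATH', [true, 'Path to the ticket (ccache/kirbi format) you wish to inspect'])
      ]
    )
    # The ticket is read from a local path, so the network options are dropped
    # (presumably they are contributed by the included Kerberos client mixin).
    deregister_options('RHOSTS', 'RPORT', 'Timeout')
  end

  SECS_IN_DAY = 86400 # 60 * 60 * 24

  # Entry point: resolves the optional decryption key and prints the ticket at
  # TICKET_PATH. Kerberos model errors raised while printing are converted
  # into a module failure that carries the underlying error text.
  def run
    enc_key = get_enc_key
    print_contents(datastore['TICKET_PATH'], key: enc_key)
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    fail_with(Msf::Exploit::Failure::Unknown, "Could not print ticket contents (#{e})")
  end

  private

  # Hex characters accepted in NTHASH / AES_KEY. Anchored with \A and \z so a
  # trailing newline or embedded line break cannot slip through.
  HEX_ONLY = /\A\h+\z/.freeze

  # @return [String, nil] the validated key decoded from hex into raw bytes,
  #   or nil when neither NTHASH nor AES_KEY is set
  def get_enc_key
    key = validate_key
    return nil if key.nil?

    [key].pack('H*')
  end

  # Selects and validates whichever key option is set.
  #
  # Fails the module with BadConfig when both NTHASH and AES_KEY are set,
  # because only one key can be used to decrypt the ticket.
  #
  # @return [String, nil] the validated hex string, or nil when no key is set
  def validate_key
    nthash = datastore['NTHASH']
    aes_key = datastore['AES_KEY']

    if nthash.present? && aes_key.present?
      fail_with(Msf::Exploit::Failure::BadConfig, 'NTHASH and AES_KEY may not both be set for inspecting a ticket')
    end

    if nthash.present?
      validate_nthash(nthash)
    elsif aes_key.present?
      validate_aes_key(aes_key)
    else
      print_status('No decryption key provided proceeding without decryption.')
      nil
    end
  end

  # Checks that the NT hash is 32 hex characters (16 bytes once decoded).
  #
  # @param nthash [String] hex-encoded NT hash
  # @return [String] the same string when it is valid
  def validate_nthash(nthash)
    if nthash.size != 32
      fail_with(Msf::Exploit::Failure::BadConfig, "NTHASH length was #{nthash.size}. It should be 32")
    end

    validate_hex('NTHASH', nthash)
  end

  # Checks that the AES key is 32 or 64 hex characters (16 or 32 bytes once
  # decoded, i.e. the AES-128 and AES-256 key sizes).
  #
  # @param aes_key [String] hex-encoded AES key
  # @return [String] the same string when it is valid
  def validate_aes_key(aes_key)
    if aes_key.size != 32 && aes_key.size != 64
      fail_with(Msf::Exploit::Failure::BadConfig, "AES key length was #{aes_key.size}. It should be 32 or 64")
    end

    validate_hex('AES key', aes_key)
  end

  # Rejects values that are the right length but not hex. Without this check
  # `pack('H*')` does not raise on stray characters; it silently yields wrong
  # key bytes and the user only sees an unexplained decryption failure.
  # The message names the option only, so the secret is not echoed to the
  # console or logs.
  #
  # @param label [String] option name used in the error message
  # @param value [String] candidate hex string
  # @return [String] value, unchanged, when it contains only hex characters
  def validate_hex(label, value)
    unless value.match?(HEX_ONLY)
      fail_with(Msf::Exploit::Failure::BadConfig, "#{label} must contain only hexadecimal characters (0-9, a-f)")
    end

    value
  end
end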