##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
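class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Kerberos::Client
  include Msf::Exploit::Remote::Kerberos::Ticket

  # Declares module metadata and the datastore options.
  #
  # NTHASH and AES_KEY are the two (mutually exclusive, optional) decryption
  # keys; TICKET_PATH is the only required option. The network options are
  # deregistered because this module only reads a ticket file from disk.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kerberos Ticket Inspecting',
        'Description' => %q{
          This module outputs the contents of a ccache/kirbi file and optionally (when provided with the appropriate key)
          decrypts and displays the encrypted content too.
          Can be used for inspecting tickets that aren't working as intended in an effort to debug them.
        },
        'Author' => [
          'Dean Welch' # Metasploit Module
        ],
        'References' => [],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [],
          'SideEffects' => [],
          'Reliability' => [],
          'AKA' => ['klist']
        }
      )
    )

    register_options(
      [
        OptString.new('NTHASH', [false, 'The krbtgt/service nthash']),
        OptString.new('AES_KEY', [false, 'The krbtgt/service AES key']),
        OptString.new('TICKET_PATH', [true, 'Path to the ticket (ccache/kirbi format) you wish to inspect'])
      ]
    )
    deregister_options('RHOSTS', 'RPORT', 'Timeout')
  end

  SECS_IN_DAY = 86400 # 60 * 60 * 24; not referenced anywhere in this module

  # Hex-digit-only string. Array#pack('H*') does not reject non-hex
  # characters; it silently folds them into nibbles, so a mistyped key of the
  # right length would otherwise turn into wrong key bytes and a confusing
  # decryption failure instead of a clear configuration error.
  HEX_ONLY = /\A\h+\z/.freeze

  # Entry point: resolves the optional decryption key, then prints the ticket.
  #
  # print_contents is not defined in this file; presumably it is provided by
  # one of the included Kerberos mixins. Kerberos parsing/decryption errors are
  # reported as a module failure rather than a stack trace.
  def run
    print_contents(datastore['TICKET_PATH'], key: get_enc_key)
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
    fail_with(Msf::Exploit::Failure::Unknown, "Could not print ticket contents (#{e})")
  end

  private

  # Converts the validated hex key into raw key bytes.
  #
  # @return [String, nil] packed key bytes, or nil when no key option is set
  def get_enc_key
    hex_key = validate_key
    hex_key && [hex_key].pack('H*')
  end

  # Selects whichever key option is set and validates its format.
  #
  # @return [String, nil] the validated hex key string, or nil when neither
  #   NTHASH nor AES_KEY is set
  def validate_key
    nthash = datastore['NTHASH']
    aes_key = datastore['AES_KEY']

    if nthash.present? && aes_key.present?
      fail_with(Msf::Exploit::Failure::BadConfig, 'NTHASH and AES_KEY may not both be set for inspecting a ticket')
    end

    if nthash.present?
      validate_nthash(nthash)
    elsif aes_key.present?
      validate_aes_key(aes_key)
    else
      print_status('No decryption key provided proceeding without decryption.')
      nil
    end
  end

  # @param nthash [String] hex-encoded NT hash (32 hex digits => 16 key bytes)
  # @return [String] nthash unchanged when it is exactly 32 hex digits; the
  #   module run is failed with BadConfig otherwise
  def validate_nthash(nthash)
    if nthash.size != 32
      fail_with(Msf::Exploit::Failure::BadConfig, "NTHASH length was #{nthash.size}. It should be 32")
    elsif !nthash.match?(HEX_ONLY)
      fail_with(Msf::Exploit::Failure::BadConfig, 'NTHASH must contain only hexadecimal characters')
    else
      nthash
    end
  end

  # @param aes_key [String] hex-encoded AES key: 32 hex digits (16-byte key)
  #   or 64 hex digits (32-byte key)
  # @return [String] aes_key unchanged when it is 32 or 64 hex digits; the
  #   module run is failed with BadConfig otherwise
  def validate_aes_key(aes_key)
    if aes_key.size != 32 && aes_key.size != 64
      fail_with(Msf::Exploit::Failure::BadConfig, "AES key length was #{aes_key.size}. It should be 32 or 64")
    elsif !aes_key.match?(HEX_ONLY)
      fail_with(Msf::Exploit::Failure::BadConfig, 'AES key must contain only hexadecimal characters')
    else
      aes_key
    end
  end
end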