GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/kerberos/ticket_converter.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
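# Auxiliary module that converts a Kerberos ticket file between the two
# on-disk formats in common use: kirbi (a DER-encoded KRB-CRED message) and
# the MIT credential cache (ccache). The direction is chosen from the leading
# bytes of the input file; the work is purely local file I/O.
class MetasploitModule < Msf::Auxiliary
  # Registers the module metadata and its two required options.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values declared here via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kerberos ticket converter',
        'Description' => %q{
          This module converts tickets to the ccache format from the kirbi format and vice versa.
        },
        'Author' => [
          'Zer1t0', # Impacket Implementation https://github.com/Zer1t0
          'Dean Welch', # Metasploit Module
        ],
        'References' => [
          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/ticketConverter.py'],
          ['URL', 'https://tools.ietf.org/html/rfc4120'],
          ['URL', 'http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html'],
          ['URL', 'https://github.com/gentilkiwi/kekeo'],
          ['URL', 'https://github.com/rvazarkar/KrbCredExport'],
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        OptPath.new('InputPath', [ true, 'The file path to ticket in kirbi (KRB-CRED) or ccache format.' ]),
        OptString.new('OutputPath', [ true, 'The output path to save the converted ticket.' ]),
      ]
    )
  end

  # Detects the input format, converts it to the other format and writes the
  # result to OutputPath.
  #
  # Fails with BadConfig ('Unknown file format') when the leading bytes match
  # neither format, including when the input file is empty.
  #
  # @return [void]
  def run
    # Read the file once and sniff the format from the same bytes that are
    # converted. Reading a two-byte header separately returns nil for an
    # empty file (which made the format checks raise NoMethodError) and
    # re-opens the path between the check and the conversion.
    input = File.binread(datastore['InputPath'])
    header = input[0, 2]

    if ccache?(header)
      print_status('Converting from ccache to kirbi')
      output = ccache_to_kirbi(input)
    elsif kirbi?(header)
      print_status('Converting from kirbi to ccache')
      output = kirbi_to_ccache(input)
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unknown file format')
    end

    path = File.expand_path(datastore['OutputPath'])
    # NOTE(review): the converted ticket is reusable credential material.
    # File.binwrite creates the file with the process umask and silently
    # overwrites an existing file; consider restricting the output to
    # owner-only permissions and treating both files as secrets.
    File.binwrite(path, output.encode)
    print_status("File written to #{path}")
  end

  # Parses raw ccache bytes and converts them to the kirbi representation.
  #
  # @param input [String] binary contents of a ccache file
  # @return [Object] whatever TicketConverter.ccache_to_kirbi returns; #run
  #   calls #encode on it
  def ccache_to_kirbi(input)
    ccache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(input)
    Msf::Exploit::Remote::Kerberos::TicketConverter.ccache_to_kirbi(ccache)
  end

  # Decodes raw kirbi (KRB-CRED) bytes and converts them to a ccache.
  #
  # @param input [String] binary contents of a kirbi file
  # @return [Object] whatever TicketConverter.kirbi_to_ccache returns; #run
  #   calls #encode on it
  def kirbi_to_ccache(input)
    krb_cred = Rex::Proto::Kerberos::Model::KrbCred.decode(input)
    Msf::Exploit::Remote::Kerberos::TicketConverter.kirbi_to_ccache(krb_cred)
  end

  private

  # True when the first byte is 0x76, the DER identifier octet for
  # [APPLICATION 22], the tag RFC 4120 assigns to KRB-CRED. This is a
  # one-byte sniff only: any file starting with 0x76 is handed to the
  # decoder, which is the real validation step.
  #
  # @param header [String] leading bytes of the input file (may be empty)
  # @return [Boolean]
  def kirbi?(header)
    header[0] == "\x76"
  end

  # True when the first two bytes are 0x05 0x04, i.e. a version 4 ccache
  # file per the MIT ccache file format document listed in References. Files
  # written in an earlier ccache version (second byte 1-3) are not
  # recognised by this check.
  #
  # @param header [String] leading bytes of the input file (may be empty)
  # @return [Boolean]
  def ccache?(header)
    header[0..1] == "\x05\x04"
  end
end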