Class: Metasploit::Framework::LoginScanner::Kerberos
- Inherits:
-
Object
- Object
- Metasploit::Framework::LoginScanner::Kerberos
- Includes:
- Base, Msf::Exploit::Remote::Kerberos::Client
- Defined in:
- lib/metasploit/framework/login_scanner/kerberos.rb
Overview
Kerberos User scanner
Constant Summary collapse
- DEFAULT_PORT =
88- REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
- DEFAULT_REALM =
nil
Constants included from Msf::Exploit::Remote::Kerberos::Client
Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_ACCEPT_COMPLETED, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_ACCEPT_INCOMPLETE, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_REJECT, Msf::Exploit::Remote::Kerberos::Client::NEG_TOKEN_REQUEST_MIC, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_AP_REP, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_AP_REQ, Msf::Exploit::Remote::Kerberos::Client::TOK_ID_KRB_ERROR
Constants included from Msf::Exploit::Remote::Kerberos::Client::ApRequest
Msf::Exploit::Remote::Kerberos::Client::ApRequest::AP_MUTUAL_REQUIRED, Msf::Exploit::Remote::Kerberos::Client::ApRequest::AP_USE_SESSION_KEY
Instance Attribute Summary collapse
-
#server_name ⇒ Object
Returns the value of attribute server_name.
Attributes included from Msf::Exploit::Remote::Kerberos::Client
Class Method Summary collapse
Instance Method Summary collapse
Methods included from Msf::Exploit::Remote::Kerberos::Client
#cleanup, #connect, #disconnect, #framework_module, #initialize, #peer, #proxies, #select_cipher, #send_request_as, #send_request_tgs, #send_request_tgt, #send_request_tgt_pkinit
Methods included from Msf::Exploit::Remote::Kerberos::Client::Pkinit
#build_dh, #build_pa_pk_as_req, #calculate_shared_key, #extract_user_and_realm, #k_truncate, #sign_auth_pack
Methods included from Msf::Exploit::Remote::Kerberos::Client::Pac
#build_empty_auth_data, #build_pa_pac_request, #build_pac, #build_pac_authorization_data
Methods included from Msf::Exploit::Remote::Kerberos::Client::TgsResponse
#decrypt_kdc_tgs_rep_enc_part, #extract_kerb_creds
Methods included from Msf::Exploit::Remote::Kerberos::Client::TgsRequest
#build_ap_req, #build_authenticator, #build_enc_auth_data, #build_pa_for_user, #build_subkey, #build_tgs_body_checksum, #build_tgs_request, #build_tgs_request_body
Methods included from Msf::Exploit::Remote::Kerberos::Client::AsResponse
#decrypt_kdc_as_rep_enc_part, #extract_logon_time, #extract_session_key, #format_as_rep_to_john_hash
Methods included from Msf::Exploit::Remote::Kerberos::Client::AsRequest
#build_as_pa_time_stamp, #build_as_request, #build_as_request_body
Methods included from Msf::Exploit::Remote::Kerberos::Client::ApRequest
#build_service_ap_request, #encode_gss_kerberos_ap_request, #encode_gss_spnego_ap_request
Methods included from Msf::Exploit::Remote::Kerberos::Client::Base
#build_client_name, #build_server_name
Instance Attribute Details
#server_name ⇒ Object
Returns the value of attribute server_name.
50 51 52 |
# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 50 def server_name @server_name end |
Class Method Details
.login_status_for_kerberos_error(krb_err) ⇒ Object
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 |
# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 58 def self.login_status_for_kerberos_error(krb_err) error_code = krb_err.error_code case error_code when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_KEY_EXPIRED, Rex::Proto::Kerberos::Model::Error::ErrorCodes::KRB_AP_ERR_SKEW # Correct password, but either password needs resetting or clock is skewed Metasploit::Model::Login::Status::SUCCESSFUL when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_C_PRINCIPAL_UNKNOWN # The username doesn't exist Metasploit::Model::Login::Status::INVALID_PUBLIC_PART when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_CLIENT_REVOKED # Locked out, disabled or expired # It doesn't appear to be documented anywhere, but Microsoft gives us a bit # of extra information in the e-data section begin pa_data_entry = krb_err.res.e_data_as_pa_data_entry if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT pw_salt = pa_data_entry.decoded_value if pw_salt.nt_status case pw_salt.nt_status.value when ::WindowsError::NTStatus::STATUS_ACCOUNT_LOCKED_OUT Metasploit::Model::Login::Status::LOCKED_OUT when ::WindowsError::NTStatus::STATUS_ACCOUNT_DISABLED Metasploit::Model::Login::Status::DISABLED when ::WindowsError::NTStatus::STATUS_ACCOUNT_EXPIRED # Actually expired, which is effectively Disabled Metasploit::Model::Login::Status::DISABLED else # Unknown - maintain existing behaviour Metasploit::Model::Login::Status::DISABLED end else Metasploit::Model::Login::Status::DISABLED end else Metasploit::Model::Login::Status::DISABLED end rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError # Could be a non-MS implementation? Metasploit::Model::Login::Status::DISABLED end else Metasploit::Model::Login::Status::INCORRECT end end |
Instance Method Details
#attempt_login(credential) ⇒ Object
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
# File 'lib/metasploit/framework/login_scanner/kerberos.rb', line 16 def attempt_login(credential) = { credential: credential, host: host, port: port, protocol: 'tcp', service_name: 'kerberos' } begin res = send_request_tgt( server_name: server_name, client_name: credential.public, password: credential.private, realm: credential.realm ) = .merge( { status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res } ) return Metasploit::Framework::LoginScanner::Result.new() rescue ::EOFError => e = .merge({ status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }) return Metasploit::Framework::LoginScanner::Result.new() rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e status = self.class.login_status_for_kerberos_error(e) = .merge({ status: status, proof: e }) return Metasploit::Framework::LoginScanner::Result.new() end end |