WIP: Add certs command & use pkinit if kerberos tickets are not available in cache #19760
+488
−63
This PR does two things:

- Adds a `certs` command, similar to `klist`, that displays and manages Pkcs12 certificates stored in the database.
- Uses `pkinit` automatically when the `<protocol>::Auth` option is set to `kerberos` and no related kerberos ticket is found in the cache. If a matching certificate is found, it will be used to get a TGT from the KDC using the `pkinit` protocol.

This PR is based on top of this PR. So, it includes extra commits present in this branch. To review the changes related to this PR only, you can look at the last commit.
## `certs` command

This command lists the available certificates stored in the `creds` database (use `certs -v` to display verbose output). It can also search a pkcs12 by ID or by username. Note that the username can include the domain using the UPN format (e.g. `[email protected]`). The command can also be used to delete certificates.

Here is the help output:
## Automated Pkcs12 authentication

When the user sets `<protocol>::Auth` to `kerberos`, the original process will look into the cached tickets and try to find a suitable ticket to authenticate. If no ticket is found, it will use the credentials provided by the user to request fresh new tickets (TGT and TGS). Now, before requesting new tickets using these credentials, the module will look into the database to see if a pkcs12 certificate can be re-used to request these tickets. The process is transparent to the user. The lookup is done based on the provided username and domain.

## Verification
1. Request a certificate with the `admin/dcerpc/icpr_cert` module. For example, exploiting the ESC1 vulnerability:

2. Check the `certs` command

   Try to search a certificate:

   Try to delete a certificate:
3. Check the automated Pkcs12 authentication

   Make sure you don't have any Kerberos ticket in cache:

   Use the `scanner/winrm/winrm_cmd` module to execute the `whoami` command on the target. You should see a `Using stored certificate for ...` message.

   Now, verify the tickets were stored in cache:

   If you re-run the module with the same options, it should now use the cached ticket instead of the certificate.
   You can repeat the operation with the following modules:

   - `scanner/ldap/ldap_login`: make sure the `ldap_session_type` feature is set and set the `CreateSession` option to `true`. Note that you will have to pass a fake password otherwise the module won't validate the options (see ldap/ldap_login module requires a password for schannel #19743). Schannel can also be used the same way:
   - `scanner/smb/smb_login`
## TODO

I noticed the credentials are being saved in the database when using kerberos authentication with the `scanner/ldap/ldap_login` and `scanner/smb/smb_login` modules. This will need to be fixed.
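As an added example (not code from this PR or from Metasploit itself), the lookup order the description above relies on, written out in Ruby: a cached ticket is preferred when one matches the username, realm and requested service and has not expired; otherwise a stored PKCS12 whose certificate is still valid is selected for PKINIT; only then is the module's own password used. The in-memory ticket cache and PKCS12 store, the self-signed certificate packed with OpenSSL (standing in for what `icpr_cert` would have stored), the service-name check on tickets, and the names `lowpriv`, `EXAMPLE.LOCAL` and `dc01` are all constructed assumptions of this example.

```ruby
require 'openssl'

# Added example (not Metasploit code): the credential selection order the PR
# describes, cached ticket -> stored PKCS12 for PKINIT -> plain password,
# run against a constructed in-memory ticket cache and PKCS12 store.
# Names (lowpriv, EXAMPLE.LOCAL, dc01, the Struct fields) are assumptions.

TicketEntry = Struct.new(:client, :realm, :sname, :end_time)
Pkcs12Entry = Struct.new(:id, :username, :domain, :der, :password)

# "user@example.local" -> ["user", "EXAMPLE.LOCAL"]; a bare username gives a
# nil domain so the caller can fall back to the module's own domain option.
def parse_upn(identity)
  user, domain = identity.to_s.split('@', 2)
  [user, domain&.upcase]
end

# Self-signed certificate wrapped in a PKCS12 blob, standing in for what
# admin/dcerpc/icpr_cert stores after a successful certificate request.
def build_pkcs12(username, domain, password, ttl: 3600, now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{username}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after = now + ttl
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, "#{username}@#{domain}", key, cert).to_der
end

# A usable ticket must match client, realm and service and still be valid.
def find_ticket(cache, username, realm, sname, now: Time.now)
  cache.find do |t|
    t.client.casecmp?(username) && t.realm.casecmp?(realm) &&
      t.sname.casecmp?(sname) && t.end_time > now
  end
end

# Search the store by username/domain and reject expired certificates:
# the KDC will not issue a TGT over PKINIT for a certificate past not_after.
def find_pkcs12(store, username, realm, now: Time.now)
  store.find do |e|
    next false unless e.username.casecmp?(username) && e.domain.casecmp?(realm)

    OpenSSL::PKCS12.new(e.der, e.password).certificate.not_after > now
  end
end

# Returns [:cached_ticket, entry], [:pkinit, entry] or [:password, nil];
# raises when nothing at all can authenticate the given identity.
def choose_auth(identity:, sname:, domain: nil, password: nil, cache: [], store: [], now: Time.now)
  username, upn_domain = parse_upn(identity)
  realm = (upn_domain || domain).to_s.upcase
  if (ticket = find_ticket(cache, username, realm, sname, now: now))
    return [:cached_ticket, ticket]
  end
  if (p12 = find_pkcs12(store, username, realm, now: now))
    return [:pkinit, p12]
  end
  return [:password, nil] if password && !password.empty?

  raise ArgumentError, "no ticket, certificate or password for #{username}@#{realm}"
end

if $PROGRAM_NAME == __FILE__
  now = Time.now
  store = [Pkcs12Entry.new(1, 'lowpriv', 'EXAMPLE.LOCAL',
                           build_pkcs12('lowpriv', 'EXAMPLE.LOCAL', 'p12pass', now: now), 'p12pass')]
  kind, entry = choose_auth(identity: 'lowpriv@example.local', sname: 'HTTP/dc01.example.local',
                            store: store, password: 'Password1', now: now)
  puts "#{kind}: using stored certificate id=#{entry.id}" if kind == :pkinit
end
```

The realm comparison is case-insensitive on purpose: Kerberos realms are conventionally upper case while users typically type the domain in lower case, and a case-sensitive match would silently skip a perfectly good certificate and fall through to the password.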