Skip to content

Commit

Permalink
Merge pull request rapid7#19553 from smashery/offered-etype-fix
Browse files Browse the repository at this point in the history
Only retrieve cached credentials that match the requested KrbOfferedEncryptionTypes
  • Loading branch information
smcintyre-r7 authored Oct 28, 2024
2 parents 1a6cf9d + 6172702 commit b2075e5
Show file tree
Hide file tree
Showing 5 changed files with 76 additions and 52 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -1036,7 +1036,8 @@ def get_cached_credential(options = {})
host: options.fetch(:host) { rhost },
client: options.fetch(:username) { self.username },
server: options.fetch(:sname, nil),
realm: options.fetch(:realm) { self.realm }
realm: options.fetch(:realm) { self.realm },
offered_etypes: options.fetch(:offered_etypes) { self.offered_etypes }
)
end

Expand Down
30 changes: 24 additions & 6 deletions lib/msf/core/exploit/remote/kerberos/ticket/storage/read_mixin.rb
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,19 @@ def load_credential(options = {})
return nil unless active_db?

now = Time.now.utc
tickets(options) do |ticket|
next if ticket.expired?(now)

available_tickets = tickets(options).select do |ticket|
!ticket.expired?(now)
end
if options[:offered_etypes].present?
# Prefer etypes mentioned first
options[:offered_etypes].each do |etype|
available_tickets.each do |t|
if t.enctype == etype
return t.ccache.credentials.first
end
end
end
else
return ticket.ccache.credentials.first
end

Expand All @@ -17,10 +27,18 @@ def load_credential(options = {})

# (see Base#tickets)
def tickets(options = {}, &block)
objects(options).map do |stored_loot|
mapped = objects(options).map do |stored_loot|
stored_ticket = StoredTicket.new(stored_loot)
block.call(stored_ticket) if block_given?
stored_ticket
end

mapped.select do |stored_ticket|
# If we were provided a set of etypes to look for, restrict to that
if options[:offered_etypes].nil? || options[:offered_etypes].include?(stored_ticket.enctype)
block.call(stored_ticket) if block_given?
true
else
false
end
end
end
end
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ def starttime
credential.starttime
end

def enctype
credential.keyblock.enctype
end

# @return [Rex::Proto::Kerberos::CredentialCache::Krb5Ccache]
def ccache
@ccache ||= Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(loot.data)
Expand Down
3 changes: 2 additions & 1 deletion lib/msf/ui/console/command_dispatcher/db/klist.rb
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ def cmd_klist(*args)
else
tbl = Rex::Text::Table.new(
{
'Columns' => ['id', 'host', 'principal', 'sname', 'issued', 'status', 'path'],
'Columns' => ['id', 'host', 'principal', 'sname', 'enctype', 'issued', 'status', 'path'],
'SortIndex' => -1,
# For now, don't perform any word wrapping on the table as it breaks the workflow of
# copying file paths and pasting them into applications
Expand All @@ -111,6 +111,7 @@ def cmd_klist(*args)
ticket.host_address,
ticket.principal,
ticket.sname,
Rex::Proto::Kerberos::Crypto::Encryption.const_name(ticket.enctype),
ticket.starttime,
ticket_status(ticket),
ticket.path
Expand Down
Loading

0 comments on commit b2075e5

Please sign in to comment.