Merge pull request rapid7#19736 from cdelafuente-r7/enh/pkcs12/add_metadata

Report CA, ADCS Template and Password along with Pkcs12 in the database

Author: jheysel-r7

.github/workflows/command_shell_acceptance.yml

@@ -132,6 +132,7 @@ jobs:
         run: git config --system core.longpaths true
 
       - name: Setup Ruby
+        run: git config --system core.longpaths true
         env:
           BUNDLE_FORCE_RUBY_PLATFORM: true
         uses: ruby/setup-ruby@v1

.github/workflows/shared_meterpreter_acceptance.yml

@@ -196,6 +196,7 @@ jobs:
         run: git config --system core.longpaths true
 
       - name: Setup Ruby
+        run: git config --system core.longpaths true
         env:
           BUNDLE_FORCE_RUBY_PLATFORM: true
           # Required for macos13 pg gem compilation

Gemfile.lock

@@ -293,7 +293,7 @@ GEM
       activesupport (~> 7.0)
       railties (~> 7.0)
       zeitwerk
-    metasploit-credential (6.0.12)
+    metasploit-credential (6.0.14)
       metasploit-concern
       metasploit-model
       metasploit_data_models (>= 5.0.0)
@@ -303,12 +303,12 @@ GEM
       rex-socket
       rubyntlm
       rubyzip
-    metasploit-model (5.0.2)
+    metasploit-model (5.0.3)
       activemodel (~> 7.0)
       activesupport (~> 7.0)
       railties (~> 7.0)
     metasploit-payloads (2.0.189)
-    metasploit_data_models (6.0.6)
+    metasploit_data_models (6.0.9)
       activerecord (~> 7.0)
       activesupport (~> 7.0)
       arel-helpers

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
+ActiveRecord::Schema[7.0].define(version: 2025_02_04_172657) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -314,6 +314,7 @@
     t.datetime "created_at", precision: nil, null: false
     t.datetime "updated_at", precision: nil, null: false
     t.string "jtr_format"
+    t.jsonb "metadata", default: {}, null: false
     t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_pkcs12", unique: true, where: "((type)::text = 'Metasploit::Credential::Pkcs12'::text)"
     t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
     t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT (((type)::text = 'Metasploit::Credential::SSHKey'::text) OR ((type)::text = 'Metasploit::Credential::Pkcs12'::text)))"

lib/msf/core/exploit/remote/ms_icpr.rb

@@ -251,8 +251,8 @@ def do_request_cert(icpr, opts)
       workspace_id: myworkspace_id,
       username: upn || datastore['SMBUser'],
       private_type: :pkcs12,
-      # pkcs12 is a binary format, but for persisting we Base64 encode it
       private_data: Base64.strict_encode64(pkcs12.to_der),
+      private_metadata: { adcs_ca: datastore['CA'], adcs_template: cert_template },
       origin_type: :service,
       module_fullname: fullname
     }

lib/msf/ui/console/command_dispatcher/creds.rb

@@ -100,16 +100,19 @@ def cmd_creds_help
     print_line "Usage - Adding credentials:"
     print_line "  creds add uses the following named parameters."
     {
-      user:         'Public, usually a username',
-      password:     'Private, private_type Password.',
-      ntlm:         'Private, private_type NTLM Hash.',
-      postgres:     'Private, private_type postgres MD5',
-      pkcs12:       'Private, private_type pkcs12 archive file, must be a file path.',
-      'ssh-key' =>  'Private, private_type SSH key, must be a file path.',
-      hash:         'Private, private_type Nonreplayable hash',
-      jtr:          'Private, private_type John the Ripper hash type.',
-      realm:        'Realm, ',
-      'realm-type'=>"Realm, realm_type (#{Metasploit::Model::Realm::Key::SHORT_NAMES.keys.join(' ')}), defaults to domain."
+      user:                'Public, usually a username',
+      password:            'Private, private_type Password.',
+      ntlm:                'Private, private_type NTLM Hash.',
+      postgres:            'Private, private_type postgres MD5',
+      pkcs12:              'Private, private_type pkcs12 archive file, must be a file path.',
+      'ssh-key'         => 'Private, private_type SSH key, must be a file path.',
+      hash:                'Private, private_type Nonreplayable hash',
+      jtr:                 'Private, private_type John the Ripper hash type.',
+      realm:               'Realm, ',
+      'realm-type'      => "Realm, realm_type (#{Metasploit::Model::Realm::Key::SHORT_NAMES.keys.join(' ')}), defaults to domain.",
+      'adcs-ca'         => 'CA, Certificate Authority that issued the pkcs12 certificate',
+      'adcs-template'   => 'ADCS Template, template used to issue the pkcs12 certificate',
+      'pkcs12-password' => 'The password to decrypt the Pkcs12, defaults to an empty password'
     }.each_pair do |keyword, description|
       print_line "    #{keyword.to_s.ljust 10}:  #{description}"
     end
@@ -206,7 +209,7 @@ def creds_add(*args)
     end
 
     begin
-      params.assert_valid_keys('user','password','realm','realm-type','ntlm','ssh-key','hash','address','port','protocol', 'service-name', 'jtr', 'pkcs12', 'postgres')
+      params.assert_valid_keys('user','password','realm','realm-type','ntlm','ssh-key','hash','address','port','protocol', 'service-name', 'jtr', 'pkcs12', 'postgres', 'adcs-ca', 'adcs-template', 'pkcs12-password')
     rescue ArgumentError => e
       print_error(e.message)
     end
@@ -276,6 +279,10 @@ def creds_add(*args)
       end
       data[:private_type] = :pkcs12
       data[:private_data] = pkcs12_data
+      data[:private_metadata] = {}
+      data[:private_metadata][:adcs_ca] =  params['adcs-ca'] if params['adcs-ca']
+      data[:private_metadata][:adcs_template] =  params['adcs-template'] if params['adcs-template']
+      data[:private_metadata][:pkcs12_password] =  params['pkcs12-password'] if params['pkcs12-password']
     end
 
     if params.key? 'hash'
@@ -305,7 +312,7 @@ def creds_add(*args)
         framework.db.create_credential(data)
       end
     rescue ActiveRecord::RecordInvalid => e
-      print_error("Failed to add #{data['private_type']}: #{e}")
+      print_error("Failed to add #{data[:private_type]}: #{e}")
     end
   end
 
@@ -414,11 +421,13 @@ def creds_search(*args)
              when 'password'
                Metasploit::Credential::Password
              when 'hash'
-               Metasploit::Credential::PasswordHash
+               Metasploit::Credential::NonreplayableHash
              when 'ntlm'
                Metasploit::Credential::NTLMHash
              when 'KrbEncKey'.downcase
                Metasploit::Credential::KrbEncKey
+             when 'pkcs12'
+               Metasploit::Credential::Pkcs12
              when *Metasploit::Credential::NonreplayableHash::VALID_JTR_FORMATS
                opts[:jtr_format] = ptype
                Metasploit::Credential::NonreplayableHash

spec/lib/msf/ui/console/command_dispatcher/creds_spec.rb

@@ -212,32 +212,48 @@
                                realm: nil,
                                workspace: framework.db.workspace)
           end
+          let!(:pkcs12_subject) { '/C=FR/O=MyOrg/OU=MyUnit/CN=SubjectTestName' }
+          let!(:pkcs12_issuer) { '/C=US/O=MyIssuer/OU=MyIssuerUnit/CN=IssuerTestName' }
+          let!(:pkcs12_ca) { 'testCA' }
+          let!(:pkcs12_adcs_template) { 'TestTemplate' }
+          let!(:pkcs12_core) do
+            priv = FactoryBot.create(:metasploit_credential_pkcs12_with_ca_and_adcs_template,
+                                     subject: pkcs12_subject,
+                                     issuer: pkcs12_issuer,
+                                     adcs_ca: pkcs12_ca,
+                                     adcs_template: pkcs12_adcs_template)
+            FactoryBot.create(:metasploit_credential_core,
+                               origin: FactoryBot.create(:metasploit_credential_origin_import),
+                               private: priv,
+                               public: nil,
+                               realm: nil,
+                               workspace: framework.db.workspace)
+          end
 
-          #         # Somehow this is hitting a unique constraint on Cores with the same
-          #         # Public, even though it has a different Private. Skip for now
-          #         let!(:ntlm_core) do
-          #           priv = FactoryBot.create(:metasploit_credential_ntlm_hash, data: ntlm_hash)
-          #           FactoryBot.create(:metasploit_credential_core,
-          #                              origin: FactoryBot.create(:metasploit_credential_origin_import),
-          #                              private: priv,
-          #                              public: pub,
-          #                              realm: nil,
-          #                              workspace: framework.db.workspace)
-          #         end
-          #         let!(:nonreplayable_core) do
-          #           priv = FactoryBot.create(:metasploit_credential_nonreplayable_hash, data: 'asdf')
-          #           FactoryBot.create(:metasploit_credential_core,
-          #                              origin: FactoryBot.create(:metasploit_credential_origin_import),
-          #                              private: priv,
-          #                              public: pub,
-          #                              realm: nil,
-          #                              workspace: framework.db.workspace)
-          #         end
+          let!(:ntlm_core) do
+            priv = FactoryBot.create(:metasploit_credential_ntlm_hash, data: ntlm_hash)
+            FactoryBot.create(:metasploit_credential_core,
+                               origin: FactoryBot.create(:metasploit_credential_origin_import),
+                               private: priv,
+                               public: pub,
+                               realm: nil,
+                               workspace: framework.db.workspace)
+          end
+          let!(:nonreplayable_core) do
+            priv = FactoryBot.create(:metasploit_credential_nonreplayable_hash, data: 'asdf')
+            FactoryBot.create(:metasploit_credential_core,
+                               origin: FactoryBot.create(:metasploit_credential_origin_import),
+                               private: priv,
+                               public: pub,
+                               realm: nil,
+                               workspace: framework.db.workspace)
+          end
 
           after(:example) do
-            # ntlm_core.destroy
+            ntlm_core.destroy
             password_core.destroy
-            # nonreplayable_core.destroy
+            nonreplayable_core.destroy
+            pkcs12_core.destroy
           end
 
           context 'password' do
@@ -283,16 +299,48 @@
 
           context 'ntlm' do
             it 'should show just the ntlm' do
-              skip 'Weird uniqueness constraint on Core (workspace_id, public_id)'
 
               creds.cmd_creds('-t', 'ntlm')
               expect(@output.join("\n")).to match_table <<~TABLE
                 Credentials
                 ===========
 
-                host  origin  service  public         private                                                            realm  private_type  JtR Format  cracked_password
-                ----  ------  -------  ------         -------                                                            -----  ------------  ----------  ----------------
-                                       thisuser       1443d06412d8c0e6e72c57ef50f76a05:27c433245e4763d074d30a05aae0af2c         NTLM hash
+                host  origin  service  public    private                                                            realm  private_type  JtR Format  cracked_password
+                ----  ------  -------  ------    -------                                                            -----  ------------  ----------  ----------------
+                                       thisuser  1443d06412d8c0e6e72c57ef50f76a05:27c433245e4763d074d30a05aae0af2c         NTLM hash
+
+              TABLE
+            end
+          end
+
+          context 'nonreplayable' do
+            it 'should show just the ntlm' do
+
+              creds.cmd_creds('-t', 'hash')
+              expect(@output.join("\n")).to match_table <<~TABLE
+                Credentials
+                ===========
+
+                host  origin  service  public    private  realm  private_type        JtR Format  cracked_password
+                ----  ------  -------  ------    -------  -----  ------------        ----------  ----------------
+                                       thisuser  asdf            Nonreplayable hash
+
+              TABLE
+            end
+          end
+
+          context 'pkcs12' do
+            it 'should show just the pkcs12' do
+              private_str = "subject:#{pkcs12_subject},issuer:#{pkcs12_issuer},ADCS CA:#{pkcs12_ca},ADCS template:#{pkcs12_adcs_template}"
+              private_str = "#{private_str[0,76]} (TRUNCATED)"
+              creds.cmd_creds('-t', 'pkcs12')
+              expect(@output.join("\n")).to match_table <<~TABLE
+                Credentials
+                ===========
+
+                host  origin  service  public  private                                                                                   realm  private_type  JtR Format  cracked_password
+                ----  ------  -------  ------  -------                                                                                   -----  ------------  ----------  ----------------
+                                               #{private_str}         Pkcs12 (pfx)
 
               TABLE
             end
@@ -479,6 +527,65 @@
               }.to_not change { Metasploit::Credential::Core.count }
             end
           end
+          context 'pkcs12' do
+            let(:priv) { FactoryBot.build(:metasploit_credential_pkcs12) }
+            before(:each) do
+              @file = Tempfile.new('mypkcs12.pfx')
+              @file.write(Base64.strict_decode64(priv.data))
+              @file.close
+            end
+            it 'creates a core if one does not exist' do
+              expect {
+                creds.cmd_creds('add', "pkcs12:#{@file.path}")
+              }.to change { Metasploit::Credential::Core.count }.by 1
+            end
+            it 'does not create a core if it already exists' do
+              FactoryBot.create(:metasploit_credential_core,
+                origin: FactoryBot.create(:metasploit_credential_origin_import),
+                private: priv,
+                public: nil,
+                realm: nil,
+                workspace: framework.db.workspace)
+              expect {
+                creds.cmd_creds('add', "pkcs12:#{@file.path}")
+              }.to_not change { Metasploit::Credential::Core.count }
+            end
+
+            context 'with a password' do
+              let(:pkcs12_password) { 'mypass' }
+              let(:priv) {
+                FactoryBot.build(:metasploit_credential_pkcs12,
+                  pkcs12_password: pkcs12_password,
+                  metadata: { pkcs12_password: pkcs12_password }
+                )
+              }
+
+              it 'creates a core if the password is correct' do
+                expect {
+                  creds.cmd_creds('add', "pkcs12:#{@file.path}", "pkcs12-password:#{pkcs12_password}")
+                }.to change { Metasploit::Credential::Core.count }.by 1
+              end
+
+              it 'does not creates a core if the password is incorrect' do
+                expect {
+                  creds.cmd_creds('add', "pkcs12:#{@file.path}", "pkcs12-password:wrongpass")
+                }.to_not change { Metasploit::Credential::Core.count }
+              end
+            end
+
+            context 'with metadata other than password' do
+              let(:adcs_ca) { 'myca' }
+              let(:adcs_template) { 'mytemplate' }
+
+              it 'creates a core if the password is correct' do
+                expect {
+                  creds.cmd_creds('add', "pkcs12:#{@file.path}", "adcs-ca:#{adcs_ca}", "adcs-template:#{adcs_template}")
+                }.to change { Metasploit::Credential::Core.count }.by 1
+                expect(Metasploit::Credential::Pkcs12.first.adcs_ca).to eq(adcs_ca)
+                expect(Metasploit::Credential::Pkcs12.first.adcs_template).to eq(adcs_template)
+              end
+            end
+          end
         end
         context 'realm-types' do
           Metasploit::Model::Realm::Key::SHORT_NAMES.each do |short_name, long_name|