Merge pull request rapid7#19760 from cdelafuente-r7/feat/pkcs12/certs_command/pkinit

Add certs command & use pkinit if kerberos tickets are not available in cache

Author: jheysel-r7

lib/metasploit/framework/ldap/client.rb

@@ -50,6 +50,7 @@ def ldap_auth_opts_kerberos(opts, ssl)
           auth_opts = {}
           raise Msf::ValidationError, 'The LDAP::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
           raise Msf::ValidationError, 'The DOMAIN option is required when using Kerberos authentication.' if opts[:domain].blank?
+          raise Msf::ValidationError, 'The DomainControllerRhost is required when using Kerberos authentication.' if opts[:domain_controller_rhost].blank?
 
           offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(opts[:ldap_krb_offered_enc_types])
           raise Msf::ValidationError, 'At least one encryption type is required when using Kerberos authentication.' if offered_etypes.empty?
@@ -112,17 +113,35 @@ def ldap_auth_opts_schannel(opts, ssl)
           auth_opts = {}
           pfx_path = opts[:ldap_cert_file]
           raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
-          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using Schannel authentication.' if pfx_path.blank?
           raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)
 
-          unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
-            raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
-          end
+          if pfx_path.present?
+            unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
+              raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
+            end
+
+            begin
+              pkcs = OpenSSL::PKCS12.new(File.binread(pfx_path), '')
+            rescue StandardError => e
+              raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
+            end
+          else
+            pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(
+              framework: opts[:framework],
+              framework_module: opts[:framework_module]
+            )
+            pkcs12_results = pkcs12_storage.pkcs12(
+              username: opts[:username],
+              realm: opts[:domain],
+              tls_auth: true,
+              status: 'active'
+            )
+            if pkcs12_results.empty?
+              raise Msf::ValidationError, "Pkcs12 for #{opts[:username]}@#{opts[:domain]} not found in the database"
+            end
 
-          begin
-            pkcs = OpenSSL::PKCS12.new(File.binread(pfx_path), '')
-          rescue StandardError => e
-            raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
+            elog("Using stored certificate for #{opts[:username]}@#{opts[:domain]}")
+            pkcs = pkcs12_results.first.openssl_pkcs12
           end
 
           auth_opts[:auth] = {

lib/metasploit/framework/login_scanner/ldap.rb

@@ -87,8 +87,8 @@ def each_credential
               credential.private = nil
             elsif opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::SCHANNEL
               # If we're using kerberos auth with schannel then the user/password is irrelevant
-              # Remove it from the credential so we don't store it
-              credential.public = nil
+              # Remove the password from the credential so we don't store it
+              # Note that the username is kept since it is needed for the certificate lookup.
               credential.private = nil
             end
 

lib/msf/core/db_manager/cred.rb

@@ -246,7 +246,7 @@ def update_credential(opts)
         if opts[:public][:id]
           public_id = opts[:public].delete(:id)
           public = Metasploit::Credential::Public.find(public_id)
-          public.update_attributes(opts[:public])
+          public.update(opts[:public])
         else
           public = Metasploit::Credential::Public.where(opts[:public]).first_or_initialize
         end
@@ -256,7 +256,7 @@ def update_credential(opts)
         if opts[:private][:id]
           private_id = opts[:private].delete(:id)
           private = Metasploit::Credential::Private.find(private_id)
-          private.update_attributes(opts[:private])
+          private.update(opts[:private])
         else
           private = Metasploit::Credential::Private.where(opts[:private]).first_or_initialize
         end
@@ -266,7 +266,7 @@ def update_credential(opts)
         if opts[:origin][:id]
           origin_id = opts[:origin].delete(:id)
           origin = Metasploit::Credential::Origin.find(origin_id)
-          origin.update_attributes(opts[:origin])
+          origin.update(opts[:origin])
         else
           origin = Metasploit::Credential::Origin.where(opts[:origin]).first_or_initialize
         end

lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb

@@ -253,6 +253,18 @@ def authenticate(options = {})
     elsif options[:credential]
       auth_context = authenticate_via_krb5_ccache_credential_tgs(options[:credential], options)
     else
+      pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(framework: framework, framework_module: framework_module)
+      pkcs12_results = pkcs12_storage.pkcs12(
+        workspace: workspace,
+        username: @username,
+        realm: @realm,
+        status: 'active'
+      )
+      if pkcs12_results.any?
+        stored_pkcs12 = pkcs12_results.first
+        options[:pfx] = stored_pkcs12.openssl_pkcs12
+        print_status("Using stored certificate for #{stored_pkcs12.username}@#{stored_pkcs12.realm}")
+      end
       auth_context = authenticate_via_kdc(options)
       auth_context = authenticate_via_krb5_ccache_credential_tgt(auth_context[:credential], options)
     end

lib/msf/core/exploit/remote/ms_icpr.rb

@@ -240,6 +240,9 @@ def do_request_cert(icpr, opts)
     pkcs12 = OpenSSL::PKCS12.create('', '', private_key, response[:certificate])
     # see: https://pki-tutorial.readthedocs.io/en/latest/mime.html#mime-types
     info = "#{simple.client.default_domain}\\#{datastore['SMBUser']} Certificate"
+    # TODO: I was under the impression a single certificate can only have one UPN associated with it.
+    #       But here, `upn` can be an array of UPN's. This will need to be sorted out.
+    upn_username, upn_domain = upn&.first&.split('@')
 
     service_data = icpr_service_data
     credential_data = {
@@ -249,10 +252,12 @@ def do_request_cert(icpr, opts)
       protocol: service_data[:proto],
       service_name: service_data[:name],
       workspace_id: myworkspace_id,
-      username: upn || datastore['SMBUser'],
+      username: upn_username || datastore['SMBUser'],
       private_type: :pkcs12,
       private_data: Base64.strict_encode64(pkcs12.to_der),
       private_metadata: { adcs_ca: datastore['CA'], adcs_template: cert_template },
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: upn_domain || simple.client.default_domain,
       origin_type: :service,
       module_fullname: fullname
     }

lib/msf/core/exploit/remote/pkcs12/storage.rb

@@ -0,0 +1,151 @@
+module Msf::Exploit::Remote::Pkcs12
+
+  class Storage
+    include Msf::Auxiliary::Report
+
+    # @!attribute [r] framework
+    #   @return [Msf::Framework] the Metasploit framework instance
+    attr_reader :framework
+
+    # @!attribute [r] framework_module
+    #   @return [Msf::Module] the Metasploit framework module that is associated with the authentication instance
+    attr_reader :framework_module
+
+    def initialize(framework: nil, framework_module: nil)
+      @framework = framework || framework_module&.framework
+      @framework_module = framework_module
+    end
+
+    # Get stored pkcs12 matching the options query.
+    #
+    # @param [Hash] options The options for matching pkcs12's.
+    # @option options [Integer, Array<Integer>] :id The identifier of the pkcs12 (optional)
+    # @option options [String] :realm The realm of the pkcs12 (optional)
+    # @option options [String] :username The username of the pkcs12 (optional)
+    # @return [Array<StoredPkcs12>]
+    def pkcs12(options = {}, &block)
+      stored_pkcs12_array = filter_pkcs12(options).map do |pkcs12_entry|
+        StoredPkcs12.new(pkcs12_entry)
+      end
+
+      stored_pkcs12_array.each do |stored_pkcs12|
+        block.call(stored_pkcs12) if block_given?
+      end
+
+      stored_pkcs12_array
+    end
+
+    # Return the raw stored pkcs12.
+    #
+    # @param [Hash] options See the options hash description in {#pkcs12}.
+    # @return [Array<Metasploit::Credential::Core>]
+    def filter_pkcs12(options)
+      return [] unless active_db?
+
+      filter = {}
+      filter[:id] = options[:id] if options[:id].present?
+
+      creds = framework.db.creds(
+        workspace: options.fetch(:workspace) { workspace },
+        type: 'Metasploit::Credential::Pkcs12',
+        **filter
+      ).select do |cred|
+        # this is needed since if a filter is provided (e.g. `id:`) framework.db.creds will ignore the type:
+        next false unless cred.private.type == 'Metasploit::Credential::Pkcs12'
+
+        if options[:username].present?
+          next false if options[:username].casecmp(cred.public.username) != 0
+        end
+
+        if options[:realm].present? && cred.realm
+          next false if options[:realm].casecmp(cred.realm.value) != 0
+        end
+
+        if options[:status].present?
+          # If status is not set on the credential, considere it is `active`
+          status = cred.private.status || 'active'
+          next false if status != options[:status]
+        end
+
+        cert = cred.private.openssl_pkcs12.certificate
+        unless Time.now.between?(cert.not_before, cert.not_after)
+          ilog("[filter_pkcs12] Found a matching certificate but it has expired")
+          next false
+        end
+
+        if options[:tls_auth]
+          eku = cert.extensions.select { |c| c.oid == 'extendedKeyUsage' }.first
+          unless eku&.value.include?('TLS Web Client Authentication')
+            ilog("[filter_pkcs12] Found a matching certificate but it doesn't have the 'TLS Web Client Authentication' EKU")
+            next false
+          end
+        end
+
+        true
+      end
+    end
+
+    def delete(options = {})
+      if options.keys == [:ids]
+        # skip calling #filter_pkcs12 which issues a query when the IDs are specified
+        ids = options[:ids]
+      else
+        ids = filter_pkcs12(options).map(&:id)
+      end
+
+      framework.db.delete_credentials(ids: ids).map do |stored_pkcs12|
+        StoredPkcs12.new(stored_pkcs12)
+      end
+    end
+
+    # @return [String] The name of the workspace in which to operate.
+    def workspace
+      if @framework_module
+        return @framework_module.workspace
+      elsif @framework&.db&.active
+        return @framework.db.workspace&.name
+      end
+    end
+
+    # Mark Pkcs12(s) as inactive
+    #
+    # @param [Array<Integer>] ids The list of pkcs12 IDs.
+    # @return [Array<StoredPkcs12>]
+    def deactivate(ids:)
+      set_status(ids: ids, status: 'inactive')
+    end
+
+    # Mark Pkcs12(s) as active
+    #
+    # @param [Array<Integer>] ids The list of pkcs12 IDs.
+    # @return [Array<StoredPkcs12>]
+    def activate(ids:)
+      set_status(ids: ids, status: 'active')
+    end
+
+    private
+
+    # @param [Array<Integer>] ids List of pkcs12 IDs to update
+    # @param [String] status The status to set for the pkcs12
+    # @return [Array<StoredPkcs12>]
+    def set_status(ids:, status:)
+      updated_pkcs12 = []
+      ids.each do |id|
+        pkcs12 = filter_pkcs12({ id: id })
+        if pkcs12.blank?
+          print_warning("Pkcs12 with id: #{id} was not found in the database")
+          next
+        end
+        private = pkcs12.first.private
+        private.metadata.merge!({ 'status' => status } )
+        updated_pkcs12 << framework.db.update_credential({ id: id, private: { id: private.id, metadata: private.metadata }})
+        # I know this looks weird but the local db returns a single loot object, remote db returns an array of them
+        #updated_certs << Array.wrap(framework.db.update_loot({ id: id, info: updated_pkcs12_status })).first
+      end
+      updated_pkcs12.map do |stored_pkcs12|
+        StoredPkcs12.new(stored_pkcs12)
+      end
+    end
+
+  end
+end

lib/msf/core/exploit/remote/pkcs12/stored_pkcs12.rb

@@ -0,0 +1,47 @@
+module Msf::Exploit::Remote::Pkcs12
+
+  class StoredPkcs12
+    def initialize(pkcs12)
+      @pkcs12 = pkcs12
+    end
+
+    def id
+      @pkcs12.id
+    end
+
+    def openssl_pkcs12
+      private_cred.openssl_pkcs12
+    end
+
+    def adcs_ca
+      private_cred.adcs_ca || ''
+    end
+
+    def adcs_template
+      private_cred.adcs_template || ''
+    end
+
+    def private_cred
+      @pkcs12.private
+    end
+
+    def username
+      @pkcs12.public&.username || ''
+    end
+
+    def realm
+      @pkcs12.realm&.value || ''
+    end
+
+    def status
+      private_cred.status || ''
+    end
+
+    # @return [TrueClass, FalseClass] True if the certificate is valid within the not_before/not_after, false otherwise
+    def expired?(now = Time.now)
+      cert = openssl_pkcs12.certificate
+      !now.between?(cert.not_before, cert.not_after)
+    end
+  end
+end
+

lib/msf/ui/console/command_dispatcher/db.rb

@@ -19,6 +19,7 @@ class Db
   include Msf::Ui::Console::CommandDispatcher::Db::Common
   include Msf::Ui::Console::CommandDispatcher::Db::Analyze
   include Msf::Ui::Console::CommandDispatcher::Db::Klist
+  include Msf::Ui::Console::CommandDispatcher::Db::Certs
 
   DB_CONFIG_PATH = 'framework/database'
 
@@ -49,6 +50,7 @@ def commands
       "notes"         => "List all notes in the database",
       "loot"          => "List all loot in the database",
       "klist"         => "List Kerberos tickets in the database",
+      "certs"         => "List Pkcs12 certificate bundles in the database",
       "db_import"     => "Import a scan result file (filetype will be auto-detected)",
       "db_export"     => "Export a file containing the contents of the database",
       "db_nmap"       => "Executes nmap and records the output automatically",