Add some error handling for kerberos options

Author: zeroSteiner

lib/msf/core/exploit/remote/http_client.rb

@@ -159,22 +159,29 @@ def connect(opts={})
 
     http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self)
 
-    kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
-      host: datastore['DomainControllerRhost'],
-      hostname: datastore['HTTP::Rhostname'],
-      proxies: datastore['Proxies'],
-      realm: datastore['DOMAIN'],
-      username: datastore['HttpUsername'],
-      password: datastore['HttpPassword'],
-      timeout: 20, # datastore['timeout']
-      framework: framework,
-      framework_module: self,
-      cache_file: datastore['HTTP::Krb5Ccname'].blank? ? nil : datastore['HTTP::Krb5Ccname'],
-      mutual_auth: true,
-      use_gss_checksum: true,
-      ticket_storage: kerberos_ticket_storage,
-      offered_etypes: Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['HTTP::KrbOfferedEncryptionTypes'])
-    )
+    kerberos_authenticator = nil
+    if datastore['HTTP::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
+      fail_with(Msf::Exploit::Failure::BadConfig, 'The HTTP::Rhostname option is required when using Kerberos authentication.') if datastore['HTTP::Rhostname'].blank?
+      fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank?
+      offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['HTTP::KrbOfferedEncryptionTypes'])
+      fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty?
+
+      kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
+        host: datastore['DomainControllerRhost'],
+        hostname: datastore['HTTP::Rhostname'],
+        proxies: datastore['Proxies'],
+        realm: datastore['DOMAIN'],
+        username: datastore['HttpUsername'],
+        password: datastore['HttpPassword'],
+        framework: framework,
+        framework_module: self,
+        cache_file: datastore['HTTP::Krb5Ccname'].blank? ? nil : datastore['HTTP::Krb5Ccname'],
+        mutual_auth: true,
+        use_gss_checksum: true,
+        ticket_storage: kerberos_ticket_storage,
+        offered_etypes: offered_etypes
+      )
+    end
 
     nclient = Rex::Proto::Http::Client.new(
       opts['rhost'] || rhost,

lib/rex/proto/http/client.rb

@@ -314,14 +314,21 @@ def send_auth(res, opts, t, persist)
               res = temp_response
             end
             return res
+          elsif supported_auths.include?('Kerberos') && (preferred_auth.nil? || preferred_auth == 'Kerberos') && kerberos_authenticator
+            opts['provider'] = 'Kerberos'
+            temp_response = kerberos_auth(opts, mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
+            if temp_response.is_a? Rex::Proto::Http::Response
+              res = temp_response
+            end
+            return res
           elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Negotiate')
             opts['provider'] = 'Negotiate'
             temp_response = negotiate_auth(opts)
             if temp_response.is_a? Rex::Proto::Http::Response
               res = temp_response
             end
             return res
-          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos')
+          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos') && kerberos_authenticator
             opts['provider'] = 'Negotiate'
             temp_response = kerberos_auth(opts, mechanism: Rex::Proto::Gss::Mechanism::SPNEGO)
             if temp_response.is_a? Rex::Proto::Http::Response