Add database ref opts for kerberos and pkcs12

Author: adfoster-r7

Gemfile.lock

@@ -683,4 +683,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.5.10
+   2.5.22

lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb

@@ -157,7 +157,8 @@ def initialize(
     credential = nil
     if cache_file.present?
       # the cache file is only used for loading credentials, it is *not* written to
-      credential = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
+      load_sname_hostname_credential_result = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
+      credential = load_sname_hostname_credential_result[:credential]
       serviceclass = build_spn.name_string.first
       if credential && credential.server.components[0] != serviceclass
         old_sname = credential.server.components.snapshot.join('/')
@@ -168,9 +169,18 @@ def initialize(
         ticket.sname.name_string[0] = serviceclass
         credential.ticket = ticket.encode
       elsif credential.nil? && hostname.present?
-        credential = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
+        load_sname_krbtgt_hostname_credential_result = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
+        credential = load_sname_krbtgt_hostname_credential_result[:credential]
       end
       if credential.nil?
+        vprint_error("Failed to load a usable credential from ticket file: #{cache_file}")
+        vprint_error("Attempt: finding a valid credential in #{cache_file} for sname: nil, and sname_hostname: #{@hostname}:")
+        vprint_error(load_sname_hostname_credential_result[:filter_reasons].join("\n").indent(2))
+
+        if load_sname_krbtgt_hostname_credential_result
+          vprint_error("Attempt: Failed finding a valid credential in #{cache_file} for sname: #{"krbtgt/#{hostname.split('.', 2).last}"}")
+          vprint_error(load_sname_krbtgt_hostname_credential_result[:filter_reasons].join("\n").indent(2))
+        end
         raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to load a usable credential from ticket file: #{cache_file}")
       end
       print_status("Loaded a credential from ticket file: #{cache_file}")
@@ -255,6 +265,7 @@ def authenticate(options = {})
     elsif options[:credential]
       auth_context = authenticate_via_krb5_ccache_credential_tgs(options[:credential], options)
     else
+      # TODO: If krbcachemode=none is set, should this be getting used?
       pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(framework: framework, framework_module: framework_module)
       pkcs12_results = pkcs12_storage.pkcs12(
         workspace: workspace,
@@ -362,7 +373,7 @@ def build_spn(options = {})
   # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential] The ccache credential
   def request_tgt_only(options = {})
     if options[:cache_file]
-      credential = load_credential_from_file(options[:cache_file])
+      credential = load_credential_from_file(options[:cache_file])[:credential]
     else
       credential = get_cached_credential(
         options.merge(
@@ -1055,67 +1066,92 @@ def get_cached_credential(options = {})
     )
   end
 
-  # Load a credential object from a file for authentication. Credentials in the file will be filtered by multiple
+  # Load a credential object from a file or database entry for authentication. Credentials in the credential cache will be filtered by multiple
   # attributes including their timestamps to ensure that the returned credential appears usable.
   #
-  # @param [String] file_path The file path to load a credential object from
+  # @param [path] path The file path to load a credential object from or database string reference
   # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CacheCredential] the credential object for authentication
-  def load_credential_from_file(file_path, options = {})
-    unless File.readable?(file_path.to_s)
-      wlog("Failed to load ticket file '#{file_path}' (file not readable)")
-      return nil
-    end
+  def load_credential_from_file(path, options = {})
+    # Load a database reference or a path
+    if path.start_with?('id:')
+      id = path.delete_prefix('id:')
+      storage = Msf::Exploit::Remote::Kerberos::Ticket::Storage::ReadOnly.new(framework: framework)
+      cache = storage.tickets({ id: id  }).first&.ccache
+      if !cache
+        wlog("Invalid cache id #{id} provided") unless cache
+        return { credential: nil }
+      end
+    else
+      unless File.readable?(file_path.to_s)
+        wlog("Failed to load ticket file '#{file_path}' (file not readable)")
+        return nil
+      end
 
-    begin
-      cache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(File.binread(file_path))
-    rescue StandardError => e
-      elog("Failed to load ticket file '#{file_path}' (parsing failed)", error: e)
-      return nil
+      begin
+        cache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(File.binread(file_path))
+      rescue StandardError => e
+        elog("Failed to load ticket file '#{file_path}' (parsing failed)", error: e)
+        return nil
+      end
     end
 
     sname = options.fetch(:sname) { build_spn&.to_s }
     sname_hostname = options.fetch(:sname_hostname, nil)
     now = Time.now.utc
 
+    filter_reasons = []
+
     cache.credentials.to_ary.each.with_index(1) do |credential, index|
       tkt_start = credential.starttime == Time.at(0).utc ? credential.authtime : credential.starttime
       tkt_end = credential.endtime
 
       unless tkt_start < now
-        wlog("Filtered credential #{file_path} ##{index} reason: Ticket start time is before now (start: #{tkt_start})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: Ticket start time is before now (start: #{tkt_start})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless now < tkt_end
-        wlog("Filtered credential #{file_path} ##{index} reason: Ticket is expired (expiration: #{tkt_end})")
+        wlog("Filtered credential #{path} ##{index} reason: Ticket is expired (expiration: #{tkt_end})")
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !@realm || @realm.casecmp?(credential.server.realm.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Realm (#{@realm}) does not match (realm: #{credential.server.realm})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: Realm (#{@realm}) does not match (realm: #{credential.server.realm})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !sname || sname.to_s.casecmp?(credential.server.components.snapshot.join('/'))
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !sname_hostname ||
           sname_hostname.to_s.downcase == credential.server.components[1].downcase ||
           sname_hostname.to_s.downcase.ends_with?('.' + credential.server.components[1].downcase)
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
       unless !@username || @username.casecmp?(credential.client.components.last.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})")
+        filter_reason = "Filtered credential #{path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})"
+        filter_reasons << filter_reason
+        wlog(filter_reason)
         next
       end
 
-      return credential
+      return { credential: credential, filter_reasons: filter_reasons }
     end
 
-    nil
+    { credential: nil, filter_reasons: filter_reasons }
   end
 end

lib/msf/core/exploit/remote/kerberos/service_authenticator/options.rb

@@ -41,7 +41,7 @@ def kerberos_auth_options(protocol:, auth_methods:)
         [false, 'The resolvable rhost for the Domain Controller'],
         conditions: option_conditions
       ),
-      Msf::OptPath.new(
+      Msf::OptKerberosCredentialCache.new(
         "#{protocol}::Krb5Ccname",
         [false, 'The ccache file to use for kerberos authentication', nil],
         conditions: option_conditions

lib/msf/core/exploit/remote/ldap.rb

@@ -40,13 +40,14 @@ def initialize(info = {})
           Opt::Proxies,
           *kerberos_storage_options(protocol: 'LDAP'),
           *kerberos_auth_options(protocol: 'LDAP', auth_methods: Msf::Exploit::Remote::AuthOption::LDAP_OPTIONS),
-          Msf::OptPath.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
+          Msf::OptPkcs12Cert.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
           OptFloat.new('LDAP::ConnectTimeout', [true, 'Timeout for LDAP connect', 10.0]),
           OptEnum.new('LDAP::Signing', [true, 'Use signed and sealed (encrypted) LDAP', 'auto', %w[ disabled auto required ]])
         ]
       )
     end
 
+
     # Alias to return the RHOST datastore option.
     #
     # @return [String] The current value of RHOST in the datastore.
@@ -68,6 +69,7 @@ def peer
       "#{rhost}:#{rport}"
     end
 
+
     # Set the various connection options to use when connecting to the
     # target LDAP server based on the current datastore options. Returns
     # the resulting connection configuration as a hash.

lib/msf/core/exploit/remote/pkcs12/storage.rb

@@ -20,11 +20,20 @@ def initialize(framework: nil, framework_module: nil)
     # @param [String] cert_pass The certificate password
     # @param [String] workspace The workspace to restrict searches to
     def read_pkcs12_cert_path(cert_path, cert_pass = '', workspace: nil)
-      is_readable = ::File.file?(cert_path) && ::File.readable?(cert_path)
-      raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.' unless is_readable
-      data = File.binread(cert_path)
+      if cert_path.start_with?('id:')
+        core = framework.db.creds({ workspace: workspace, id: cert_path.delete_prefix('id:') }).first
+        raise Msf::ValidationError, 'Invalid cert id provided' unless core
+        raise Msf::ValidationError, 'Invalid cert id provided - not a pkcs12 credential' unless core.private.type == 'Metasploit::Credential::Pkcs12'
+
+        data = Base64.decode64(core.private.data)
+      else
+        is_readable = ::File.file?(cert_path) && ::File.readable?(cert_path)
+        raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.' unless is_readable
+        data = File.binread(cert_path)
+      end
 
       begin
+        # TODO: Is it possible to read the cert pass from the db?
         pkcs12 = OpenSSL::PKCS12.new(data, cert_pass)
       rescue StandardError => e
         raise Msf::ValidationError, "Failed to load the PFX file (#{e})"

lib/msf/core/opt_database_ref_or_path.rb

@@ -0,0 +1,37 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Opt that can be reference a database Id or a file on disk; Valid eExamples:
+  # - /tmp/foo.txt
+  # - id:123
+  ###
+  class OptDatabaseRefOrPath < OptBase
+    def normalize(value)
+      return value if value.nil? || value.to_s.empty? || value.start_with?('id:')
+
+      File.expand_path(value)
+    end
+
+    def validate_on_assignment?
+      false
+    end
+
+    # Generally, 'value' should be a file that exists, or an integer database id.
+    def valid?(value, check_empty: true, datastore: nil)
+      return false if check_empty && empty_required_value?(value)
+
+      if value && !value.empty?
+        if value.start_with?('id:')
+          return value.match?(/^id:\d+$/)
+        end
+
+        unless File.exist?(File.expand_path(value))
+          return false
+        end
+      end
+      super
+    end
+  end
+end

lib/msf/core/opt_kerberos_credential_cache.rb

@@ -0,0 +1,14 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Pkcs12 cert that can either exist on disk, or as a database core ID
+  #
+  ###
+  class OptKerberosCredentialCache < OptDatabaseRefOrPath
+    def type
+      'kerberos_credential_cache'
+    end
+  end
+end

lib/msf/core/opt_pkcs12_cert.rb

@@ -0,0 +1,14 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Pkcs12 cert that can either exist on disk, or as a database core ID
+  #
+  ###
+  class OptPkcs12Cert < OptDatabaseRefOrPath
+    def type
+      'pkcs12_cert'
+    end
+  end
+end

lib/msf/ui/console/command_dispatcher/creds.rb

@@ -343,13 +343,27 @@ def creds_search(*args)
 
     set_rhosts = false
     truncate = true
+    show_id = false
 
     cred_table_columns = [ 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type', 'JtR Format', 'cracked_password' ]
     delete_count = 0
     search_term = nil
 
     while (arg = args.shift)
       case arg
+      # TODO: We should add this to other commands, other options: `-e` `--extended`
+      #   Or from sessions:
+      #           when "-x", "--list-extended"
+      #             show_extended = true
+      #           when "-v", "--list-verbose"
+      #             verbose = true
+      #   I think this has come up before too with the bruteforce PR that required adding Ids that we didn't render
+      #     https://github.com/rapid7/metasploit-framework/issues/17367
+      #     https://github.com/rapid7/metasploit-framework/pull/17601
+      #   There's also the new 'certs' command
+      when '--id'
+        cred_table_columns.unshift('id')
+        show_id = true
       when '-o'
         output_file = args.shift
         if (!output_file)
@@ -506,7 +520,7 @@ def creds_search(*args)
           service_info = build_service_info(service)
         end
         cracked_password_val = cracked_password_core&.private&.data.to_s
-        tbl << [
+        row = [
           host,
           origin,
           service_info,
@@ -517,6 +531,11 @@ def creds_search(*args)
           jtr_val,
           cracked_password_val
         ]
+        if show_id
+          row.unshift(core.id)
+        end
+
+        tbl << row
       end
     end
 

modules/auxiliary/admin/kerberos/get_ticket.rb

@@ -48,7 +48,7 @@ def initialize(info = {})
         OptString.new('DOMAIN', [ false, 'The Fully Qualified Domain Name (FQDN). Ex: mydomain.local' ]),
         OptString.new('USERNAME', [ false, 'The domain user' ]),
         OptString.new('PASSWORD', [ false, 'The domain user\'s password' ]),
-        OptPath.new('CERT_FILE', [ false, 'The PKCS12 (.pfx) certificate file to authenticate with' ]),
+        OptPkcs12Cert.new('CERT_FILE', [ false, 'The PKCS12 (.pfx) certificate file to authenticate with' ]),
         OptString.new('CERT_PASSWORD', [ false, 'The certificate file\'s password' ]),
         OptString.new(
           'NTHASH', [
@@ -76,7 +76,7 @@ def initialize(info = {})
           ],
           conditions: %w[ACTION == GET_TGS]
         ),
-        OptPath.new(
+        OptKerberosCredentialCache.new(
           'Krb5Ccname', [
             false,
             'The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked'