Tie in Kerberos authentication for HTTP modules

Author: zeroSteiner

lib/msf/core/exploit/remote/http_client.rb

@@ -15,6 +15,7 @@ module Exploit::Remote::HttpClient
 
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::LoginScanner
+  include Msf::Exploit::Remote::Kerberos::Ticket::Storage
 
   #
   # Initializes an exploit module that exploits a vulnerability in an HTTP
@@ -155,6 +156,25 @@ def connect(opts={})
 
     http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self)
 
+    if datastore['HTTP::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
+      kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
+        host: datastore['DomainControllerRhost'],
+        hostname: datastore['HTTP::Rhostname'],
+        proxies: datastore['Proxies'],
+        realm: datastore['DOMAIN'],
+        username: datastore['HttpUsername'],
+        password: datastore['HttpPassword'],
+        timeout: 20, # datastore['timeout']
+        framework: framework,
+        framework_module: self,
+        cache_file: datastore['HTTP::Krb5Ccname'].blank? ? nil : datastore['HTTP::Krb5Ccname'],
+        mutual_auth: true,
+        use_gss_checksum: true,
+        ticket_storage: kerberos_ticket_storage,
+        offered_etypes: Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['HTTP::KrbOfferedEncryptionTypes'])
+      )
+    end
+
     nclient = Rex::Proto::Http::Client.new(
       opts['rhost'] || rhost,
       (opts['rport'] || rport).to_i,
@@ -167,6 +187,7 @@ def connect(opts={})
       proxies,
       client_username,
       client_password,
+      kerberos_authenticator: kerberos_authenticator,
       comm: opts['comm'],
       subscriber: http_logger_subscriber,
       sslkeylogfile: sslkeylogfile
@@ -375,6 +396,22 @@ def send_request_raw(opts = {}, timeout = 20, disconnect = false)
       actual_timeout = opts[:timeout] || timeout
     end
 
+    unless opts.key?('preferred_auth')
+      case datastore['HTTP::Auth']
+      when Msf::Exploit::Remote::AuthOption::AUTO
+        opts['preferred_auth'] = nil
+      when Msf::Exploit::Remote::AuthOption::KERBEROS
+        opts['preferred_auth'] = 'Kerberos'
+      when Msf::Exploit::Remote::AuthOption::NTLM
+        opts['preferred_auth'] = 'NTLM'
+      when Msf::Exploit::Remote::AuthOption::PLAINTEXT
+        # Basic auth might as well be plaintext right?
+        opts['preferred_auth'] = 'Basic'
+      when Msf::Exploit::Remote::AuthOption::NONE
+        opts['preferred_auth'] = 'None'
+      end
+    end
+
     c = opts['client'] || connect(opts)
     r = opts['cgi'] ? c.request_cgi(opts) : c.request_raw(opts)
 

lib/rex/proto/http/client.rb

@@ -323,7 +323,7 @@ def send_auth(res, opts, t, persist)
             return res
           elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos')
             opts['provider'] = 'Negotiate'
-            temp_response = kerberos_auth(opts)
+            temp_response = kerberos_auth(opts, mechanism: Rex::Proto::Gss::Mechanism::SPNEGO)
             if temp_response.is_a? Rex::Proto::Http::Response
               res = temp_response
             end
@@ -411,16 +411,21 @@ def digest_auth(opts = {})
           end
         end
 
-        def kerberos_auth(opts = {})
+        def kerberos_auth(opts = {}, mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
           to = opts['timeout'] || 20
-          auth_result = kerberos_authenticator.authenticate(mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
+          auth_result = kerberos_authenticator.authenticate(mechanism: mechanism)
           gss_data = auth_result[:security_blob]
           gss_data_b64 = Rex::Text.encode_base64(gss_data)
 
           # Separate options for the auth requests
           auth_opts = opts.clone
           auth_opts['headers'] = opts['headers'].clone
-          auth_opts['headers']['Authorization'] = "Kerberos #{gss_data_b64}"
+          case mechanism
+          when Rex::Proto::Gss::Mechanism::KERBEROS
+            auth_opts['headers']['Authorization'] = "Kerberos #{gss_data_b64}"
+          when Rex::Proto::Gss::Mechanism::SPNEGO
+            auth_opts['headers']['Authorization'] = "Negotiate #{gss_data_b64}"
+          end
 
           if auth_opts['no_body_for_auth']
             auth_opts.delete('data')

modules/auxiliary/scanner/http/title.rb

@@ -8,6 +8,8 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
   # Scanner mixin should be near last
   include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::Kerberos::Ticket::Storage
+  include Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options
 
   def initialize
     super(
@@ -31,6 +33,8 @@ def initialize
 
     register_advanced_options(
       [
+        *kerberos_storage_options(protocol: 'HTTP'),
+        *kerberos_auth_options(protocol: 'HTTP', auth_methods: Msf::Exploit::Remote::AuthOption::HTTP_OPTIONS),
         OptString.new('HttpQueryString', [ false, 'The HTTP query string', nil ]),
         OptBool.new('FollowRedirect', [ false, 'Follow a HTTP redirect', false ]),
         OptInt.new('FollowRedirectDepth', [false, 'Follow HTTP redirect depth', 1]),