@@ -15,6 +15,8 @@ module Exploit::Remote::HttpClient
1515
1616 include Msf ::Auxiliary ::Report
1717 include Msf ::Auxiliary ::LoginScanner
18+ include Msf ::Exploit ::Remote ::Kerberos ::Ticket ::Storage
19+ include Msf ::Exploit ::Remote ::Kerberos ::ServiceAuthenticator ::Options
1820
1921 #
2022 # Initializes an exploit module that exploits a vulnerability in an HTTP
@@ -35,6 +37,8 @@ def initialize(info = {})
3537
3638 register_advanced_options (
3739 [
40+ *kerberos_storage_options ( protocol : 'HTTP' ) ,
41+ *kerberos_auth_options ( protocol : 'HTTP' , auth_methods : Msf ::Exploit ::Remote ::AuthOption ::HTTP_OPTIONS ) ,
3842 OptString . new ( 'UserAgent' , [ false , 'The User-Agent header to use for all requests' ,
3943 Rex ::UserAgent . session_agent
4044 ] ) ,
@@ -155,6 +159,30 @@ def connect(opts={})
155159
156160 http_logger_subscriber = Rex ::Proto ::Http ::HttpLoggerSubscriber . new ( logger : self )
157161
162+ kerberos_authenticator = nil
163+ if datastore [ 'HTTP::Auth' ] == Msf ::Exploit ::Remote ::AuthOption ::KERBEROS
164+ fail_with ( Msf ::Exploit ::Failure ::BadConfig , 'The HTTP::Rhostname option is required when using Kerberos authentication.' ) if datastore [ 'HTTP::Rhostname' ] . blank?
165+ fail_with ( Msf ::Exploit ::Failure ::BadConfig , 'The DOMAIN option is required when using Kerberos authentication.' ) if datastore [ 'DOMAIN' ] . blank?
166+ offered_etypes = Msf ::Exploit ::Remote ::AuthOption . as_default_offered_etypes ( datastore [ 'HTTP::KrbOfferedEncryptionTypes' ] )
167+ fail_with ( Msf ::Exploit ::Failure ::BadConfig , 'At least one encryption type is required when using Kerberos authentication.' ) if offered_etypes . empty?
168+
169+ kerberos_authenticator = Msf ::Exploit ::Remote ::Kerberos ::ServiceAuthenticator ::HTTP . new (
170+ host : datastore [ 'DomainControllerRhost' ] ,
171+ hostname : datastore [ 'HTTP::Rhostname' ] ,
172+ proxies : datastore [ 'Proxies' ] ,
173+ realm : datastore [ 'DOMAIN' ] ,
174+ username : datastore [ 'HttpUsername' ] ,
175+ password : datastore [ 'HttpPassword' ] ,
176+ framework : framework ,
177+ framework_module : self ,
178+ cache_file : datastore [ 'HTTP::Krb5Ccname' ] . blank? ? nil : datastore [ 'HTTP::Krb5Ccname' ] ,
179+ mutual_auth : true ,
180+ use_gss_checksum : true ,
181+ ticket_storage : kerberos_ticket_storage ,
182+ offered_etypes : offered_etypes
183+ )
184+ end
185+
158186 nclient = Rex ::Proto ::Http ::Client . new (
159187 opts [ 'rhost' ] || rhost ,
160188 ( opts [ 'rport' ] || rport ) . to_i ,
@@ -167,6 +195,7 @@ def connect(opts={})
167195 proxies ,
168196 client_username ,
169197 client_password ,
198+ kerberos_authenticator : kerberos_authenticator ,
170199 comm : opts [ 'comm' ] ,
171200 subscriber : http_logger_subscriber ,
172201 sslkeylogfile : sslkeylogfile
@@ -375,6 +404,22 @@ def send_request_raw(opts = {}, timeout = 20, disconnect = false)
375404 actual_timeout = opts [ :timeout ] || timeout
376405 end
377406
407+ unless opts . key? ( 'preferred_auth' )
408+ case datastore [ 'HTTP::Auth' ]
409+ when Msf ::Exploit ::Remote ::AuthOption ::AUTO
410+ opts [ 'preferred_auth' ] = nil
411+ when Msf ::Exploit ::Remote ::AuthOption ::KERBEROS
412+ opts [ 'preferred_auth' ] = 'Kerberos'
413+ when Msf ::Exploit ::Remote ::AuthOption ::NTLM
414+ opts [ 'preferred_auth' ] = 'NTLM'
415+ when Msf ::Exploit ::Remote ::AuthOption ::PLAINTEXT
416+ # Basic auth might as well be plaintext right?
417+ opts [ 'preferred_auth' ] = 'Basic'
418+ when Msf ::Exploit ::Remote ::AuthOption ::NONE
419+ opts [ 'preferred_auth' ] = 'None'
420+ end
421+ end
422+
378423 c = opts [ 'client' ] || connect ( opts )
379424 r = opts [ 'cgi' ] ? c . request_cgi ( opts ) : c . request_raw ( opts )
380425
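Review bot: In `connect`, the Kerberos authenticator is built from `datastore['HttpUsername']` and `datastore['HttpPassword']`, while the Rex client a few lines further down is handed `client_username` and `client_password`. Those locals are assigned outside the hunk; if they honour per-call `opts['username']` / `opts['password']`, a module that overrides credentials per request would authenticate over Kerberos as a different principal than the one it logs and reports. Passing `username: client_username, password: client_password` to the authenticator would keep the two paths in agreement. Relatedly, the authenticator is created only when `datastore['HTTP::Auth']` is KERBEROS, yet `send_request_raw` lets a caller-supplied `opts['preferred_auth']` take precedence, so a per-request `'Kerberos'` with the datastore set to another value appears to reach the client with `kerberos_authenticator: nil`. Either gate both on the same value or document that Kerberos can only be selected through the datastore option.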