Land rapid7#4456 - MS14-068, Kerberos Checksum (plus krb protocol support)

Author: wchen-r7

lib/msf/core.rb

@@ -72,6 +72,9 @@ module Msf
 require 'msf/http/typo3'
 require 'msf/http/jboss'
 
+# Kerberos Support
+require 'msf/kerberos/client'
+
 # Drivers
 require 'msf/core/exploit_driver'
 

lib/msf/kerberos/client.rb

@@ -0,0 +1,139 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos'
+
+module Msf
+  module Kerberos
+    module Client
+      require 'msf/kerberos/client/base'
+      require 'msf/kerberos/client/as_request'
+      require 'msf/kerberos/client/as_response'
+      require 'msf/kerberos/client/tgs_request'
+      require 'msf/kerberos/client/tgs_response'
+      require 'msf/kerberos/client/pac'
+      require 'msf/kerberos/client/cache_credential'
+
+      include Msf::Kerberos::Client::Base
+      include Msf::Kerberos::Client::AsRequest
+      include Msf::Kerberos::Client::AsResponse
+      include Msf::Kerberos::Client::TgsRequest
+      include Msf::Kerberos::Client::TgsResponse
+      include Msf::Kerberos::Client::Pac
+      include Msf::Kerberos::Client::CacheCredential
+
+      # @!attribute client
+      #   @return [Rex::Proto::Kerberos::Client] The kerberos client
+      attr_accessor :client
+
+      def initialize(info = {})
+        super
+
+        register_options(
+          [
+            Opt::RHOST,
+            Opt::RPORT(88),
+            OptInt.new('Timeout', [true, 'The TCP timeout to establish connection and read data', 10])
+          ], self.class
+        )
+      end
+
+      # Returns the target host
+      #
+      # @return [String]
+      def rhost
+        datastore['RHOST']
+      end
+
+      # Returns the remote port
+      #
+      # @return [Fixnum]
+      def rport
+        datastore['RPORT']
+      end
+
+      # Returns the TCP timeout
+      #
+      # @return [Fixnum]
+      def timeout
+        datastore['Timeout']
+      end
+
+      # Returns the kdc peer
+      #
+      # @return [String]
+      def peer
+        "#{rhost}:#{rport}"
+      end
+
+      # Creates a kerberos connection
+      #
+      # @param opts [Hash{Symbol => <String, Fixnum>}]
+      # @option opts [String] :rhost
+      # @option opts [<String, Fixnum>] :rport
+      # @return [Rex::Proto::Kerberos::Client]
+      def connect(opts={})
+        kerb_client = Rex::Proto::Kerberos::Client.new(
+          host: opts[:rhost] || rhost,
+          port: (opts[:rport] || rport).to_i,
+          timeout: (opts[:timeout] || timeout).to_i,
+          context:
+            {
+              'Msf'        => framework,
+              'MsfExploit' => self,
+            },
+          protocol: 'tcp'
+        )
+
+        disconnect if client
+        self.client = kerb_client
+
+        kerb_client
+      end
+
+      # Disconnects the Kerberos client
+      #
+      # @param kerb_client [Rex::Proto::Kerberos::Client] the client to disconnect
+      def disconnect(kerb_client = client)
+        kerb_client.close if kerb_client
+
+        if kerb_client == client
+          self.client = nil
+        end
+      end
+
+      # Performs cleanup as necessary, disconnecting the Kerberos client
+      # if it's still established.
+      def cleanup
+        super
+        disconnect
+      end
+
+      # Sends a kerberos AS request and reads the response
+      #
+      # @param opts [Hash]
+      # @return [Rex::Proto::Kerberos::Model::KdcResponse]
+      # @see Msf::Kerberos::Client::AsRequest#build_as_request
+      # @see Rex::Proto::Kerberos::Model::KdcResponse
+      def send_request_as(opts = {})
+        connect(opts)
+        req = build_as_request(opts)
+        res = client.send_recv(req)
+        disconnect
+        res
+      end
+
+      # Sends a kerberos AS request and reads the response
+      #
+      # @param opts [Hash]
+      # @return [Rex::Proto::Kerberos::Model::KdcResponse]
+      # @see Msf::Kerberos::Client::TgsRequest#build_tgs_request
+      # @see Rex::Proto::Kerberos::Model::KdcResponse
+      def send_request_tgs(opts = {})
+        connect(opts)
+        req = build_tgs_request(opts)
+        res = client.send_recv(req)
+        disconnect
+        res
+      end
+    end
+  end
+end

lib/msf/kerberos/client/as_request.rb

@@ -0,0 +1,111 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos'
+
+module Msf
+  module Kerberos
+    module Client
+      module AsRequest
+
+        # Builds a kerberos AS request
+        #
+        # @param opts [Hash{Symbol => <Array<Rex::Proto::Kerberos::Model::PreAuthData>, Rex::Proto::Kerberos::Model::KdcRequestBody>}]
+        # @option opts [Array<Rex::Proto::Kerberos::Model::PreAuthData>] :pa_data
+        # @option opts [Rex::Proto::Kerberos::Model::KdcRequestBody] :body
+        # @return [Rex::Proto::Kerberos::Model::KdcRequest]
+        # @see [Rex::Proto::Kerberos::Model::KdcRequest]
+        # @see #build_as_pa_time_stamp
+        # @see #build_as_request_body
+        def build_as_request(opts = {})
+          pa_data = opts[:pa_data] || build_as_pa_time_stamp(opts)
+          body = opts[:body] || build_as_request_body(opts)
+
+          request = Rex::Proto::Kerberos::Model::KdcRequest.new(
+            pvno: 5,
+            msg_type: Rex::Proto::Kerberos::Model::AS_REQ,
+            pa_data: pa_data,
+            req_body: body
+          )
+
+          request
+        end
+
+        # Builds a kerberos PA-ENC-TIMESTAMP pre authenticated structure
+        #
+        # @param opts [Hash{Symbol => <Time, Fixnum, String>}]
+        # @option opts [Time] :time_stamp
+        # @option opts [Fixnum] :pausec
+        # @option opts [Fixnum] :etype
+        # @option opts [String] :key
+        # @return [Rex::Proto::Kerberos::Model::PreAuthData]
+        # @see Rex::Proto::Kerberos::Model::PreAuthEncTimeStamp
+        # @see Rex::Proto::Kerberos::Model::EncryptedData
+        # @see Rex::Proto::Kerberos::Model::PreAuthData
+        def build_as_pa_time_stamp(opts = {})
+          time_stamp = opts[:time_stamp] || Time.now
+          pausec = opts[:pausec] || 0
+          etype = opts[:etype] || Rex::Proto::Kerberos::Crypto::RC4_HMAC
+          key = opts[:key] || ''
+
+          pa_time_stamp = Rex::Proto::Kerberos::Model::PreAuthEncTimeStamp.new(
+              pa_time_stamp: time_stamp,
+              pausec: pausec
+          )
+
+          enc_time_stamp = Rex::Proto::Kerberos::Model::EncryptedData.new(
+              etype: etype,
+              cipher: pa_time_stamp.encrypt(etype, key)
+          )
+
+          pa_enc_time_stamp = Rex::Proto::Kerberos::Model::PreAuthData.new(
+              type: Rex::Proto::Kerberos::Model::PA_ENC_TIMESTAMP,
+              value: enc_time_stamp.encode
+          )
+
+          pa_enc_time_stamp
+        end
+
+        # Builds a kerberos AS request body
+        #
+        # @param opts [Hash{Symbol => <Fixnum, Time, String, Rex::Proto::Kerberos::Model::PrincipalName>}]
+        # @option opts [Fixnum] :options
+        # @option opts [Time] :from
+        # @option opts [Time] :till
+        # @option opts [Time] :rtime
+        # @option opts [Fixnum] :nonce
+        # @option opts [Fixnum] :etype
+        # @option opts [Rex::Proto::Kerberos::Model::PrincipalName] :cname
+        # @option opts [String] :realm
+        # @option opts [Rex::Proto::Kerberos::Model::PrincipalName] :sname
+        # @return [Rex::Proto::Kerberos::Model::KdcRequestBody]
+        # @see #build_client_name
+        # @see #build_server_name
+        # @see Rex::Proto::Kerberos::Model::KdcRequestBody
+        def build_as_request_body(opts = {})
+          options = opts[:options] || 0x50800000 # Forwardable, Proxiable, Renewable
+          from = opts[:from] || Time.utc('1970-01-01-01 00:00:00')
+          till = opts[:till] || Time.utc('1970-01-01-01 00:00:00')
+          rtime = opts[:rtime] || Time.utc('1970-01-01-01 00:00:00')
+          nonce = opts[:nonce] || Rex::Text.rand_text_numeric(6).to_i
+          etype = opts[:etype] || [Rex::Proto::Kerberos::Crypto::RC4_HMAC]
+          cname = opts[:cname] || build_client_name(opts)
+          realm = opts[:realm] || ''
+          sname = opts[:sname] || build_server_name(opts)
+
+          body = Rex::Proto::Kerberos::Model::KdcRequestBody.new(
+            options: options,
+            cname: cname,
+            realm: realm,
+            sname: sname,
+            from: from,
+            till: till,
+            rtime: rtime,
+            nonce: nonce,
+            etype: etype
+          )
+
+          body
+        end
+      end
+    end
+  end
+end

lib/msf/kerberos/client/as_response.rb

@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos'
+
+module Msf
+  module Kerberos
+    module Client
+      module AsResponse
+
+        # Extracts the session key from a Kerberos AS Response
+        #
+        # @param res [Rex::Proto::Kerberos::Model::KdcResponse]
+        # @param key [String]
+        # @return [Rex::Proto::Kerberos::Model::EncryptionKey]
+        # @see Rex::Proto::Kerberos::Model::KdcResponse
+        # @see Rex::Proto::Kerberos::Model::EncryptedData.decrypt
+        # @see Rex::Proto::Kerberos::Model::EncKdcResponse
+        # @see Rex::Proto::Kerberos::Model::EncKdcResponse.decode
+        # @see Rex::Proto::Kerberos::Model::EncryptionKey
+        def extract_session_key(res, key)
+          decrypt_res = res.enc_part.decrypt(key, Rex::Proto::Kerberos::Crypto::ENC_AS_RESPONSE)
+          enc_kdc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
+
+          enc_kdc_res.key
+        end
+
+        # Extracts the logon time from a Kerberos AS Response
+        #
+        # @param res [Rex::Proto::Kerberos::Model::KdcResponse]
+        # @param key [String]
+        # @return [Fixnum]
+        # @see Rex::Proto::Kerberos::Model::KdcResponse
+        # @see Rex::Proto::Kerberos::Model::EncryptedData.decrypt
+        # @see Rex::Proto::Kerberos::Model::EncKdcResponse
+        # @see Rex::Proto::Kerberos::Model::EncKdcResponse.decode
+        def extract_logon_time(res, key)
+          decrypt_res = res.enc_part.decrypt(key, Rex::Proto::Kerberos::Crypto::ENC_AS_RESPONSE)
+          enc_kdc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
+
+          auth_time = enc_kdc_res.auth_time
+
+          auth_time.to_i
+        end
+      end
+    end
+  end
+end

lib/msf/kerberos/client/base.rb

@@ -0,0 +1,44 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Kerberos
+    module Client
+      module Base
+
+        # Builds a kerberos Client Name Principal
+        #
+        # @param opts [Hash{Symbol => <String, Fixnum>}]
+        # @option opts [String] :client_name the client's name
+        # @option opts [Fixnum] :client_type the client's name type
+        # @return [Rex::Proto::Kerberos::Model::PrincipalName]
+        # @see Rex::Proto::Kerberos::Model::PrincipalName
+        def build_client_name(opts = {})
+          name = opts[:client_name] || ''
+          name_type = opts[:client_type] || Rex::Proto::Kerberos::Model::NT_PRINCIPAL
+
+          Rex::Proto::Kerberos::Model::PrincipalName.new(
+            name_type: name_type,
+            name_string: name.split('/')
+          )
+        end
+
+        # Builds a kerberos Server Name Principal
+        #
+        # @param opts [Hash{Symbol => <String, Fixnum>}]
+        # @option opts [String] :server_name the server's name
+        # @option opts [Fixnum] :server_type the server's name type
+        # @return [Rex::Proto::Kerberos::Model::PrincipalName]
+        # @see Rex::Proto::Kerberos::Model::PrincipalName
+        def build_server_name(opts = {})
+          name = opts[:server_name] || ''
+          name_type = opts[:server_type] || Rex::Proto::Kerberos::Model::NT_PRINCIPAL
+
+          Rex::Proto::Kerberos::Model::PrincipalName.new(
+            name_type: name_type,
+            name_string: name.split('/')
+          )
+        end
+      end
+    end
+  end
+end