sempervictus
diff --git a/‎lib/msf/core.rb
Lines changed: 0 additions & 3 deletions b/‎lib/msf/core.rb
Lines changed: 0 additions & 3 deletions
diff --git a/‎lib/msf/core/exploit/kerberos/client.rb
Lines changed: 143 additions & 0 deletions b/‎lib/msf/core/exploit/kerberos/client.rb
Lines changed: 143 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/kerberos/client/as_request.rb
Lines changed: 114 additions & 0 deletions b/‎lib/msf/core/exploit/kerberos/client/as_request.rb
Lines changed: 114 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/kerberos/client/as_response.rb
Lines changed: 49 additions & 0 deletions b/‎lib/msf/core/exploit/kerberos/client/as_response.rb
Lines changed: 49 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/kerberos/client/base.rb
Lines changed: 48 additions & 0 deletions b/‎lib/msf/core/exploit/kerberos/client/base.rb
Lines changed: 48 additions & 0 deletions
@@ -72,9 +72,6 @@ module Msf
 require 'msf/http/typo3'
 require 'msf/http/jboss'
 
-# Kerberos Support
-require 'msf/kerberos/client'
-
 # Drivers
 require 'msf/core/exploit_driver'
 
@@ -0,0 +1,143 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos'
+
+module Msf
+  class Exploit
+    class Remote
+      module Kerberos
+        module Client
+          require 'msf/core/exploit/kerberos/client/base'
+          require 'msf/core/exploit/kerberos/client/as_request'
+          require 'msf/core/exploit/kerberos/client/as_response'
+          require 'msf/core/exploit/kerberos/client/tgs_request'
+          require 'msf/core/exploit/kerberos/client/tgs_response'
+          require 'msf/core/exploit/kerberos/client/pac'
+          require 'msf/core/exploit/kerberos/client/cache_credential'
+
+          include Msf::Exploit::Remote::Kerberos::Client::Base
+          include Msf::Exploit::Remote::Kerberos::Client::AsRequest
+          include Msf::Exploit::Remote::Kerberos::Client::AsResponse
+          include Msf::Exploit::Remote::Kerberos::Client::TgsRequest
+          include Msf::Exploit::Remote::Kerberos::Client::TgsResponse
+          include Msf::Exploit::Remote::Kerberos::Client::Pac
+          include Msf::Exploit::Remote::Kerberos::Client::CacheCredential
+
+          # @!attribute client
+          #   @return [Rex::Proto::Kerberos::Client] The kerberos client
+          attr_accessor :client
+
+          def initialize(info = {})
+            super
+
+            register_options(
+              [
+                Opt::RHOST,
+                Opt::RPORT(88),
+                OptInt.new('Timeout', [true, 'The TCP timeout to establish connection and read data', 10])
+              ], self.class
+            )
+          end
+
+          # Returns the target host
+          #
+          # @return [String]
+          def rhost
+            datastore['RHOST']
+          end
+
+          # Returns the remote port
+          #
+          # @return [Fixnum]
+          def rport
+            datastore['RPORT']
+          end
+
+          # Returns the TCP timeout
+          #
+          # @return [Fixnum]
+          def timeout
+            datastore['Timeout']
+          end
+
+          # Returns the kdc peer
+          #
+          # @return [String]
+          def peer
+            "#{rhost}:#{rport}"
+          end
+
+          # Creates a kerberos connection
+          #
+          # @param opts [Hash{Symbol => <String, Fixnum>}]
+          # @option opts [String] :rhost
+          # @option opts [<String, Fixnum>] :rport
+          # @return [Rex::Proto::Kerberos::Client]
+          def connect(opts={})
+            kerb_client = Rex::Proto::Kerberos::Client.new(
+              host: opts[:rhost] || rhost,
+              port: (opts[:rport] || rport).to_i,
+              timeout: (opts[:timeout] || timeout).to_i,
+              context:
+                {
+                  'Msf'        => framework,
+                  'MsfExploit' => self,
+                },
+              protocol: 'tcp'
+            )
+
+            disconnect if client
+            self.client = kerb_client
+
+            kerb_client
+          end
+
+          # Disconnects the Kerberos client
+          #
+          # @param kerb_client [Rex::Proto::Kerberos::Client] the client to disconnect
+          def disconnect(kerb_client = client)
+            kerb_client.close if kerb_client
+
+            if kerb_client == client
+              self.client = nil
+            end
+          end
+
+          # Performs cleanup as necessary, disconnecting the Kerberos client
+          # if it's still established.
+          def cleanup
+            super
+            disconnect
+          end
+
+          # Sends a kerberos AS request and reads the response
+          #
+          # @param opts [Hash]
+          # @return [Rex::Proto::Kerberos::Model::KdcResponse]
+          # @see Msf::Kerberos::Client::AsRequest#build_as_request
+          # @see Rex::Proto::Kerberos::Model::KdcResponse
+          def send_request_as(opts = {})
+            connect(opts)
+            req = build_as_request(opts)
+            res = client.send_recv(req)
+            disconnect
+            res
+          end
+
+          # Sends a kerberos AS request and reads the response
+          #
+          # @param opts [Hash]
+          # @return [Rex::Proto::Kerberos::Model::KdcResponse]
+          # @see Msf::Kerberos::Client::TgsRequest#build_tgs_request
+          # @see Rex::Proto::Kerberos::Model::KdcResponse
+          def send_request_tgs(opts = {})
+            connect(opts)
+            req = build_tgs_request(opts)
+            res = client.send_recv(req)
+            disconnect
+            res
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,114 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos'
+
+module Msf
+  class Exploit
+    class Remote
+      module Kerberos
+        module Client
+          module AsRequest
+            # Builds a kerberos AS request
+            #
+            # @param opts [Hash{Symbol => <Array<Rex::Proto::Kerberos::Model::PreAuthData>, Rex::Proto::Kerberos::Model::KdcRequestBody>}]
+            # @option opts [Array<Rex::Proto::Kerberos::Model::PreAuthData>] :pa_data
+            # @option opts [Rex::Proto::Kerberos::Model::KdcRequestBody] :body
+            # @return [Rex::Proto::Kerberos::Model::KdcRequest]
+            # @see [Rex::Proto::Kerberos::Model::KdcRequest]
+            # @see #build_as_pa_time_stamp
+            # @see #build_as_request_body
+            def build_as_request(opts = {})
+              pa_data = opts[:pa_data] || build_as_pa_time_stamp(opts)
+              body = opts[:body] || build_as_request_body(opts)
+
+              request = Rex::Proto::Kerberos::Model::KdcRequest.new(
+                pvno: 5,
+                msg_type: Rex::Proto::Kerberos::Model::AS_REQ,
+                pa_data: pa_data,
+                req_body: body
+              )
+
+              request
+            end
+
+            # Builds a kerberos PA-ENC-TIMESTAMP pre authenticated structure
+            #
+            # @param opts [Hash{Symbol => <Time, Fixnum, String>}]
+            # @option opts [Time] :time_stamp
+            # @option opts [Fixnum] :pausec
+            # @option opts [Fixnum] :etype
+            # @option opts [String] :key
+            # @return [Rex::Proto::Kerberos::Model::PreAuthData]
+            # @see Rex::Proto::Kerberos::Model::PreAuthEncTimeStamp
+            # @see Rex::Proto::Kerberos::Model::EncryptedData
+            # @see Rex::Proto::Kerberos::Model::PreAuthData
+            def build_as_pa_time_stamp(opts = {})
+              time_stamp = opts[:time_stamp] || Time.now
+              pausec = opts[:pausec] || 0
+              etype = opts[:etype] || Rex::Proto::Kerberos::Crypto::RC4_HMAC
+              key = opts[:key] || ''
+
+              pa_time_stamp = Rex::Proto::Kerberos::Model::PreAuthEncTimeStamp.new(
+                  pa_time_stamp: time_stamp,
+                  pausec: pausec
+              )
+
+              enc_time_stamp = Rex::Proto::Kerberos::Model::EncryptedData.new(
+                  etype: etype,
+                  cipher: pa_time_stamp.encrypt(etype, key)
+              )
+
+              pa_enc_time_stamp = Rex::Proto::Kerberos::Model::PreAuthData.new(
+                  type: Rex::Proto::Kerberos::Model::PA_ENC_TIMESTAMP,
+                  value: enc_time_stamp.encode
+              )
+
+              pa_enc_time_stamp
+            end
+
+            # Builds a kerberos AS request body
+            #
+            # @param opts [Hash{Symbol => <Fixnum, Time, String, Rex::Proto::Kerberos::Model::PrincipalName>}]
+            # @option opts [Fixnum] :options
+            # @option opts [Time] :from
+            # @option opts [Time] :till
+            # @option opts [Time] :rtime
+            # @option opts [Fixnum] :nonce
+            # @option opts [Fixnum] :etype
+            # @option opts [Rex::Proto::Kerberos::Model::PrincipalName] :cname
+            # @option opts [String] :realm
+            # @option opts [Rex::Proto::Kerberos::Model::PrincipalName] :sname
+            # @return [Rex::Proto::Kerberos::Model::KdcRequestBody]
+            # @see #build_client_name
+            # @see #build_server_name
+            # @see Rex::Proto::Kerberos::Model::KdcRequestBody
+            def build_as_request_body(opts = {})
+              options = opts[:options] || 0x50800000 # Forwardable, Proxiable, Renewable
+              from = opts[:from] || Time.utc('1970-01-01-01 00:00:00')
+              till = opts[:till] || Time.utc('1970-01-01-01 00:00:00')
+              rtime = opts[:rtime] || Time.utc('1970-01-01-01 00:00:00')
+              nonce = opts[:nonce] || Rex::Text.rand_text_numeric(6).to_i
+              etype = opts[:etype] || [Rex::Proto::Kerberos::Crypto::RC4_HMAC]
+              cname = opts[:cname] || build_client_name(opts)
+              realm = opts[:realm] || ''
+              sname = opts[:sname] || build_server_name(opts)
+
+              body = Rex::Proto::Kerberos::Model::KdcRequestBody.new(
+                options: options,
+                cname: cname,
+                realm: realm,
+                sname: sname,
+                from: from,
+                till: till,
+                rtime: rtime,
+                nonce: nonce,
+                etype: etype
+              )
+
+              body
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos'
+
+module Msf
+  class Exploit
+    class Remote
+      module Kerberos
+        module Client
+          module AsResponse
+            # Extracts the session key from a Kerberos AS Response
+            #
+            # @param res [Rex::Proto::Kerberos::Model::KdcResponse]
+            # @param key [String]
+            # @return [Rex::Proto::Kerberos::Model::EncryptionKey]
+            # @see Rex::Proto::Kerberos::Model::KdcResponse
+            # @see Rex::Proto::Kerberos::Model::EncryptedData.decrypt
+            # @see Rex::Proto::Kerberos::Model::EncKdcResponse
+            # @see Rex::Proto::Kerberos::Model::EncKdcResponse.decode
+            # @see Rex::Proto::Kerberos::Model::EncryptionKey
+            def extract_session_key(res, key)
+              decrypt_res = res.enc_part.decrypt(key, Rex::Proto::Kerberos::Crypto::ENC_AS_RESPONSE)
+              enc_kdc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
+
+              enc_kdc_res.key
+            end
+
+            # Extracts the logon time from a Kerberos AS Response
+            #
+            # @param res [Rex::Proto::Kerberos::Model::KdcResponse]
+            # @param key [String]
+            # @return [Fixnum]
+            # @see Rex::Proto::Kerberos::Model::KdcResponse
+            # @see Rex::Proto::Kerberos::Model::EncryptedData.decrypt
+            # @see Rex::Proto::Kerberos::Model::EncKdcResponse
+            # @see Rex::Proto::Kerberos::Model::EncKdcResponse.decode
+            def extract_logon_time(res, key)
+              decrypt_res = res.enc_part.decrypt(key, Rex::Proto::Kerberos::Crypto::ENC_AS_RESPONSE)
+              enc_kdc_res = Rex::Proto::Kerberos::Model::EncKdcResponse.decode(decrypt_res)
+
+              auth_time = enc_kdc_res.auth_time
+
+              auth_time.to_i
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,48 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Exploit
+    class Remote
+      module Kerberos
+        module Client
+          module Base
+
+            # Builds a kerberos Client Name Principal
+            #
+            # @param opts [Hash{Symbol => <String, Fixnum>}]
+            # @option opts [String] :client_name the client's name
+            # @option opts [Fixnum] :client_type the client's name type
+            # @return [Rex::Proto::Kerberos::Model::PrincipalName]
+            # @see Rex::Proto::Kerberos::Model::PrincipalName
+            def build_client_name(opts = {})
+              name = opts[:client_name] || ''
+              name_type = opts[:client_type] || Rex::Proto::Kerberos::Model::NT_PRINCIPAL
+
+              Rex::Proto::Kerberos::Model::PrincipalName.new(
+                name_type: name_type,
+                name_string: name.split('/')
+              )
+            end
+
+            # Builds a kerberos Server Name Principal
+            #
+            # @param opts [Hash{Symbol => <String, Fixnum>}]
+            # @option opts [String] :server_name the server's name
+            # @option opts [Fixnum] :server_type the server's name type
+            # @return [Rex::Proto::Kerberos::Model::PrincipalName]
+            # @see Rex::Proto::Kerberos::Model::PrincipalName
+            def build_server_name(opts = {})
+              name = opts[:server_name] || ''
+              name_type = opts[:server_type] || Rex::Proto::Kerberos::Model::NT_PRINCIPAL
+
+              Rex::Proto::Kerberos::Model::PrincipalName.new(
+                name_type: name_type,
+                name_string: name.split('/')
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end