Merge branch 'master' of github.com:h4x-x0r/metasploit-framework into my_awesome_branch

Author: h4x-x0r

Gemfile.lock

@@ -29,7 +29,7 @@ PATH
       faraday (= 2.7.11)
       faraday-retry
       faye-websocket
-      ffi (= 1.16.3)
+      ffi (< 1.17.0)
       filesize
       getoptlong
       hrr_rb_ssh-ed25519

db/modules_metadata_base.json

@@ -19845,7 +19845,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-05-02 13:57:13 +0000",
+    "mod_time": "2024-07-23 09:56:40 +0000",
     "path": "/modules/auxiliary/gather/asrep.rb",
     "is_install_path": true,
     "ref_name": "gather/asrep",

documentation/modules/auxiliary/gather/asrep.md

@@ -44,7 +44,7 @@ usually preferable, but may be less stealthy.
 An example of brute forcing usernames, in the hope of finding one with pre-auth not required:
 
 ```msf
-msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local rhostname=dc22
+msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local
 [*] Running module against 192.168.1.1
 
 [email protected]:9fb9954fa32193185ab32e2de2ab9f13$bf14e834c661246cad302073c228e6ff7894cd3023665f0f84338432c3929922ae998c4a23bb9d163dda536a230d0503b2cf575389317b52bde782264940e80206a29e9613e47328228441cf013fb1f6672359f6799be97b962de9429e8859f437e53549be6b11ca07af6f09eae6cd78279af6d7f6dcdfd011eccb74b4aa753b2f9e6561c59c9408ee4bec983777908f3a7eef5fba977710e47e4e8ac0af10608a7dd23db506202b27d7892bc28426d2080c343edfe243bf1cae554cf6204733082332be2455e4674e1c3e84614818a6c15b54221dcaa832
@@ -71,4 +71,4 @@ [email protected]:234e56b15bf3a0e3eb93d662ea6ded74$9889b0a449154c1353
 
 [*] Query returned 1 result.
 [*] Auxiliary module execution completed
-```
+```

lib/msf/base/sessions/command_shell.rb

@@ -654,6 +654,7 @@ def shell_command(cmd, timeout=5)
   def shell_read(length=-1, timeout=1)
     begin
       rv = rstream.get_once(length, timeout)
+      rlog(rv, self.log_source) if rv && self.log_source
       framework.events.on_session_output(self, rv) if rv
       return rv
     rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
@@ -672,6 +673,7 @@ def shell_write(buf)
     return unless buf
 
     begin
+      rlog(buf, self.log_source) if self.log_source
       framework.events.on_session_command(self, buf.strip)
       rstream.write(buf)
     rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e

lib/msf/core/auxiliary/report_summary.rb

@@ -44,7 +44,7 @@ def run
       # @param [Hash] credential_data
       # @return [Metasploit::Credential::Login]
       def create_credential_login(credential_data)
-        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
 
         credential = {
           public: credential_data[:username],
@@ -65,7 +65,7 @@ def create_credential_login(credential_data)
       # @param [Msf::Sessions::<SESSION_CLASS>] sess
       # @return [Msf::Sessions::<SESSION_CLASS>]
       def start_session(obj, info, ds_merge, crlf = false, sock = nil, sess = nil)
-        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
 
         result = super
         @report[rhost].merge!({ successful_sessions: [] })

lib/msf/core/exploit/remote/kerberos/client.rb

@@ -292,11 +292,12 @@ def send_request_tgt(options = {})
             # If we receive an AS_REP response immediately, no-preauthentication was required and we can return immediately
             if initial_as_res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
               pa_data = initial_as_res.pa_data
-              etype_entries = pa_data.find {|entry| entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_ETYPE_INFO2}
               if password.nil? && key.nil?
                 decrypted_part = nil
                 krb_enc_key = nil
               else
+                etype_entries = pa_data.find {|entry| entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_ETYPE_INFO2}
+
                 # Let's try to check the password
                 server_ciphers = etype_entries.decoded_value
                 # Should only have one etype

lib/msf/ui/console/driver.rb

@@ -569,10 +569,16 @@ def run_unknown_command(command)
   def handle_session_logging(val)
     if (val =~ /^(y|t|1)/i)
       Msf::Logging.enable_session_logging(true)
-      print_line("Session logging will be enabled for future sessions.")
+      framework.sessions.values.each do |session|
+        Msf::Logging.start_session_log(session)
+      end
+      print_line("Session logging enabled.")
     else
       Msf::Logging.enable_session_logging(false)
-      print_line("Session logging will be disabled for future sessions.")
+      framework.sessions.values.each do |session|
+        Msf::Logging.stop_session_log(session)
+      end
+      print_line("Session logging disabled.")
     end
   end
 

metasploit-framework.gemspec

@@ -154,7 +154,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'net-smtp'
   spec.add_runtime_dependency 'net-sftp'
   spec.add_runtime_dependency 'winrm'
-  spec.add_runtime_dependency 'ffi', '1.16.3'
+  spec.add_runtime_dependency 'ffi', '< 1.17.0'
 
   #
   # REX Libraries

modules/auxiliary/gather/asrep.rb

@@ -46,7 +46,7 @@ def initialize(info = {})
         Opt::RHOSTS(nil, true, 'The target KDC, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html'),
         OptPath.new('USER_FILE', [ false, 'File containing usernames, one per line' ], conditions: %w[ACTION == BRUTE_FORCE]),
         OptBool.new('USE_RC4_HMAC', [ true, 'Request using RC4 hash instead of default encryption types (faster to crack)', true]),
-        OptString.new('Rhostname', [ true, "The domain controller's hostname"], aliases: ['LDAP::Rhostname']),
+        OptString.new('Rhostname', [ false, "The domain controller's hostname"], aliases: ['LDAP::Rhostname']),
       ]
     )
     register_option_group(name: 'SESSION',
@@ -77,26 +77,36 @@ def run
   def run_brute
     result_count = 0
     user_file = datastore['USER_FILE']
-    if user_file.nil?
-      fail_with(Msf::Module::Failure::BadConfig, 'User file must be specified when brute forcing')
+    username = datastore['USERNAME']
+    if user_file.blank? && username.blank?
+      fail_with(Msf::Module::Failure::BadConfig, 'User file or username must be specified when brute forcing')
+    end
+    if username.present?
+      begin
+        roast(datastore['USERNAME'])
+        result_count += 1
+      rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
+        # User either not present, or requires preauth
+        vprint_status("User: #{username} - #{e}")
+      end
     end
     if user_file.present?
       File.open(user_file, 'rb') do |file|
         file.each_line(chomp: true) do |user_from_file|
           roast(user_from_file)
           result_count += 1
-        rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError
+        rescue ::Rex::Proto::Kerberos::Model::Error::KerberosError => e
           # User either not present, or requires preauth
+          vprint_status("User: #{user_from_file} - #{e}")
         end
       end
-      if result_count == 0
-        print_error('No users found without preauth required')
-      else
-        print_line
-        print_status("Query returned #{result_count} #{'result'.pluralize(result_count)}.")
-      end
+    end
+
+    if result_count == 0
+      print_error('No users found without preauth required')
     else
-      fail_with(Msf::Module::Failure::BadConfig, 'User file not found')
+      print_line
+      print_status("Query returned #{result_count} #{'result'.pluralize(result_count)}.")
     end
   end
 
@@ -138,7 +148,7 @@ def run_ldap
 
   def roast(username)
     res = send_request_tgt(
-      server_name: datastore['Rhostname'],
+      server_name: "krbtgt/#{datastore['domain']}",
       client_name: username,
       realm: datastore['DOMAIN'],
       offered_etypes: etypes,

spec/tools/dev/rubocop_runner_spec.rb

@@ -72,8 +72,8 @@ def patch_io_read_encoding
       expect(@status).to be_zero
     end
 
-    it 'contains no warnings' do
-      expect(@stdout).to be_empty
+    it 'contains a status message' do
+      expect(@stdout).to match /Rubocop not required for older modules skipping/
     end
   end
 end