metasploit-credential 6.0.0 → 6.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7afa56f62ffab74a375a44d83d744c9f5b1f0f8702a682309935e03b21feea93
-  data.tar.gz: 16215af1cd66654473612735e82468e7b210ce6aeecbf2703ccf1600dded9d12
+  metadata.gz: 41274b5efbed334ec9e1a4eb06858c1cf98e1d7e9dcc131627461f14cf673da1
+  data.tar.gz: 3869f4e0aaae9f3f74d7a156027b08f7273032058dcc3fea63a29d93a798a453
 SHA512:
-  metadata.gz: 5d4dd413e6667d822c01b44fc5e0342085f5aa07539de1bc2a40249043c15aca10941ea3afe79867459d8453fa6f66639aefbef8be0fcd3fb770cd3875079285
-  data.tar.gz: c8558814afe833b4c7e8bf622a4bfd6f8261ce767144341542d892a3963254eebb735160d22f3e8448cfc50b2df6191053f6f82bef797e7eb9e5cff49440843f
+  metadata.gz: 1adda9e1223a6fccd257dcc743ac3756d4c99e163c81ecf1064892076892e583c45cc90f943e4bbab2da2e7c0a84438a90a9d4b1ff74d5ae1d908ee712ff3184
+  data.tar.gz: 50ff172c767c0b1c886fabfccc1444c46d1b03f822af8aa73ff909cb65abc5de0aa830045c24ed691e8fc77f41d21722773cd9d563885a75dc0a188fa18e3c3e

data/app/models/metasploit/credential/krb_enc_key.rb

@@ -0,0 +1,184 @@
+require 'json'
+
+# A {Metasploit::Credential::PasswordHash password hash} that cannot be replayed to authenticate to other services.
+# {#data} is a string in the format `'msf_krbenckey:<enctype digits>:<key hexadecimal>:<salt hexadecimal>'`.
+#
+# This class contains information relevant to a Kerberos EncryptionKey https://www.rfc-editor.org/rfc/rfc4120.html#section-5.2.9
+# which is used to encrypt/decrypt arbitrary Kerberos protocol message data - such as the AS-REP krbtgt ticket and enc-part.
+class Metasploit::Credential::KrbEncKey < Metasploit::Credential::PasswordHash
+
+  #
+  # Constants
+  #
+
+  # Valid format for KrbEncKey enctype portion of {#data}: numeric characters
+  # @see ENCTYPE_NAMES
+  TYPE_REGEXP = /(?<enctype>\d+)/
+  private_constant :TYPE_REGEXP
+
+  # Valid format for KrbEncKey key portion of {#data}: lowercase hexadecimal characters
+  KEY_REGEXP = /(?<key>[0-9a-f]+)/
+  private_constant :KEY_REGEXP
+
+  # Valid format for KrbEncKey enctype portion of {#data}: lowercase hexadecimal characters
+  SALT_REGEXP = /(?<salt>[0-9a-f]*)/
+  private_constant :SALT_REGEXP
+
+  # Valid format for {#data} composed of `'msf_krbenckey:<enctype digits>:<key hexadecimal>:<salt hexadecimal>'`.
+  DATA_REGEXP = /\Amsf_krbenckey:#{TYPE_REGEXP}:#{KEY_REGEXP}:#{SALT_REGEXP}\z/
+  private_constant :DATA_REGEXP
+
+  # https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
+  ENCTYPE_NAMES = (Hash.new { |_hash, enctype| "unassigned-#{enctype}" }).merge({
+    0 => 'reserved-0',
+    1 => 'des-cbc-crc',
+    2 => 'des-cbc-md4',
+    3 => 'des-cbc-md5',
+    4 => 'reserved-4',
+    5 => 'des3-cbc-md5',
+    6 => 'reserved-6',
+    7 => 'des3-cbc-sha1',
+    8 => 'unassigned-8',
+    9 => 'dsaWithSHA1-CmsOID',
+    10 => 'md5WithRSAEncryption-CmsOID',
+    11 => 'sha1WithRSAEncryption-CmsOID',
+    12 => 'rc2CBC-EnvOID',
+    13 => 'rsaEncryption-EnvOID',
+    14 => 'rsaES-OAEP-ENV-OID',
+    15 => 'des-ede3-cbc-Env-OID',
+    16 => 'des3-cbc-sha1-kd',
+    17 => 'aes128-cts-hmac-sha1-96',
+    18 => 'aes256-cts-hmac-sha1-96',
+    19 => 'aes128-cts-hmac-sha256-128',
+    20 => 'aes256-cts-hmac-sha384-192',
+    21 => 'unassigned-21',
+    22 => 'unassigned-22',
+    23 => 'rc4-hmac',
+    24 => 'rc4-hmac-exp',
+    25 => 'camellia128-cts-cmac',
+    26 => 'camellia256-cts-cmac',
+    65 => 'subkey-keymaterial'
+  })
+  private_constant :ENCTYPE_NAMES
+
+  #
+  # Attributes
+  #
+
+  # @!attribute data
+  #
+  #   @return [Hash{Symbol => String}]
+
+  #
+  # Callbacks
+  #
+
+  before_validation :normalize_data
+
+  #
+  # Validations
+  #
+
+  validate :data_format
+
+  #
+  # Class methods
+  #
+
+  # @param [Integer] enctype The enctype
+  # @param [String] key The key bytes
+  # @param [String,nil] salt The salt
+  # @return [String]
+  # @raise [ArgumentError] if an option is invalid
+  def self.build_data(enctype:, key:, salt: nil)
+    raise ArgumentError('enctype must be numeric') unless enctype.is_a?(Numeric)
+    raise ArgumentError('key must be set') if key.nil?
+
+    "msf_krbenckey:#{enctype}:#{as_hex(key)}:#{as_hex(salt)}"
+  end
+
+  #
+  # Instance Methods
+  #
+
+  # The enctype as defined by https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
+  #
+  # @return [Integer]
+  def enctype
+    parsed_data[:enctype]
+  end
+
+  # The key
+  #
+  # @return [String]
+  def key
+    parsed_data[:key]
+  end
+
+  # The salt used as part of creating the key. This is normally derived from the Kerberos principal name/Realm.
+  # For windows the following convention is used to create the salt:
+  # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/7a7b081d-c0c6-46f4-acbf-a439664270b8
+  #
+  # This value can be nil if the salt is not known
+  # @return [String,nil] The key salt if available
+  def salt
+    parsed_data[:salt]
+  end
+
+  # A string suitable for displaying to the user
+  #
+  # @return [String]
+  def to_s
+    "#{ENCTYPE_NAMES[enctype]}:#{self.class.as_hex(key)}#{salt ? ":#{self.class.as_hex(salt)}" : ''}"
+  end
+
+  private
+
+  # Converts a buffer containing bytes to a String containing the hex representation of the bytes
+  #
+  # @param hash [String,nil] a buffer of bytes
+  # @return [String] a string where every 2 hexadecimal characters represents a byte in the original hash buffer
+  def self.as_hex(value)
+    value.to_s.unpack1('H*')
+  end
+
+  # Converts a buffer containing bytes to a String containing the hex representation of the bytes
+  #
+  # @param hash [String,nil] a buffer of bytes
+  # @return [String] a string where every 2 hexadecimal characters represents a byte in the original hash buffer
+  def self.as_bytes(value)
+    [value.to_s].pack('H*')
+  end
+
+  # @return [Hash] The parsed data with enctype, key, salt keys
+  def parsed_data
+    match = data.match(DATA_REGEXP)
+    return {} unless match
+
+    {
+      enctype: match[:enctype].to_i,
+      key: self.class.as_bytes(match[:key]),
+      salt: match[:salt].empty? ? nil : self.class.as_bytes(match[:salt])
+    }
+  end
+
+  # Normalizes {#data} by making it all lowercase so that the unique validation and index on
+  # ({Metasploit::Credential::Private#type}, {#data}) catches collision in a case-insensitive manner without the need
+  # to use case-insensitive comparisons.
+  def normalize_data
+    if data
+      self.data = data.downcase
+    end
+  end
+
+  # Validates that {#data} is in the expected data format
+  def data_format
+    unless DATA_REGEXP.match(data)
+      errors.add(:data, :format)
+    end
+  end
+
+  public
+
+  Metasploit::Concern.run(self)
+end

data/app/models/metasploit/credential/private.rb

@@ -73,6 +73,7 @@ class Metasploit::Credential::Private < ApplicationRecord
                 Metasploit::Credential::NTLMHash
                 Metasploit::Credential::Password
                 Metasploit::Credential::SSHKey
+                Metasploit::Credential::KrbEncKey
               }
 
   #

data/config/locales/en.yml

@@ -56,6 +56,7 @@ en:
     models:
       metasploit/credential/ntlm_hash: "NTLM hash"
       metasploit/credential/ssh_key: "SSH key"
+      metasploit/credential/krb_enc_key: 'Krb enc key'
     errors:
       models:
         metasploit/credential/core:
@@ -78,6 +79,10 @@ en:
           attributes:
             data:
               format: "is not in the NTLMHash data format of <LAN Manager hex digest>:<NT LAN Manager hex digest>, where each hex digest is 32 lowercase hexadecimal characters."
+        metasploit/credential/krb_enc_key:
+          attributes:
+            data:
+              format: "is not in the KrbEncKey data format of 'msf_krbenckey:<ENCTYPE>:<KEY>:<SALT>', where the key and salt are in hexadecimal characters"
         metasploit/credential/ssh_key:
           attributes:
             data:

data/lib/metasploit/credential/creation.rb

@@ -462,6 +462,7 @@ module Metasploit::Credential::Creation
   # @return [Metasploit::Credential::SSHKey] if the private_type was :ssh_key
   # @return [Metasploit::Credential::NTLMHash] if the private_type was :ntlm_hash
   # @return [Metasploit::Credential::NonreplayableHash] if the private_type was :nonreplayable_hash
+  # @return [Metasploit::Credential::KrbEncKey] if the private_type was :krb_enc_key
   def create_credential_private(opts={})
     return nil unless active_db?
     private_data = opts.fetch(:private_data)
@@ -478,6 +479,8 @@ module Metasploit::Credential::Creation
           private_object = Metasploit::Credential::Password.where(data: private_data).first_or_create
         when :ssh_key
           private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
+        when :krb_enc_key
+          private_object = Metasploit::Credential::KrbEncKey.where(data: private_data).first_or_create
         when :ntlm_hash
           private_object = Metasploit::Credential::NTLMHash.where(data: private_data).first_or_create
           private_object.jtr_format = 'nt,lm'

data/lib/metasploit/credential/version.rb

@@ -3,7 +3,7 @@
 module Metasploit
   module Credential
     # VERSION is managed by GemRelease
-    VERSION = '6.0.0'
+    VERSION = '6.0.1'
 
     # @return [String]
     #

data/lib/metasploit/credential.rb

@@ -35,6 +35,7 @@ module Metasploit
     autoload :EntityRelationshipDiagram
     autoload :Exporter
     autoload :Importer
+    autoload :KrbEncKey
     autoload :Login
     autoload :Migrator
     autoload :NonreplayableHash

data/spec/dummy/config/database.yml

@@ -1,6 +1,6 @@
 development: &pgsql
   adapter: postgresql
-  database: metasploit-credential_development1
+  database: metasploit-credential_development3
   username: msf
   password: pass123
   host: localhost
@@ -10,4 +10,4 @@ development: &pgsql
   min_messages: warning
 test:
   <<: *pgsql
-  database: metasploit-credential_test1
+  database: metasploit-credential_test3

data/spec/factories/metasploit/credential/cores.rb

@@ -62,7 +62,8 @@ FactoryBot.define do
       :metasploit_credential_password,
       :metasploit_credential_nonreplayable_hash,
       :metasploit_credential_ntlm_hash,
-      :metasploit_credential_ssh_key
+      :metasploit_credential_ssh_key,
+      :metasploit_credential_krb_enc_key
   ]
   sequence :metasploit_credential_core_private_factory, metasploit_credential_core_private_factories.cycle
 

data/spec/factories/metasploit/credential/krb_enc_key.rb

@@ -0,0 +1,81 @@
+require 'openssl'
+
+FactoryBot.define do
+  klass = Metasploit::Credential::KrbEncKey
+
+  factory :metasploit_credential_krb_enc_key,
+          class: klass,
+          parent: :metasploit_credential_password_hash do
+
+    # By default - use the with_rc4 trait for performance reasons
+    with_rc4
+
+    trait :with_rc4 do
+      data { generate(:metasploit_credential_krb_enc_key_rc4) }
+    end
+
+    trait :with_aes128 do
+      data { generate(:metasploit_credential_krb_enc_key_aes128) }
+    end
+
+    trait :with_aes256 do
+      data { generate(:metasploit_credential_krb_enc_key_aes256) }
+    end
+  end
+
+  sequence :metasploit_credential_krb_enc_key_rc4 do |n|
+    salt = nil
+    password = "password#{n}"
+    unicode_password = password.encode('utf-16le')
+    key = OpenSSL::Digest.digest('MD4', unicode_password)
+    enctype = 23
+
+    klass.build_data(enctype: enctype, key: key, salt: salt)
+  end
+
+  sequence :metasploit_credential_krb_enc_key_aes128 do |n|
+    salt = "DOMAIN.LOCALUserAccount#{n}"
+    password = "password#{n}"
+    key = aes_cts_hmac_sha1_96('128-CBC', password, salt)
+    enctype = 17
+
+    klass.build_data(enctype: enctype, key: key, salt: salt)
+  end
+
+  sequence :metasploit_credential_krb_enc_key_aes256 do |n|
+    salt = "DOMAIN.LOCALUserAccount#{n}"
+    password = "password#{n}"
+    enctype = 18
+    key = aes_cts_hmac_sha1_96('256-CBC', password, salt)
+
+    klass.build_data(enctype: enctype, key: key, salt: salt)
+  end
+
+  # Encrypt using MIT Kerberos aesXXX-cts-hmac-sha1-96
+  # http://web.mit.edu/kerberos/krb5-latest/doc/admin/enctypes.html?highlight=des#enctype-compatibility
+  #
+  # @param algorithm [String] The AES algorithm to use (e.g. `128-CBC` or `256-CBC`)
+  # @param raw_secret [String] The data to encrypt
+  # @param salt [String] The salt used by the encryption algorithm
+  # @return [String, nil] The encrypted data
+  def aes_cts_hmac_sha1_96(algorithm, raw_secret, salt)
+    iterations = 4096
+    cipher = OpenSSL::Cipher::AES.new(algorithm)
+    key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(raw_secret, salt, iterations, cipher.key_len)
+    plaintext = "kerberos\x7B\x9B\x5B\x2B\x93\x13\x2B\x93".b
+    result = ''.b
+    loop do
+      cipher.reset
+      cipher.encrypt
+      cipher.iv = "\x00".b * 16
+      cipher.key = key
+      ciphertext = cipher.update(plaintext)
+      result += ciphertext
+      break unless result.size < cipher.key_len
+
+      plaintext = ciphertext
+    end
+    result
+  end
+
+end

data/spec/lib/metasploit/credential/creation_spec.rb

@@ -811,6 +811,16 @@ RSpec.describe Metasploit::Credential::Creation do
         expect(test_object.create_credential_private(opts)).to be_kind_of Metasploit::Credential::BlankPassword
       end
     end
+
+    context 'when :private_type is krb_enc_key' do
+      it 'creates a Metasploit::Credential::KrbEncKey' do
+        opts = {
+          private_data: FactoryBot.generate(:metasploit_credential_krb_enc_key_aes256),
+          private_type: :krb_enc_key
+        }
+        expect{ test_object.create_credential_private(opts) }.to change{ Metasploit::Credential::KrbEncKey.count }.by(1)
+      end
+    end
   end
 
   context '#create_credential_core' do

data/spec/models/metasploit/credential/krb_enc_key_spec.rb

@@ -0,0 +1,151 @@
+RSpec.shared_examples_for 'a KrbEncKey' do |expected:|
+  describe '#enctype' do
+    it 'has an enctype' do
+      expect(subject.enctype).to eq(expected[:enctype])
+    end
+  end
+
+  describe '#key' do
+    it 'has a key' do
+      expect(subject.key.length).to eq(expected[:key_length])
+    end
+  end
+
+  describe '#salt' do
+    it 'has a salt' do
+      expect(subject.salt).to match(expected[:salt])
+    end
+  end
+
+  describe '#to_s' do
+    it 'has a human readable to_s' do
+      expect(subject.to_s).to match expected[:to_s]
+    end
+  end
+end
+
+RSpec.describe Metasploit::Credential::KrbEncKey, type: :model do
+  it_should_behave_like 'Metasploit::Concern.run'
+
+  it { is_expected.to be_a Metasploit::Credential::PasswordHash }
+
+  context 'factories' do
+    context 'metasploit_credential_krb_enc_key' do
+      subject(:metasploit_credential_krb_enc_key) do
+        FactoryBot.build(:metasploit_credential_krb_enc_key)
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    FactoryBot.factories[:metasploit_credential_krb_enc_key].defined_traits.each do |trait|
+      context "with #{trait}" do
+        subject(:metasploit_credential_krb_enc_key) do
+          FactoryBot.build(:metasploit_credential_krb_enc_key, trait.name)
+        end
+
+        it { is_expected.to be_valid }
+        it { expect(subject.data).to be_a(String) }
+      end
+    end
+  end
+
+  context 'when the krb enc key is rc4' do
+    subject :krb_enc_key_rc4 do
+      FactoryBot.build(:metasploit_credential_krb_enc_key, :with_rc4)
+    end
+
+    it_behaves_like 'a KrbEncKey',
+                    expected: {
+                      enctype: 23,
+                      key_length: 16,
+                      salt: nil,
+                      to_s: /rc4-hmac:\w{32}/
+                    }
+  end
+
+  context 'when the krb enc key is aes128' do
+    subject :krb_enc_key_aes256 do
+      FactoryBot.build(:metasploit_credential_krb_enc_key, :with_aes128)
+    end
+
+    it_behaves_like 'a KrbEncKey',
+                    expected: {
+                      enctype: 17,
+                      key_length: 16,
+                      salt: /DOMAIN.LOCALUserAccount\d+/,
+                      to_s: /aes128-cts-hmac-sha1-96:\w{32}/
+                    }
+  end
+
+  context 'when the krb enc key is aes128' do
+    subject :krb_enc_key_aes256 do
+      FactoryBot.build(:metasploit_credential_krb_enc_key, :with_aes256)
+    end
+
+    it_behaves_like 'a KrbEncKey',
+                    expected: {
+                      enctype: 18,
+                      key_length: 32,
+                      salt: /DOMAIN.LOCALUserAccount\d+/,
+                      to_s: /aes256-cts-hmac-sha1-96:\w{64}/
+                    }
+  end
+
+  context 'when the krb enc key is not a known enctype' do
+    subject :krb_enc_key_aes256 do
+      FactoryBot.build(:metasploit_credential_krb_enc_key, data: described_class.build_data(enctype: 1024, key: "abc"))
+    end
+
+    it_behaves_like 'a KrbEncKey',
+                    expected: {
+                      enctype: 1024,
+                      key_length: 3,
+                      salt: nil,
+                      to_s: 'unassigned-1024:616263'
+                    }
+  end
+
+  context 'validations' do
+    context '#data' do
+      subject(:data_errors) do
+        krb_enc_key.errors[:data]
+      end
+
+      #
+      # lets
+      #
+
+      let(:data) do
+        FactoryBot.generate(:metasploit_credential_krb_enc_key_aes256)
+      end
+
+      let(:krb_enc_key) do
+        FactoryBot.build(
+          :metasploit_credential_krb_enc_key,
+          data: data
+        )
+      end
+
+      #
+      # Callbacks
+      #
+
+      before(:example) do
+        krb_enc_key.valid?
+      end
+
+      context 'when the data is valid' do
+        it { is_expected.to be_empty }
+      end
+
+      context "when the data is invalid" do
+        let(:data) do
+          "foo"
+        end
+
+        it { is_expected.to include("is not in the KrbEncKey data format of 'msf_krbenckey:<ENCTYPE>:<KEY>:<SALT>', where the key and salt are in hexadecimal characters") }
+      end
+    end
+  end
+end

data/spec/models/metasploit/credential/private_spec.rb

@@ -134,6 +134,7 @@ RSpec.describe Metasploit::Credential::Private, type: :model do
                               Metasploit::Credential::NTLMHash
                               Metasploit::Credential::Password
                               Metasploit::Credential::SSHKey
+                              Metasploit::Credential::KrbEncKey
                             }
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-credential
 version: !ruby/object:Gem::Version
-  version: 6.0.0
+  version: 6.0.1
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-11-29 00:00:00.000000000 Z
+date: 2022-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: metasploit-concern
@@ -244,6 +244,7 @@ files:
 - app/models/metasploit/credential/blank_password.rb
 - app/models/metasploit/credential/blank_username.rb
 - app/models/metasploit/credential/core.rb
+- app/models/metasploit/credential/krb_enc_key.rb
 - app/models/metasploit/credential/login.rb
 - app/models/metasploit/credential/nonreplayable_hash.rb
 - app/models/metasploit/credential/ntlm_hash.rb
@@ -355,6 +356,7 @@ files:
 - spec/factories/metasploit/credential/importer/cores.rb
 - spec/factories/metasploit/credential/importer/pwdumps.rb
 - spec/factories/metasploit/credential/importer/zips.rb
+- spec/factories/metasploit/credential/krb_enc_key.rb
 - spec/factories/metasploit/credential/logins.rb
 - spec/factories/metasploit/credential/nonreplayable_hashes.rb
 - spec/factories/metasploit/credential/ntlm_hashes.rb
@@ -387,6 +389,7 @@ files:
 - spec/models/mdm/workspace_spec.rb
 - spec/models/metasploit/credential/blank_username_spec.rb
 - spec/models/metasploit/credential/core_spec.rb
+- spec/models/metasploit/credential/krb_enc_key_spec.rb
 - spec/models/metasploit/credential/login/status_spec.rb
 - spec/models/metasploit/credential/login_spec.rb
 - spec/models/metasploit/credential/nonreplayable_hash_spec.rb
@@ -484,6 +487,7 @@ test_files:
 - spec/factories/metasploit/credential/importer/cores.rb
 - spec/factories/metasploit/credential/importer/pwdumps.rb
 - spec/factories/metasploit/credential/importer/zips.rb
+- spec/factories/metasploit/credential/krb_enc_key.rb
 - spec/factories/metasploit/credential/logins.rb
 - spec/factories/metasploit/credential/nonreplayable_hashes.rb
 - spec/factories/metasploit/credential/ntlm_hashes.rb
@@ -516,6 +520,7 @@ test_files:
 - spec/models/mdm/workspace_spec.rb
 - spec/models/metasploit/credential/blank_username_spec.rb
 - spec/models/metasploit/credential/core_spec.rb
+- spec/models/metasploit/credential/krb_enc_key_spec.rb
 - spec/models/metasploit/credential/login/status_spec.rb
 - spec/models/metasploit/credential/login_spec.rb
 - spec/models/metasploit/credential/nonreplayable_hash_spec.rb