metasploit-credential 6.0.2 → 6.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 416819532338ddf04c5f8305550aa8c3b728223a6ddfe0e8aff141c4690f84bb
-  data.tar.gz: 1a1f815cde01159da2d994b3bc87a90c98a055957c317841d4c5f64381f5a4cc
+  metadata.gz: 97884e997f5fe9428e4fc79f0b4a9e4a4e51a06363b372a2fa1affa0dffba6d5
+  data.tar.gz: 37e4b1a543e249e7facb0c6570efd104d4bf347922636b561aecb78bab0602a8
 SHA512:
-  metadata.gz: bf49d45cfb1f1e5b80795d117947ae7bfe15c507d62d37e7e70b80e6b47e03bfdee5ed5e21f071f5746cb7d20e7ba878049cb4c4f44106f98c831fcd13624b88
-  data.tar.gz: 056fd6587af57c9078459859e43284fb809fb394132919ed70ed237693e2edc1e3eea66ba70b6a1cad1d532959b1aab8d4515cbfbffd3be923c837cd7034fc9a
+  metadata.gz: 23da300c2d52cd12a8aeb398010b21d2542ab4f88f59946fabde21efbb3554c30f36b32839961abef13c43528324ddacc807d68872cc9df3bbf2e47d31c66905
+  data.tar.gz: 90f93c7bd036e2f6b328dca97707d5e85bd40a257cb6f7dba928d0d6fd983cd295e38b3052cb6aae271c37bd730e4b5c36e71feed1e1dc561bb0b163c207d098

data/app/models/metasploit/credential/pkcs12.rb

@@ -0,0 +1,84 @@
+require 'openssl'
+require 'base64'
+
+# A private Pkcs12 file.
+class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
+  #
+  # Attributes
+  #
+
+  # @!attribute data
+  #   A private pkcs12 file, base64 encoded - i.e. starting with 'MIIMhgIBAzCCDFAGCSqGSIb3DQEHAaCC....'
+  #
+  #   @return [String]
+
+  #
+  #
+  # Validations
+  #
+  #
+
+  #
+  # Attribute Validations
+  #
+
+  validates :data,
+            presence: true
+  #
+  # Method Validations
+  #
+
+  validate :readable
+
+  #
+  # Instance Methods
+  #
+
+  # Converts the private pkcs12 data in {#data} to an `OpenSSL::PKCS12` instance.
+  #
+  # @return [OpenSSL::PKCS12]
+  # @raise [ArgumentError] if {#data} cannot be loaded
+  def openssl_pkcs12
+    if data
+      begin
+        password = ''
+        OpenSSL::PKCS12.new(Base64.strict_decode64(data), password)
+      rescue OpenSSL::PKCS12::PKCS12Error => error
+        raise ArgumentError.new(error)
+      end
+    end
+  end
+
+  # The {#data key data}'s fingerprint, suitable for displaying to the
+  # user.
+  #
+  # @return [String]
+  def to_s
+    return '' unless data
+
+    cert = openssl_pkcs12.certificate
+    result = []
+    result << "subject:#{cert.subject.to_s}"
+    result << "issuer:#{cert.issuer.to_s}"
+    result.join(',')
+  end
+
+  private
+
+  #
+  # Validates that {#data} can be read by OpenSSL and a `OpenSSL::PKCS12` can be created from {#data}.  Any exception
+  # raised will be reported as a validation error.
+  #
+  # @return [void]
+  def readable
+    if data
+      begin
+        openssl_pkcs12
+      rescue => error
+        errors.add(:data, "#{error.class} #{error}")
+      end
+    end
+  end
+
+  Metasploit::Concern.run(self)
+end

data/app/models/metasploit/credential/private.rb

@@ -74,6 +74,7 @@ class Metasploit::Credential::Private < ApplicationRecord
                 Metasploit::Credential::Password
                 Metasploit::Credential::SSHKey
                 Metasploit::Credential::KrbEncKey
+                Metasploit::Credential::Pkcs12
               }
 
   #

data/config/locales/en.yml

@@ -57,6 +57,7 @@ en:
       metasploit/credential/ntlm_hash: "NTLM hash"
       metasploit/credential/ssh_key: "SSH key"
       metasploit/credential/krb_enc_key: 'Krb enc key'
+      metasploit/credential/pkcs12: 'Pkcs12 (pfx)'
     errors:
       models:
         metasploit/credential/core:
@@ -83,10 +84,14 @@ en:
           attributes:
             data:
               format: "is not in the KrbEncKey data format of 'msf_krbenckey:<ENCTYPE>:<KEY>:<SALT>', where the key and salt are in hexadecimal characters"
+        metasploit/credential/pkcs12:
+          attributes:
+            data:
+              format: "is not a Base64 encoded pkcs12 file without a password"
         metasploit/credential/ssh_key:
           attributes:
             data:
-              encrypted: "is encrypted, but Metasploit::Credential::SSHKey only supports unencrypred private keys."
+              encrypted: "is encrypted, but Metasploit::Credential::SSHKey only supports unencrypted private keys."
               not_private: "is not a private key."
   errors:
     messages:

data/db/migrate/20221209005658_create_index_on_private_data_and_type_for_pkcs12.rb

@@ -0,0 +1,32 @@
+class CreateIndexOnPrivateDataAndTypeForPkcs12 < ActiveRecord::Migration[6.1]
+  def up
+    # Drop the existing index created by 20161107153145_recreate_index_on_private_data_and_type.rb, and recreate it
+    # with Metasploit::Credential::Pkcs12 ignored
+    remove_index :metasploit_credential_privates, [:type, :data], if_exists: true
+    change_table :metasploit_credential_privates do |t|
+      t.index [:type, :data],
+              unique: true,
+              where: "NOT (type = 'Metasploit::Credential::SSHKey' or type = 'Metasploit::Credential::Pkcs12')"
+    end
+
+    # Create a new index similar to 20161107203710_create_index_on_private_data_and_type_for_ssh_key.rb
+    sql = <<~EOF
+      CREATE UNIQUE INDEX IF NOT EXISTS "index_metasploit_credential_privates_on_type_and_data_pkcs12" ON
+      "metasploit_credential_privates" ("type", decode(md5(data), 'hex'))
+      WHERE type in ('Metasploit::Credential::Pkcs12')
+    EOF
+    execute(sql)
+  end
+
+  def down
+    # Restore the original metasploit_credential_privates index from /Users/adfoster/Documents/code/metasploit-credential/db/migrate/20161107153145_recreate_index_on_private_data_and_type.rb
+    # XXX: this would crash if there are any Pkcs12 entries present, so for the simplicity of avoiding a data migration we keep the pkcs12 type ommitted from the index
+    remove_index :metasploit_credential_privates, [:type, :data], if_exists: true
+    change_table :metasploit_credential_privates do |t|
+      t.index [:type, :data],
+              unique: true,
+              where: "NOT (type = 'Metasploit::Credential::SSHKey' or type = 'Metasploit::Credential::Pkcs12')"
+    end
+    remove_index :metasploit_credential_privates, name: :index_metasploit_credential_privates_on_type_and_data_pkcs12, if_exists: true
+  end
+end

data/lib/metasploit/credential/creation.rb

@@ -479,6 +479,8 @@ module Metasploit::Credential::Creation
           private_object = Metasploit::Credential::Password.where(data: private_data).first_or_create
         when :ssh_key
           private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
+        when :pkcs12
+          private_object = Metasploit::Credential::Pkcs12.where(data: private_data).first_or_create
         when :krb_enc_key
           private_object = Metasploit::Credential::KrbEncKey.where(data: private_data).first_or_create
         when :ntlm_hash

data/lib/metasploit/credential/version.rb

@@ -3,7 +3,7 @@
 module Metasploit
   module Credential
     # VERSION is managed by GemRelease
-    VERSION = '6.0.2'
+    VERSION = '6.0.4'
 
     # @return [String]
     #

data/lib/metasploit/credential.rb

@@ -43,6 +43,7 @@ module Metasploit
     autoload :Origin
     autoload :Password
     autoload :PasswordHash
+    autoload :Pkcs12
     autoload :PostgresMD5
     autoload :Private
     autoload :Public

data/spec/dummy/config/database.yml

@@ -1,6 +1,6 @@
 development: &pgsql
   adapter: postgresql
-  database: metasploit-credential_development2
+  database: metasploit-credential_development3
   username: msf
   password: pass123
   host: localhost
@@ -10,4 +10,4 @@ development: &pgsql
   min_messages: warning
 test:
   <<: *pgsql
-  database: metasploit-credential_test2
+  database: metasploit-credential_test3

data/spec/factories/metasploit/credential/pkcs12.rb

@@ -0,0 +1,37 @@
+FactoryBot.define do
+  factory :metasploit_credential_pkcs12,
+          class: Metasploit::Credential::Pkcs12 do
+    transient do
+      # key size tuned for speed.  DO NOT use for production, it is below current recommended key size of 2048
+      key_size { 1024 }
+      # signing algorithm for the pkcs12 cert
+      signing_algorithm { 'SHA256' }
+      # the cert subject
+      subject { '/C=BE/O=Test/OU=Test/CN=Test' }
+      # the cert issuer
+      issuer { '/C=BE/O=Test/OU=Test/CN=Test' }
+    end
+
+    data {
+      password = ''
+      pkcs12_name = ''
+
+      private_key = OpenSSL::PKey::RSA.new(key_size)
+      public_key = private_key.public_key
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = OpenSSL::X509::Name.parse(subject)
+      cert.issuer = OpenSSL::X509::Name.parse(issuer)
+      cert.not_before = Time.now
+      cert.not_after = Time.now + 365 * 24 * 60 * 60
+      cert.public_key = public_key
+      cert.serial = 0x0
+      cert.version = 2
+      cert.sign(private_key, OpenSSL::Digest.new(signing_algorithm))
+
+      pkcs12 = OpenSSL::PKCS12.create(password, pkcs12_name, private_key, cert)
+      pkcs12_base64 = Base64.strict_encode64(pkcs12.to_der)
+      pkcs12_base64
+    }
+  end
+end

data/spec/lib/metasploit/credential/creation_spec.rb

@@ -134,20 +134,30 @@ RSpec.describe Metasploit::Credential::Creation do
       nonreplayable_hash: "Metasploit::Credential::NonreplayableHash",
       ntlm_hash: "Metasploit::Credential::NTLMHash",
       postgres_md5: "Metasploit::Credential::PostgresMD5",
-      ssh_key: "Metasploit::Credential::SSHKey"
+      ssh_key: "Metasploit::Credential::SSHKey",
+      krb_enc_key: "Metasploit::Credential::KrbEncKey",
+      pkcs12: "Metasploit::Credential::Pkcs12"
     }.each_pair do |private_type, public_class|
       context "Origin[manual], Public[Username], Private[#{private_type}]" do
         let(:ssh_key) {
           key_class = OpenSSL::PKey.const_get(:RSA)
           key_class.generate(512).to_s
         }
+        let(:krb_enc_key) {
+          FactoryBot.build(:metasploit_credential_krb_enc_key).data
+        }
+        let(:pkcs12) {
+          FactoryBot.build(:metasploit_credential_pkcs12).data
+        }
         let(:private_data) { {
           password: 'password',
           blank_password: '',
           nonreplayable_hash: '435ba65d2e46d35bc656086694868d1ab2c0f9fd',
           ntlm_hash: 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0',
           postgres_md5: 'md5ac4bbe016b808c3c0b816981f240dcae',
-          ssh_key: ssh_key
+          ssh_key: ssh_key,
+          krb_enc_key: krb_enc_key,
+          pkcs12: pkcs12
         }}
         let(:credential_data) {{
           workspace_id: workspace.id,
@@ -821,6 +831,16 @@ RSpec.describe Metasploit::Credential::Creation do
         expect{ test_object.create_credential_private(opts) }.to change{ Metasploit::Credential::KrbEncKey.count }.by(1)
       end
     end
+
+    context 'when :private_type is pkcs12' do
+      it 'creates a Metasploit::Credential::Pkcs12' do
+        opts = {
+          private_data: FactoryBot.build(:metasploit_credential_pkcs12).data,
+          private_type: :pkcs12
+        }
+        expect{ test_object.create_credential_private(opts) }.to change{ Metasploit::Credential::Pkcs12.count }.by(1)
+      end
+    end
   end
 
   context '#create_credential_core' do

data/spec/models/metasploit/credential/pkcs12_spec.rb

@@ -0,0 +1,116 @@
+RSpec.describe Metasploit::Credential::Pkcs12, type: :model do
+  it_should_behave_like 'Metasploit::Concern.run'
+
+  context 'factories' do
+    context 'metasploit_credential_pkcs12' do
+      subject(:metasploit_credential_pkcs12) do
+        FactoryBot.build(:metasploit_credential_pkcs12)
+      end
+
+      it { is_expected.to be_valid }
+    end
+  end
+
+  context 'validations' do
+    it { is_expected.to validate_presence_of :data }
+
+    context 'on #data' do
+      subject(:data_errors) do
+        pkcs12.errors[:data]
+      end
+
+      let(:pkcs12) do
+        FactoryBot.build(:metasploit_credential_pkcs12)
+      end
+
+      context '#readable' do
+        context 'with #data' do
+          context 'with error' do
+            #
+            # Shared Examples
+            #
+
+            shared_examples_for 'exception' do
+              it 'includes error class' do
+                exception_class_name = exception.class.to_s
+                expect(
+                    data_errors.any? { |error|
+                      error.include? exception_class_name
+                    }
+                ).to be true
+              end
+
+              it 'includes error message' do
+                exception_message = exception.to_s
+
+                expect(
+                    data_errors.any? { |error|
+                      error.include? exception_message
+                    }
+                ).to be true
+              end
+            end
+
+            #
+            # Callbacks
+            #
+
+            before(:example) do
+              expect(pkcs12).to receive(:openssl_pkcs12).and_raise(exception)
+
+              pkcs12.valid?
+            end
+
+            context 'with ArgumentError' do
+              let(:exception) do
+                ArgumentError.new("Bad Argument")
+              end
+
+              it_should_behave_like 'exception'
+            end
+
+            context 'with OpenSSL::PKCS12::PKCS12Error' do
+              let(:exception) do
+                OpenSSL::PKCS12::PKCS12Error.new('mac verify failure')
+              end
+
+              it_should_behave_like 'exception'
+            end
+          end
+
+          context 'without error' do
+            before(:example) do
+              pkcs12.valid?
+            end
+
+            it { is_expected.to be_empty }
+          end
+        end
+
+        context 'without #data' do
+          let(:error) do
+            I18n.translate!('errors.messages.blank')
+          end
+
+          #
+          # Callbacks
+          #
+
+          before(:example) do
+            pkcs12.data = nil
+
+            pkcs12.valid?
+          end
+
+          it { is_expected.to include(error) }
+        end
+      end
+    end
+  end
+
+  describe 'human name' do
+    it 'properly determines the model\'s human name' do
+      expect(described_class.model_name.human).to eq('Pkcs12 (pfx)')
+    end
+  end
+end

data/spec/models/metasploit/credential/private_spec.rb

@@ -135,6 +135,7 @@ RSpec.describe Metasploit::Credential::Private, type: :model do
                               Metasploit::Credential::Password
                               Metasploit::Credential::SSHKey
                               Metasploit::Credential::KrbEncKey
+                              Metasploit::Credential::Pkcs12
                             }
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-credential
 version: !ruby/object:Gem::Version
-  version: 6.0.2
+  version: 6.0.4
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2023-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: metasploit-concern
@@ -255,6 +255,7 @@ files:
 - app/models/metasploit/credential/origin/session.rb
 - app/models/metasploit/credential/password.rb
 - app/models/metasploit/credential/password_hash.rb
+- app/models/metasploit/credential/pkcs12.rb
 - app/models/metasploit/credential/postgres_md5.rb
 - app/models/metasploit/credential/private.rb
 - app/models/metasploit/credential/public.rb
@@ -288,6 +289,7 @@ files:
 - db/migrate/20150106201450_old_creds_to_new_creds2.rb
 - db/migrate/20161107153145_recreate_index_on_private_data_and_type.rb
 - db/migrate/20161107203710_create_index_on_private_data_and_type_for_ssh_key.rb
+- db/migrate/20221209005658_create_index_on_private_data_and_type_for_pkcs12.rb
 - lib/metasploit/credential.rb
 - lib/metasploit/credential/core_validations.rb
 - lib/metasploit/credential/creation.rb
@@ -366,6 +368,7 @@ files:
 - spec/factories/metasploit/credential/origin/sessions.rb
 - spec/factories/metasploit/credential/password_hashes.rb
 - spec/factories/metasploit/credential/passwords.rb
+- spec/factories/metasploit/credential/pkcs12.rb
 - spec/factories/metasploit/credential/postgres_md5.rb
 - spec/factories/metasploit/credential/privates.rb
 - spec/factories/metasploit/credential/publics.rb
@@ -401,6 +404,7 @@ files:
 - spec/models/metasploit/credential/origin/session_spec.rb
 - spec/models/metasploit/credential/password_hash_spec.rb
 - spec/models/metasploit/credential/password_spec.rb
+- spec/models/metasploit/credential/pkcs12_spec.rb
 - spec/models/metasploit/credential/postgres_md5_spec.rb
 - spec/models/metasploit/credential/private_spec.rb
 - spec/models/metasploit/credential/public_spec.rb
@@ -497,6 +501,7 @@ test_files:
 - spec/factories/metasploit/credential/origin/sessions.rb
 - spec/factories/metasploit/credential/password_hashes.rb
 - spec/factories/metasploit/credential/passwords.rb
+- spec/factories/metasploit/credential/pkcs12.rb
 - spec/factories/metasploit/credential/postgres_md5.rb
 - spec/factories/metasploit/credential/privates.rb
 - spec/factories/metasploit/credential/publics.rb
@@ -532,6 +537,7 @@ test_files:
 - spec/models/metasploit/credential/origin/session_spec.rb
 - spec/models/metasploit/credential/password_hash_spec.rb
 - spec/models/metasploit/credential/password_spec.rb
+- spec/models/metasploit/credential/pkcs12_spec.rb
 - spec/models/metasploit/credential/postgres_md5_spec.rb
 - spec/models/metasploit/credential/private_spec.rb
 - spec/models/metasploit/credential/public_spec.rb