adfoster-r7
76166c0d14
Update SAMR computer and ICPR cert to support SMB sessions
2024-03-01 17:53:58 +00:00
cgranleese-r7
40e6917b7f
tests passing
2023-04-04 10:24:09 +01:00
adfoster-r7
0047ce5d3a
Add rbcd exploitation documentation to docs site
2023-03-03 13:18:29 +00:00
adfoster-r7
2d30909a2f
Change option name namespacing convention
2023-01-26 16:17:50 +00:00
adfoster-r7
3d003ff14c
Land #17540, Handle KDC_ERR_CERTIFICATE_MISMATCH for certifried
2023-01-25 18:39:20 +00:00
Dean Welch
5b473e4ede
Handle KDC_ERR_CERTIFICATE_MISMATCH for certifried
2023-01-25 18:22:54 +00:00
Spencer McIntyre
21f33296b7
Consolidate PKINIT hash extraction code
2023-01-25 12:16:42 -05:00
Spencer McIntyre
a5e2c5b3b7
Unify pkinit_login with get_ticket
2023-01-25 08:36:26 -05:00
Spencer McIntyre
785e2caa9f
Refactor #send_request_tgt_pkinit, clarify docs
2023-01-25 08:36:26 -05:00
Christophe De La Fuente
2072111713
Fix from code review & some improvements
...
- Improve option validation
- Always request an impersonated TGS for `cifs/...` SPN
- SPN option now is used to request an additional TGS for another SPN
- Add exception handling for Kerberos errors
- Only remove the computer account if it has been created
2023-01-18 19:28:06 +01:00
Christophe De La Fuente
3d22fbcad9
Add exploit module for Certifried exploit
...
- Move all the logic from `modules/auxiliary/admin/dcerpc/icpr_cert.rb`
to `lib/msf/core/exploit/remote/ms_icpr.rb` library
- Move all the logic from `modules/auxiliary/admin/dcerpc/samr_computer.rb`
to `lib/msf/core/exploit/remote/ms_samr.rb` library
- Add `modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb` module
- Update the SMB client to disable SSL by default
- Add documentation
- Kerberos client: pass `options` as argument to `send_request_as`
- `calculate_shared_key` returns an EncryptionKey instead of the raw key
- Update `pkinit_login` module to make it compatible
- Add support to `additional_tickets` when requesting tickets
- Add support to PAC CredentialInfo structures
- Add impersonation to escalate privileges
- Add ACTIONS
- Use elevated TGS to delete the computer account
- Update and add specs
2023-01-13 15:30:50 +01:00
Spencer McIntyre
f4a65a220a
Support ON_BEHALF_OF in icpr_cert
...
Add the code necessary to request certificates on behalf of other users.
This is necessary to exploit templates vulnerable to ESC2 and ESC3.
2022-11-17 12:12:35 -05:00
Spencer McIntyre
31e2ab683c
Update samr_computer to show the SID when adding
2022-10-31 10:56:17 -04:00
Spencer McIntyre
b0fe5e1620
Cleanup the code a bit
2022-08-30 11:12:36 -04:00
Spencer McIntyre
69cc144e04
Add module docs
2022-08-30 11:12:36 -04:00
Spencer McIntyre
86804ce5b8
Add specific UPN and DNS support; switch to pipes
2022-08-30 11:12:36 -04:00
Spencer McIntyre
cd13039aae
Add the initial MS-ICPR module
2022-08-30 11:12:36 -04:00
adfoster-r7
8253e99c11
Update zerologon error handling to output invalid computer name details
2022-08-03 15:32:38 +01:00
Spencer McIntyre
41ba2d263b
Address PR feedback
...
Simplify the application_key usage, update docs and catch another
exception.
2022-06-28 11:53:05 -04:00
Spencer McIntyre
825604dda9
Add docs and a configurable password
2022-06-15 08:51:47 -04:00
Spencer McIntyre
78f2ea39e9
Use some pretty liberal error handling
2022-06-15 08:51:28 -04:00
Spencer McIntyre
41567b1eb4
Add the DELETE_COMPUTER action
2022-06-13 17:46:34 -04:00
Spencer McIntyre
084fc194ea
Add the LOOKUP_COMPUTER action
2022-06-13 17:20:34 -04:00
Spencer McIntyre
74936f69a3
Add the ADD_COMPUTER action
2022-06-13 17:03:51 -04:00
Spencer McIntyre
45674fbcc2
Add the initial samr module
2022-06-02 14:12:47 -04:00
Spencer McIntyre
02e7a65b93
Just move the auxiliary module into an exploit
2022-05-16 17:44:31 -04:00
Spencer McIntyre
36921a00f6
Merge branch 'feat/mod/cve-2021-1675-retry' into feat/mod/cve-2021-1675
2022-05-16 14:59:32 -04:00
Spencer McIntyre
d278ad9be1
Add the printnightmare exploit
2022-05-16 14:56:46 -04:00
Spencer McIntyre
75d137fce5
Rubocop and add todo to printnightmare
2022-05-16 14:56:46 -04:00
Spencer McIntyre
f9a5d8285a
Use the retry mixin for printnightmare
...
This module gets disconnected from the named pipe. Use the new retry
mixin to avoid waiting for a standard delay.
2022-05-16 09:53:57 -04:00
h00die
d5ba1afbec
fix URLs not resolving
...
fix URLs not resolving
add csv export to references
fix URLs not resolving
pdf not pd
missed a url change
remove extra redirectedfrom fields
remove extra file
fix ovftool url accidental replacement
2022-02-16 17:22:40 -06:00
Spencer McIntyre
b146f098a2
Update to use the moved DCERPC definitions
2022-01-31 09:03:07 -05:00
Christophe De La Fuente
ae2e4d723b
Add NTDS technique
2022-01-03 21:39:33 +01:00
kalba-security
c1c71d34fe
add nil check for the return value of add_printer_driver_ex, since this will return nil if the response can't be mapped to a win32 status code
2021-09-30 19:28:00 -04:00
Spencer McIntyre
3098e2fcdd
Update the module notes regarding instability
2021-07-16 09:03:40 -04:00
Spencer McIntyre
ed979992fd
Remove a redundant print status statement
2021-07-13 10:14:16 -04:00
Spencer McIntyre
32eab49428
Fix a typo in the module description
2021-07-12 12:20:37 -04:00
Spencer McIntyre
e155bb64cd
Improved check method for PrintNightmare
2021-07-09 12:15:39 -04:00
Grant Willcox
70fd9376e3
Final documentation improvements to explain SMB setup and improvements to module to fix one minor error output
2021-07-07 17:05:22 -05:00
Spencer McIntyre
f42aa3742c
Automatically reconnect to the named pipe
2021-07-07 13:25:51 -04:00
Spencer McIntyre
f74903178e
Add a check method that detects the service
2021-07-06 17:29:08 -04:00
Spencer McIntyre
d5d48949b2
Update PrintNightmare module docs
2021-07-06 16:30:51 -04:00
Spencer McIntyre
0f9b913b0f
Remove the RPORT redefinition
2021-07-06 09:29:01 -04:00
Spencer McIntyre
9c6b023b0d
Add PrintNightmare module docs
2021-07-02 16:00:39 -04:00
Spencer McIntyre
dfa91961f7
Use enumeration to find target directories
2021-07-02 15:39:00 -04:00
Spencer McIntyre
d9ecfb823f
Add DCERPC plumbing for EnumPrinterDrivers
2021-07-02 12:10:00 -04:00
Spencer McIntyre
b9830487de
Add targets for older versions of Windows
2021-07-01 17:48:21 -04:00
Spencer McIntyre
9dea8b5f99
Define necessary flags and print target info
2021-07-01 16:01:07 -04:00
Spencer McIntyre
f6279ee9bc
Randomize the name and catch some errors
2021-07-01 14:00:51 -04:00
Spencer McIntyre
e44eb0005e
Initial PrintNightmare PoC
2021-07-01 12:32:43 -04:00