6d3fc7b732
Neatening kerberoasting modifications
2025-05-13 18:26:25 +10:00
abba784190
Fix AES kerberoast hashcat format. Change when hashes are displayed in module.
2025-05-13 18:26:25 +10:00
365db3c52e
Support different hash type JTR formats
2025-05-13 18:26:25 +10:00
1e56168905
Move kerberoasting to Ruby code
2025-05-13 18:26:25 +10:00
630c2c03bc
Update certs command, pkcs12 matching and specs
...
- use the `status`, certificate's `not_before`/`not_after` and check if the TLS
OID is present to filter pkcs12 before using them with PKInit
- add the `activate`, `deactivate` and `export` capabilities to the
certs command
- add specs
2025-04-02 18:23:14 +02:00
e7535d8fae
Add certs command & use pkinit if kerberos tickets are not available in cache
2025-04-02 18:23:14 +02:00
d47ec03ca7
Refactor CMS data structures used in pkinit functionality
2025-03-14 10:42:32 +11:00
25bd5d736c
Fix comparision case for service name hostname
2025-01-24 14:26:58 +01:00
abfc24efdc
Fix Kerberos cache storage exception
2024-11-08 11:25:28 +00:00
2470a45eb1
Fix out of scope variable with original behaviour
2024-11-06 18:33:34 +11:00
b2075e5e6b
Merge pull request #19553 from smashery/offered-etype-fix
...
Only retrieve cached credentials that match the requested KrbOfferedEncryptionTypes
2024-10-28 09:47:26 -04:00
617270265d
Only retrieve cached credentials that match the requested OfferedEncryptionTypes
2024-10-11 16:23:26 +11:00
b5107583f1
Fix crash in #extract_user_and_realm with specific san extension
2024-09-24 14:34:09 +02:00
1b4362b6d5
Set default server_name in #send_request_tgt_pkinit
2024-09-09 18:03:15 +02:00
19e3f29441
Add missing constants for the Kerberos login scanner & set default server_name value in the client
2024-08-23 15:01:18 +02:00
89cf0223d1
Kerberos asrep roasting improvements
2024-07-24 18:01:11 +01:00
7cdea94000
Convert ldap modules to use the new ldap session type
2024-05-15 15:12:51 +01:00
69e35005ee
Add TLS channel binding for kerberos
2024-05-08 16:30:24 -04:00
cc3fd3bfa0
Update #build_gss_ap_req_checksum_value
...
This updates the #build_gss_ap_req_checksum_value method to allow
control over the flags and channel binding information.
2024-05-08 16:24:54 -04:00
9aead31bb9
Support encrypted LDAP (ldap signing) over Kerberos and NTLM
2024-04-24 12:56:06 +10:00
603e5b2bff
Land #18569 , Add a module to perform ASREP-roasts
...
This adds a module to gather credential material from accounts
with Requires Pre-Authentication disabled. The module supports two
mechanisms, Brute Forcing using a list of usernames or using a LDAP
query to request the relevant usernames, followed by requesting TGTs.
2023-12-11 19:58:06 -05:00
9f126a4d24
Land #18446 , Make DomainControllerRhost optional
...
This PR makes the DomainControllerRhosts option optional,
even when auth is set to kerberos. This change requires
rapid7/rex-socket#64 which was released in the rex-socket 1.5.5 gem.
2023-12-05 17:47:45 -05:00
f000c39b4a
Update to mark DomainControllerRhost as optional
2023-12-05 16:23:35 -05:00
e6321e46c4
Land #18565 , Add kerberos cache TGT lookup logic
...
This PR adds an enhancement to adjust the cache lookup logic.
If no TGT for the specific host is found, it will try again but
with any host.
2023-11-28 12:00:48 -05:00
2ea1f43f12
Unit test for new kerberos client pre-auth behaviour
2023-11-27 17:10:19 +11:00
c293c273ba
Attempt to decrypt pre-auth kerberos response
2023-11-27 13:09:59 +11:00
3ca13d9358
Changes from code review.
...
Added in the stability/IOC notes, since diamond/sapphire do make requests.
2023-11-27 10:30:54 +11:00
2ead152173
Add specific module to perform ASREP-roasting
2023-11-24 07:43:49 +11:00
8d4ae4bc78
Check the cache for a TGT without a host
...
This fixes allows forged golden tickets to be reused from the cache
2023-11-21 14:19:47 -05:00
1b4099f5a3
Copy across some more properties from the PAC
2023-11-21 13:51:05 +11:00
45a5c62308
Fix diamond tickets
2023-11-20 10:11:38 +11:00
5e9ff17e59
Handle NTHASH tickets, including warning users that it's a terrible idea
2023-11-17 19:24:25 +11:00
fb9bd2cae1
Use empty string for missing values rather than nil
2023-11-17 15:09:30 +11:00
9d873cb7ac
Fix bug in writing UpnDnsInfo structure, and include in sapphire PAC
2023-11-17 13:49:55 +11:00
24490cbe1e
Replicate Logon domain name and extra sids from sapphire ticket
2023-11-17 13:16:40 +11:00
4e6a29d0fb
Implement sapphire tickets
2023-11-15 22:31:11 +11:00
bdb13601ae
Implement diamond tickets
2023-11-15 16:13:01 +11:00
c243125612
Land #18379 , Improve ccache hostname matching
...
The service authenticator was filtering out valid credentials
when the hostname wasnt an exact match when credentials for
a domain should work on a subdomaini. This PR fixes that issue.
2023-11-07 22:08:15 -05:00
6e9facbefb
Merge pull request #18419 from smashery/dcsync_kerberos
...
DCSync using Kerberos Pass-the-Ticket
2023-10-30 09:41:22 -04:00
2a699b89fa
Changes from code review
2023-10-30 12:51:55 +11:00
b0b4da543d
Land #18400 , Kerberos ticket_search fix passing in a workspace
2023-10-23 16:17:24 +02:00
1071341b23
Changes from code review
2023-10-09 10:31:36 +11:00
4d87d4e114
Save Kerberos tickets in the MSF cache upon a successful login
2023-10-03 13:45:41 +11:00
185cba04c3
Support validating partial handshakes
2023-10-03 10:19:26 +11:00
1bd229056e
Support Kerberos auth for DCERPC
2023-09-28 16:26:06 +10:00
c1abf37d0c
Use passed in workspace if available, default to current workspace
2023-09-25 13:30:18 +01:00
6a04f5ed3d
Be less strict on hostname matching for ccache credentials
2023-09-18 14:54:20 +01:00
5c93b3880a
Don't add extra PACs for silver tickets
2023-09-13 15:41:09 +10:00
6b8fe05865
Add new PAC types required by DCs for accepting TGTs as valid
2023-09-12 17:19:10 +10:00
f287f50be7
Land #18187 , Fixes incorrect usage of pack/unpack directives
2023-07-21 11:40:02 +01:00
Ashley Donaldson