Save Kerberos tickets in the MSF cache upon a successful login

rapid7 · Oct 3, 2023 · 4d87d4e · 4d87d4e · Playgirlkaybraz11 · Sep 8, 2024
1 parent 50e4269
commit 4d87d4e
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md b/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md
@@ -3,7 +3,9 @@
 The `auxiliary/scanner/kerberos/kerberos_login` module can verify Kerberos credentials against a range of machines and
 report successful logins. If you have loaded a database plugin
 and connected to a database this module will record successful
-logins and hosts so you can track your access.
+logins and hosts so you can track your access. It will also
+store kerberos tickets that can be used even after the user's
+password has been changed.
 
 Kerberos accounts which do not require pre-authentication will
 have the TGT logged for offline cracking, this technique is known as AS-REP Roasting.

diff --git a/lib/msf/core/exploit/remote/kerberos/auth_brute.rb b/lib/msf/core/exploit/remote/kerberos/auth_brute.rb
@@ -75,6 +75,8 @@ def attempt_kerberos_logins
             print_good("#{peer} - User: #{format_user(user)} does not require preauthentication. Hash: #{hash}")
           else
             print_good("#{peer} - User found: #{format_user(user)} with password #{password}. Hash: #{hash}")
+            ccache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(result.proof.as_rep, result.proof.decrypted_part)
+            Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ccache, host: rhost, framework_module: self)
           end
           report_cred(user: user, password: password, asrep: hash)
         else