
Handle kerberos properly when an account has no pre-auth required #18437

Closed
wants to merge 2 commits into from

Conversation

smashery
Contributor

@smashery smashery commented Oct 9, 2023

This fixes an issue relating to accounts with Kerberos pre-auth disabled.

Upon encountering such an account, the KDC sends us an AS-REP that we could use for authentication, as long as we know the password. However, Metasploit has not performed this step. Rather, it just returns with "The account has pre-auth disabled; you can crack this ticket with Hashcat". This works fine for the Kerberos brute force module; but for modules that actually intend to use Kerberos to perform some action, the action will fail for such accounts. But if we know the account password, we can treat this exactly as with any other account: decrypt the AS-REP enc-part, and carry on.

This bug appeared when setting the correct password on a Kerberos module (e.g. winrm_cmd) returned an error message when it should have been able to succeed:

msf6 auxiliary(scanner/winrm/winrm_cmd) > run rhosts=192.168.20.210 domain=pod8.lan username=administrator winrm::auth=kerberos winrm::rhostname=WIN2012DC.POD8.LAN domaincontrollerrhost=192.168.20.210 password=Password123!

[*] Error: 192.168.20.210: Rex::Proto::Kerberos::Model::Error::KerberosError Kerberos ticket does not require preauthentication. It is not possible to decrypt the encrypted message to request further TGS tickets. Try cracking the password via AS-REP Roasting techniques.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use winrm_cmd
  • Run the module against an admin account with pre-auth disabled, using the correct password
  • Verify that the module completes successfully
  • use kerberos_login
  • Run the module against an account with pre-auth disabled, using the correct password
  • Verify that it shows that the password is correct
  • Run the module against an account with pre-auth disabled, using the incorrect password
  • Verify that it shows the crackable hash
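As an added example (not code from this PR or from Metasploit), this is the client-side decision the description refers to for the RC4-HMAC (etype 23) case: given an AS-REP enc-part and a candidate NT hash, decrypt it and carry on when the key is right, or fall back to the crackable AS-REP roast line when it is not. The NT hash, confounder and ciphertext are assumed to come from the caller; the RC4-HMAC layout follows RFC 4757 and the hash line follows the hashcat mode 18200 format, neither of which is taken from the PR.

```ruby
require 'openssl'

# RC4 keystream (textbook KSA/PRGA), written out here because OpenSSL 3 only
# ships RC4 in its legacy provider. Not Metasploit's code.
def rc4(key, data)
  s = (0..255).to_a
  j = 0
  256.times do |i|
    j = (j + s[i] + key.getbyte(i % key.bytesize)) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |b|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    b ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

def hmac_md5(key, data); OpenSSL::HMAC.digest('MD5', key, data); end

# RFC 4757 RC4-HMAC (etype 23): the key is the NT hash; key usage 3 (AS-REP enc-part)
# is replaced by 8 on the wire. Output is 16-byte checksum || RC4(confounder || plaintext).
def rc4_hmac_encrypt(nt_key, usage, plaintext, confounder)
  k1 = hmac_md5(nt_key, [usage == 3 ? 8 : usage].pack('V'))
  data = confounder.b + plaintext.b
  checksum = hmac_md5(k1, data)
  checksum + rc4(hmac_md5(k1, checksum), data)
end

# Returns the plaintext (confounder stripped), or nil when the checksum fails, which is
# exactly what a wrong password (wrong NT hash) looks like to the client.
def rc4_hmac_decrypt(nt_key, usage, ciphertext)
  return nil if ciphertext.bytesize < 24 # checksum + confounder at minimum
  k1 = hmac_md5(nt_key, [usage == 3 ? 8 : usage].pack('V'))
  checksum, body = ciphertext[0, 16], ciphertext[16..]
  data = rc4(hmac_md5(k1, checksum), body)
  hmac_md5(k1, data) == checksum ? data[8..] : nil
end

# The decision the PR describes: with a candidate key, decrypt the AS-REP enc-part and
# carry on; otherwise hand back the hashcat-style (mode 18200) AS-REP roast line.
def handle_as_rep(user, realm, enc_part, nt_key)
  plain = nt_key && rc4_hmac_decrypt(nt_key, 3, enc_part)
  return { status: :authenticated, enc_part: plain } if plain
  { status: :crackable,
    hash: "$krb5asrep$23$#{user}@#{realm}:#{enc_part[0, 16].unpack1('H*')}$#{enc_part[16..].unpack1('H*')}" }
end
```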

@smashery smashery added the bug label Oct 9, 2023
@smashery
Contributor Author

This work was implemented as part of #18560.

@smashery smashery closed this Nov 28, 2023