Added Kerberos (GSSAPI) authentication for SSH protocol
Description
This PR adds support for the --use-kcache and --kerberos options for the SSH protocol. In light of https://github.com/Pennyw0rth/NetExec/pull/785, this will probably need to be heavily refactored together with the existing codebase.
Unfortunately, the paramiko library has additional dependencies (gssapi==1.9.0) that must be installed in order to support GSSAPI; this is similar to how WinRM requires the krb package. ~~But, this is just an additional Python library so it's easier to manage~~ edit: gssapi likely requires the libkrb5 package.
Leaving this PR here for future maintainers to take reference should there be a demand for GSSAPI authentication. Documentation has not been updated yet.
Type of change
Insert an "x" inside the brackets for relevant items (do not delete options)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Deprecation of feature or functionality
- [x] This change requires a documentation update
- [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
Setup guide for the review
This has been tested to be working on Windows Server 2022, Ubuntu and Debian domain-joined machines; this can be tested on any domain-joined Windows machine that has the SSH service running.
As for Linux machines, there are a couple on vulnlab that can be used. Or, they can be easily set up locally with this.
Screenshots (if appropriate):
Using an existing Kerberos cache, on a Windows machine (--use-kcache):
Using an existing Kerberos cache, on a Linux machine (--use-kcache):
Using plaintext credentials on a Windows machine (--kerberos):
Using plaintext credentials on a Linux machine (--kerberos):
This also supports overpassing the hash with the -H flag:
Checklist:
Insert an "x" inside the brackets for completed and relevant items (do not delete options)
- [x] I have run Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
- [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are required to be added to the e2e tests)
- [ ] New and existing e2e tests pass locally with my changes
- [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
Thanks for the PR!
Why is the gssapi package required? I don't see it in the code. Furthermore, does the gssapi package require apt packages, e.g. the libkrb5 package?
Also be aware that https://github.com/Pennyw0rth/NetExec/pull/598 might drastically change the current state of the ssh proto
> Thanks for the PR!
> Why is the gssapi package required? I don't see it in the code. Furthermore, does the gssapi package require apt packages, e.g. the libkrb5 package?
An exception is raised by paramiko when attempting GSSAPI authentication without the additional dependencies; this is also stated in their documentation.
I do believe that the gssapi package does require libkrb5 actually, but haven't tested this.
Looking at their documentation, it looks like this is also platform dependent. I see instructions for Windows and Linux, but not Mac. Not sure if the Linux implementation would be sufficient for Mac, but my guess would be that it is not.
As we need pure Python code without any apt packages, I have my doubts that this will work when we build our binaries for the respective platforms.