rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Enable Kerberos auth for DCERPC #253

Closed smashery closed 9 months ago

smashery commented 10 months ago

This PR supports the kerberos-in-DCSync work in the Metasploit repo (see: https://github.com/rapid7/metasploit-framework/pull/18419). Test cases are listed in that PR, and should exercise all of the changes in this PR.

smashery commented 9 months ago

Thanks for the review @cdelefuente-r7. Agreed regarding having the Kerberos functionality available here. I wonder whether it would be worth a refactoring job to pull it out into either here, or a separate repo? I think I've addressed the comments - let me know if there's anything else needed.

cdelafuente-r7 commented 9 months ago

Thanks for updating this @smashery! Everything looks good to me now. I retested and confirmed the signature verification issue is fixed now. Adding Kerberos functionality would be great, but it would require a lot of refactoring and changes. I think your solution is the best for now. That being said, I'll keep this idea in mind for a future enhancement.

smcintyre-r7 commented 9 months ago

@cdelafuente-r7 I opened a PR implementing the changes you requested here: https://github.com/smashery/ruby_smb/pull/1. Give it a look and let me know what you think.

smcintyre-r7 commented 9 months ago

Tested this with the Metasploit side of things and it's all looking good to me now!

Thanks for your work on this, Smashery, this is a great improvement!

msf6 auxiliary(gather/windows_secrets_dump) > run DOMAIN=msflab.local SMB::Auth=kerberos SMB::Rhostname=dc.msflab.local DomainControllerRhost=192.168.159.10
[*] Running module against 192.168.159.10

[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231025135757_default_192.168.159.10_mit.kerberos.cca_191490.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231025135757_default_192.168.159.10_mit.kerberos.cca_964676.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid delegation TGS-Response
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Retrieving target system bootKey
[+] 192.168.159.10:445 - bootKey: 0x369c37bc5ec5e4b3eaeee7b69caf5d6a
[*] 192.168.159.10:445 - Saving remote SAM database
[*] 192.168.159.10:445 - Dumping SAM hashes
[*] 192.168.159.10:445 - Password hints:
No users with password hints on this system
[*] 192.168.159.10:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
... cut because secrets