Report CA, ADCS Template and Password along with Pkcs12 in the database #19736
+177
−51
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cdelafuente-r7
commented
Dec 16, 2024
| @@ -414,11 +420,13 @@ def creds_search(*args) | |||
| when 'password' | |||
| Metasploit::Credential::Password | |||
| when 'hash' | |||
| Metasploit::Credential::PasswordHash | |||
| Metasploit::Credential::NonreplayableHash | |||
There was a problem hiding this comment.
Apparently hash corresponds to a Nonreplayable hash instead of a PasswordHash. This change were required otherwise the specs were failing.
| # realm: nil, | ||
| # workspace: framework.db.workspace) | ||
| # end | ||
| let!(:ntlm_core) do |
There was a problem hiding this comment.
These tests are now working properly. I've added them back even if it is not related to the changes in this PR.
cdelafuente-r7
commented
Dec 16, 2024
Comment on lines
+6
to
+7
| gem 'metasploit-credential', git: 'https://github.com/cdelafuente-r7/metasploit-credential', branch: 'enh/MS-9710/add_pkcs12_metadata' | ||
|
|
There was a problem hiding this comment.
This will need to be reverted before landing.
Gemfile.lock
Outdated
There was a problem hiding this comment.
This file will need to be updated to point to the new metasploit-credential gem is available instead of the this feature branch.
cdelafuente-r7
force-pushed
the
enh/pkcs12/add_metadata
branch
from
4c5a365 to
c44cad3
Compare
…base - Update the `creds` command to add Pkcs12 private credentials with metadata. - Update `ms_icpr` module to store metadata.
cdelafuente-r7
force-pushed
the
enh/pkcs12/add_metadata
branch
from
c44cad3 to
3581724
Compare
cdelafuente-r7
changed the title
cdelafuente-r7
force-pushed
the
enh/pkcs12/add_metadata
branch
4 times, most recently
from
fddd218 to
91ff4ce
Compare
…a model - a separate field is now used for metadata (`private_metadata`) when creating a new Pkcs12 - the `creds` command now support adding an encrypted Pkcs12 with a password
cdelafuente-r7
force-pushed
the
enh/pkcs12/add_metadata
branch
from
91ff4ce to
7df6dbc
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support to the new Pkcs12 data format added in rapid7/metasploit-credential#183. Now, the CA and ADCS template can be added to the Pkcs12 as metadata in the database.
Also, it is now possible to store a Pkcs12 password as a metadata in the database. If the Pkcs12 is encrypted, the password can (and must) be added to the metadata field. It will be used to decrypt the Pkcs12. The
credscommand has been updated to accept a new optionpkcs12-password. The validation will fail if the Pkcs12 we want to add withcredsis encrypted and the password is wrong or empty.This PR needs the
metasploit-credentialscounterpart be landed first. I have updated the Gemfile to point to the feature branch to be able to test it. This will need to be reverted before landing.Verification
Testing
auxiliary/admin/dcerpc/icpr_certFollow the instructions here to set up an AD CS server for testing purposes.
msfconsoleuse auxiliary/admin/dcerpc/icpr_certrun verbose=true CA=<CA name> RHOSTS=<remote host> username=<username> password=<user password> CERT_TEMPLATE=Usercredsreturns the generated Pkcs12irbinmsfconsoleif the Pkcs12 model contains the metadata filed with the expected values.Testing
credscommandmsfconsolecreds add user:testuser pkcs12:<pkcs12 filepath> ca:myca adcs-template:OtherTemplatecredsreturns the generated Pkcs12irbinmsfconsoleif the Pkcs12 model contains the metadata filed with the expected values.Testing
credscommand with an encrypted Pkcs12 and a passwordFirst we need to get an password protected Pkcs12. We can use
opensslcommand with an already retrieved pkcs12, with theauxiliary/admin/dcerpc/icpr_certmodule for example, and set a password. Check the certificate files with thelootcommand to get the filepath.Hit Enter when asked for the Import Password (there is no password).
2. Extract client certificate's private key:
Hit Enter when asked for the Import Password (there is no password).
Enter a password for the private key export (e.g.
password)3. Re-create the PKCS#12
Enter the previous password set when asked for the pass phrase for existingpkcs12_key.pem (e.g.
password)Enter Export Password:
123456msfconsolecreds add user:testuser pkcs12:newpkcs12.p12 ca:myca adcs-template:OtherTemplate pkcs12-password:123456credsreturns the generated Pkcs12irbinmsfconsoleif the Pkcs12 model contains the metadata filed with the expected values.creds add user:testuser pkcs12:newpkcs12.p12 ca:myca adcs-template:OtherTemplate pkcs12-password:wrongpasswdData ArgumentError