Add certs command & use pkinit if kerberos tickets are not available in cache #19760
+1,543
−81
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cdelafuente-r7
force-pushed
the
feat/pkcs12/certs_command/pkinit
branch
from
c4d21eb to
5e8e292
Compare
…base - Update the `creds` command to add Pkcs12 private credentials with metadata. - Update `ms_icpr` module to store metadata.
cdelafuente-r7
force-pushed
the
feat/pkcs12/certs_command/pkinit
branch
from
5e8e292 to
f9ed213
Compare
cdelafuente-r7
changed the title
cdelafuente-r7
force-pushed
the
feat/pkcs12/certs_command/pkinit
branch
2 times, most recently
from
2cad3ff to
5dc0d65
Compare
…a model - a separate field is now used for metadata (`private_metadata`) when creating a new Pkcs12 - the `creds` command now support adding an encrypted Pkcs12 with a password
- use the `status`, certificate's `not_before`/`not_after` and check if the TLS OID is present to filter pkcs12 before using them with PKInit - add the `activate`, `deactivate` and `export` capabilities to the certs command - add specs
cdelafuente-r7
force-pushed
the
feat/pkcs12/certs_command/pkinit
branch
from
5dc0d65 to
e353684
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR does two things:
certscommand, similar toklist, that displays and manages Pkcs12 certificates stored in the database.pkinitautomatically when<protocol>::Authoption is set tokerberosand no related kerberos tickets is found in the cache. If a matching certificate is found, it will be used to get a TGT from the KDC using thepkinitprotocol.This PR is based on top of this PR. So, it includes extra commits present in this branch. To review the changes related to this PR only, you can compare branches here.
certscommandThis command list the available certificates stored in the
credsdatabase (usecerts -vto display verbose output). It can also search a pkcs12 by ID or by username. Note that username can include the domain using the UPN format (e.g.[email protected]). The command can also be used to delete and export certificates.Here is the help output:
Automated Pkcs12 authentication
When the user sets
<protocol>::Authtokerberos, the original process will look into the cached tickets and try to find a suitable ticket to authenticate. If no ticket is found, it will use the credentials provided by the user to query fresh new tickets (TGT and TGS). Now, before requesting new tickets using these credentials, the module will look into the database if a pkcs12 certificate can be re-used to request these tickets. The process is transparent to the user. The look up is done based on the provided username and domain.This automation also also works with schannel authentication. When using a module that supports schannel (only
scanner/ldap/ldap_loginfor now), you can set<protocol>::Authtoschannel. If no Pkcs12 file is provided as an argument, the same look up will occurs in the database to find a matching Pkcs12.Note that automated Pkcs12 authentication will work with Pkcs12 with the status set to
activeor when the status is not set at all. You can disable this feature for specific Pkcs12's by using thecerts -Acommand.Verification
Request a certificate with the
admin/dcerpc/icpr_certmodule.For example, exploiting the ESC1 vulnerability:
Check the
certscommandTry to search certificate:
Select a certificate with an ID:
Deactivate a certificate:
Delete a certificate:
Check the automated Pkcs12 authentication
Make sure you don't have any Kerberos ticket in cache:
Use the
scanner/winrm/winrm_cmdmodule to execute thewhoamicommand on the target:You should see
Using stored certificate for ...message.Now, verify the ticket were stored in cache:
If you re-run the module with the same options, it should now use the cached ticket instead of the certificate.
You can repeat the operation with the following modules:
scanner/ldap/ldap_loginMake sure theThis has been fixedldap_session_typefeature is set and set theCreateSessionoption totrue. Note that you will have to pass a fake password otherwise the module won't validate the options (see ldap/ldap_login module requires a password for schannel #19743)Schannel can also be used the same way:
scanner/smb/smb_loginTODO
I noticed the credentials are being saved in the database when using kerberos authentication with theThis has been fixed.scanner/ldap/ldap_loginandscanner/smb/smb_login. This will need to be fixed.