-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consolidate Kerberos Ticket Storage #17377
Consolidate Kerberos Ticket Storage #17377
Conversation
lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb
Outdated
Show resolved
Hide resolved
lib/msf/core/exploit/remote/kerberos/service_authenticator/base.rb
Outdated
Show resolved
Hide resolved
Placeholder comment to double check ldap_query, as I had to add in a dependency within a previous PR: https://github.com/rapid7/metasploit-framework/pull/17236/files#r1020143352 |
Not a blocker: Do we want to scope creep this PR and add support for invalidating tickets? |
lib/msf/core/exploit/remote/kerberos/ticket/storage/stored_ticket.rb
Outdated
Show resolved
Hide resolved
94f5513
to
fe15bfb
Compare
Testing Output
|
fe15bfb
to
0b10245
Compare
@@ -130,8 +125,10 @@ def initialize( | |||
@use_gss_checksum = use_gss_checksum | |||
@mechanism = mechanism | |||
@send_delegated_creds = send_delegated_creds | |||
@use_cached_credentials = use_cached_credentials | |||
@store_credential_cache = store_credential_cache | |||
@ticket_storage = ticket_storage || Msf::Exploit::Remote::Kerberos::Ticket::Storage::ReadWrite.new( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What are your thoughts on defaulting to Write behavior by default? 👀
I'm thinking in terms of element of least surprise for existing workflows with tools like impacket, users might not expect the ticket re-use behavior occurring out of the box
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have a strong opinion about the default storage mode right here. If you're instantiating the authenticator yourself, as a module developer to do something specific, it might make sense to just be WriteOnly.
Changing it here wouldn't change the default mode for modules though.
0b10245
to
81d4b25
Compare
The goal is to provide an abstraction for how Kerberos tickets are persisted to disk.
81d4b25
to
60a76da
Compare
Since we're keeping the loot-based storage for the foreseeable future, we should consolidate how tickets are stored in loot. This creates a series of new
TicketStorage::Base
classes that expose a common interface. The classes include:TicketStorage::None
-- Storage is not used at all, nothing is read from it and nothing is saved.TicketStorage::ReadOnly
-- Previously stored tickets are used, but new tickets are not saved and no tickets can be deleted.TicketStorage::WriteOnly
-- Previously stored tickets are not used, but new tickets are saved and tickets can be deleted.TicketStorage::ReadWrite
-- Previously stored tickets are used, new tickets are saved and tickets can be deleted.These classes replace the
use_cached_credentials
andstore_credential_cache
options as used byServiceAuthenticator::Base
. The original uses of these options have been replaced. More modules have also been updated with the newKrbCacheMode
option allowing the user to switch between the 4 available modes (none, read-only, write-only and read-write).The storage classes also return
TicketStorage::StoredTicket
instead ofMdm::Loot
objects. The intention is to abstract away how they're stored so the Mdm object itself should not be leaked. In the future, the stored tickets should expose the same API.Verification
List the steps needed to make sure this thing works
kerberos/forge_ticket
are stored in a way that they can be fetched from the cachekerberos/pkinit_login
are stored in a way that they can be fetched from the cacheThere should be no different in functionality.