Skip to content

Commit

Permalink
Copy across some more properties from the PAC
Browse files Browse the repository at this point in the history
  • Loading branch information
@smashery
smashery committed Nov 21, 2023
1 parent 45a5c62 commit 94e2894
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 3 deletions.
11 changes: 8 additions & 3 deletions lib/msf/core/exploit/remote/kerberos/client/pac.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,8 @@ def build_pac(opts = {})
extra_sids = opts[:extra_sids] || []
domain_name = opts[:realm] || ''
logon_domain_name = opts[:logon_domain_name] || opts[:realm] || ''
logon_count = opts.fetch(:logon_count)
password_last_set = opts.fetch(:password_last_set)
domain_id = opts[:domain_id] || Rex::Proto::Kerberos::Pac::NT_AUTHORITY_SID
auth_time = opts[:auth_time] || Time.now
checksum_type = opts[:checksum_type] || Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
Expand All @@ -68,12 +70,14 @@ def build_pac(opts = {})
primary_group_id: primary_group_id,
logon_domain_name: logon_domain_name,
logon_domain_id: domain_id,
logon_count: logon_count,
full_name: '',
logon_script: '',
profile_path: '',
home_directory: '',
home_directory_drive: '',
logon_server: ''
logon_server: '',
password_last_set: password_last_set
}
unless base_vi.nil?
obj_opts.merge({
Expand Down Expand Up @@ -138,8 +142,9 @@ def build_pac(opts = {})
if is_golden
# These PAC elements are required for golden tickets in post-October 2022 systems
pac_elements.append(
pac_requestor,
pac_attributes)
pac_attributes,
pac_requestor
)
end

pac_elements.append(
Expand Down
2 changes: 2 additions & 0 deletions lib/msf/core/exploit/remote/kerberos/ticket.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,8 @@ def modify_ticket(ticket, enc_kdc_response, new_user, new_user_rid, domain, extr
opts[:group_id] = element.data.primary_group_id.value
opts[:domain_id] = element.data.logon_domain_id
opts[:logon_domain_name] = element.data.logon_domain_name
opts[:logon_count] = element.data.logon_count
opts[:password_last_set] = element.data.password_last_set
if copy_entire_pac
opts[:base_verification_info] = element.data
element.data.extra_sids.each do |sid|
Expand Down

0 comments on commit 94e2894

Please sign in to comment.