
Fix a stack trace in forge_ticket when SPN is blank #18287

Merged

Conversation

zeroSteiner
Contributor

This fixes a stack trace in auxiliary/admin/kerberos/forge_ticket that would occur when you attempt to forge a silver ticket with a blank SPN.

Original stack trace:

msf6 auxiliary(admin/kerberos/forge_ticket) > show options 

Module options (auxiliary/admin/kerberos/forge_ticket):

   Name        Current Setting                                Required  Description
   ----        ---------------                                --------  -----------
   AES_KEY                                                    no        The krbtgt/service AES key
   DOMAIN      msflab.local                                   yes       The Domain (upper case) Ex: DEMO.LOCAL
   DOMAIN_SID  S-1-5-21-1755879683-3641577184-3486455962-519  yes       The Domain SID, Ex: S-1-5-21-1755879683-3641577184-3486455962
   DURATION    3650                                           yes       Duration of the ticket in days
   EXTRA_SIDS                                                 no        Extra sids separated by commas, Ex: S-1-5-21-1755879683-3641577184-3486455962-519
   NTHASH                                                     no        The krbtgt/service nthash
   USER        smcintyre                                      yes       The Domain User
   USER_RID    500                                            yes       The Domain User's relative identifier(RID)


   When ACTION is FORGE_SILVER:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   SPN                    no        The Service Principal Name (Only used for silver ticket)


Auxiliary action:

   Name          Description
   ----          -----------
   FORGE_SILVER  Forge a Silver Ticket



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/kerberos/forge_ticket) > forge_silver

[-] Auxiliary failed: NoMethodError undefined method `join' for "SPN":String
[-] Call stack:
[-]   /home/smcintyre/Repositories/metasploit-framework/lib/msf/core/exception.rb:41:in `initialize'
[-]   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:111:in `exception'
[-]   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:111:in `raise'
[-]   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:111:in `forge_silver'
[-]   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:71:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/forge_ticket) >

To reproduce this, use the auxiliary/admin/kerberos/forge_ticket module. Set the USER, DOMAIN and DOMAIN_SID options, then run the FORGE_SILVER action. The text in the exception that's raised when validating the SPN was changed as well. "Ex:" was presumably short for "example", so it should be an example of a legitimate SPN. It has been updated to the example value used in the docs for clarity. The DOMAIN_SID example is already the value from the docs.

Testing

  • Use the auxiliary/admin/kerberos/forge_ticket module
  • Set the USER, DOMAIN and DOMAIN_SID options
  • Run the FORGE_SILVER action

@@ -108,8 +108,6 @@ def forge_ccache(sname:, flags:)
end

def forge_silver
raise Msf::OptionValidateError, 'SPN' if datastore['SPN'].blank?
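Review bot: the removed `raise Msf::OptionValidateError, 'SPN' if datastore['SPN'].blank?` is the line behind the NoMethodError in the description (forge_ticket.rb:111, `undefined method `join' for "SPN":String`): the exception's initializer calls `join` on its argument, so it expects an array of option names such as `['SPN']`, not a bare string. Deleting the check instead of correcting it is only safe because `#validate_spn!` still rejects a blank value through `fail_with(Failure::BadConfig, ...)`, as the discussion below confirms; a module spec that exercises the blank-SPN path would keep this from regressing.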
Contributor


I think a more correct fix for this is
raise Msf::OptionValidateError, ['SPN'] if datastore['SPN'].blank?

I'm not sure how this got in as is, that's my bad, but I do think we want to raise a validation error if you try to create a silver ticket without an SPN?

Contributor Author

@zeroSteiner zeroSteiner Aug 14, 2023


An error is still raised, but now it's from the fail_with(Failure::BadConfig, ... in #validate_spn!. Does that work, or should it be Msf::OptionValidateError specifically? What I liked about the Failure::BadConfig is that it's what the other #validate_ methods use and it also included details as to how it should be formatted.

This is the error now:

msf6 auxiliary(admin/kerberos/forge_ticket) > rerun
[*] Reloading module...

[-] Auxiliary aborted due to failure: bad-config: Invalid SPN, must be in the format <service class>/<host><realm>:<port>/<service name>. Ex: cifs/host.realm.local
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/forge_ticket) >
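The following is an added example, not code from the Metasploit module or this PR: a stand-alone Ruby validator that mirrors the behaviour agreed on above, treating a blank SPN as a configuration error carrying the same formatting hint instead of crashing, and parsing well-formed values. The BadConfigError class, the SPN regex and the field names it returns are this example's own assumptions.

```ruby
# Added example, not the forge_ticket module's own code. Stand-in for the
# module's Failure::BadConfig path (assumption: a plain exception class).
class BadConfigError < StandardError; end

# Hint text as shown in the PR discussion.
SPN_FORMAT_HINT = 'must be in the format <service class>/<host><realm>:<port>/<service name>. Ex: cifs/host.realm.local'.freeze

# Loose SPN grammar used by this example (an assumption, not the module's
# own check): service class, a slash, a host with an optional numeric port,
# and an optional trailing service name.
SPN_PATTERN = %r{\A(?<class>[^/:\s]+)/(?<host>[^/:\s]+)(?::(?<port>\d{1,5}))?(?:/(?<name>[^/\s]+))?\z}

# Returns a Hash with the SPN's parts, or raises BadConfigError with the
# formatting hint. nil and whitespace-only values are treated as blank,
# which is the case that used to produce the NoMethodError.
def validate_spn!(spn)
  if spn.nil? || spn.strip.empty?
    raise BadConfigError, "Invalid SPN (not set), #{SPN_FORMAT_HINT}"
  end

  m = SPN_PATTERN.match(spn.strip)
  raise BadConfigError, "Invalid SPN, #{SPN_FORMAT_HINT}" unless m

  {
    service_class: m[:class],
    host: m[:host],
    port: m[:port]&.to_i,
    service_name: m[:name]
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the docs example, a fuller SPN, and the
  # blank value from the bug report.
  ['cifs/host.realm.local', 'HTTP/web.realm.local:8080/instance', ''].each do |spn|
    begin
      puts "#{spn.inspect} => #{validate_spn!(spn)}"
    rescue BadConfigError => e
      puts "#{spn.inspect} => bad-config: #{e.message}"
    end
  end
end
```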

Contributor


Uhhh yea, actually that's fine. At the time I wanted there to be a different error message for not setting it vs setting it incorrectly, but you're right, might as well just output the better message.

@jheysel-r7
Contributor

Nice fix @zeroSteiner! Testing checks out 👌

Before

msf6 > use auxiliary/admin/kerberos/forge_ticket
msf6 auxiliary(admin/kerberos/forge_ticket) > set DOMAIN_SID S-1-5-21-3994283402-3102005956-542000839-512
DOMAIN_SID => S-1-5-21-3994283402-3102005956-542000839-512
msf6 auxiliary(admin/kerberos/forge_ticket) > set DOMAIN example.com
DOMAIN => example.com
msf6 auxiliary(admin/kerberos/forge_ticket) > set user Administrator
user => Administrator
msf6 auxiliary(admin/kerberos/forge_ticket) > forge_silver

[-] Auxiliary failed: NoMethodError undefined method `join' for "SPN":String
[-] Call stack:
[-]   /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exception.rb:41:in `initialize'
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:111:in `exception'
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:111:in `raise'
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:111:in `forge_silver'
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/auxiliary/admin/kerberos/forge_ticket.rb:71:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/forge_ticket) >

After

msf6 auxiliary(admin/kerberos/forge_ticket) > reload
[*] Reloading module...
msf6 auxiliary(admin/kerberos/forge_ticket) > forge_silver

[-] Auxiliary aborted due to failure: bad-config: Invalid SPN, must be in the format <service class>/<host><realm>:<port>/<service name>. Ex: cifs/host.realm.local
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/forge_ticket) >

@jheysel-r7 jheysel-r7 merged commit 11d7b36 into rapid7:master Aug 18, 2023
@jheysel-r7 jheysel-r7 added the rn-fix release notes fix label Aug 18, 2023
@jheysel-r7
Contributor

Release Notes

This PR fixes a stack trace thrown by the forge_ticket module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.
