Rapid7 has released Metasploit Framework 6.3, which adds native support for Kerberos authentication, incorporates new modules to conduct a wide range of Active Directory attacks, and simplifies complex workflows to support faster and more intuitive security testing.
Kerberos is an authentication protocol commonly used to verify the identity of a user or a host in Windows environments.
Kerberos support is built into most operating systems, but it’s best known as the authentication protocol used in Active Directory implementations, which thousands of organisations rely on to define user groups and permissions and to provision network resources.
Kerberos, and Active Directory more broadly, have long been prime attack targets and feature prominently in both threat actor and pen tester playbooks.
In 2021, a slew of novel attack techniques were published for targeting Active Directory Certificate Services (AD CS), the Windows Server role that lets administrators run a public key infrastructure and issue and manage certificates.
Abusing AD CS gave adversaries and red teams fresh opportunities to escalate privileges, move laterally, and establish persistence within Windows environments.
First-class support for Active Directory and Kerberos-based attack techniques is critical to many pen testers and security researchers keen to demonstrate risk to clients and the public.
Whilst plenty of new tooling has sprung up to facilitate offensive security operations, much of it either requires operators to manage their own tickets and environment variables or is too narrowly scoped to support end-to-end attack workflows.
As a result, many operators find themselves using multiple purpose-built tools to accomplish specific pieces of their playbooks, and then having to track ticket information manually to pursue broader objectives.
Metasploit Framework 6.3 streamlines Kerberos and Active Directory attack workflows by allowing users to authenticate to multiple services via Kerberos and build attack chains with new modules that request, forge, and convert tickets between formats for use in other tools.
Tickets are cached and stored in the Metasploit database as loot, which removes the need to manage ticket caches by hand through environment variables such as KRB5CCNAME.
Attack workflows support pivoting over sessions out of the box, as users expect from Metasploit.
Key highlights include:
- Native Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM
- The ability to request Ticket-Granting Tickets (TGTs) and service tickets from the Ticket-Granting Service (TGS) given a user's password, NT hash, or Kerberos encryption key; tickets can also be requested via PKINIT using certificates issued by AD CS
- Kerberos ticket inspection and debugging via the auxiliary/admin/kerberos/inspect_ticket module and the auxiliary/admin/kerberos/keytab module, which can generate keytab files so that Wireshark can decrypt captured Kerberos traffic
- Fully automated privilege escalation via Certifried (CVE-2022-26923)
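The keytab files mentioned above are in the MIT keytab format (file version 0x0502), which is what Wireshark's KRB5 dissector reads when asked to decrypt Kerberos blobs. The following is an added example written for this page, not Metasploit's keytab module and not code from the article: it builds such a file from an already-derived key and parses it back, including the deleted-entry and truncated-file cases a parser has to handle. The principal names, key bytes and key version numbers are constructed placeholders, and the key is supplied as raw bytes rather than derived from a password or hash as the Metasploit module does.

```ruby
# Added example: build and parse MIT-format keytab files (version 0x0502).
# Not Metasploit's auxiliary/admin/kerberos/keytab module; it shows the byte
# layout that module emits and that Wireshark consumes. Layout follows the
# MIT krb5 "keytab file format" documentation:
#   file:  uint16 version (0x0502), then entries
#   entry: int32 size, uint16 num_components, counted_octet_string realm,
#          counted_octet_string components[], uint32 name_type,
#          uint32 timestamp, uint8 vno8, uint16 enctype,
#          counted_octet_string key, [uint32 vno32 if >= 4 bytes remain]
#   counted_octet_string: uint16 length, bytes.  All integers big-endian.
require 'stringio'

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {
  17 => 'aes128-cts-hmac-sha1-96',
  18 => 'aes256-cts-hmac-sha1-96',
  23 => 'rc4-hmac',
}.freeze

# uint16 length prefix followed by the raw bytes
def counted_octet_string(bytes)
  raise ArgumentError, 'octet string too long' if bytes.bytesize > 0xffff
  [bytes.bytesize].pack('n') + bytes.b
end

# One entry for principal "name[/instance]@REALM" with an already-derived key
# (an NT hash for rc4-hmac, a 16- or 32-byte key for the AES enctypes).
def build_keytab_entry(principal:, enctype:, key:, kvno:, timestamp: 0, name_type: KRB5_NT_PRINCIPAL)
  name, realm = principal.split('@', 2)
  raise ArgumentError, 'principal must look like name@REALM' if realm.nil? || realm.empty?
  components = name.split('/')
  body = [components.length].pack('n')
  body << counted_octet_string(realm)
  components.each { |c| body << counted_octet_string(c) }
  body << [name_type, timestamp, kvno & 0xff].pack('NNC')
  body << [enctype].pack('n') << counted_octet_string(key)
  body << [kvno].pack('N') # full 32-bit kvno; readers use it when >= 4 bytes remain
  [body.bytesize].pack('l>') + body
end

def build_keytab(entries)
  [KEYTAB_VERSION].pack('n') + entries.join
end

# Read exactly n bytes or fail loudly: a short read means a truncated file.
def take(io, n)
  data = io.read(n)
  raise "truncated keytab (wanted #{n} bytes at offset #{io.pos})" if data.nil? || data.bytesize != n
  data
end

def read_counted_octet_string(io)
  take(io, take(io, 2).unpack1('n'))
end

# Returns one hash per live entry; deleted slots (negative size) are skipped.
def parse_keytab(data)
  io = StringIO.new(data.b)
  version = take(io, 2).unpack1('n')
  raise "unsupported keytab version 0x#{version.to_s(16)}" unless version == KEYTAB_VERSION
  entries = []
  until io.eof?
    size = take(io, 4).unpack1('l>')
    if size < 0                  # deleted slot: -size bytes follow, ignore them
      take(io, -size)
      next
    end
    entry = StringIO.new(take(io, size))
    ncomp = take(entry, 2).unpack1('n')
    realm = read_counted_octet_string(entry)
    components = Array.new(ncomp) { read_counted_octet_string(entry) }
    name_type, timestamp, vno8 = take(entry, 9).unpack('NNC')
    enctype = take(entry, 2).unpack1('n')
    key = read_counted_octet_string(entry)
    kvno = (size - entry.pos) >= 4 ? take(entry, 4).unpack1('N') : vno8
    entries << {
      principal: "#{components.join('/')}@#{realm}",
      name_type: name_type,
      timestamp: timestamp,
      enctype: enctype,
      enctype_name: ENCTYPE_NAMES.fetch(enctype, "enctype-#{enctype}"),
      kvno: kvno,
      key: key.unpack1('H*'),
    }
  end
  entries
end

# "klist -k"-style listing: kvno, principal, enctype
def keytab_listing(data)
  parse_keytab(data).map { |e| format('%4d %s (%s)', e[:kvno], e[:principal], e[:enctype_name]) }
end

# Constructed sample input: placeholder keys, not real credentials.
SAMPLE_KEYTAB = build_keytab([
  build_keytab_entry(principal: 'cifs/dc01.example.local@EXAMPLE.LOCAL', enctype: 18,
                     key: ("\x11" * 32).b, kvno: 5),
  build_keytab_entry(principal: 'alice@EXAMPLE.LOCAL', enctype: 23,
                     key: ("\x22" * 16).b, kvno: 2),
])

if __FILE__ == $PROGRAM_NAME
  File.binwrite(ARGV[0], SAMPLE_KEYTAB) if ARGV[0] # optional output path
  puts keytab_listing(SAMPLE_KEYTAB)
end
```

To use the resulting file for traffic decryption, point Wireshark at it under Preferences > Protocols > KRB5 (enable "Try to decrypt Kerberos blobs" and set the keytab file); the enctype and kvno in each entry must match what the KDC actually used, which is why the 32-bit kvno trailer is written even though most readers would fall back to the 8-bit field.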