diff --git a/lib/msf/core/exploit/remote/kerberos/client/pac.rb b/lib/msf/core/exploit/remote/kerberos/client/pac.rb
index 7c3e321daa..1e3cbb8ebf 100644
--- a/lib/msf/core/exploit/remote/kerberos/client/pac.rb
+++ b/lib/msf/core/exploit/remote/kerberos/client/pac.rb
@@ -52,6 +52,7 @@ module Msf
         group_ids = opts[:group_ids] || [Rex::Proto::Kerberos::Pac::DOMAIN_USERS]
         extra_sids = opts[:extra_sids] || []
         domain_name = opts[:realm] || ''
+        logon_domain_name = opts[:logon_domain_name] || opts[:realm] || ''
         domain_id = opts[:domain_id] || Rex::Proto::Kerberos::Pac::NT_AUTHORITY_SID
         auth_time = opts[:auth_time] || Time.now
         checksum_type = opts[:checksum_type] || Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
@@ -64,7 +65,7 @@ module Msf
           effective_name: user_name,
           user_id: user_id,
           primary_group_id: primary_group_id,
-          logon_domain_name: domain_name,
+          logon_domain_name: logon_domain_name,
           logon_domain_id: domain_id,
           full_name: base_vi.full_name,
           logon_script: base_vi.logon_script,
diff --git a/lib/msf/core/exploit/remote/kerberos/ticket.rb b/lib/msf/core/exploit/remote/kerberos/ticket.rb
index bcb3307b2c..9502ee6a97 100644
--- a/lib/msf/core/exploit/remote/kerberos/ticket.rb
+++ b/lib/msf/core/exploit/remote/kerberos/ticket.rb
@@ -150,8 +150,12 @@ module Msf
           when Rex::Proto::Kerberos::Pac::Krb5PacElementType::LOGON_INFORMATION
             opts[:group_id] = element.data.primary_group_id.value
             opts[:domain_id] = element.data.logon_domain_id
+            opts[:logon_domain_name] = element.data.logon_domain_name
             if copy_entire_pac
               opts[:base_verification_info] = element.data
+              element.data.extra_sids.each do |sid|
+                opts[:extra_sids].append(sid.sid.to_s)
+              end
             end
           when Rex::Proto::Kerberos::Pac::Krb5PacElementType::TICKET_CHECKSUM
             # We want to be stealthy and match whatever the KDC is doing, so we should do it too
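Review bot: The new `:logon_domain_name` option added in the first pac.rb hunk is not documented alongside the method's other options (the method header is outside the hunk); an entry such as `# @option opts [String] :logon_domain_name value written to the PAC LogonDomainName field; defaults to :realm` would tell callers it exists. Falling back to `opts[:realm]` keeps the previous behaviour, but a KDC typically places the short (NetBIOS-style) domain name in this field rather than the DNS realm, so callers that want a PAC resembling a real one should pass it explicitly, as the ticket.rb hunk now does. Because the second pac.rb hunk (`@@ -64`) switches the hash entry to `logon_domain_name`, `domain_name` is no longer read in the lines shown; if nothing else in the method uses it, drop the `domain_name = opts[:realm] || ''` assignment to avoid an unused local.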
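Review bot: `opts[:extra_sids].append(sid.sid.to_s)` in the ticket.rb hunk assumes `opts[:extra_sids]` already holds an Array; its initialisation is outside the hunk, and if the key can be nil at this point the first extra SID raises NoMethodError, so a defensive form is `(opts[:extra_sids] ||= []) << sid.sid.to_s`. Only the SID string is carried over, so whatever attributes accompany each extra SID entry in the parsed PAC are dropped and a PAC rebuilt from these options may not reproduce the original exactly; if that is intended, a short comment saying so would help the next reader. Note also the asymmetry that `:logon_domain_name` is copied unconditionally while `:extra_sids` is copied only under `copy_entire_pac`; if deliberate, say why in a comment. The enclosing method starts and ends outside the hunk.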