switch dependency for kerberos js module (ropnop/gorkb5 -> jcmturner/gokrb5)

[5amu]

Proposed changes

Closes #4646

I updated the KerberosClient object to contain the real kerberos client from gokrb5:

type KerberosClient struct {
	client *kclient.Client
}

So that in file sendtokdc.go the struct can have the method SendToKDC() exposed to EnumerateUser. The behavior stays the same, except now there is one less dependency to the project and (as github.com/jcmturner is used by github.com/go-ldap/ldap/v3 under the hood).

I tested the behavior with the template:

id: get-service-ticket

info:
  name: test
  author: 5amu
  severity: info

javascript:
  - args:
      DomainController: "{{Host}}"
    code: |
      krb = require("nuclei/kerberos");
      client = krb.KerberosClient();
      ticket = client.GetServiceTicket(template.Domain, DomainController, template.Username, template.Password, "roastme", "DC01/ldap");
      to_json(ticket);
    extractors:
      - type: json
        json:
          - '.Hash'

And here's the result

go run .\cmd\nuclei\main.go -u dc01.lab.local -t .\test-krb5.yaml -var Username=victim -var Password=Trust_Me_Br0 -var Domain=LAB.LOCAL -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.5

                projectdiscovery.io

[WRN] Found 12 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.1.5 (latest)
[INF] Current nuclei-templates version: v9.7.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 46
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] [get-service-ticket] Dumped Javascript request for dc01.lab.local:
Variables:
        1. DomainController => dc01.lab.local
        2. Port =>  address=dc01.lab.local
[DBG]  [get-service-ticket] Javascript Code:

        krb = require("nuclei/kerberos");
        client = krb.KerberosClient();
        ticket = client.GetServiceTicket(template.Domain, DomainController, template.Username, template.Password, "roastme", "DC01/ldap");
        to_json(ticket);

[DBG] [get-service-ticket] Dumped Javascript response for dc01.lab.local:
        1. response => {   "Ticket": {     "TktV .... 22c02fc896b11d34c34752" }
        2. success => true address=dc01.lab.local
[get-service-ticket] [javascript] [info] dc01.lab.local ["$krb5tgs$23$*roastme$LAB.LOCAL$DC01/ldap*$9bfaad122883d29d01a7b87a09769fde$f771b64413184d86e886f8d101c6ebd3c99a1dc54edd23ff6959caea26c6de0fe960ebd45af4b4a70b8d5051269f71e2b818c41bcc9391768a377fa01ad83fce2ad6795fc574daa7c3e1dc8877b753637a02378fae8c0300f093a612954bacfb6ba881eb712060eb91ec2c3e3d2fca79d9839f8e8ce8f52b27a4c189cb3b014df5ab8caf560e484ac90379de7439c5eadaf189e5828ce80f42ab50136db5d0c44010a87a7c272282cc0e8b204ce5bab464f73fba22569c3105302643463cecb39801ba29edd4377553f41648d17ee86013ae252366901658212862f94bf55eec2e9d910c21875d2cb93cc1d4d92baeaeab168b5a44e4106771167de4008ce94c958ef913806c9a20ef8fd61ff53dccd19996688482b38d7f474292946a79886a4aa89831c2cdf9c47fb5b9f0aefeaacc2db8192d9609528618fe770c1bf65174a25677f34f97c4bbd3646c1ed2bbed969d8656ad4783e9f321b5a649f70481d89a3b3a8984959376d4c12bbd1d7b232e8021f1e8a56908d7f6cbbd678bbcfa57967bf5b4f496b402c6a1f0a06e9191a8232240a594b109c4484c287cb1913f8f2c8480c5d2b4a3cc3742a73661549ffde4ec45e9bf697d6cb090815fed6f329cd57b94e22a6f5542635e6f60fd6f475cb926a314e359fe748c7a20c5e88eae864e1be3de0c1b2b033e9fa69aeefb76f107df2301f51b562ba9ed4af52334cebd75b7dd6b807c70aff6a83395a1765ff563034e35cf3557b2d0d7a7f11cef7ae1533ab3040d41422f03d1c64d1a6455635630685aef5abe8f4dde90f5ff4a0f99912ddc85a92f17ad75ea656438e929d0ee0ab6396dc13e354fff7f8f5f02b9df96adff41ab8b7991d745546893ab7ebb08c65de6add5b4a000a5a74b6d32fb6600b1e7315ef51ec6b880048ed0e95375a22059d45409bceedbfda321bd50234ff1bcfe9ffba4cd5be90431e9a8897a9ce8c5b945774050621325625e85fc1404a3c5869d003e1dc401a5618c149331b15ca2f12803bca76d598eaa23ca71aad4a72906eb9382454f7cc04f1b7e64ac896ff8828666ecf4687d3a6d2f23231d88c1190e3ebb73a616fd487bb87b55b069a48248576b49f19177a0977a076e2d507f3bb3547b91fc23bdfbce458612812ae8fb5d092a8ad961561cf37ccdec08ec7e31a93e0ee0b48e8ccad458fe7b343de216a53b8c2bbc3ab7f90267cf78b4d5c17097bebbafd40907704bd125916a176f2022c02fc896b11d34c34752"]

NB: The change reflected on go.mod and go.sum, please be careful.

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

[olearycrew]

@5amu thanks for this contribution!

[pussycat0x]

@tarunKoyalwar lgtm!

./main -u 192.168.1.10  -t ticket.yaml  -var Username=victim -var Password=Trust_Me_Br0 -var Domain=LAB.LOCAL -debug 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.5

                projectdiscovery.io

[INF] Current nuclei version: v3.1.5 (outdated)
[INF] Current nuclei-templates version: v9.7.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 6
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] [get-service-ticket] Dumped Javascript request for 192.168.1.10:
Variables:
        1. DomainController => 192.168.1.10
        2. Port =>  address=192.168.1.10
[DBG]  [get-service-ticket] Javascript Code:

        krb = require("nuclei/kerberos");
        client = krb.KerberosClient();
        ticket = client.GetServiceTicket(template.Domain, DomainController, template.Username, template.Password, "roastme", "DC01/ldap");
        to_json(ticket);

[DBG] [get-service-ticket] Dumped Javascript response for 192.168.1.10:
        1. response => {   "Ticket": {     "TktV .... f77588fedac9066949b855" }
        2. success => true address=192.168.1.10
[get-service-ticket] [javascript] [info] 192.168.1.10 ["$krb5tgs$23$*roastme$LAB.LOCAL$DC01/ldap*$7d54d963df70ea69d3409ea07746f33b$d6edb2f195a3d36afbc0a903985a8c60cc95630616f6cbebbdd5c78569fd6b5a1f2c858e582a885beaf7b90ad0a2b0730e9b512f123bb06f66cdf7b19d2673224fc7757c8fe5bfe7b258d041762dee87c334a0b5a657ffebd73df5da1e219dacc92f351db8dfb6d6f83da4271023b637195313d245e49662f7652a0ac61f322c5ddf51af65c394e290d786b312f7eafa023397be1b97588706fb74a7891baebbca4b3709b174f7ac254c0d181254745cb6bc7504249bd0c451d478dba5254d5ed575498cd854b2c68af8b94788fe002390d82f4dca28c51215550636066d90454751daf10ccb9389e4a7337c9e9ff65486b4c80193cfcfb3be59768e758983d80f043dd569ce29cc5505d3e8767d88b212a8ab9bee1a570b933d9153813713f2e7bedf1d1932eb4e24aeae7006a076753a0956df38db8d77805ee2122c9ab99d5535701d5645a0da8d84c88bfc8c260d74b49a7009e5c8efa25e1c4655506ac2a50b667234d401033ed56143324453c45069570c69049871a2056baf674ae63f366ba9509883cbf972d7f65a285cde606be3a236aa1c10dd43e71ee74ff6373ef880ec33465fcf6b99cc6e4c1338a5f3cdac1ffcc81b65d32cc045c0cadf9074f881164388e09112eeeb810930bdba876c5f63d5613daa223c30172bdb81fc9641a1997c704b18354415588907843a3e425b84cecbd5d8c29c22aff86f23b7949e6bbc9269cdf7942e90b0667f1927e78e9cd894666391c90d618cc8aaff9f77a7204ef89fc8f44bfbca7dfdff5fd5957461d7648c6045ca5dc474c231e394e53c0c5a621cbf839c7ff49e1b0d2c01a76b171ba6aeb716f3d60a7c0844ba482120671476a8ecea6aa258e92a9a5bb7f057cfb0dfc777cb4f3b2efab3650c1b586358bac4a9cd16fb9dac112893fc57627338f5c835c11035eea2186a8be319920755597b142fac8d938519cfd123357746f928ac3958d7bb91ca7893f7593e0c04520fe1fc732d0c142b01b6153af4f187c0231014aff33a09b47c4b482a6348da4d6905499672d12ef7bb3701ff2b361187aea5a157c8a3e8a767cde80498ea9a43d2025edd49f5ec9119aeaeebeccd85f1bffb29193151757c41560903bf75bf82f7ae004a63071a1438af84f09c09da29cb1971bdc8c861cc55089206a363e83e4ed570de2330d402d52117cfc77fd1b2f3cd04407271afdcf8e489cc96048133e486fa31898f92434d468ee72ad214e6fe564cb5d9010ac1a3ccaf7a15b8a8dcc4926389763f2eb4e08fb22445bea84b5e82648b39542bd5c28a2d3aa0c9f8a10052f3d0f97932cd850c7e2c9078b38d49bd731df76d71f5a249dd72c85077ff178b4cf7b2592951966475bf5c62e185acd186f7c2f4699bc9d02ff0901535aee98201a44e807de323fd7240fcd73446f77588fedac9066949b855"]

[tarunKoyalwar]

@5amu , thanks and everything looks good , just decided to do some refactoring to keep public api simple and use fastdialer instead of net.Conn ( added some cool helper utils to throw errors , create constructors and stuff)

ticket = client.GetServiceTicket(template.Domain, DomainController, template.Username, template.Password, "roastme", "DC01/ldap");

^ will be converted to

const client = new kerberos.Client(domain,controller)
const ticket = client.GetServiceTicket({Username: template.Username,Password: template.Password,Target: "roastme",SPN: "DC01/ldap"})

aka

const client = new kerberos.Client(domain, controller)
const ticket = client.GetServiceTicket({
    Username: template.Username,
    Password: template.Password,
    Target: "roastme",
    SPN: "DC01/ldap"
})

this will not be a breaking change (we will keep existing ones) but this is recommended because new options/args can be added without breaking anything and this also adds code readability + intellisense if you use it any IDE

[tarunKoyalwar]

lgtm ! tested it locally everything seems to working also added fastdialer + network policy .

thanks for pr @5amu , i just refactored kerberos struct / types to make it more easy to write js templates by leveraging autocomplete etc ( mostly adding a constructor throwing errors etc) . so if you have any nuclei templates written using this module you will need to update it after next release .