Description
Please Describe The Problem To Be Solved
When performing a CIDR/subnet scan in a multi-domain or forest environment (such as the GOAD lab), the --generate-krb5-file flag overwrites the destination file every time a new domain is discovered.
This results in a final krb5.conf file that only contains the configuration for the very last domain processed by the scan. In an environment with parent/child domains or multiple forests, this breaks the ability to use Kerberos authentication across the entire infrastructure without manual file merging.
Example of the current behavior:

```
┌──(kali㉿kali)-[~/GOAD]
└─$ nxc smb 192.168.56.0/24 --generate-krb5-file /etc/krb5.conf
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB 192.168.56.12 445 MEEREEN [+] krb5 conf saved to: /etc/krb5.conf
SMB 192.168.56.12 445 MEEREEN [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [+] krb5 conf saved to: /etc/krb5.conf
SMB 192.168.56.11 445 WINTERFELL [+] krb5 conf saved to: /etc/krb5.conf
SMB 192.168.56.10 445 KINGSLANDING [+] krb5 conf saved to: /etc/krb5.conf
SMB 192.168.56.11 445 WINTERFELL [+] krb5 conf saved to: /etc/krb5.conf
```

Resulting file (truncated to only one domain):

```
┌──(kali㉿kali)-[~/GOAD]
└─$ cat /etc/krb5.conf
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = NORTH.SEVENKINGDOMS.LOCAL

[realms]
    NORTH.SEVENKINGDOMS.LOCAL = {
        kdc = winterfell.north.sevenkingdoms.local
        admin_server = winterfell.north.sevenkingdoms.local
        default_domain = north.sevenkingdoms.local
    }
```

Desired Behavior (Cumulative configuration):

```
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = NORTH.SEVENKINGDOMS.LOCAL

[realms]
    NORTH.SEVENKINGDOMS.LOCAL = {
        kdc = winterfell.north.sevenkingdoms.local
        admin_server = winterfell.north.sevenkingdoms.local
        default_domain = north.sevenkingdoms.local
    }
    ESSOS.LOCAL = {
        kdc = meereen.essos.local
        admin_server = meereen.essos.local
        default_domain = essos.local
    }
    SEVENKINGDOMS.LOCAL = {
        kdc = kingslanding.sevenkingdoms.local
        admin_server = kingslanding.sevenkingdoms.local
        default_domain = sevenkingdoms.local
    }

[domain_realm]
    .north.sevenkingdoms.local = NORTH.SEVENKINGDOMS.LOCAL
    north.sevenkingdoms.local = NORTH.SEVENKINGDOMS.LOCAL
    .essos.local = ESSOS.LOCAL
    essos.local = ESSOS.LOCAL
    .sevenkingdoms.local = SEVENKINGDOMS.LOCAL
    sevenkingdoms.local = SEVENKINGDOMS.LOCAL
```

(Optional): Suggest A Solution
Details of the technical implementation:
Instead of triggering a file write immediately upon discovering a domain on a single host, NXC should collect all unique domain/KDC pairings into a dictionary or list during the scan's lifecycle. Once the scan of the provided subnet/range is complete, a single write operation should generate the krb5.conf file including all discovered realms.
Tradeoffs and Considerations:
- Default Realm: Since `default_realm` can only have one value, the tool can simply pick the first or last domain discovered as the default. This is acceptable as long as all other realms are defined in the `[realms]` section.
- Performance: Collecting a few strings in a dictionary is negligible in terms of memory usage compared to the speed of the SMB scan.
- File Permissions: If the target file (like `/etc/krb5.conf`) is not writable, the tool should still alert the user as it currently does.
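The accumulate-then-write-once approach proposed above, as an added illustration that is not NetExec's own code: realms are collected in discovery order over the whole scan, a single `krb5.conf` is rendered at the end, and the write reports failure instead of crashing when the path is not writable. The class and function names (`Krb5ConfBuilder`, `add_kdc`, `build_from_scan`) are invented for this example, and the scan observations are constructed from the hosts in the issue's log for which nxc reported saving a conf (BRAAVOS is omitted as a member server rather than a DC). It goes slightly beyond the issue in two ways: a realm may list several `kdc` lines if more than one DC is found, and the default realm can be overridden instead of always being the first one seen.

```python
"""Cumulative krb5.conf generation across a multi-domain scan (illustrative, not NetExec code)."""
import tempfile
from collections import OrderedDict
from pathlib import Path


class Krb5ConfBuilder:
    """Accumulate realms for the lifetime of a scan, then write the file once."""

    def __init__(self):
        # realm name -> {"domain": dns domain, "kdcs": [fqdn, ...]}, kept in discovery order
        self.realms = OrderedDict()

    def add_kdc(self, hostname, domain):
        """Record a host that answered as a DC for `domain`; returns the realm key."""
        realm = domain.upper()
        fqdn = f"{hostname}.{domain}".lower()
        entry = self.realms.setdefault(realm, {"domain": domain.lower(), "kdcs": []})
        if fqdn not in entry["kdcs"]:          # the same DC seen twice yields no duplicate line
            entry["kdcs"].append(fqdn)
        return realm

    def render(self, default_realm=None):
        """Render one krb5.conf covering every realm collected so far."""
        if not self.realms:
            raise ValueError("no realms collected")
        default_realm = (default_realm or next(iter(self.realms))).upper()
        if default_realm not in self.realms:
            raise ValueError(f"unknown default realm {default_realm}")
        out = ["[libdefaults]",
               "    dns_lookup_kdc = false",
               "    dns_lookup_realm = false",
               f"    default_realm = {default_realm}",
               "",
               "[realms]"]
        for realm, entry in self.realms.items():
            out.append(f"    {realm} = {{")
            for kdc in entry["kdcs"]:           # several DCs per realm are valid krb5.conf
                out.append(f"        kdc = {kdc}")
            out.append(f"        admin_server = {entry['kdcs'][0]}")
            out.append(f"        default_domain = {entry['domain']}")
            out.append("    }")
        out.append("")
        out.append("[domain_realm]")
        for realm, entry in self.realms.items():
            out.append(f"    .{entry['domain']} = {realm}")
            out.append(f"    {entry['domain']} = {realm}")
        return "\n".join(out) + "\n"

    def write(self, path, default_realm=None):
        """Single write at the end of the scan; alert rather than crash if the path is unwritable."""
        try:
            Path(path).write_text(self.render(default_realm))
        except OSError as exc:
            print(f"[-] could not write {path}: {exc}")
            return False
        print(f"[+] krb5 conf saved to: {path}")
        return True


# Constructed observations (hostname, domain) in the order the GOAD DCs answered in the
# issue's log; KINGSLANDING and WINTERFELL appear twice there, so they are repeated here.
SCAN_OBSERVATIONS = [
    ("MEEREEN", "essos.local"),
    ("KINGSLANDING", "sevenkingdoms.local"),
    ("WINTERFELL", "north.sevenkingdoms.local"),
    ("KINGSLANDING", "sevenkingdoms.local"),
    ("WINTERFELL", "north.sevenkingdoms.local"),
]


def build_from_scan(observations=SCAN_OBSERVATIONS):
    """Feed every observation into one builder, as a scan loop would."""
    builder = Krb5ConfBuilder()
    for hostname, domain in observations:
        builder.add_kdc(hostname, domain)
    return builder


if __name__ == "__main__":
    b = build_from_scan()
    target = Path(tempfile.gettempdir()) / "krb5.conf"   # a real run would target /etc/krb5.conf
    b.write(target)
    print(b.render())
```

With the first-discovered realm as the default, the GOAD run above would produce `default_realm = ESSOS.LOCAL` and all three realms under `[realms]` and `[domain_realm]`; passing `default_realm="north.sevenkingdoms.local"` to `write` reproduces the default shown in the desired-behavior block.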