Connection URL

Disclaimer

Modules that use networking (kerberos/ldap/smb) will expect you to enter some form of network credentials.
All network credentials will be expected to be in the connection_url format.
This page will help you understand the connection_url format

Why so complex?

It's not, just unusual.

The connection_url format

<PROTOCOL>+<AUTHMETHOD>-<SECRET_TYPE>://<DOMAIN>\<USERNAME>:<SECRET>@<TARGET_IP_OR_HOSTNAME>/?<PARAMETER_NAME>=<PARAMETER_VALUE>...

Parameters explained:

• PROTOCOL : The protocol the connection will use eg. ldap/smb/smb2/smb3/kerberos
• AUTHMETHOD : The authentication method. This will depend on the protocol (ovbiously) and in case of kerberos it can be omitted (for now).
• SECRET_TYPE : The type of secret you will use for authentication. Eg. password or nt or aes etc.
• DOMAIN : Name of the domain, if no domain is expected just leave it empty or use a dot .
• USERNAME : Username.
• SECRET : Format depends on the SECRET_TYPE. Can be empty in some cases.
• TARGET_IP_OR_HOSTNAME : The IP address or hostname of the target you wish to connect to.

The SECRET_TYPE

• pw/pass/password : Plaintext password (smb/ldap/kerberos)
• pwprompt : It will prompt to enter the plaintext password (smb/ldap/kerberos)
• nt: NT hash (smb/ldap/kerberos)
• rc4 : Kerberos RC4 long term key (kerberos)
• aes : Kerberos AES long term key. The length will determine which one (kerberos)
• sspi-ntlm: Use integrated SSPI with NTLM auth, SECRET can be left empty. This will only work on Windows. You will get authenticated as the current user
• sspi-kerberos: Use integrated SSPI with Kerberos auth, SECRET can be left empty. This will only work on Windows. You will get authenticated as the current user
• ... TBD

The PARAMETER

The parameter options depend on the protocol used. There are a large variety of parameters available for each protocols.
This section will not expand into explaining each parameters, there will be links to each libraries wiki page explaining those.

Examples

Please note that this is not an extensive list with all possible protocol/auth method compinations just the minimum to get you accustomed to the format.
In the examples below we are authenticating to the Domain controller as the user victim with the password Passw0rd!1 under the domain TEST.corp. The DC's IP address is 10.10.10.2 and it's hostname is WIN2019AD.test.corp

SMB/LDAP:

The examples are using smb2 protocol, but will work for LDAP by replacing the smb2 string with ldap or ldaps. There are also other SMB protocol specifications available like smb3 for dialect 3 or smb to auto negotiate between smb dialect 2/3. SMBv1 IS NOT SUPPORTED

• NTLM:
  • smb2+ntlm-password://TEST\victim:[email protected] Plaintext password in the URL
  • smb2+ntlm-pwprompt://TEST\[email protected] Plaintext password will be prompted
  • smb2+ntlm-nt://TEST\victim:[email protected] NT hash of the user's password will be used
• Kerberos
  • smb2+kerberos-password://TEST\victim:Passw0rd!1@WIN2019AD/?dc=10.10.10.2 Plaintext password in the URL. Notice that for kerberos auth you will need to use the hostname (or DNS name) of the server and must specify the dc parameter that will point to the active directory's IP address or hostname
  • smb2+kerberos-pwprompt://TEST\victim@WIN2019AD/?dc=10.10.10.2 Password will be prompted.
  • smb2+kerberos-nt://TEST\victim:f8963568a1ec62a3161d9d6449baba93@WIN2019AD/?dc=10.10.10.2 NT hash of the user is used for kerberos auth
  • smb2+kerberos-rc4://TEST\victim:f8963568a1ec62a3161d9d6449baba93@WIN2019AD/?dc=10.10.10.2 RC4 key is used. Same as NT
  • smb2+kerberos-aes://TEST\victim:<AES>@WIN2019AD/?dc=10.10.10.2 AES key is used, can be AES128 or ASE256.
• SSPI
  • smb2+sspi-ntlm://10.10.10.2/ (only works on windows) Integrated authentication, this will authenticate you as the current user to the target machine using NTLM auth
  • smb2+sspi-kerberos://TEST\aaaa@win2019ad/ (only works on windows) Integrated authentication, this will authenticate you as the current user to the target machine using Kerberos auth. Remember to use the hostname (dns) of the target!

Kerberos

Kerberos is in itself an authentication protocol BUT we are also using this as a connection spcifier for kerberos related accatcks like kerberoast or s4u or just fetching a TGT or a TGS

• Password:
  • kerberos+password://TEST\victim:[email protected]
• NT/RC4:
  • kerberos+rc4://TEST\victim:[email protected]
• AES:
  • kerberos+aes://TEST\victim:<aes_key>@10.10.10.2