def construct_apreq_from_ticket(ticket_data, sessionkey, crealm, cname, flags = None, seq_number = 0, ap_opts = []):
"""
ticket: bytes of Ticket
"""
now = datetime.datetime.now(datetime.timezone.utc)
authenticator_data = {}
authenticator_data['authenticator-vno'] = krb5_pvno
authenticator_data['crealm'] = Realm(crealm)
authenticator_data['cname'] = PrincipalName({'name-type': NAME_TYPE.PRINCIPAL.value, 'name-string': [cname]})
authenticator_data['cusec'] = now.microsecond
authenticator_data['ctime'] = now.replace(microsecond=0)
if flags is not None:
ac = AuthenticatorChecksum()
ac.flags = flags
ac.channel_binding = b'\x00'*16
chksum = {}
chksum['cksumtype'] = 0x8003
chksum['checksum'] = ac.to_bytes()
authenticator_data['cksum'] = Checksum(chksum)
authenticator_data['seq-number'] = seq_number
cipher = _enctype_table[sessionkey.enctype]
authenticator_data_enc = cipher.encrypt(sessionkey, 11, Authenticator(authenticator_data).dump(), None)
ap_req = {}
ap_req['pvno'] = krb5_pvno
ap_req['msg-type'] = MESSAGE_TYPE.KRB_AP_REQ.value
ap_req['ticket'] = Ticket.load(ticket_data)
ap_req['ap-options'] = APOptions(set(ap_opts))
ap_req['authenticator'] = EncryptedData({'etype': sessionkey.enctype, 'cipher': authenticator_data_enc})
return AP_REQ(ap_req).dump()
def to_kirbi(self):
filename = '%s@%s_%s' % (self.client.to_string() , self.server.to_string(), hashlib.sha1(self.ticket.to_asn1()).hexdigest()[:8])
krbcredinfo = {}
krbcredinfo['key'] = EncryptionKey(self.key.to_asn1())
krbcredinfo['prealm'] = self.client.realm.to_string()
krbcredinfo['pname'] = self.client.to_asn1()[0]
krbcredinfo['flags'] = core.IntegerBitString(self.tktflags).cast(TicketFlags)
if self.time.authtime != 0: #this parameter is not mandatory, and most of the time not present
krbcredinfo['authtime'] = datetime.datetime.fromtimestamp(self.time.authtime)
krbcredinfo['starttime'] = datetime.datetime.fromtimestamp(self.time.starttime)
krbcredinfo['endtime'] = datetime.datetime.fromtimestamp(self.time.endtime)
if self.time.renew_till != 0: #this parameter is not mandatory, and sometimes it's not present
krbcredinfo['renew-till'] = datetime.datetime.fromtimestamp(self.time.authtime)
krbcredinfo['srealm'] = self.server.realm.to_string()
krbcredinfo['sname'] = self.server.to_asn1()[0]
enc_krbcred = {}
enc_krbcred['ticket-info'] = [KrbCredInfo(krbcredinfo)]
krbcred = {}
krbcred['pvno'] = krb5_pvno
krbcred['msg-type'] = MESSAGE_TYPE.KRB_CRED.value
krbcred['tickets'] = [Ticket.load(self.ticket.to_asn1())]
krbcred['enc-part'] = EncryptedData({'etype': EncryptionType.NULL.value, 'cipher': EncKrbCredPart(enc_krbcred).dump()})
kirbi = KRBCRED(krbcred)
return kirbi, filename
def get_hashes(self, all_hashes = False): """ Returns a list of hashes in hashcat-firendly format for tickets with encryption type 23 (which is RC4) all_hashes: overrides the encryption type filtering and returns hash for all tickets """ hashes = [] for cred in self.credentials: res = Ticket.load(cred.ticket.to_asn1()).native if int(res['enc-part']['etype']) == 23 or all_hashes == True: hashes.append(cred.to_hash()) return hashes
def to_hash(self): res = Ticket.load(self.ticket.to_asn1()).native tgs_encryption_type = int(res['enc-part']['etype']) t = len(res['sname']['name-string']) if t == 1: tgs_name_string = res['sname']['name-string'][0] else: tgs_name_string = res['sname']['name-string'][1] tgs_realm = res['realm'] if tgs_encryption_type == EncryptionType.AES256_CTS_HMAC_SHA1_96.value: tgs_checksum = res['enc-part']['cipher'][-12:] tgs_encrypted_data2 = res['enc-part']['cipher'][:-12:] return '$krb5tgs$%s$%s$%s$%s$%s' % (tgs_encryption_type,tgs_name_string,tgs_realm, tgs_checksum.hex(), tgs_encrypted_data2.hex() ) else: tgs_checksum = res['enc-part']['cipher'][:16] tgs_encrypted_data2 = res['enc-part']['cipher'][16:] return '$krb5tgs$%s$*%s$%s$spn*$%s$%s' % (tgs_encryption_type,tgs_name_string,tgs_realm, tgs_checksum.hex(), tgs_encrypted_data2.hex() )
def to_tgt(self):
"""
Returns the native format of an AS_REP message and the sessionkey in EncryptionKey native format
"""
enc_part = EncryptedData({'etype': 1, 'cipher': b''})
tgt_rep = {}
tgt_rep['pvno'] = krb5_pvno
tgt_rep['msg-type'] = MESSAGE_TYPE.KRB_AS_REP.value
tgt_rep['crealm'] = self.server.realm.to_string()
tgt_rep['cname'] = self.client.to_asn1()[0]
tgt_rep['ticket'] = Ticket.load(self.ticket.to_asn1()).native
tgt_rep['enc-part'] = enc_part.native
t = EncryptionKey(self.key.to_asn1()).native
return tgt_rep, t