def test_asn1_encode_key(self):
    """ASN.1-encoding a raw keyblock together with its salt yields the fixture bytes."""
    ctx = heimdal.context()
    encoded = heimdal.asn1_encode_key(
        heimdal.keyblock_raw(ctx, ENCINT, self.VALUE),
        heimdal.salt_raw(ctx, self.SALT),
        KVNO,
    )
    self.assertEqual(self.ASN1, encoded)
def test_dir(self):
    """A salt object exposes a ``saltvalue`` attribute via dir()."""
    salt_obj = heimdal.salt_raw(self.context, self.VALUE)
    self.assertIn('saltvalue', dir(salt_obj))
def test_salt_raw(self):
    """salt_raw() round-trips the raw salt bytes through saltvalue()."""
    raw = self.VALUE
    salt_obj = heimdal.salt_raw(self.context, raw)
    self.assertEqual(raw, salt_obj.saltvalue())
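def _collect_krb5_keys(context, krb, ctr_label, package_name, up_blob, kvno, keys, keytypes):
    """Append the keys of one decoded PrimaryKerberosBlob to *keys* (in place).

    Args:
        context: heimdal context used to build keyblocks and salts.
        krb: decoded ``drsblobs.package_PrimaryKerberosBlob``; only
            ``krb.ctr.keys`` and ``krb.ctr.salt.string`` are read.
        ctr_label: "ctr3"/"ctr4"; used only in the debug log line.
        package_name: name of the supplementalCredentials package, for logging.
        up_blob: the account's NT hash (may be falsy); used only to recognise
            the special-keytype entry that merely repeats it.
        kvno: key version number stamped into every encoded key.
        keys, keytypes: accumulators shared across packages. A keytype already
            present in *keytypes* is skipped, so the first package AD lists
            wins for that keytype.

    Keys heimdal refuses are logged and skipped instead of aborting the whole
    conversion.
    """
    for k in krb.ctr.keys:
        if k.keytype in keytypes:
            continue
        ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: %s.key.keytype: %s" % (ctr_label, k.keytype))
        try:
            key = heimdal.keyblock_raw(context, k.keytype, k.value)
            salt = heimdal.salt_raw(context, krb.ctr.salt.string)
            keys.append(heimdal.asn1_encode_key(key, salt, kvno))
            keytypes.append(k.keytype)
        except Exception:
            # In all known cases W2k8 AD stores the NT hash under keytype
            # 4294967156 (= -140 as a signed 32-bit value); heimdal has no such
            # enctype, so it always lands here.
            if k.keytype == 4294967156:
                if k.value == up_blob:
                    ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, package_name))
                else:
                    ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, package_name))
            else:
                traceback.print_exc()
                ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, package_name))


def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):
    """Build the list of ASN.1-encoded Kerberos keys for an AD account.

    Args:
        unicodePwd: raw 16-byte NT hash (AD ``unicodePwd``), or empty/None.
        supplementalCredentials: raw AD ``supplementalCredentials`` NDR blob,
            or empty/None.
        kvno: key version number stamped into every encoded key.

    Returns:
        list of ``heimdal.asn1_encode_key`` results, one per distinct keytype:
        the unsalted arcfour key derived from the NT hash first (if given),
        then the keys of the ``Primary:Kerberos`` and
        ``Primary:Kerberos-Newer-Keys`` packages in the order AD lists them.
        A supplementalCredentials blob that cannot be parsed is logged and
        skipped, so the result may be partial.

    Raises:
        ValueError: ``unicodePwd`` is set but is not 16 bytes long.
        Errors from heimdal while encoding the NT-hash key propagate unchanged.

    SECURITY: ``unicodePwd`` is the NT hash and ``supplementalCredentials``
    carries every Kerberos key (and possibly a cleartext-password package).
    Neither blob may be written to the log, not even at debug level.
    """
    up_blob = unicodePwd
    sc_blob = supplementalCredentials
    keys = []
    keytypes = []
    context = heimdal.context()

    if up_blob:
        # A plain assert would be stripped under -O; validate explicitly.
        if len(up_blob) != 16:
            raise ValueError("calculate_krb5key: unicodePwd must be a 16 byte NT hash, got %d bytes" % len(up_blob))
        # enctype 23 (arcfour-hmac-md5) is keyed directly by the NT hash, no salt.
        key = heimdal.keyblock_raw(context, 23, up_blob)
        keys.append(heimdal.asn1_encode_key(key, None, kvno))

    if sc_blob:
        try:
            sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
            for p in sc.sub.packages:
                ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: parsing %s blob" % p.name)
                if p.name == "Primary:Kerberos":
                    expected_version, ctr_label = 3, "ctr3"
                elif p.name == "Primary:Kerberos-Newer-Keys":
                    expected_version, ctr_label = 4, "ctr4"
                else:
                    continue
                krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, binascii.unhexlify(p.data))
                # Raised (not asserted) so the check survives -O; it is caught
                # by the handler below like any other parse failure.
                if krb.version != expected_version:
                    raise ValueError("calculate_krb5key: unexpected %s version %s (expected %d)" % (p.name, krb.version, expected_version))
                _collect_krb5_keys(context, krb, ctr_label, p.name, up_blob, kvno, keys, keytypes)
        except Exception as exc:
            args = exc.args
            # presumably ndr_unpack's (errcode, message) shape; a short blob
            # reports 'Buffer Size Error' and is treated as a warning only.
            if isinstance(args, tuple) and len(args) == 2 and args[1] == 'Buffer Size Error':
                # Log the blob size only: the blob itself is key material.
                ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: '%s' while unpacking supplementalCredentials (%d bytes)" % (exc, len(sc_blob)))
                ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")
            else:
                traceback.print_exc()
                ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")
    return keys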
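def _collect_krb5_keys(context, krb, ctr_label, package_name, up_blob, kvno, keys, keytypes):
    """Append the keys of one decoded PrimaryKerberosBlob to *keys* (in place).

    Args:
        context: heimdal context used to build keyblocks and salts.
        krb: decoded ``drsblobs.package_PrimaryKerberosBlob``; only
            ``krb.ctr.keys`` and ``krb.ctr.salt.string`` are read.
        ctr_label: "ctr3"/"ctr4"; used only in the debug log line.
        package_name: name of the supplementalCredentials package, for logging.
        up_blob: the account's NT hash (may be falsy); used only to recognise
            the special-keytype entry that merely repeats it.
        kvno: key version number stamped into every encoded key.
        keys, keytypes: accumulators shared across packages. A keytype already
            present in *keytypes* is skipped, so the first package AD lists
            wins for that keytype.

    Keys heimdal refuses are logged and skipped instead of aborting the whole
    conversion.
    """
    for k in krb.ctr.keys:
        if k.keytype in keytypes:
            continue
        ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: %s.key.keytype: %s" % (ctr_label, k.keytype))
        try:
            key = heimdal.keyblock_raw(context, k.keytype, k.value)
            salt = heimdal.salt_raw(context, krb.ctr.salt.string)
            keys.append(heimdal.asn1_encode_key(key, salt, kvno))
            keytypes.append(k.keytype)
        except Exception:
            # In all known cases W2k8 AD stores the NT hash under keytype
            # 4294967156 (= -140 as a signed 32-bit value); heimdal has no such
            # enctype, so it always lands here.
            if k.keytype == 4294967156:
                if k.value == up_blob:
                    ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, package_name))
                else:
                    ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, package_name))
            else:
                traceback.print_exc()
                ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, package_name))


def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):
    """Build the list of ASN.1-encoded Kerberos keys for an AD account.

    Args:
        unicodePwd: raw 16-byte NT hash (AD ``unicodePwd``), or empty/None.
        supplementalCredentials: raw AD ``supplementalCredentials`` NDR blob,
            or empty/None.
        kvno: key version number stamped into every encoded key.

    Returns:
        list of ``heimdal.asn1_encode_key`` results, one per distinct keytype:
        the unsalted arcfour key derived from the NT hash first (if given),
        then the keys of the ``Primary:Kerberos`` and
        ``Primary:Kerberos-Newer-Keys`` packages in the order AD lists them.
        A supplementalCredentials blob that cannot be parsed is logged and
        skipped, so the result may be partial.

    Raises:
        ValueError: ``unicodePwd`` is set but is not 16 bytes long.
        Errors from heimdal while encoding the NT-hash key propagate unchanged.

    SECURITY: ``unicodePwd`` is the NT hash and ``supplementalCredentials``
    carries every Kerberos key (and possibly a cleartext-password package).
    Neither blob may be written to the log, not even at debug level.
    """
    up_blob = unicodePwd
    sc_blob = supplementalCredentials
    keys = []
    keytypes = []
    context = heimdal.context()

    if up_blob:
        # A plain assert would be stripped under -O; validate explicitly.
        if len(up_blob) != 16:
            raise ValueError("calculate_krb5key: unicodePwd must be a 16 byte NT hash, got %d bytes" % len(up_blob))
        # enctype 23 (arcfour-hmac-md5) is keyed directly by the NT hash, no salt.
        key = heimdal.keyblock_raw(context, 23, up_blob)
        keys.append(heimdal.asn1_encode_key(key, None, kvno))

    if sc_blob:
        try:
            sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
            for p in sc.sub.packages:
                ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: parsing %s blob" % p.name)
                if p.name == "Primary:Kerberos":
                    expected_version, ctr_label = 3, "ctr3"
                elif p.name == "Primary:Kerberos-Newer-Keys":
                    expected_version, ctr_label = 4, "ctr4"
                else:
                    continue
                krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, binascii.unhexlify(p.data))
                # Raised (not asserted) so the check survives -O; it is caught
                # by the handler below like any other parse failure.
                if krb.version != expected_version:
                    raise ValueError("calculate_krb5key: unexpected %s version %s (expected %d)" % (p.name, krb.version, expected_version))
                _collect_krb5_keys(context, krb, ctr_label, p.name, up_blob, kvno, keys, keytypes)
        except Exception as exc:
            args = exc.args
            # presumably ndr_unpack's (errcode, message) shape; a short blob
            # reports 'Buffer Size Error' and is treated as a warning only.
            if isinstance(args, tuple) and len(args) == 2 and args[1] == 'Buffer Size Error':
                # Log the blob size only: the blob itself is key material.
                ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: '%s' while unpacking supplementalCredentials (%d bytes)" % (exc, len(sc_blob)))
                ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")
            else:
                traceback.print_exc()
                ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")
    return keys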
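def _last_package_data(spl, name):
    """Return the ``data`` of the last package in *spl* named *name*, or None.

    Mirrors the original scan over ``spl.sub.packages[0:num_packages]``: if a
    name occurs more than once the last occurrence wins.
    """
    data = None
    for i in range(spl.sub.num_packages):
        pkg = spl.sub.packages[i]
        if pkg.name == name:
            data = pkg.data
    return data


def _collect_keys_from_package(context, krb, ctr_label, package_name, kvno, keys, keytypes):
    """Append the keys of one decoded PrimaryKerberosBlob to *keys* (in place).

    Args:
        context: heimdal context used to build keyblocks and salts.
        krb: decoded ``drsblobs.package_PrimaryKerberosBlob``; only
            ``krb.ctr.keys`` and ``krb.ctr.salt.string`` are read.
        ctr_label: "ctr3"/"ctr4"; used only in the debug log line.
        package_name: name of the supplementalCredentials package the keys
            came from, for logging.
        kvno: key version number stamped into every encoded key.
        keys, keytypes: accumulators shared across packages. A keytype already
            present in *keytypes* is skipped, so the package processed first
            wins for that keytype.

    Keys heimdal refuses are logged (with the traceback) and skipped instead
    of aborting the whole conversion.
    """
    for k in krb.ctr.keys:
        if k.keytype in keytypes:
            continue
        ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: %s.key.keytype: %s" % (ctr_label, k.keytype))
        try:
            key = heimdal.keyblock_raw(context, k.keytype, k.value)
            salt = heimdal.salt_raw(context, krb.ctr.salt.string)
            keys.append(heimdal.asn1_encode_key(key, salt, kvno))
            keytypes.append(k.keytype)
        except Exception:
            # In all known cases W2k8 AD stores the NT hash under keytype
            # 4294967156 (= -140 as a signed 32-bit value); heimdal has no such
            # enctype, so it always lands here and is silently skipped.
            if k.keytype == 4294967156:
                ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, package_name))
            else:
                ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, package_name))
                ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc())


def calculate_krb5keys(supplementalCredentialsblob):
    """Build the ASN.1-encoded Kerberos keys from a decoded supplementalCredentials blob.

    Args:
        supplementalCredentialsblob: already NDR-decoded
            ``drsblobs.supplementalCredentialsBlob``; ``sub.num_packages``
            and ``sub.packages`` are read.

    Returns:
        list of ``heimdal.asn1_encode_key`` results with kvno 0, one per
        distinct keytype. The ``Primary:Kerberos`` (v3) package is processed
        before ``Primary:Kerberos-Newer-Keys`` (v4), and the first package to
        supply a keytype wins. Individual keys heimdal rejects are logged and
        skipped; a missing package is simply ignored.

    Raises:
        ValueError: a Kerberos package has an unexpected version (3 and 4
            are the only supported layouts).
        Errors from ``ndr_unpack`` or ``binascii`` propagate unchanged.

    SECURITY: the blob holds the account's Kerberos keys (and possibly a
    cleartext password package); never log its contents.

    Fixes a log-message bug of the earlier version, which reported the name
    of the *last* package in the blob instead of the package the failing key
    was found in.
    """
    spl = supplementalCredentialsblob
    keys = []
    keytypes = []
    kvno = 0
    context = heimdal.context()

    old_hex = _last_package_data(spl, "Primary:Kerberos")
    if old_hex is not None:
        # The v3 blob is unpacked with allow_remaining=True (trailing bytes
        # tolerated), the v4 one strictly -- kept as in the original.
        krb_old = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, binascii.a2b_hex(old_hex), allow_remaining=True)
        # Raised instead of asserted so the check survives -O.
        if krb_old.version != 3:
            raise ValueError("calculate_krb5keys: unexpected Primary:Kerberos version %s (expected 3)" % krb_old.version)
        _collect_keys_from_package(context, krb_old, "ctr3", "Primary:Kerberos", kvno, keys, keytypes)

    new_hex = _last_package_data(spl, "Primary:Kerberos-Newer-Keys")
    if new_hex is not None:
        krb_new = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, binascii.unhexlify(new_hex))
        if krb_new.version != 4:
            raise ValueError("calculate_krb5keys: unexpected Primary:Kerberos-Newer-Keys version %s (expected 4)" % krb_new.version)
        _collect_keys_from_package(context, krb_new, "ctr4", "Primary:Kerberos-Newer-Keys", kvno, keys, keytypes)

    return keys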