コード例 #1
0
	def construct_apreq_from_ticket(ticket_data, sessionkey, crealm, cname, flags = None, seq_number = 0, ap_opts = []):
		"""
		ticket: bytes of Ticket
		"""
		now = datetime.datetime.now(datetime.timezone.utc)
		authenticator_data = {}
		authenticator_data['authenticator-vno'] = krb5_pvno
		authenticator_data['crealm'] = Realm(crealm)
		authenticator_data['cname'] = PrincipalName({'name-type': NAME_TYPE.PRINCIPAL.value, 'name-string': [cname]})
		authenticator_data['cusec'] = now.microsecond
		authenticator_data['ctime'] = now.replace(microsecond=0)
		if flags is not None:
			ac = AuthenticatorChecksum()
			ac.flags = flags
			ac.channel_binding = b'\x00'*16
			
			chksum = {}
			chksum['cksumtype'] = 0x8003
			chksum['checksum'] = ac.to_bytes()
			
			authenticator_data['cksum'] = Checksum(chksum)
			authenticator_data['seq-number'] = seq_number
		
		cipher = _enctype_table[sessionkey.enctype]
		authenticator_data_enc = cipher.encrypt(sessionkey, 11, Authenticator(authenticator_data).dump(), None)
		
		ap_req = {}
		ap_req['pvno'] = krb5_pvno
		ap_req['msg-type'] = MESSAGE_TYPE.KRB_AP_REQ.value
		ap_req['ticket'] = Ticket.load(ticket_data)
		ap_req['ap-options'] = APOptions(set(ap_opts))
		ap_req['authenticator'] = EncryptedData({'etype': sessionkey.enctype, 'cipher': authenticator_data_enc})

		return AP_REQ(ap_req).dump()
コード例 #2
0
	def construct_apreq(self, tgs, encTGSRepPart, sessionkey, flags = None, seq_number = 0, ap_opts = []):
		now = datetime.datetime.now(datetime.timezone.utc)
		authenticator_data = {}
		authenticator_data['authenticator-vno'] = krb5_pvno
		authenticator_data['crealm'] = Realm(self.kerberos_TGT['crealm'])
		authenticator_data['cname'] = self.kerberos_TGT['cname']
		authenticator_data['cusec'] = now.microsecond
		authenticator_data['ctime'] = now.replace(microsecond=0)
		if flags is not None:
			ac = AuthenticatorChecksum()
			ac.flags = flags
			ac.channel_binding = b'\x00'*16
			
			chksum = {}
			chksum['cksumtype'] = 0x8003
			chksum['checksum'] = ac.to_bytes()
			
			authenticator_data['cksum'] = Checksum(chksum)
			authenticator_data['seq-number'] = seq_number
		
		cipher = _enctype_table[encTGSRepPart['key']['keytype']]
		authenticator_data_enc = cipher.encrypt(sessionkey, 11, Authenticator(authenticator_data).dump(), None)
		
		ap_req = {}
		ap_req['pvno'] = krb5_pvno
		ap_req['msg-type'] = MESSAGE_TYPE.KRB_AP_REQ.value
		ap_req['ticket'] = Ticket(tgs['ticket'])
		ap_req['ap-options'] = APOptions(set(ap_opts))
		ap_req['authenticator'] = EncryptedData({'etype': self.kerberos_cipher_type, 'cipher': authenticator_data_enc})

		return AP_REQ(ap_req).dump()
コード例 #3
0
ファイル: kerberoslive.py プロジェクト: wellr00t3d/pypykatz 
    def get_tgt(self, target=None):
        if target is None:
            logon = get_logon_info()
            if logon['logonserver'] is None:
                raise Exception(
                    'Failed to get logonserver and no target was specified! This wont work.'
                )
            target = 'cifs/%s' % logon['logonserver']

        ctx = AcquireCredentialsHandle(None, 'kerberos', target,
                                       SECPKG_CRED.OUTBOUND)
        res, ctx, data, outputflags, expiry = InitializeSecurityContext(
            ctx,
            target,
            token=None,
            ctx=ctx,
            flags=ISC_REQ.DELEGATE | ISC_REQ.MUTUAL_AUTH
            | ISC_REQ.ALLOCATE_MEMORY)

        if res == SEC_E.OK or res == SEC_E.CONTINUE_NEEDED:
            #key_data = sspi._get_session_key()
            raw_ticket = self.export_ticketdata_target(0, target)
            key = Key(raw_ticket['Key']['KeyType'], raw_ticket['Key']['Key'])
            token = InitialContextToken.load(data[0][1])
            ticket = AP_REQ(token.native['innerContextToken']).native
            cipher = _enctype_table[ticket['authenticator']['etype']]
            dec_authenticator = cipher.decrypt(
                key, 11, ticket['authenticator']['cipher'])
            authenticator = Authenticator.load(dec_authenticator).native
            if authenticator['cksum']['cksumtype'] != 0x8003:
                raise Exception('Checksum not good :(')

            checksum_data = AuthenticatorChecksum.from_bytes(
                authenticator['cksum']['checksum'])
            if ChecksumFlags.GSS_C_DELEG_FLAG not in checksum_data.flags:
                raise Exception('delegation flag not set!')

            cred_orig = KRB_CRED.load(checksum_data.delegation_data).native
            dec_authenticator = cipher.decrypt(key, 14,
                                               cred_orig['enc-part']['cipher'])
            #info = EncKrbCredPart.load(dec_authenticator).native

            #reconstructing kirbi with the unencrypted data
            te = {}
            te['etype'] = 0
            te['cipher'] = dec_authenticator
            ten = EncryptedData(te)

            t = {}
            t['pvno'] = cred_orig['pvno']
            t['msg-type'] = cred_orig['msg-type']
            t['tickets'] = cred_orig['tickets']
            t['enc-part'] = ten

            cred = KRB_CRED(t)
            return cred.dump()
コード例 #4
0
	def get_TGS(self, spn_user, override_etype = None, is_linux = False):
		"""
		Requests a TGS ticket for the specified user.
		Returns the TGS ticket, end the decrpyted encTGSRepPart.

		spn_user: KerberosTarget: the service user you want to get TGS for.
		override_etype: None or list of etype values (int) Used mostly for kerberoasting, will override the AP_REQ supported etype values (which is derived from the TGT) to be able to recieve whatever tgs tiecket 
		"""

		logger.debug('[getTGS] Constructing request for user %s' % spn_user.get_formatted_pname())
		now = datetime.datetime.now(datetime.timezone.utc)
		kdc_req_body = {}
		kdc_req_body['kdc-options'] = KDCOptions(set(['forwardable','renewable','renewable_ok', 'canonicalize']))
		kdc_req_body['realm'] = spn_user.domain.upper()
		kdc_req_body['sname'] = PrincipalName({'name-type': NAME_TYPE.SRV_INST.value, 'name-string': spn_user.get_principalname()})
		kdc_req_body['till'] = (now + datetime.timedelta(days=1)).replace(microsecond=0)
		kdc_req_body['nonce'] = secrets.randbits(31)
		if override_etype:
			kdc_req_body['etype'] = override_etype
		else:
			kdc_req_body['etype'] = [self.kerberos_cipher_type]

		authenticator_data = {}
		authenticator_data['authenticator-vno'] = krb5_pvno
		authenticator_data['crealm'] = Realm(self.kerberos_TGT['crealm'])
		authenticator_data['cname'] = self.kerberos_TGT['cname']
		authenticator_data['cusec'] = now.microsecond
		authenticator_data['ctime'] = now.replace(microsecond=0)
		
		if is_linux:
			ac = AuthenticatorChecksum()
			ac.flags = 0
			ac.channel_binding = b'\x00'*16
			
			chksum = {}
			chksum['cksumtype'] = 0x8003
			chksum['checksum'] = ac.to_bytes()
			
			authenticator_data['cksum'] = Checksum(chksum)
			authenticator_data['seq-number'] = 0
		
		authenticator_data_enc = self.kerberos_cipher.encrypt(self.kerberos_session_key, 7, Authenticator(authenticator_data).dump(), None)
		
		ap_req = {}
		ap_req['pvno'] = krb5_pvno
		ap_req['msg-type'] = MESSAGE_TYPE.KRB_AP_REQ.value
		ap_req['ap-options'] = APOptions(set())
		ap_req['ticket'] = Ticket(self.kerberos_TGT['ticket'])
		ap_req['authenticator'] = EncryptedData({'etype': self.kerberos_cipher_type, 'cipher': authenticator_data_enc})
		
		pa_data_1 = {}
		pa_data_1['padata-type'] = PaDataType.TGS_REQ.value
		pa_data_1['padata-value'] = AP_REQ(ap_req).dump()
		
		
		kdc_req = {}
		kdc_req['pvno'] = krb5_pvno
		kdc_req['msg-type'] = MESSAGE_TYPE.KRB_TGS_REQ.value
		kdc_req['padata'] = [pa_data_1]
		kdc_req['req-body'] = KDC_REQ_BODY(kdc_req_body)
		
		req = TGS_REQ(kdc_req)
		logger.debug('[getTGS] Constructing request to server')
		rep = self.ksoc.sendrecv(req.dump())
		logger.debug('[getTGS] Got reply, decrypting...')
		tgs = rep.native
		
		encTGSRepPart = EncTGSRepPart.load(self.kerberos_cipher.decrypt(self.kerberos_session_key, 8, tgs['enc-part']['cipher'])).native
		key = Key(encTGSRepPart['key']['keytype'], encTGSRepPart['key']['keyvalue'])
		
		self.ccache.add_tgs(tgs, encTGSRepPart)
		logger.debug('[getTGS] Got valid reply')
		self.kerberos_TGS = tgs
		return tgs, encTGSRepPart, key
コード例 #5
0
ファイル: pkinit.py プロジェクト: skelsec/minikerberos 
    def build_apreq(self,
                    asrep,
                    session_key,
                    cipher,
                    subkey_data,
                    krb_finished_data,
                    flags=GSSAPIFlags.GSS_C_MUTUAL_FLAG
                    | GSSAPIFlags.GSS_C_INTEG_FLAG
                    | GSSAPIFlags.GSS_C_EXTENDED_ERROR_FLAG):

        # TODO: https://www.ietf.org/rfc/rfc4757.txt
        #subkey_data = {}
        #subkey_data['keytype'] = Enctype.AES256
        #subkey_data['keyvalue'] = os.urandom(32)

        subkey_cipher = _enctype_table[subkey_data['keytype']]
        subkey_key = Key(subkey_cipher.enctype, subkey_data['keyvalue'])
        subkey_checksum = _checksum_table[
            16]  # ChecksumTypes.hmac_sha1_96_aes256

        krb_finished_checksum_data = {}
        krb_finished_checksum_data['cksumtype'] = 16
        krb_finished_checksum_data['checksum'] = subkey_checksum.checksum(
            subkey_key, 41, krb_finished_data)

        krb_finished_data = {}
        krb_finished_data['gss-mic'] = Checksum(krb_finished_checksum_data)

        krb_finished = KRB_FINISHED(krb_finished_data).dump()

        a = 2
        extensions_data = a.to_bytes(
            4, byteorder='big', signed=True) + len(krb_finished).to_bytes(
                4, byteorder='big', signed=True) + krb_finished

        ac = AuthenticatorChecksum()
        ac.flags = flags
        ac.channel_binding = b'\x00' * 16
        chksum = {}
        chksum['cksumtype'] = 0x8003
        chksum['checksum'] = ac.to_bytes() + extensions_data

        tii = LSAP_TOKEN_INFO_INTEGRITY()
        tii.Flags = 1
        tii.TokenIL = 0x00002000  # Medium integrity
        tii.MachineID = bytes.fromhex(
            '7e303fffe6bff25146addca4fbddf1b94f1634178eb4528fb2731c669ca23cde')

        restriction_data = {}
        restriction_data['restriction-type'] = 0
        restriction_data['restriction'] = tii.to_bytes()
        restriction_data = KERB_AD_RESTRICTION_ENTRY(restriction_data)

        x = KERB_AD_RESTRICTION_ENTRYS([restriction_data]).dump()
        restrictions = AuthorizationData([{
            'ad-type': 141,
            'ad-data': x
        }]).dump()

        now = datetime.datetime.now(datetime.timezone.utc)
        authenticator_data = {}
        authenticator_data['authenticator-vno'] = krb5_pvno
        authenticator_data['crealm'] = Realm(asrep['crealm'])
        authenticator_data['cname'] = asrep['cname']
        authenticator_data['cusec'] = now.microsecond
        authenticator_data['ctime'] = now.replace(microsecond=0)
        authenticator_data['subkey'] = EncryptionKey(subkey_data)
        authenticator_data['seq-number'] = 682437742  #??? TODO: check this!
        authenticator_data['authorization-data'] = AuthorizationData([{
            'ad-type':
            1,
            'ad-data':
            restrictions
        }])
        authenticator_data['cksum'] = Checksum(chksum)

        #print('Authenticator(authenticator_data).dump()')
        #print(Authenticator(authenticator_data).dump().hex())

        authenticator_data_enc = cipher.encrypt(
            session_key, 11,
            Authenticator(authenticator_data).dump(), None)

        ap_opts = ['mutual-required']

        ap_req = {}
        ap_req['pvno'] = krb5_pvno
        ap_req['msg-type'] = MESSAGE_TYPE.KRB_AP_REQ.value
        ap_req['ticket'] = Ticket(asrep['ticket'])
        ap_req['ap-options'] = APOptions(set(ap_opts))
        ap_req['authenticator'] = EncryptedData({
            'etype':
            session_key.enctype,
            'cipher':
            authenticator_data_enc
        })

        #pprint('AP_REQ \r\n%s' % AP_REQ(ap_req).native)

        #print(AP_REQ(ap_req).dump().hex())
        #input()

        return AP_REQ(ap_req).dump()