def to_kirbi(self):
filename = '%s@%s_%s' % (self.client.to_string() , self.server.to_string(), hashlib.sha1(self.ticket.to_asn1()).hexdigest()[:8])
krbcredinfo = {}
krbcredinfo['key'] = EncryptionKey(self.key.to_asn1())
krbcredinfo['prealm'] = self.client.realm.to_string()
krbcredinfo['pname'] = self.client.to_asn1()[0]
krbcredinfo['flags'] = core.IntegerBitString(self.tktflags).cast(TicketFlags)
if self.time.authtime != 0: #this parameter is not mandatory, and most of the time not present
krbcredinfo['authtime'] = datetime.datetime.fromtimestamp(self.time.authtime)
krbcredinfo['starttime'] = datetime.datetime.fromtimestamp(self.time.starttime)
krbcredinfo['endtime'] = datetime.datetime.fromtimestamp(self.time.endtime)
if self.time.renew_till != 0: #this parameter is not mandatory, and sometimes it's not present
krbcredinfo['renew-till'] = datetime.datetime.fromtimestamp(self.time.authtime)
krbcredinfo['srealm'] = self.server.realm.to_string()
krbcredinfo['sname'] = self.server.to_asn1()[0]
enc_krbcred = {}
enc_krbcred['ticket-info'] = [KrbCredInfo(krbcredinfo)]
krbcred = {}
krbcred['pvno'] = krb5_pvno
krbcred['msg-type'] = MESSAGE_TYPE.KRB_CRED.value
krbcred['tickets'] = [Ticket.load(self.ticket.to_asn1())]
krbcred['enc-part'] = EncryptedData({'etype': EncryptionType.NULL.value, 'cipher': EncKrbCredPart(enc_krbcred).dump()})
kirbi = KRBCRED(krbcred)
return kirbi, filename
def tgt_to_kirbi(tgs, encTGSRepPart):
#encTGSRepPart is already decrypted at this point
ci = {}
ci['key'] = encTGSRepPart['key']
ci['prealm'] = tgs['crealm']
ci['pname'] = tgs['cname']
ci['flags'] = encTGSRepPart['flags']
ci['authtime'] = encTGSRepPart['authtime']
ci['starttime'] = encTGSRepPart['starttime']
ci['endtime'] = encTGSRepPart['endtime']
ci['renew-till'] = encTGSRepPart['renew-till']
ci['srealm'] = encTGSRepPart['srealm']
ci['sname'] = encTGSRepPart['sname']
ti = {}
ti['ticket-info'] = [KrbCredInfo(ci)]
te = {}
te['etype'] = 0
te['cipher'] = EncKrbCredPart(ti).dump()
t = {}
t['pvno'] = 5
t['msg-type'] = 22
t['enc-part'] = EncryptedData(te)
t['tickets'] = [tgs['ticket']]
return KRB_CRED(t)
def to_asn1(self):
krbcredinfo = {}
krbcredinfo['key'] = EncryptionKey({
'keytype': self.KeyType,
'keyvalue': self.Key
})
krbcredinfo['prealm'] = self.AltTargetDomainName
krbcredinfo['pname'] = PrincipalName({
'name-type': self.EClientName_type,
'name-string': self.EClientName
})
krbcredinfo['flags'] = core.IntegerBitString(
self.TicketFlags).cast(TicketFlags)
krbcredinfo['starttime'] = self.StartTime
krbcredinfo['endtime'] = self.EndTime
krbcredinfo['renew-till'] = self.RenewUntil
krbcredinfo['srealm'] = self.DomainName
krbcredinfo['sname'] = PrincipalName({
'name-type': self.ServiceName_type,
'name-string': self.ServiceName
})
enc_krbcred = {}
enc_krbcred['ticket-info'] = [KrbCredInfo(krbcredinfo)]
ticket = {}
ticket['tkt-vno'] = krb5_pvno
ticket['realm'] = self.DomainName
ticket['sname'] = PrincipalName({
'name-type': NAME_TYPE.SRV_INST.value,
'name-string': self.ServiceName
})
ticket['enc-part'] = EncryptedData({
'etype': self.TicketEncType,
'kvno': self.TicketKvno,
'cipher': self.Ticket
})
krbcred = {}
krbcred['pvno'] = krb5_pvno
krbcred['msg-type'] = MESSAGE_TYPE.KRB_CRED.value
krbcred['tickets'] = [Ticket(ticket)]
krbcred['enc-part'] = EncryptedData({
'etype':
EncryptionType.NULL.value,
'cipher':
EncKrbCredPart(enc_krbcred).dump()
})
return KRBCRED(krbcred)
def add_kirbi(self, krbcred, override_pp=True, include_expired=False):
c = Credential()
enc_credinfo = EncKrbCredPart.load(
krbcred['enc-part']['cipher']).native
ticket_info = enc_credinfo['ticket-info'][0]
"""
if ticket_info['endtime'] < datetime.datetime.now(datetime.timezone.utc):
if include_expired == True:
logging.debug('This ticket has most likely expired, but include_expired is forcing me to add it to cache! This can cause problems!')
else:
logging.debug('This ticket has most likely expired, skipping')
return
"""
c.client = CCACHEPrincipal.from_asn1(ticket_info['pname'],
ticket_info['prealm'])
if override_pp == True:
self.primary_principal = c.client
#yaaaaay 4 additional weirdness!!!!
#if sname name-string contains a realm as well htne impacket will crash miserably :(
if len(ticket_info['sname']['name-string']
) > 2 and ticket_info['sname']['name-string'][-1].upper(
) == ticket_info['srealm'].upper():
logger.debug('SNAME contains the realm as well, trimming it')
t = ticket_info['sname']
t['name-string'] = t['name-string'][:-1]
c.server = CCACHEPrincipal.from_asn1(t, ticket_info['srealm'])
else:
c.server = CCACHEPrincipal.from_asn1(ticket_info['sname'],
ticket_info['srealm'])
c.time = Times.from_asn1(ticket_info)
c.key = Keyblock.from_asn1(ticket_info['key'])
c.is_skey = 0 #not sure!
c.tktflags = TicketFlags(ticket_info['flags']).cast(
core.IntegerBitString).native
c.num_address = 0
c.num_authdata = 0
c.ticket = CCACHEOctetString.from_asn1(
Ticket(krbcred['tickets']
[0]).dump()) #kirbi only stores one ticket per file
c.second_ticket = CCACHEOctetString.empty()
self.credentials.append(c)
def describe_kirbi_data(data):
if isinstance(data, bytes):
kirbi = KRB_CRED.load(data).native
elif isinstance(data, dict):
kirbi = data
elif isinstance(data, KRB_CRED):
kirbi = data.native
elif isinstance(data, KRBCRED):
kirbi = data.native
else:
raise Exception('Unknown data type! %s' % type(data))
t = '\r\n'
for ticket in kirbi['tickets']:
t += 'Realm : %s\r\n' % ticket['realm']
t += 'Sname : %s\r\n' % '/'.join(ticket['sname']['name-string'])
if kirbi['enc-part']['etype'] == 0:
cred = EncKrbCredPart.load(kirbi['enc-part']['cipher']).native
cred = cred['ticket-info'][0]
username = cred.get('pname')
if username is not None:
username = '******'.join(username['name-string'])
flags = cred.get('flags')
if flags is not None:
flags = ', '.join(flags)
t += 'UserName : %s\r\n' % username
t += 'UserRealm : %s\r\n' % cred.get('prealm')
t += 'StartTime : %s\r\n' % cred.get('starttime')
t += 'EndTime : %s\r\n' % cred.get('endtime')
t += 'RenewTill : %s\r\n' % cred.get('renew-till')
t += 'Flags : %s\r\n' % flags
t += 'Keytype : %s\r\n' % cred['key']['keytype']
t += 'Key : %s\r\n' % base64.b64encode(cred['key']['keyvalue']).decode()
t += 'EncodedKirbi : \r\n\r\n'
t += format_kirbi(KRB_CRED(kirbi).dump())
return t