def to_kirbi(self): filename = '%s@%s_%s' % (self.client.to_string() , self.server.to_string(), hashlib.sha1(self.ticket.to_asn1()).hexdigest()[:8]) krbcredinfo = {} krbcredinfo['key'] = EncryptionKey(self.key.to_asn1()) krbcredinfo['prealm'] = self.client.realm.to_string() krbcredinfo['pname'] = self.client.to_asn1()[0] krbcredinfo['flags'] = core.IntegerBitString(self.tktflags).cast(TicketFlags) if self.time.authtime != 0: #this parameter is not mandatory, and most of the time not present krbcredinfo['authtime'] = datetime.datetime.fromtimestamp(self.time.authtime) krbcredinfo['starttime'] = datetime.datetime.fromtimestamp(self.time.starttime) krbcredinfo['endtime'] = datetime.datetime.fromtimestamp(self.time.endtime) if self.time.renew_till != 0: #this parameter is not mandatory, and sometimes it's not present krbcredinfo['renew-till'] = datetime.datetime.fromtimestamp(self.time.authtime) krbcredinfo['srealm'] = self.server.realm.to_string() krbcredinfo['sname'] = self.server.to_asn1()[0] enc_krbcred = {} enc_krbcred['ticket-info'] = [KrbCredInfo(krbcredinfo)] krbcred = {} krbcred['pvno'] = krb5_pvno krbcred['msg-type'] = MESSAGE_TYPE.KRB_CRED.value krbcred['tickets'] = [Ticket.load(self.ticket.to_asn1())] krbcred['enc-part'] = EncryptedData({'etype': EncryptionType.NULL.value, 'cipher': EncKrbCredPart(enc_krbcred).dump()}) kirbi = KRBCRED(krbcred) return kirbi, filename
def tgt_to_kirbi(tgs, encTGSRepPart): #encTGSRepPart is already decrypted at this point ci = {} ci['key'] = encTGSRepPart['key'] ci['prealm'] = tgs['crealm'] ci['pname'] = tgs['cname'] ci['flags'] = encTGSRepPart['flags'] ci['authtime'] = encTGSRepPart['authtime'] ci['starttime'] = encTGSRepPart['starttime'] ci['endtime'] = encTGSRepPart['endtime'] ci['renew-till'] = encTGSRepPart['renew-till'] ci['srealm'] = encTGSRepPart['srealm'] ci['sname'] = encTGSRepPart['sname'] ti = {} ti['ticket-info'] = [KrbCredInfo(ci)] te = {} te['etype'] = 0 te['cipher'] = EncKrbCredPart(ti).dump() t = {} t['pvno'] = 5 t['msg-type'] = 22 t['enc-part'] = EncryptedData(te) t['tickets'] = [tgs['ticket']] return KRB_CRED(t)
def to_asn1(self): krbcredinfo = {} krbcredinfo['key'] = EncryptionKey({ 'keytype': self.KeyType, 'keyvalue': self.Key }) krbcredinfo['prealm'] = self.AltTargetDomainName krbcredinfo['pname'] = PrincipalName({ 'name-type': self.EClientName_type, 'name-string': self.EClientName }) krbcredinfo['flags'] = core.IntegerBitString( self.TicketFlags).cast(TicketFlags) krbcredinfo['starttime'] = self.StartTime krbcredinfo['endtime'] = self.EndTime krbcredinfo['renew-till'] = self.RenewUntil krbcredinfo['srealm'] = self.DomainName krbcredinfo['sname'] = PrincipalName({ 'name-type': self.ServiceName_type, 'name-string': self.ServiceName }) enc_krbcred = {} enc_krbcred['ticket-info'] = [KrbCredInfo(krbcredinfo)] ticket = {} ticket['tkt-vno'] = krb5_pvno ticket['realm'] = self.DomainName ticket['sname'] = PrincipalName({ 'name-type': NAME_TYPE.SRV_INST.value, 'name-string': self.ServiceName }) ticket['enc-part'] = EncryptedData({ 'etype': self.TicketEncType, 'kvno': self.TicketKvno, 'cipher': self.Ticket }) krbcred = {} krbcred['pvno'] = krb5_pvno krbcred['msg-type'] = MESSAGE_TYPE.KRB_CRED.value krbcred['tickets'] = [Ticket(ticket)] krbcred['enc-part'] = EncryptedData({ 'etype': EncryptionType.NULL.value, 'cipher': EncKrbCredPart(enc_krbcred).dump() }) return KRBCRED(krbcred)
def add_kirbi(self, krbcred, override_pp=True, include_expired=False): c = Credential() enc_credinfo = EncKrbCredPart.load( krbcred['enc-part']['cipher']).native ticket_info = enc_credinfo['ticket-info'][0] """ if ticket_info['endtime'] < datetime.datetime.now(datetime.timezone.utc): if include_expired == True: logging.debug('This ticket has most likely expired, but include_expired is forcing me to add it to cache! This can cause problems!') else: logging.debug('This ticket has most likely expired, skipping') return """ c.client = CCACHEPrincipal.from_asn1(ticket_info['pname'], ticket_info['prealm']) if override_pp == True: self.primary_principal = c.client #yaaaaay 4 additional weirdness!!!! #if sname name-string contains a realm as well htne impacket will crash miserably :( if len(ticket_info['sname']['name-string'] ) > 2 and ticket_info['sname']['name-string'][-1].upper( ) == ticket_info['srealm'].upper(): logger.debug('SNAME contains the realm as well, trimming it') t = ticket_info['sname'] t['name-string'] = t['name-string'][:-1] c.server = CCACHEPrincipal.from_asn1(t, ticket_info['srealm']) else: c.server = CCACHEPrincipal.from_asn1(ticket_info['sname'], ticket_info['srealm']) c.time = Times.from_asn1(ticket_info) c.key = Keyblock.from_asn1(ticket_info['key']) c.is_skey = 0 #not sure! c.tktflags = TicketFlags(ticket_info['flags']).cast( core.IntegerBitString).native c.num_address = 0 c.num_authdata = 0 c.ticket = CCACHEOctetString.from_asn1( Ticket(krbcred['tickets'] [0]).dump()) #kirbi only stores one ticket per file c.second_ticket = CCACHEOctetString.empty() self.credentials.append(c)
def describe_kirbi_data(data): if isinstance(data, bytes): kirbi = KRB_CRED.load(data).native elif isinstance(data, dict): kirbi = data elif isinstance(data, KRB_CRED): kirbi = data.native elif isinstance(data, KRBCRED): kirbi = data.native else: raise Exception('Unknown data type! %s' % type(data)) t = '\r\n' for ticket in kirbi['tickets']: t += 'Realm : %s\r\n' % ticket['realm'] t += 'Sname : %s\r\n' % '/'.join(ticket['sname']['name-string']) if kirbi['enc-part']['etype'] == 0: cred = EncKrbCredPart.load(kirbi['enc-part']['cipher']).native cred = cred['ticket-info'][0] username = cred.get('pname') if username is not None: username = '******'.join(username['name-string']) flags = cred.get('flags') if flags is not None: flags = ', '.join(flags) t += 'UserName : %s\r\n' % username t += 'UserRealm : %s\r\n' % cred.get('prealm') t += 'StartTime : %s\r\n' % cred.get('starttime') t += 'EndTime : %s\r\n' % cred.get('endtime') t += 'RenewTill : %s\r\n' % cred.get('renew-till') t += 'Flags : %s\r\n' % flags t += 'Keytype : %s\r\n' % cred['key']['keytype'] t += 'Key : %s\r\n' % base64.b64encode(cred['key']['keyvalue']).decode() t += 'EncodedKirbi : \r\n\r\n' t += format_kirbi(KRB_CRED(kirbi).dump()) return t