def open_db(self, fname=None, client_principal=None):
# If the name is not specified, create a new db!
if not fname:
self.db_name = self.__generate_tmp_file('tmp_krb5_auth_')
raw_data = ''
# If the name exists but the file does not!
elif not os.path.exists(fname):
self.db_name = fname
f = open(fname, 'wb+')
f.close()
raw_data = ''
# The db already exists
else:
self.db_name = fname
try:
f = open(fname, 'rb')
raw_data = f.read()
f.close()
except Exception as e:
logging.error("ccache file %s cannot be read: %s" %
(fname, str(e)))
return 0
self.cc = cc.CCache()
if len(raw_data):
self.cc.set_raw_data(raw_data)
else:
self.cc.set_header(client_principal, self.domain)
return 1
def test_expanded(vec):
try:
client_principal = Convert2PrincipalType(vec['user'], vec['domain'])
auth_principal = Convert2PrincipalType('krbtgt/' + vec['domain'],
vec['domain'])
asreq = AsReq(client_principal, vec['domain'])
asreq.set_server_principal(auth_principal)
asreq.set_encryption_types([vec['cipher']])
asreq.set_passphrase(vec['passphrase'], salt=vec['salt'])
frame = asreq.pack()
data = helper.krb5_send_frame(frame,
vec['ip'],
port=vec['port'],
use_tcp=vec['protocol'] == 'tcp')
if data is None:
logging.error("No answer!")
return False
resp = AsRep(data)
if not resp.is_valid():
logging.error("Invalid response or wrong status!")
return False
# Extract the ticket
raw_ticket = resp.get_ticket()
# Extract the session key, times struct and flags
resp.set_passphrase(vec['passphrase'], salt=vec['salt'])
session_key = resp.get_session_key()
times = resp.get_times()
flags = resp.get_flags()
# Adds information to the CCache
cc1 = cc.CCache()
cc1.set_header(client_principal, vec['user'])
cc1.import_creds(client_principal,
auth_principal,
session_key,
times,
tktflags=flags,
is_skey=0,
ticket=raw_ticket)
cc1.write(fname='/tmp/krb5cc_' + str(os.getuid()), close=1)
return True
except Exception as e:
logging.error('Test failed: %s' % str(e))
return False
def build_apreq_from_credential_file(self,
fname,
service_principal=None,
generate_subkey=True):
# Extract data from ccache file
try:
f = open(fname, 'rb')
raw_data = f.read()
f.close()
except Exception as e:
logging.error("ccache file cannot be read: %s" % str(e))
return None
# Unserialize data
cc1 = cc.CCache()
cc1.set_raw_data(raw_data)
return self.build_apreq_from_credential_db(
cc=cc1,
service_principal=service_principal,
generate_subkey=generate_subkey)
def export_into_credential_file(self, fname):
cc1 = cc.CCache()
cc1.set_header(self.as_client_principal, self.domain)
if self.auth_performed:
cc1.import_creds(self.as_client_principal,
self.as_service_principal,
self.as_session_key,
self.as_times,
tktflags=self.as_flags,
is_skey=0,
ticket=self.as_raw_ticket)
if self.tgs_performed:
cc1.import_creds(self.tgs_client_principal,
self.tgs_service_principal,
self.tgs_session_key,
self.tgs_times,
tktflags=self.tgs_flags,
is_skey=0,
ticket=self.tgs_raw_ticket)
#cc1.show()
cc1.write(fname=fname, close=1)
def test_expanded(vec):
try:
### PART 1 - AS
cifs_principal = Convert2ServiceAndInstanceType(
'cifs/dc1.' + vec['domain'], vec['domain'])
client_principal = Convert2PrincipalType(vec['user'], vec['domain'])
auth_principal = Convert2PrincipalType('krbtgt/' + vec['domain'],
vec['domain'])
asreq = AsReq(client_principal, vec['domain'])
asreq.set_server_principal(auth_principal)
asreq.set_encryption_types([vec['cipher']])
asreq.set_passphrase(vec['passphrase'], salt=vec['salt'])
frame = asreq.pack()
data = helper.krb5_send_frame(frame,
vec['ip'],
port=vec['port'],
use_tcp=vec['protocol'] == 'tcp')
if not data:
logging.error("No answer!")
return False
resp = AsRep(data)
if not resp.is_valid():
logging.error("Invalid response or wrong status!")
return False
# Extract the ticket
raw_ticket = resp.get_ticket()
# Extract the session key, times struct and flags
resp.set_passphrase(vec['passphrase'], salt=vec['salt'])
session_key = resp.get_session_key()
times = resp.get_times()
flags = resp.get_flags()
### PART 2 - TGS
tgsreq = TgsReq(vec['domain'],
client_principal=client_principal,
server_principal=cifs_principal)
tgsreq.set_ticket(raw_ticket)
tgsreq.set_session_key(session_key)
frame = tgsreq.pack()
data = helper.krb5_send_frame(frame,
vec['ip'],
port=vec['port'],
use_tcp=vec['protocol'] == 'tcp')
if not data:
logging.error("No answer!")
return False
subkey = tgsreq.get_subkey()
resp2 = TgsRep(data)
if not resp2.is_valid():
logging.error("Invalid response or wrong status!")
return False
resp2.set_key(subkey)
# Extract the ticket
raw_ticket2 = resp2.get_ticket()
# Extract the session key
session_key2 = resp2.get_session_key()
times2 = resp2.get_times()
flags2 = resp2.get_flags()
# Adds information to the CCache
cc1 = cc.CCache()
cc1.open('/tmp/krb5cc_' + str(os.getuid()), new=1)
cc1.set_header(client_principal, vec['domain'])
cc1.import_creds(client_principal,
auth_principal,
session_key,
times,
tktflags=flags,
is_skey=0,
ticket=raw_ticket)
cc1.import_creds(client_principal,
cifs_principal,
session_key2,
times2,
tktflags=flags2,
is_skey=0,
ticket=raw_ticket2)
cc1.write()
return True
except Exception as e:
logging.error('Test failed: %s' % str(e))
return False