def test_asn1_decode_key_with_context(self):
		context = heimdal.context()
		(keyblock, salt, kvno) = heimdal.asn1_decode_key(self.ASN1, context)
		self.assertEqual(ENCSTR, str(keyblock.keytype()))
		self.assertEqual(self.VALUE, keyblock.keyvalue())
		self.assertEqual(self.SALT, salt.saltvalue())
		self.assertEqual(KVNO, kvno)
def krb5_asn1(principal, password, krb5_context=None):
	# type: (str, str, Optional[heimdal.context]) -> List[bytes]
	"""
	Generate Kerberos password hashes.

	:param principal: Kerberos principal name.
	:param password: password string.
	:param krb5_context: optional Kerberos context.
	:returns: list of ASN1 encoded Kerberos hashes.
	"""
	list = []
	if isinstance(principal, unicode):
		principal = principal.encode('utf-8')
	if isinstance(password, unicode):
		password = password.encode('utf-8')
	if not krb5_context:
		krb5_context = heimdal.context()
	for krb5_etype in krb5_context.get_permitted_enctypes():
		if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
			continue
		krb5_principal = heimdal.principal(krb5_context, principal)
		krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
		krb5_salt = heimdal.salt(krb5_context, krb5_principal)
		list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
	return list
	def test_context(self):
		before = middle = after = 0
		before = sys.gettotalrefcount()
		context = heimdal.context()
		middle = sys.gettotalrefcount()
		del context
		after = sys.gettotalrefcount()

		self.assertGreater(middle, before)
		self.assertLess(after, middle)
		self.assertEqual(before, after)
	def test_keyblock(self):
		context = heimdal.context()

		before = middle = after = 0
		before = sys.gettotalrefcount()
		keyblock = heimdal.keyblock_raw(context, ENCINT, TestKeyblock.VALUE)
		middle = sys.gettotalrefcount()
		del keyblock
		after = sys.gettotalrefcount()

		self.assertGreater(middle, before)
		self.assertLess(after, middle)
		self.assertEqual(before, after)
	def test_principal(self):
		context = heimdal.context()

		before = middle = after = 0
		before = sys.gettotalrefcount()
		principal = heimdal.principal(context, USER)
		middle = sys.gettotalrefcount()
		del principal
		after = sys.gettotalrefcount()

		self.assertGreater(middle, before)
		self.assertLess(after, middle)
		self.assertEqual(before, after)
	def test_enctype(self):
		context = heimdal.context()

		before = middle = after = 0
		before = sys.gettotalrefcount()
		enctype = heimdal.enctype(context, ENCSTR)
		middle = sys.gettotalrefcount()
		del enctype
		after = sys.gettotalrefcount()

		self.assertGreater(middle, before)
		self.assertLess(after, middle)
		self.assertEqual(before, after)
	def test_keytab(self):
		context = heimdal.context()

		before = middle = after = 0
		with NamedTemporaryFile() as tmpfile:
			before = sys.gettotalrefcount()
			keytab = heimdal.keytab(context, tmpfile.name)
			middle = sys.gettotalrefcount()
			del keytab
			after = sys.gettotalrefcount()

		self.assertGreater(middle, before)
		self.assertLess(after, middle)
		self.assertEqual(before, after)
	def test_creds(self):
		context = heimdal.context()
		principal = heimdal.principal(context, USER)
		tkt_service = ""

		before = middle = after = 0
		before = sys.gettotalrefcount()
		creds = heimdal.creds(context, principal, PASSWORD, tkt_service)
		middle = sys.gettotalrefcount()
		del creds
		after = sys.gettotalrefcount()

		self.assertGreater(middle, before)
		self.assertLess(after, middle)
		self.assertEqual(before, after)
示例#9
0
def krb5_asn1(principal, password, krb5_context=None):
	list = []
	if isinstance(principal, types.UnicodeType):
		principal = str(principal)
	if isinstance(password, types.UnicodeType):
		password = str(password)
	if not krb5_context:
		krb5_context = heimdal.context()
	for krb5_etype in krb5_context.get_permitted_enctypes():
		if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
			continue
		krb5_principal = heimdal.principal(krb5_context, principal)
		krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
		krb5_salt = heimdal.salt(krb5_context, krb5_principal)
		list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
	return list
示例#10
0
文件: password.py 项目: B-Rich/smart
def krb5_asn1(principal, password, krb5_context=None):
	list=[]
	if type(principal) == types.UnicodeType:
		principal = str( principal )
	if type(password) == types.UnicodeType:
		password = str( password )
	if not krb5_context:
		krb5_context = heimdal.context()
	for krb5_etype in krb5_context.get_permitted_enctypes():
		if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
			continue
		krb5_principal = heimdal.principal(krb5_context, principal)
		krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
		krb5_salt = heimdal.salt(krb5_context, krb5_principal)
		list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
	return list
	def setUp(self):
		context = heimdal.context()
		principal = heimdal.principal(context, USER)
		tkt_service = ""
		self.creds = heimdal.creds(self.context, principal, PASSWORD, tkt_service)
def calculate_krb5keys(supplementalCredentialsblob):
	spl = supplementalCredentialsblob
	#cleartext_hex = None
	keys = []
	keytypes = []
	kvno = 0
	context = heimdal.context()
#	for i in range(0, spl.sub.num_packages):
#		pkg = spl.sub.packages[i]
#		if pkg.name != "Primary:CLEARTEXT":
#			continue
#		cleartext_hex = pkg.data

	krb5_old_hex = None

	for i in range(0, spl.sub.num_packages):
		pkg = spl.sub.packages[i]
		if pkg.name != "Primary:Kerberos":
			continue
		krb5_old_hex = pkg.data

	if krb5_old_hex is not None:
		krb5_old_raw = binascii.a2b_hex(krb5_old_hex)
		krb5_old = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_old_raw, allow_remaining=True)
		assert krb5_old.version == 3
		for k in krb5_old.ctr.keys:
			if k.keytype not in keytypes:
				ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype)
				try:
					key = heimdal.keyblock_raw(context, k.keytype, k.value)
					krb5SaltObject = heimdal.salt_raw(context, krb5_old.ctr.salt.string)
					keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
					keytypes.append(k.keytype)
				except Exception:
					if k.keytype == 4294967156:  # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
						ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, pkg.name))
					else:
						ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, pkg.name))
						ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc())

	krb5_new_hex = None

	for i in range(0, spl.sub.num_packages):
		pkg = spl.sub.packages[i]
		if pkg.name != "Primary:Kerberos-Newer-Keys":
			continue
		krb5_new_hex = pkg.data

	if krb5_new_hex is not None:
		krb_blob = binascii.unhexlify(krb5_new_hex)
		krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
		assert krb.version == 4

		for k in krb.ctr.keys:
			if k.keytype not in keytypes:
				ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype)
				try:
					key = heimdal.keyblock_raw(context, k.keytype, k.value)
					krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)
					keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
					keytypes.append(k.keytype)
				except Exception:
					if k.keytype == 4294967156:  # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
						ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, pkg.name))
					else:
						ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, pkg.name))
						ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc())
	return keys
	def __init__(self):
		self.ctx = heimdal.context()
		self.etypes = self.ctx.get_permitted_enctypes()
		self.etype_ids = [et.toint() for et in self.etypes]
	def test_asn1_encode_key_invalid_salt(self):
		context = heimdal.context()
		keyblock = heimdal.keyblock_raw(context, ENCINT, self.VALUE)
		with self.assertRaises(TypeError):
			heimdal.asn1_encode_key(keyblock, 0, KVNO)
	def test_asn1_encode_key_without_salt(self):
		context = heimdal.context()
		keyblock = heimdal.keyblock_raw(context, ENCINT, self.VALUE)
		asn1 = heimdal.asn1_encode_key(keyblock, None, KVNO)
		self.assertIsNotNone(asn1)
	def test_asn1_encode_key(self):
		context = heimdal.context()
		keyblock = heimdal.keyblock_raw(context, ENCINT, self.VALUE)
		salt = heimdal.salt_raw(context, self.SALT)
		asn1 = heimdal.asn1_encode_key(keyblock, salt, KVNO)
		self.assertEqual(self.ASN1, asn1)
def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):
	up_blob = unicodePwd
	sc_blob = supplementalCredentials

	keys = []
	keytypes = []
	context = heimdal.context()

	if up_blob:
		# ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: up_blob: %s" % binascii.b2a_base64(up_blob))
		assert len(up_blob) == 16
		key = heimdal.keyblock_raw(context, 23, up_blob)
		keys.append(heimdal.asn1_encode_key(key, None, kvno))

	if sc_blob:
		# ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: sc_blob: %s" % binascii.b2a_base64(sc_blob))
		try:
			sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
			for p in sc.sub.packages:
				krb = None
				ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: parsing %s blob" % p.name)
				if p.name == "Primary:Kerberos":
					krb_blob = binascii.unhexlify(p.data)
					krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
					assert krb.version == 3

					for k in krb.ctr.keys:
						if k.keytype not in keytypes:
							ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype)
							try:
								key = heimdal.keyblock_raw(context, k.keytype, k.value)
								krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)
								keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
								keytypes.append(k.keytype)
							except:
								if k.keytype == 4294967156:  # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
									if k.value == up_blob:  # the known case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name))
									else:  # unknown special case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name))
								else:
									traceback.print_exc()
									ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name))

				elif p.name == "Primary:Kerberos-Newer-Keys":
					krb_blob = binascii.unhexlify(p.data)
					krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
					assert krb.version == 4

					for k in krb.ctr.keys:
						if k.keytype not in keytypes:
							ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype)
							try:
								key = heimdal.keyblock_raw(context, k.keytype, k.value)
								krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)
								keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
								keytypes.append(k.keytype)
							except:
								if k.keytype == 4294967156:  # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
									if k.value == up_blob:  # the known case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name))
									else:  # unknown special case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name))
								else:
									traceback.print_exc()
									ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name))

		except Exception:
			import sys
			exc = sys.exc_info()[1]
			if isinstance(exc.args, type(())) and len(exc.args) == 2 and exc.args[1] == 'Buffer Size Error':
				ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: '%s' while unpacking supplementalCredentials:: %s" % (exc, binascii.b2a_base64(sc_blob)))
				ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")
			else:
				traceback.print_exc()
				ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")

	return keys
	def setUp(self):
		self.context = heimdal.context()
		self.principal = heimdal.principal(self.context, USER)
		self.ccache = heimdal.ccache(self.context)
	def setUp(self):
		self.context = heimdal.context()
		self.enctype = heimdal.enctype(self.context, ENCSTR)
		self.principal = heimdal.principal(self.context, USER)
	def setUp(self):
		context = heimdal.context()
		self.enctype = heimdal.enctype(context, ENCSTR)
	def setUp(self):
		self.context = heimdal.context()
	def setUp(self):
		context = heimdal.context()
		self.principal = heimdal.principal(context, USER)
示例#23
0
文件: password.py 项目: B-Rich/smart
def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):
	up_blob = unicodePwd
	sc_blob = supplementalCredentials

	keys = []
	keytypes = []
	context = heimdal.context()

	if up_blob:
		#ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: up_blob: %s" % binascii.b2a_base64(up_blob))
		assert len(up_blob) == 16
		key = heimdal.keyblock_raw(context, 23, up_blob)
		keys.append(heimdal.asn1_encode_key(key, None, kvno))

	if sc_blob:
		#ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: sc_blob: %s" % binascii.b2a_base64(sc_blob))
		try:
			sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
			for p in sc.sub.packages:
				krb = None
				ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: parsing %s blob" % p.name)
				if p.name == "Primary:Kerberos":
					krb_blob = binascii.unhexlify(p.data)
					krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
					assert krb.version == 3

					for k in krb.ctr.keys:
						if k.keytype not in keytypes:
							ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype)
							try:
								key = heimdal.keyblock_raw(context, k.keytype, k.value)
								krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)
								keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
								keytypes.append(k.keytype)
							except:
								if k.keytype == 4294967156:	## in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
									if k.value == up_blob:	## the known case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name))
									else:					## unknown special case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name))
								else:
									traceback.print_exc()
									ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name))

				elif p.name == "Primary:Kerberos-Newer-Keys":
					krb_blob = binascii.unhexlify(p.data)
					krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
					assert krb.version == 4

					for k in krb.ctr.keys:
						if k.keytype not in keytypes:
							ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype)
							try:
								key = heimdal.keyblock_raw(context, k.keytype, k.value)
								krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)
								keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
								keytypes.append(k.keytype)
							except:
								if k.keytype == 4294967156:	## in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
									if k.value == up_blob:	## the known case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name))
									else:					## unknown special case
										ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name))
								else:
									traceback.print_exc()
									ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name))

		except Exception:
			import sys
			exc = sys.exc_info()[1]
			if type(exc.args) == type(()) and len(exc.args) == 2 and exc.args[1] == 'Buffer Size Error':
				ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: '%s' while unpacking supplementalCredentials:: %s" % ( exc, binascii.b2a_base64(sc_blob) ) )
				ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")
			else:
				traceback.print_exc()
				ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.")

	return keys