public void DecryptReferralTgt()
{
var ticket = KrbApReq.DecodeApplication(Convert.FromBase64String(ReferralTicket));
var apreq = new DecryptedKrbApReq(ticket, MessageType.KRB_AS_REQ);
var key = new KerberosKey(
"P@ssw0rd!",
new PrincipalName(
PrincipalNameType.NT_SRV_INST,
CRealm,
new[] { "krbtgt", "TEST.IDENTITYINTERVENTION.COM" }
),
saltType: SaltType.Rfc4120
);
apreq.Decrypt(key);
Assert.IsNotNull(apreq.Ticket);
Assert.AreEqual("Administrator", apreq.Ticket.CName.FullyQualifiedName);
Assert.AreEqual(CRealm, apreq.Ticket.CRealm);
var adif = apreq.Ticket.AuthorizationData.FirstOrDefault(f => f.Type == AuthorizationDataType.AdIfRelevant).DecodeAdIfRelevant();
var pacStr = adif.FirstOrDefault(f => f.Type == AuthorizationDataType.AdWin2kPac);
var pac = new PrivilegedAttributeCertificate(pacStr);
Assert.IsNotNull(pac);
Assert.AreEqual(500u, pac.LogonInfo.UserId);
}
private static DecryptedKrbApReq CreateDecryptedApReq(DateTimeOffset now, DateTimeOffset notBefore, DateTimeOffset notAfter, DateTimeOffset renewUntil)
{
var key = new KerberosKey(key: new byte[16], etype: EncryptionType.AES128_CTS_HMAC_SHA1_96);
var tgsRep = KrbKdcRep.GenerateServiceTicket <KrbTgsRep>(new ServiceTicketRequest
{
EncryptedPartKey = key,
Principal = new FakeKerberosPrincipal("*****@*****.**"),
ServicePrincipal = new FakeKerberosPrincipal("host/test.com"),
ServicePrincipalKey = key,
IncludePac = false,
RealmName = "test.com",
Now = now,
StartTime = notBefore,
EndTime = notAfter,
RenewTill = renewUntil,
Flags = TicketFlags.Renewable
});
var encKdcRepPart = tgsRep.EncPart.Decrypt(
key,
KeyUsage.EncTgsRepPartSessionKey,
d => KrbEncTgsRepPart.DecodeApplication(d)
);
var apReq = KrbApReq.CreateApReq(tgsRep, encKdcRepPart.Key.AsKey(), 0, out KrbAuthenticator authenticator);
var decrypted = new DecryptedKrbApReq(apReq);
decrypted.Decrypt(key);
return(decrypted);
}
private DecryptedKrbApReq DecryptApReq(KrbApReq apReq, KerberosKey krbtgtKey)
{
var apReqDecrypted = new DecryptedKrbApReq(apReq, MessageType.KRB_TGS_REQ);
apReqDecrypted.Decrypt(krbtgtKey);
apReqDecrypted.Validate(Validation);
return(apReqDecrypted);
}
protected static DecryptedKrbApReq DecryptApReq(KrbApReq token, KeyTable keytab)
{
if (token.Ticket == null)
{
return(null);
}
var decryptedApReq = new DecryptedKrbApReq(token);
decryptedApReq.Decrypt(keytab);
return(decryptedApReq);
}
public async Task U2U()
{
var port = new Random().Next(20000, 40000);
var options = new ListenerOptions
{
ListeningOn = new IPEndPoint(IPAddress.Loopback, port),
DefaultRealm = "corp2.identityintervention.com".ToUpper(),
IsDebug = true,
RealmLocator = realm => LocateRealm(realm),
ReceiveTimeout = TimeSpan.FromHours(1)
};
KdcServiceListener listener = new KdcServiceListener(options);
_ = listener.Start();
var kerbClientCred = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
var client = new KerberosClient($"127.0.0.1:{port}");
await client.Authenticate(kerbClientCred);
var kerbServerCred = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
var server = new KerberosClient($"127.0.0.1:{port}");
await server.Authenticate(kerbClientCred);
var serverEntry = await server.Cache.Get <KerberosClientCacheEntry>($"krbtgt/{server.DefaultDomain}");
var serverTgt = serverEntry.Ticket.Ticket;
var apReq = await client.GetServiceTicket("host/u2u", ApOptions.MutualRequired | ApOptions.UseSessionKey, u2uServerTicket : serverTgt);
Assert.IsNotNull(apReq);
var decrypted = new DecryptedKrbApReq(apReq);
Assert.IsNull(decrypted.Ticket);
decrypted.Decrypt(serverEntry.SessionKey.AsKey());
decrypted.Validate(ValidationActions.All);
Assert.IsNotNull(decrypted.Ticket);
Assert.AreEqual("host/u2u/CORP.IDENTITYINTERVENTION.COM", decrypted.SName.FullyQualifiedName);
listener.Stop();
}
public async Task E2E_U2U()
{
var port = NextPort();
using (var listener = StartListener(port))
{
var kerbClientCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
var kerbServerCred = new KerberosPasswordCredential("*****@*****.**", FakeAdminAtCorpPassword);
using (var client = CreateClient(listener))
using (var server = CreateClient(listener))
{
await client.Authenticate(kerbClientCred);
await server.Authenticate(kerbClientCred);
var serverEntry = await server.Cache.Get <KerberosClientCacheEntry>($"krbtgt/{server.DefaultDomain}");
var serverTgt = serverEntry.KdcResponse.Ticket;
var apReq = await client.GetServiceTicket("host/u2u.corp.identityintervention.com",
ApOptions.MutualRequired | ApOptions.UseSessionKey,
u2uServerTicket : serverTgt
);
Assert.IsNotNull(apReq);
var decrypted = new DecryptedKrbApReq(apReq);
Assert.IsNull(decrypted.Ticket);
decrypted.Decrypt(serverEntry.SessionKey.AsKey());
decrypted.Validate(ValidationActions.All);
Assert.IsNotNull(decrypted.Ticket);
Assert.AreEqual("host/u2u.corp.identityintervention.com", decrypted.SName.FullyQualifiedName);
}
listener.Stop();
}
}
