public void DetectTicketModification_Http()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.WebServer[0].HttpServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
EncryptionKey tgskey = testConfig.QueryKey(this.testConfig.LocalRealm.WebServer[0].HttpServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType);
tgsResponse.DecryptTicket(tgskey);
//Change ticket
//tgsResponse.DecryptTicket(this.testConfig.LocalRealm.WebServer[0].Password, this.testConfig.LocalRealm.WebServer[0].ServiceSalt);
//tgsResponse.TicketEncPart.cname = new PrincipalName((long)PrincipalType.NT_PRINCIPAL, KerberosUtility.String2SeqKerbString("NonExistUser", testConfig.LocalRealm.RealmName));
Asn1BerEncodingBuffer encodeBuffer = new Asn1BerEncodingBuffer();
tgsResponse.TicketEncPart.BerEncode(encodeBuffer, true);
EncryptionType encryptType = (EncryptionType)tgsResponse.Response.ticket.enc_part.etype.Value;
var key = KeyGenerator.MakeKey(encryptType, "WrongPassword", this.testConfig.LocalRealm.WebServer[0].ServiceSalt);
var encrypedData = KerberosUtility.Encrypt(
encryptType,
key,
encodeBuffer.Data,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
tgsResponse.Response.ticket.enc_part = new EncryptedData(new KerbInt32((long)encryptType), null, new Asn1OctetString(encrypedData));
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Http request.");
//Receive Error here
KerberosKrbError error = client.GetKrbErrorFromToken(SendAndRecieveHttpAp(this.testConfig.LocalRealm.WebServer[0], token));
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED,
error.ErrorCode,
"AP should return KRB_AP_ERR_MODIFIED if authenticator changed");
}
public void DetectAuthenticatorModification_Http()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.WebServer[0].HttpServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
//change authenticator
client.Context.Ticket.SessionKey = KerberosUtility.GenerateKey(client.Context.SessionKey);
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Http request.");
//Receive Error here
KerberosKrbError error = client.GetKrbErrorFromToken(SendAndRecieveHttpAp(this.testConfig.LocalRealm.WebServer[0], token));
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED, error.ErrorCode, "AP should return KRB_AP_ERR_MODIFIED if authenticator changed");
}
public void KrbErrorGeneric()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client.");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
// Set ApOptions as None but check on GSS_C_MUTUAL_FLAG
byte[] token = client.CreateGssApiToken(ApOptions.None,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Smb2 request.");
KerberosKrbError error = client.GetKrbErrorFromToken(SendAndRecieveSmb2Ap(this.testConfig.LocalRealm.FileServer[0], token));
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve Kerberos error.");
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_ERR_GENERIC, error.ErrorCode,
"When a generic security error is returned from AP, KRB_ERR_GENERIC will be returned.");
}
public void KrbErrorTktNotYetValid()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client.");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
// Change ticket
EncryptionKey tgskey = testConfig.QueryKey(
this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName,
this.testConfig.LocalRealm.RealmName,
this.client.Context.SelectedEType);
// Decrypt ticket
tgsResponse.DecryptTicket(tgskey);
// Set ticket start time 15 minutes later than now
string nyvTime = DateTime.Now.AddMinutes(15).ToUniversalTime().ToString("yyyyMMddHHmmss") + "Z";
tgsResponse.TicketEncPart.starttime = new KerberosTime(nyvTime);
Asn1BerEncodingBuffer encodeBuffer = new Asn1BerEncodingBuffer();
tgsResponse.TicketEncPart.BerEncode(encodeBuffer, true);
EncryptionType encryptType = (EncryptionType) tgsResponse.Response.ticket.enc_part.etype.Value;
var key = KeyGenerator.MakeKey(encryptType, this.testConfig.LocalRealm.FileServer[0].Password, this.testConfig.LocalRealm.FileServer[0].ServiceSalt);
// Re-encrypt ticket
var encrypedData = KerberosUtility.Encrypt(
encryptType,
key,
encodeBuffer.Data,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
tgsResponse.Response.ticket.enc_part = new EncryptedData(new KerbInt32((long)encryptType), null, new Asn1OctetString(encrypedData));
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Smb2 request.");
KerberosKrbError error = client.GetKrbErrorFromToken(SendAndRecieveSmb2Ap(this.testConfig.LocalRealm.FileServer[0], token));
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve Kerberos error.");
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV, error.ErrorCode,
"If the starttime is later than the current time by more than the allowable clock skew (10 minutes), " +
"the KRB_AP_ERR_TKT_NYV error is returned.");
}
public void KrbErrorBadMatch()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
// Change username in authenticator
client.Context.Ticket.TicketOwner.name_string.Elements[0].Value = client.Context.Ticket.TicketOwner.name_string.Elements[0].Value.Insert(0, "BADMATCH");
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Smb2 request.");
KerberosKrbError error = client.GetKrbErrorFromToken(SendAndRecieveSmb2Ap(this.testConfig.LocalRealm.FileServer[0], token));
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve Kerberos error.");
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH, error.ErrorCode,
"The name and realm of the client from the ticket are compared against the same fields in the authenticator. " +
"If they don't match, the KRB_AP_ERR_BADMATCH error is returned");
}