public async Task Authenticator_RoundtripKeytab()
{
var keytab = new KeyTable(ReadDataFile("sample.keytab"));
var buffer = new MemoryStream();
using (var writer = new BinaryWriter(buffer))
{
keytab.Write(writer);
var secondKeytab = new KeyTable(buffer.ToArray());
var authenticator = new KerberosAuthenticator(
new KerberosValidator(secondKeytab)
{
ValidateAfterDecrypt = DefaultActions
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
}
private static void AssertKeytablesAreEqual(KeyTable keytable, KeyTable secondKeyTable)
{
for (var i = 0; i < keytable.Entries.Count; i++)
{
Assert.AreEqual(keytable.Entries.ElementAt(i), secondKeyTable.Entries.ElementAt(i));
}
}
public void KeyGeneration()
{
var keys = new[]
{
new KerberosKey(
"password",
new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }),
host: "appservice",
etype: EncryptionType.AES256_CTS_HMAC_SHA1_96
)
};
var keytable = new KeyTable(keys);
var buffer = new MemoryStream();
using (var writer = new BinaryWriter(buffer))
{
keytable.Write(writer);
var secondKeytab = new KeyTable(buffer.ToArray());
AssertKeytablesAreEqual(keytable, secondKeytab);
}
}
public async Task KrbApReqWithoutPacLogonInfo()
{
var data = Convert.FromBase64String(ApReqWithoutPacLogonInfo);
var key = new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { "host/downlevel.corp.identityintervention.com" }
),
saltType: SaltType.ActiveDirectoryUser
)
);
var authenticator = new KerberosAuthenticator(new KerberosValidator(key)
{
ValidateAfterDecrypt = DefaultActions
});
var result = await authenticator.Authenticate(data);
Assert.IsNotNull(result);
Assert.AreEqual(1, result.Claims.Count());
Assert.AreEqual("administrator/CORP.IDENTITYINTERVENTION.COM/CORP.IDENTITYINTERVENTION.COM", result.Name);
}
public void MultipleVersionsInSameKeytab()
{
var keys = new[] {
new KerberosKey(
"password",
new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }),
host: "appservice",
etype: EncryptionType.AES256_CTS_HMAC_SHA1_96,
kvno: 1
),
new KerberosKey(
"password",
new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }),
host: "appservice",
etype: EncryptionType.AES256_CTS_HMAC_SHA1_96,
kvno: 2
),
new KerberosKey(
"password",
new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }),
host: "appservice",
etype: EncryptionType.AES256_CTS_HMAC_SHA1_96,
kvno: 12
)
};
var keytable = new KeyTable(keys);
var key = keytable.GetKey(EncryptionType.AES256_CTS_HMAC_SHA1_96, KrbPrincipalName.FromString("host/appservice"));
Assert.AreEqual(12, key.Version);
}
public async Task Authenticator_SerializedKeytab()
{
var key = new KerberosKey(
password: "******",
principalName: new PrincipalName(
PrincipalNameType.NT_SRV_INST,
"IDENTITYINTERVENTION.COM",
new[] { "host", "aadg.windows.net.nsatc.net" }
),
etype: EncryptionType.RC4_HMAC_NT
);
var keytab = new KeyTable(key);
var buffer = new MemoryStream();
keytab.Write(new BinaryWriter(buffer));
var secondKeytab = new KeyTable(buffer.ToArray());
var authenticator = new KerberosAuthenticator(
new KerberosValidator(secondKeytab)
{
ValidateAfterDecrypt = DefaultActions
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
public void KeyVersionOverride_32Bit()
{
var keyTable = new KeyTable(ReadDataFile("sample_with_32_bit_version_override.keytab"));
Assert.IsNotNull(keyTable);
Assert.AreEqual(2, keyTable.Entries.First().Version);
}
private object GenerateFormattedKeyTable(KeyTable keytab)
{
if (keytab == null)
{
return(null);
}
var keys = keytab.Entries.Select(k =>
{
var key = new KerberosKey(Encoding.Unicode.GetString(k.Key.GetKey(NoOpEncryptor)), k.Principal);
return(new
{
k.EncryptionType,
k.Length,
k.Timestamp,
k.Version,
key.Host,
key.PasswordBytes,
Key = key.PrincipalName
});
});
var table = new
{
keytab.FileVersion,
keytab.KerberosVersion,
Entries = keys.ToArray()
};
return(table);
}
public void Compile(Stream input)
{
var keyTab = new KeyTable();
scanner = new Scanner(input, keyTab);
NextToken();
Module();
}
public void Test32BitKeyVersionOverride()
{
var keyTable = new KeyTable(File.ReadAllBytes("data\\sample_with_32_bit_version_override.keytab"));
Assert.IsNotNull(keyTable);
Assert.AreEqual(2, keyTable.Entries.First().Version);
}
public static void ClearCache(object threadid)
{
try
{
while (true)
{
Thread.Sleep(5);
if (!KeyTable.HasAutoCacheTable && KeyTable.CheckSysAutoCacheTable()) //检测并创建表,放在循环中,是因为可能在代码中延后会AppConifg.Cache.AutoCacheConn赋值;
{
ThreadBreak.AddGlobalThread(new ParameterizedThreadStart(AutoCacheKeyTask)); //将数据库检测独立一个线程,不影响此内存操作。
}
if (removeList.Count > 0)
{
string baseKey = removeList.Dequeue();
if (!string.IsNullOrEmpty(baseKey))
{
RemoveCache(baseKey);
if (KeyTable.HasAutoCacheTable)//检测是否开启AutoCacheConn数据库链接
{
removeListForKeyTask.Enqueue(baseKey);
}
}
}
}
}
catch
{
}
}
private void LoadKeytab(string fileName)
{
try
{
var keytab = new KeyTable(File.ReadAllBytes(fileName));
if (keytab.Entries.Any())
{
table = keytab;
lblKeytab.Text = fileName;
if (string.IsNullOrWhiteSpace(txtTicket.Text))
{
var formatted = GenerateFormattedKeyTable(table);
var serialized = FormatSerialize(new { KeyTable = formatted });
DisplayDeconstructed(serialized, "KeyTable");
}
}
}
catch (Exception ex)
{
lblKeytab.Text = "";
this.ShowError(ex);
}
}
private async Task Decode()
{
if (chkRemember.Checked)
{
TryPersistingValues();
}
else
{
ResetPersistedValues();
}
if (string.IsNullOrWhiteSpace(txtTicket.Text))
{
return;
}
string ticket;
if (string.IsNullOrWhiteSpace(txtKey.Text))
{
ticket = Decode(txtTicket.Text);
}
else
{
var key = table;
var domain = Environment.GetEnvironmentVariable("USERDNSDOMAIN");
if (key == null)
{
if (chkEncodedKey.Checked)
{
var bytes = Convert.FromBase64String(txtKey.Text);
key = new KeyTable(
new KerberosKey(
password: bytes,
principal: new PrincipalName(PrincipalNameType.NT_SRV_HST, domain, new[] { Environment.MachineName }),
host: txtHost.Text
)
);
}
else
{
key = new KeyTable(
new KerberosKey(
txtKey.Text,
principalName: new PrincipalName(PrincipalNameType.NT_SRV_HST, domain, new[] { Environment.MachineName }),
host: string.IsNullOrWhiteSpace(txtHost.Text) ? null : txtHost.Text
)
);
}
}
ticket = await Decode(txtTicket.Text, key);
}
DisplayDeconstructed(ticket, "Decoded Ticket");
}
public KerberosAuthenticator(string upn, KeyTable keytab, Krb5Config config, ILoggerFactory logger = null)
: this(new KerberosValidator(keytab, logger))
{
if (!string.IsNullOrWhiteSpace(upn))
{
this.s4uProvider = new S4UProviderFactory(upn, keytab, config, logger);
}
}
internal void Validate(KeyTable keytab, KrbPrincipalName sname)
{
var key = keytab.GetKey(Type, sname);
Validator.Validate(key);
Validated = true;
}
protected static int GetTimeStepNumber(Program solver)
{
solver.QueryResultTable.FormatTable(out string[] KeyColumnNames, out string[] ValueColumnNames, out object[,] KeyTable, out object[,] ValueTable);
int iCol = Array.IndexOf(KeyColumnNames, "Timestep");
int iTimeStep = (int)(KeyTable.GetColumn(iCol).Last());
return(iTimeStep);
}
public KerberosValidator(KeyTable keytab, ITicketReplayValidator ticketCache = null)
{
this.keytab = keytab;
TokenCache = ticketCache ?? new TicketReplayValidator();
ValidateAfterDecrypt = ValidationActions.All;
}
public void AddKeyEvent(KeyTable table, UnityAction action)
{
if (!actionTable.ContainsKey(table))
{
actionTable.Add(table, new List <UnityAction>());
}
actionTable[table].Add(action);
}
protected DatFile FromBytesInternal([NotNull] byte[] bytes)
{
DatHeader header = BuildDatHeaderFromBytesInternal(bytes);
IndexTable indexTable = BuildIndexTableFromBytesInternal(bytes, header.KeyCount);
ValueTable valueTable = BuildValueTableFromBytesInternal(bytes, indexTable, header.KeyCount);
KeyTable keyTable = BuildKeyTableFromBytesInternal(bytes, indexTable, header.KeyCount);
return(new DatFile(header, indexTable, valueTable, keyTable));
}
public void TrailingPadding()
{
var keyTable = new KeyTable(ReadDataFile("sample_with_padding.keytab"));
Assert.IsNotNull(keyTable);
Assert.AreEqual(15, keyTable.Entries.Count);
Assert.AreEqual(keyTable.Entries.First().EncryptionType, EncryptionType.DES_CBC_CRC);
Assert.AreEqual(keyTable.Entries.Last().EncryptionType, EncryptionType.RC4_HMAC_NT);
}
public DatFile Build(byte[] bytes)
{
DatHeader header = BuildDatHeader(bytes);
IndexTable indexTable = BuildIndexTable(bytes, header.KeyCount);
ValueTable valueTable = BuildValueTable(bytes, indexTable, header.KeyCount);
KeyTable keyTable = BuildKeyTable(bytes, indexTable, header.KeyCount);
return(new DatFile(header, indexTable, valueTable, keyTable));
}
public KerberosValidator(KeyTable keytab, ILoggerFactory logger = null, ITicketReplayValidator ticketCache = null)
{
this.keytab = keytab;
this.logger = logger.CreateLoggerSafe <KerberosValidator>();
TokenCache = ticketCache ?? new TicketReplayValidator(logger);
ValidateAfterDecrypt = ValidationActions.All;
}
public override DecryptedData Decrypt(KeyTable keys)
{
if (NegotiationToken?.MechToken?.NtlmNegotiate != null)
{
throw new NotSupportedException("NTLM is not supported");
}
var token = NegotiationToken?.MechToken?.InnerContextToken;
return(Decrypt(token, keys));
}
private void btnClear_Click(object sender, EventArgs e)
{
txtTicket.Text = "";
txtDump.Text = "";
txtHost.Text = "";
txtKey.Text = "";
treeView1.Nodes.Clear();
table = null;
lblKeytab.Text = "";
}
public KeytabCredential(string username, KeyTable keytab, string domain = null)
{
TrySplitUserNameDomain(username, out username, ref domain);
this.UserName = username;
this.keytab = keytab ?? throw new ArgumentNullException(nameof(keytab));
if (!string.IsNullOrWhiteSpace(domain))
{
this.Domain = domain.ToUpperInvariant();
}
}
protected static DecryptedKrbApReq DecryptApReq(KrbApReq token, KeyTable keytab)
{
if (token.Ticket == null)
{
return(null);
}
var decryptedApReq = new DecryptedKrbApReq(token);
decryptedApReq.Decrypt(keytab);
return(decryptedApReq);
}
public DecryptedData Decrypt(KeyTable keytab)
{
if (NegotiationToken != null)
{
return(DecryptNegotiate(NegotiationToken, keytab));
}
if (Request != null)
{
return(DecryptKerberos(Request, keytab));
}
return(null);
}
private void LoadKeyTable(GXXmlReader reader)
{
KeyTable.Clear();
if (reader.IsStartElement("KeyTable", true))
{
while (reader.IsStartElement("Item", true))
{
byte k = (byte)reader.ReadElementContentAsInt("Key");
byte[] d = GXDLMSTranslator.HexToBytes(reader.ReadElementContentAsString("Data"));
KeyTable.Add(new GXKeyValuePair <byte, byte[]>(k, d));
}
reader.ReadEndElement("KeyTable");
}
}
public override DecryptedKrbApReq DecryptApReq(KeyTable keys)
{
var mechToken = token.InitialToken.MechToken;
var apReq = MessageParser.Parse <ContextToken>(mechToken.Value);
if (apReq is NegotiateContextToken)
{
throw new InvalidOperationException(
"Negotiated ContextToken is another negotiated token. Failing to prevent stack overflow."
);
}
return(apReq.DecryptApReq(keys));
}
private async Task <KerberosIdentity> ProcessAsMiddleBox(Krb5Config config, ILoggerFactory logger, ApplicationSessionContext serviceTicket)
{
var serviceCred = new KerberosPasswordCredential(this.ServicePrincipalSamAccountName, this.ServicePrincipalNamePassword, serviceTicket.ApReq.Ticket.Realm);
var ping = await KerberosPing.Ping(serviceCred, config, logger);
serviceCred.IncludePreAuthenticationHints(ping.Error.DecodePreAuthentication());
var keytab = new KeyTable(serviceCred.CreateKey());
var authenticator = new KerberosAuthenticator(this.ServicePrincipalSamAccountName, keytab, config, logger);
var identity = await authenticator.Authenticate(serviceTicket.ApReq.EncodeGssApi()) as KerberosIdentity;
return(identity);
}
private async Task <string> Decode(string ticket, KeyTable key)
{
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = ValidationActions.None
};
var ticketBytes = Convert.FromBase64String(ticket);
var decrypted = await validator.Validate(ticketBytes);
var request = KerberosRequest.Parse(ticketBytes);
var keytableFormat = GenerateFormattedKeyTable(key);
return(FormatSerialize(new { Request = request, Decrypted = decrypted, KeyTable = keytableFormat }));
}
public Scanner(Stream t, KeyTable keyTable)
{
this.t = t;
this.keyTable = keyTable;
if (Eof())
throw new InvalidOperationException("Cannot init empty stream");
ReadChar();
EnterKW(Token.Null, "BY");
EnterKW(Token.Do, "DO");
EnterKW(Token.If, "IF");
EnterKW(Token.Null, "IN");
EnterKW(Token.Null, "IS");
EnterKW(Token.Of, "OF");
EnterKW(Token.Or, "OR");
EnterKW(Token.Null, "TO");
EnterKW(Token.End, "END");
EnterKW(Token.Null, "FOR");
EnterKW(Token.Mod, "MOD");
EnterKW(Token.Null, "NIL");
EnterKW(Token.Var, "VAR");
EnterKW(Token.Null, "CASE");
EnterKW(Token.Else, "ELSE");
EnterKW(Token.Null, "EXIT");
EnterKW(Token.Then, "THEN");
EnterKW(Token.Type, "TYPE");
EnterKW(Token.Null, "WITH");
EnterKW(Token.Array, "ARRAY");
EnterKW(Token.Begin, "BEGIN");
EnterKW(Token.Const, "CONST");
EnterKW(Token.Elsif, "ELSIF");
EnterKW(Token.Null, "IMPORT");
EnterKW(Token.Null, "UNTIL");
EnterKW(Token.While, "WHILE");
EnterKW(Token.Record, "RECORD");
EnterKW(Token.Null, "REPEAT");
EnterKW(Token.Null, "RETURN");
EnterKW(Token.Null, "POINTER");
EnterKW(Token.Procedure, "PROCEDURE");
EnterKW(Token.Div, "DIV");
EnterKW(Token.Null, "LOOP");
EnterKW(Token.Module, "MODULE");
}
void AddToTable (Keywords keywords, char[] word)
{
KeyTable[] curTable = table;
for (int i = 0; i < word.Length; i++) {
uint idx = (uint)word[i];
if (idx > 255)
throw new ArgumentOutOfRangeException (word + " contains invalid chars.");
if (curTable[idx] == null)
curTable[idx] = new KeyTable ();
if (i == word.Length -1) {
curTable[idx].keywords = keywords;
break;
}
curTable = curTable[idx].table;
}
}
