        //EncKDCRepPart::= SEQUENCE {
        //        key[0] EncryptionKey,
        //        last-req[1] LastReq,
        //        nonce[2] UInt32,
        //        key-expiration[3] KerberosTime OPTIONAL,
        //        flags[4] TicketFlags,
        //        authtime[5] KerberosTime,
        //        starttime[6] KerberosTime OPTIONAL,
        //        endtime[7] KerberosTime,
        //        renew-till[8] KerberosTime OPTIONAL,
        //        srealm[9] Realm,
        //        sname[10] PrincipalName,
        //        caddr[11] HostAddresses OPTIONAL,
        //  encrypted-pa-data[12] SEQUENCE OF PA-DATA OPTIONAL
        //}

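        /// <summary>
        /// Decodes an EncKDCRepPart (RFC 4120 §5.4.2, schema above) from its already-decrypted
        /// ASN.1 SEQUENCE. Each context-tagged child is dispatched on its tag number; caddr [11]
        /// and encrypted-pa-data [12] are recognised but left undecoded, and unknown tags are
        /// silently ignored, so the decoded object may be partially populated.
        /// </summary>
        /// <param name="body">The SEQUENCE element whose <c>Sub</c> children are the tagged fields.</param>
        /// <exception cref="OverflowException">
        /// nonce [2] or flags [4] does not fit in an unsigned 32-bit integer (raised by <c>Convert.ToUInt32</c>).
        /// </exception>
        /// <remarks>
        /// The input is not validated structurally: a tagged element without a child makes the
        /// <c>Sub[0]</c> access throw the indexer's own exception. Callers that feed this
        /// constructor data from the network should expect exceptions on malformed input.
        /// </remarks>
        public EncKDCRepPart(AsnElt body)
        {
            foreach (AsnElt s in body.Sub)
            {
                switch (s.TagValue)
                {
                case 0:
                    // key: EncryptionKey decodes the tagged element itself, not its child
                    key = new EncryptionKey(s);
                    break;

                case 1:
                    lastReq = new LastReq(s.Sub[0]);
                    break;

                case 2:
                    nonce = Convert.ToUInt32(s.Sub[0].GetInteger());
                    break;

                case 3:
                    // key-expiration (optional)
                    key_expiration = s.Sub[0].GetTime();
                    break;

                case 4:
                    // flags: TicketFlags arrive as an integer; reinterpret the 32 bits as-is.
                    // This replaces a BitConverter round-trip (uint -> bytes -> int) that produced
                    // the same bit pattern with an extra allocation. Range checking of the
                    // integer itself is still done by Convert.ToUInt32.
                    flags = unchecked((Interop.TicketFlags)Convert.ToUInt32(s.Sub[0].GetInteger()));
                    break;

                case 5:
                    authtime = s.Sub[0].GetTime();
                    break;

                case 6:
                    // starttime (optional)
                    starttime = s.Sub[0].GetTime();
                    break;

                case 7:
                    endtime = s.Sub[0].GetTime();
                    break;

                case 8:
                    // renew-till (optional)
                    renew_till = s.Sub[0].GetTime();
                    break;

                case 9:
                    // srealm: decoded as ASCII, so any non-ASCII octet becomes '?' and the
                    // original bytes are not recoverable from this field.
                    realm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
                    break;

                case 10:
                    // sname: required by the schema above (it was previously mislabelled as optional)
                    sname = new PrincipalName(s.Sub[0]);
                    break;

                case 11:
                    // caddr (HostAddresses, optional): not decoded
                    break;

                case 12:
                    // encrypted-pa-data (optional): not decoded
                    break;

                default:
                    // unknown tag: ignored
                    break;
                }
            }
        }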
        /// <summary>
        /// Sends a TGS-REQ for <paramref name="service"/> to a KDC, decrypts the TGS-REP enc-part
        /// with <paramref name="key"/>, and returns the resulting ticket wrapped in a KRB-CRED.
        /// </summary>
        /// <param name="userName">Client name placed in the request.</param>
        /// <param name="domain">Realm placed in the request.</param>
        /// <param name="providedTicket">Ticket attached to the request (passed straight to <c>TGS_REQ.NewTGSReq</c>).</param>
        /// <param name="key">Key used both to build the request and to decrypt the reply's enc-part.</param>
        /// <param name="service">Service principal the ticket is requested for.</param>
        /// <param name="ptt">If true, the encoded ticket is handed to <c>LSA.ImportTicket</c>; this only happens when <paramref name="display"/> is also true (see the nesting below).</param>
        /// <param name="domainController">KDC to contact; an empty string lets <c>Networking.GetDCIP</c> choose.</param>
        /// <param name="display">Enables the progress messages and the ticket dump. The success line and the error lines are printed regardless.</param>
        /// <returns>
        /// The encoded KRB-CRED bytes, or <c>null</c> when no KDC could be resolved, no reply arrived,
        /// the KDC answered with KRB-ERROR, or the reply carried an unexpected application tag.
        /// </returns>
        /// <remarks>
        /// There is no exception handling here: failures in <c>AsnElt.Decode</c>,
        /// <c>Crypto.KerberosDecrypt</c> or the reply parsers propagate to the caller. The reply is
        /// untrusted network input and is only checked for its application tag before parsing.
        /// </remarks>
        public static byte[] TGS(string userName, string domain, Ticket providedTicket, EncryptionKey key,
                                 string service, bool ptt, string domainController = "", bool display = true)
        {
            if (display)
            {
                Console.WriteLine("[*] Action: Ask TGS\r\n");
            }

            // Resolve the KDC first; nothing else can proceed without one.
            string kdcAddress = Networking.GetDCIP(domainController, display);
            if (string.IsNullOrEmpty(kdcAddress))
            {
                return null;
            }

            if (display)
            {
                Console.WriteLine("[*] Building TGS-REQ request for: '{0}'", service);
            }

            byte[] request = TGS_REQ.NewTGSReq(userName, domain, service, providedTicket, key.keyvalue, key.keytype, false);
            byte[] reply   = Networking.SendBytes(kdcAddress, 88, request);   // 88 = Kerberos port
            if (reply == null)
            {
                return null;
            }

            // Decode the wire bytes; 'false' tolerates trailing bytes after the DER structure.
            AsnElt replyAsn       = AsnElt.Decode(reply, false);
            int    applicationTag = replyAsn.TagValue;

            switch (applicationTag)
            {
                case 30:
                    // APPLICATION 30 = KRB-ERROR (RFC 4120)
                    KRB_ERROR error = new KRB_ERROR(replyAsn.FirstElement);
                    Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.ErrorCode, (Interop.KERBEROS_ERROR)error.ErrorCode);
                    return null;

                case 13:
                    // APPLICATION 13 = TGS-REP (RFC 4120); handled below
                    break;

                default:
                    Console.WriteLine("\r\n[X] Unknown application tag: {0}", applicationTag);
                    return null;
            }

            Console.WriteLine("[+] TGS request successful!");
            TGS_REP rep = new TGS_REP(replyAsn);

            // Key usage 8: TGS-REP enc-part encrypted under the TGS session key (RFC 4120 §7.5.1).
            byte[] plain = Crypto.KerberosDecrypt(key.keytype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY,
                                                  key.keyvalue, rep.enc_part.cipher);
            EncKDCRepPart encRepPart = new EncKDCRepPart(AsnElt.Decode(plain, false).FirstElement);

            // KrbCredInfo mirrors the decrypted reply; bracketed numbers are the KrbCredInfo field tags.
            KrbCredInfo info = new KrbCredInfo
            {
                key        = { keytype = encRepPart.key.keytype, keyvalue = encRepPart.key.keyvalue },      // [0] session key
                prealm     = encRepPart.realm,                                                               // [1]
                pname      = { name_type = rep.cname.name_type, name_string = rep.cname.name_string },       // [2] client principal
                flags      = encRepPart.flags,                                                               // [3]
                                                                                                             // [4] authtime is not carried over
                starttime  = encRepPart.starttime,                                                           // [5]
                endtime    = encRepPart.endtime,                                                             // [6]
                renew_till = encRepPart.renew_till,                                                          // [7]
                srealm     = encRepPart.realm,                                                               // [8]
                sname      = { name_type = encRepPart.sname.name_type, name_string = encRepPart.sname.name_string }, // [9]
            };

            KRB_CRED cred = new KRB_CRED();
            cred.Tickets.Add(rep.ticket);
            cred.EncryptedPart.ticket_info.Add(info);
            byte[] kirbiBytes = cred.Encode().Encode();

            if (display)
            {
                Helpers.DisplayKerberosTicket(kirbiBytes);
                if (ptt)
                {
                    LSA.ImportTicket(kirbiBytes);
                }
            }
            return kirbiBytes;
        }