// EncKDCRepPart ::= SEQUENCE {
//     key                 [0]  EncryptionKey,
//     last-req            [1]  LastReq,
//     nonce               [2]  UInt32,
//     key-expiration      [3]  KerberosTime OPTIONAL,
//     flags               [4]  TicketFlags,
//     authtime            [5]  KerberosTime,
//     starttime           [6]  KerberosTime OPTIONAL,
//     endtime             [7]  KerberosTime,
//     renew-till          [8]  KerberosTime OPTIONAL,
//     srealm              [9]  Realm,
//     sname               [10] PrincipalName,
//     caddr               [11] HostAddresses OPTIONAL,
//     encrypted-pa-data   [12] SEQUENCE OF PA-DATA OPTIONAL
// }
//
// Populates this instance from an already-decoded EncKDCRepPart SEQUENCE.
// Every sub-element is dispatched on its context tag; caddr [11],
// encrypted-pa-data [12] and any unexpected tag are ignored. The SEQUENCE
// normally originates from a decrypted KDC reply, so a structurally
// malformed element (for example a missing Sub[0]) surfaces as an exception
// from the AsnElt accessors rather than being reported here.
public EncKDCRepPart(AsnElt body)
{
    foreach (AsnElt field in body.Sub)
    {
        switch (field.TagValue)
        {
            case 0:
                key = new EncryptionKey(field);
                break;

            case 1:
                lastReq = new LastReq(field.Sub[0]);
                break;

            case 2:
                nonce = Convert.ToUInt32(field.Sub[0].GetInteger());
                break;

            case 3:
                key_expiration = field.Sub[0].GetTime();
                break;

            case 4:
            {
                // The flags are carried as an unsigned 32-bit integer; the same
                // bit pattern is reinterpreted as a signed int before the enum
                // cast (unchecked cast is bit-identical to a BitConverter round-trip).
                UInt32 rawFlags = Convert.ToUInt32(field.Sub[0].GetInteger());
                flags = (Interop.TicketFlags)unchecked((int)rawFlags);
                break;
            }

            case 5:
                authtime = field.Sub[0].GetTime();
                break;

            case 6:
                starttime = field.Sub[0].GetTime();
                break;

            case 7:
                endtime = field.Sub[0].GetTime();
                break;

            case 8:
                renew_till = field.Sub[0].GetTime();
                break;

            case 9:
                // Realm is decoded as ASCII from the octet string payload.
                realm = Encoding.ASCII.GetString(field.Sub[0].GetOctetString());
                break;

            case 10:
                // sname (optional)
                sname = new PrincipalName(field.Sub[0]);
                break;

            case 11: // HostAddresses, not parsed
            case 12: // encrypted-pa-data, not parsed
            default:
                break;
        }
    }
}
/// <summary>
/// Performs a TGS-REQ / TGS-REP exchange for <paramref name="service"/> using
/// <paramref name="providedTicket"/> and its session <paramref name="key"/>, then
/// packages the returned ticket as an encoded KRB-CRED byte array.
/// </summary>
/// <param name="userName">Client name passed to the TGS-REQ builder.</param>
/// <param name="domain">Domain/realm passed to the TGS-REQ builder.</param>
/// <param name="providedTicket">Ticket presented in the TGS-REQ.</param>
/// <param name="key">Key whose keytype/keyvalue are used both to build the request and to decrypt the reply's enc-part.</param>
/// <param name="service">Service name the ticket is requested for.</param>
/// <param name="ptt">When true, the resulting ticket is imported via <c>LSA.ImportTicket</c> — but only if <paramref name="display"/> is also true (see the nested check below).</param>
/// <param name="domainController">Optional DC hint; resolved to an IP through <c>Networking.GetDCIP</c>.</param>
/// <param name="display">Controls the informational output and the ticket dump. The "[+] TGS request successful!" line and the "[X]" error lines are printed regardless of this flag.</param>
/// <returns>
/// The encoded KRB-CRED bytes on success; null when the DC could not be resolved,
/// no response was received, or the KDC answered with a KRB-ERROR or an unknown
/// application tag.
/// </returns>
/// <remarks>
/// The response is untrusted network data and no exception handling is done here:
/// a decode failure in <c>AsnElt.Decode</c>, a decryption failure in
/// <c>Crypto.KerberosDecrypt</c>, or a malformed reply structure propagates to the caller.
/// </remarks>
public static byte[] TGS(string userName, string domain, Ticket providedTicket, EncryptionKey key, string service, bool ptt, string domainController = "", bool display = true)
{
    if (display)
    {
        Console.WriteLine("[*] Action: Ask TGS\r\n");
    }

    // Resolve the KDC to talk to; an empty result means resolution failed.
    string dcIP = Networking.GetDCIP(domainController, display);
    if (string.IsNullOrEmpty(dcIP))
    {
        return(null);
    }

    if (display)
    {
        Console.WriteLine("[*] Building TGS-REQ request for: '{0}'", service);
    }

    byte[] tgsBytes = TGS_REQ.NewTGSReq(userName, domain, service, providedTicket, key.keyvalue, key.keytype, false);

    // Kerberos KDC port 88; a null response means the exchange failed.
    byte[] response = Networking.SendBytes(dcIP, 88, tgsBytes);
    if (response == null)
    {
        return(null);
    }

    // decode the supplied bytes to an AsnElt object
    // false == ignore trailing garbage
    AsnElt responseAsn = AsnElt.Decode(response, false);

    // check the response value
    // APPLICATION tag 13 = KRB-TGS-REP, 30 = KRB-ERROR (RFC 4120)
    int responseTag = responseAsn.TagValue;

    if (responseTag == 13)
    {
        // NOTE(review): printed even when display == false, unlike the other
        // informational lines in this method.
        Console.WriteLine("[+] TGS request successful!");

        // parse the response to an TGS-REP
        TGS_REP rep = new TGS_REP(responseAsn);

        // KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
        // The enc-part is decrypted with the caller-supplied key; a wrong key or
        // a tampered reply fails inside KerberosDecrypt and is not caught here.
        byte[] outBytes = Crypto.KerberosDecrypt(key.keytype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key.keyvalue, rep.enc_part.cipher);
        AsnElt ae = AsnElt.Decode(outBytes, false);
        EncKDCRepPart encRepPart = new EncKDCRepPart(ae.FirstElement);

        // now build the final KRB-CRED structure
        KRB_CRED cred = new KRB_CRED();

        // add the ticket
        cred.Tickets.Add(rep.ticket);

        // build the EncKrbCredPart/KrbCredInfo parts from the ticket and the data in the encRepPart
        // NOTE(review): info.key, info.pname and info.sname are dereferenced
        // below without null checks — presumably initialized by the KrbCredInfo
        // constructor; verify against that type.
        KrbCredInfo info = new KrbCredInfo();

        // [0] add in the session key
        info.key.keytype = encRepPart.key.keytype;
        info.key.keyvalue = encRepPart.key.keyvalue;

        // [1] prealm (domain)
        info.prealm = encRepPart.realm;

        // [2] pname (user)
        info.pname.name_type = rep.cname.name_type;
        info.pname.name_string = rep.cname.name_string;

        // [3] flags
        info.flags = encRepPart.flags;

        // [4] authtime (not required)

        // [5] starttime
        info.starttime = encRepPart.starttime;

        // [6] endtime
        info.endtime = encRepPart.endtime;

        // [7] renew-till
        info.renew_till = encRepPart.renew_till;

        // [8] srealm
        info.srealm = encRepPart.realm;

        // [9] sname
        info.sname.name_type = encRepPart.sname.name_type;
        info.sname.name_string = encRepPart.sname.name_string;

        // add the ticket_info into the cred object
        cred.EncryptedPart.ticket_info.Add(info);

        byte[] kirbiBytes = cred.Encode().Encode();

        // NOTE(review): ptt is only honored inside the display branch; with
        // display == false the ticket is returned but never imported.
        if (display)
        {
            Helpers.DisplayKerberosTicket(kirbiBytes);

            if (ptt)
            {
                // pass-the-ticket -> import into LSASS
                LSA.ImportTicket(kirbiBytes);
            }
        }

        return(kirbiBytes);
    }
    else if (responseTag == 30)
    {
        // parse the response to an KRB-ERROR
        // Error lines are printed regardless of the display flag.
        KRB_ERROR error = new KRB_ERROR(responseAsn.FirstElement);
        Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.ErrorCode, (Interop.KERBEROS_ERROR)error.ErrorCode);
    }
    else
    {
        Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
    }
    return(null);
}