Example #1
0
        private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, byte[] data)
        {
            var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data);

            if (kerberosPacket is null)
            {
                return(null);
            }

            if (kerberosPacket is KerberosTgsRepPacket)
            {
                var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;

                if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23)
                {
                    return(new KerberosTgsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosTgsRepPacket.Ticket.Realm,
                        Etype = 23,
                        Username = kerberosTgsRepPacket.Cname.Name,
                        ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = "UDP",
                        HashType = "Kerberos TGS Rep Etype 23"
                    });
                }
            }

            return(null);
        }
Example #2
0
        private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data)
        {
            var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data);

            if (kerberosPacket is null)
            {
                return(null);
            }

            // TODO: refactor this boilerplate code
            if (kerberosPacket is KerberosTgsRepPacket)
            {
                var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;

                if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23)
                {
                    return(new KerberosTgsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosTgsRepPacket.Ticket.Realm,
                        Etype = 23,
                        Username = kerberosTgsRepPacket.Cname.Name,
                        ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = "Kerberos V5 TGS-REP etype 23"
                    });
                }
            }
            else if (kerberosPacket is KerberosAsRepPacket)
            {
                var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket;

                if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23)
                {
                    return(new KerberosAsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosAsRepPacket.Ticket.Realm,
                        Etype = 23,
                        Username = kerberosAsRepPacket.Cname.Name,
                        ServiceName = kerberosAsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = "Kerberos V5 AS-REP etype 23"
                    });
                }
            }

            return(null);
        }
        private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data)
        {
            var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data, protocol);

            if (kerberosPacket is null)
            {
                return(null);
            }

            // TODO: use enum for hashes types
            if (kerberosPacket is KerberosTgsRepPacket)
            {
                var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;

                if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 18 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 17)
                {
                    return(new KerberosTgsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosTgsRepPacket.Ticket.Realm,
                        Etype = kerberosTgsRepPacket.Ticket.EncrytedPart.Etype,
                        Username = kerberosTgsRepPacket.Cname.Name,
                        ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = $"Kerberos V5 TGS-REP etype {kerberosTgsRepPacket.Ticket.EncrytedPart.Etype}"
                    });
                }
            }
            else if (kerberosPacket is KerberosAsRepPacket)
            {
                var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket;

                if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 18)
                {
                    return(new KerberosAsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosAsRepPacket.Ticket.Realm,
                        Etype = kerberosAsRepPacket.Ticket.EncrytedPart.Etype,
                        Username = kerberosAsRepPacket.Cname.Name,
                        ServiceName = kerberosAsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = $"Kerberos V5 AS-REP etype {kerberosAsRepPacket.Ticket.EncrytedPart.Etype}"
                    });
                }
            }

            return(null);
        }