private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, byte[] data)
{
var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data);
if (kerberosPacket is null)
{
return(null);
}
if (kerberosPacket is KerberosTgsRepPacket)
{
var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;
if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23)
{
return(new KerberosTgsRepHash()
{
Source = source,
Destination = destination,
Realm = kerberosTgsRepPacket.Ticket.Realm,
Etype = 23,
Username = kerberosTgsRepPacket.Cname.Name,
ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
Protocol = "UDP",
HashType = "Kerberos TGS Rep Etype 23"
});
}
}
return(null);
}
private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data)
{
var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data);
if (kerberosPacket is null)
{
return(null);
}
// TODO: refactor this boilerplate code
if (kerberosPacket is KerberosTgsRepPacket)
{
var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;
if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23)
{
return(new KerberosTgsRepHash()
{
Source = source,
Destination = destination,
Realm = kerberosTgsRepPacket.Ticket.Realm,
Etype = 23,
Username = kerberosTgsRepPacket.Cname.Name,
ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
Protocol = protocol,
HashType = "Kerberos V5 TGS-REP etype 23"
});
}
}
else if (kerberosPacket is KerberosAsRepPacket)
{
var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket;
if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23)
{
return(new KerberosAsRepHash()
{
Source = source,
Destination = destination,
Realm = kerberosAsRepPacket.Ticket.Realm,
Etype = 23,
Username = kerberosAsRepPacket.Cname.Name,
ServiceName = kerberosAsRepPacket.Ticket.Sname.Name,
Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher),
Protocol = protocol,
HashType = "Kerberos V5 AS-REP etype 23"
});
}
}
return(null);
}
private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data)
{
var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data, protocol);
if (kerberosPacket is null)
{
return(null);
}
// TODO: use enum for hashes types
if (kerberosPacket is KerberosTgsRepPacket)
{
var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;
if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 18 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 17)
{
return(new KerberosTgsRepHash()
{
Source = source,
Destination = destination,
Realm = kerberosTgsRepPacket.Ticket.Realm,
Etype = kerberosTgsRepPacket.Ticket.EncrytedPart.Etype,
Username = kerberosTgsRepPacket.Cname.Name,
ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
Protocol = protocol,
HashType = $"Kerberos V5 TGS-REP etype {kerberosTgsRepPacket.Ticket.EncrytedPart.Etype}"
});
}
}
else if (kerberosPacket is KerberosAsRepPacket)
{
var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket;
if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 18)
{
return(new KerberosAsRepHash()
{
Source = source,
Destination = destination,
Realm = kerberosAsRepPacket.Ticket.Realm,
Etype = kerberosAsRepPacket.Ticket.EncrytedPart.Etype,
Username = kerberosAsRepPacket.Cname.Name,
ServiceName = kerberosAsRepPacket.Ticket.Sname.Name,
Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher),
Protocol = protocol,
HashType = $"Kerberos V5 AS-REP etype {kerberosAsRepPacket.Ticket.EncrytedPart.Etype}"
});
}
}
return(null);
}
