/// <summary> /// Construct an kerbcred EncryptedData. /// </summary> /// <param name="key">The key to do encryption.</param> /// <returns>The EncKrbCredPart.</returns> private EncKrbCredPart ConstrutCredEncryptedData(EncryptionKey key) { EncKrbCredPart encKrbCred = new EncKrbCredPart(); encKrbCred.nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks)); encKrbCred.timestamp = new KerberosTime(KileUtility.GetCurrentUTCTime()); encKrbCred.usec = new Microseconds(0); encKrbCred.s_address = new HostAddress(new KerbInt32((int)AddressType.NetBios), new Asn1OctetString(Dns.GetHostName())); KrbCredInfo[] krbCredInfo = new KrbCredInfo[1]; krbCredInfo[0] = new KrbCredInfo(); krbCredInfo[0].key = key; encKrbCred.ticket_info = new Asn1SequenceOf <KrbCredInfo>(krbCredInfo); return(encKrbCred); }
//FROM TGS_REP public static byte[] toKirbi(KrbTgsRep tgsRep, KrbEncTgsRepPart tgsDecryptedRepPart, bool ptt = false) { //KrbCredInfo::= SEQUENCE { // key[0] EncryptionKey, //prealm[1] Realm OPTIONAL, //pname[2] PrincipalName OPTIONAL, //flags[3] TicketFlags OPTIONAL, //authtime[4] KerberosTime OPTIONAL, //starttime[5] KerberosTime OPTIONAL, //endtime[6] KerberosTime OPTIONAL //renew - till[7] KerberosTime OPTIONAL, //srealm[8] Realm OPTIONAL, //sname[9] PrincipalName OPTIONAL, //caddr[10] HostAddresses OPTIONAL //} var info = new KrbCredInfo() { Key = tgsDecryptedRepPart.Key, Realm = tgsDecryptedRepPart.Realm, PName = tgsRep.CName, Flags = tgsDecryptedRepPart.Flags, StartTime = tgsDecryptedRepPart.StartTime, EndTime = tgsDecryptedRepPart.EndTime, RenewTill = tgsDecryptedRepPart.RenewTill, SRealm = tgsDecryptedRepPart.Realm, SName = tgsDecryptedRepPart.SName }; //EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { //ticket-info[0] SEQUENCE OF KrbCredInfo, //nonce[1] INTEGER OPTIONAL, //timestamp[2] KerberosTime OPTIONAL, //usec[3] INTEGER OPTIONAL, //s-address[4] HostAddress OPTIONAL, //r-address[5] HostAddress OPTIONAL //} KrbCredInfo[] infos = { info }; var encCredPart = new KrbEncKrbCredPart() { TicketInfo = infos }; //KRB-CRED ::= [APPLICATION 22] SEQUENCE { //pvno[0] INTEGER, //msg - type[1] INTEGER, --KRB_CRED //tickets[2] SEQUENCE OF Ticket, //enc - part[3] EncryptedData //} var myCred = new KrbCred(); myCred.ProtocolVersionNumber = 5; myCred.MessageType = MessageType.KRB_CRED; KrbTicket[] tickets = { tgsRep.Ticket }; myCred.Tickets = tickets; var encryptedData = new KrbEncryptedData() { Cipher = encCredPart.EncodeApplication(), }; myCred.EncryptedPart = encryptedData; byte[] kirbiBytes = myCred.EncodeApplication().ToArray(); string kirbiString = Convert.ToBase64String(kirbiBytes); if (ptt) { LSA.ImportTicket(kirbiBytes, new LUID()); } return(kirbiBytes); }
public static TicketCacheEntry ConvertKrbCredToCacheEntry(KrbEncKrbCredPart credPart, KrbTicket ticket, KrbCredInfo ticketInfo) { var key = new byte[ticketInfo.Key.KeyValue.Length]; ticketInfo.Key.KeyValue.CopyTo(key); var usage = KeyUsage.EncTgsRepPartSessionKey; var sessionKey = new KrbEncryptionKey { EType = ticketInfo.Key.EType, Usage = usage, KeyValue = key }; var kdcRepData = new KrbEncTgsRepPart { AuthTime = ticketInfo.AuthTime ?? DateTimeOffset.UtcNow, EndTime = ticketInfo.EndTime ?? DateTimeOffset.MaxValue, Flags = ticketInfo.Flags, Key = sessionKey, Nonce = credPart.Nonce ?? 0, Realm = ticketInfo.Realm, RenewTill = ticketInfo.RenewTill, SName = ticketInfo.SName, StartTime = ticketInfo.StartTime ?? DateTimeOffset.MinValue, LastReq = Array.Empty <KrbLastReq>() }; return(new TicketCacheEntry { Key = ticket.SName.FullyQualifiedName, Expires = ticketInfo.EndTime ?? DateTimeOffset.MaxValue, RenewUntil = ticketInfo.RenewTill, Value = new KerberosClientCacheEntry { SessionKey = sessionKey, AuthTime = kdcRepData.AuthTime, StartTime = kdcRepData.StartTime, EndTime = kdcRepData.EndTime, RenewTill = kdcRepData.RenewTill, Flags = kdcRepData.Flags, SName = kdcRepData.SName, KdcResponse = new KrbTgsRep { Ticket = ticket, CName = ticketInfo.PName, CRealm = ticketInfo.Realm, EncPart = KrbEncryptedData.Encrypt(kdcRepData.EncodeApplication(), sessionKey.AsKey(), usage) } } }); }
//FROM TGS public static byte[] toKirbi(KrbTicket tgs, string srvName, string srvHash, EncryptionType etype, string service, bool ptt = false, bool verbose = false) { var kerbCred = new Utils.KerberosHashCreds(srvName, srvHash, etype); var ticketDecrypted = tgs.EncryptedPart.Decrypt (kerbCred.CreateKey(), KeyUsage.Ticket, b => KrbEncTicketPart.DecodeApplication(b)); //KrbCredInfo::= SEQUENCE { // key[0] EncryptionKey, //prealm[1] Realm OPTIONAL, //pname[2] PrincipalName OPTIONAL, //flags[3] TicketFlags OPTIONAL, //authtime[4] KerberosTime OPTIONAL, //starttime[5] KerberosTime OPTIONAL, //endtime[6] KerberosTime OPTIONAL //renew - till[7] KerberosTime OPTIONAL, //srealm[8] Realm OPTIONAL, //sname[9] PrincipalName OPTIONAL, //caddr[10] HostAddresses OPTIONAL //} string srvHost = null; if (srvName.Contains("$")) { srvHost = srvName.Replace("$", string.Empty) + "." + ticketDecrypted.CRealm; } else { srvHost = srvName; } var info = new KrbCredInfo() { Key = ticketDecrypted.Key, Realm = ticketDecrypted.CRealm, PName = ticketDecrypted.CName, Flags = ticketDecrypted.Flags, StartTime = ticketDecrypted.StartTime, EndTime = ticketDecrypted.EndTime, RenewTill = ticketDecrypted.RenewTill, SRealm = ticketDecrypted.CRealm, SName = new KrbPrincipalName() { Type = PrincipalNameType.NT_SRV_INST, Name = new[] { service, srvHost } } }; //EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { //ticket-info[0] SEQUENCE OF KrbCredInfo, //nonce[1] INTEGER OPTIONAL, //timestamp[2] KerberosTime OPTIONAL, //usec[3] INTEGER OPTIONAL, //s-address[4] HostAddress OPTIONAL, //r-address[5] HostAddress OPTIONAL //} KrbCredInfo[] infos = { info }; var encCredPart = new KrbEncKrbCredPart() { TicketInfo = infos }; //KRB-CRED ::= [APPLICATION 22] SEQUENCE { //pvno[0] INTEGER, //msg - type[1] INTEGER, --KRB_CRED //tickets[2] SEQUENCE OF Ticket, //enc - part[3] EncryptedData //} var myCred = new KrbCred(); myCred.ProtocolVersionNumber = 5; myCred.MessageType = MessageType.KRB_CRED; KrbTicket[] tickets = { tgs }; myCred.Tickets = tickets; //https://github.com/dirkjanm/krbrelayx/blob/master/lib/utils/kerberos.py#L220 //No Encryption for KRB-CRED var encryptedData = new KrbEncryptedData() { Cipher = encCredPart.EncodeApplication() }; myCred.EncryptedPart = encryptedData; byte[] kirbiBytes = myCred.EncodeApplication().ToArray(); string kirbiString = Convert.ToBase64String(kirbiBytes); if (ptt) { LSA.ImportTicket(kirbiBytes, new LUID()); } else { Console.WriteLine("[+] SliverTicket Ticket Kirbi:"); Console.WriteLine(" - {0}", kirbiString); } if (verbose) { Console.WriteLine("[*] Ticket Info:"); PrintFunc.PrintKirbi(kirbiString); } return(kirbiBytes); }