private async Task DecodeTicket(string ticket, string encryptedPassword, string name, string realm)
{
string decryptedKey = DecryptKey(encryptedPassword);
var keys = new KeyTable(
new KerberosKey(decryptedKey, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { name }))
);
var validator = new KerberosValidator(keys);
ticket = RemoveNegotiate(ticket);
var validated = await validator.Validate(Convert.FromBase64String(ticket));
var authenticator = new KerberosAuthenticator(keys);
var identity = await authenticator.Authenticate(ticket) as KerberosIdentity;
var formatted = FormatSerialize(new
{
Decrypted = validated,
Identity = new
{
identity.Name,
identity.Restrictions,
identity.ValidationMode,
Claims = identity.Claims.Select(c => new { c.Type, c.Value })
}
});
ViewData["Ticket"] = formatted;
}
public async Task DelegationRetrieval()
{
var validator = new KerberosValidator(new KerberosKey("P@ssw0rd!"))
{
ValidateAfterDecrypt = DefaultActions
};
var data = await validator.Validate(Convert.FromBase64String(TicketContainingDelegation));
Assert.IsNotNull(data);
var cred = data.DelegationTicket;
Assert.IsNotNull(cred);
Assert.AreEqual(1, cred.TicketInfo.Count());
var ticket = cred.TicketInfo.First();
Assert.AreEqual("Administrator", ticket.PName.Name.First());
Assert.AreEqual("krbtgt/CORP.IDENTITYINTERVENTION.COM", ticket.SName.FullyQualifiedName);
Assert.IsNotNull(ticket.Key);
Assert.IsNotNull(ticket.Key.KeyValue);
}
private async Task <string> Decode(string ticket, KeyTable key)
{
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = ValidationActions.Pac
};
var ticketBytes = Convert.FromBase64String(ticket);
var decrypted = await validator.Validate(ticketBytes);
var request = KerberosRequest.Parse(ticketBytes);
var keytableFormat = GenerateFormattedKeyTable(key);
var authenticated = await new KerberosAuthenticator(validator).Authenticate(ticketBytes);
return(FormatSerialize(new
{
Request = request,
Decrypted = decrypted,
Identity = authenticated.Claims.Select(c => new { c.Type, c.Value }),
KeyTable = keytableFormat
}));
}
private async Task <string> Decode(string ticket, KeyTable key)
{
ticket = StripWhitespace(ticket);
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = ValidationActions.Pac
};
var ticketBytes = Convert.FromBase64String(ticket);
var decrypted = await validator.Validate(ticketBytes);
var request = MessageParser.Parse(ticketBytes);
var keytableFormat = GenerateFormattedKeyTable(key);
var authenticated = await new KerberosAuthenticator(validator).Authenticate(ticketBytes) as KerberosIdentity;
return(FormatSerialize(new
{
Request = request,
Decrypted = decrypted,
Identity = new
{
authenticated.Name,
authenticated.Restrictions,
authenticated.ValidationMode,
Claims = authenticated.Claims.Select(c => new { c.Type, c.Value })
},
KeyTable = keytableFormat
}));
}
public async Task LogsKeyTableDataOnFailure()
{
FakeExceptionLoggerFactory logger = new FakeExceptionLoggerFactory();
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("aes128-key-data");
var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT), logger)
{
ValidateAfterDecrypt = DefaultActions
};
bool throws = false;
try
{
await validator.Validate(data);
}
catch (SecurityException ex)
{
throws = true;
Assert.AreEqual(ex, logger.Exceptions.First());
}
Assert.IsTrue(throws);
Assert.IsTrue(logger.Logs.Any(l => l.ToLowerInvariant().Contains("keytab")));
}
public async Task NegoExFirstClassUnsupported()
{
var validator = new KerberosValidator(new KerberosKey())
{
ValidateAfterDecrypt = DefaultActions
};
await validator.Validate(Convert.FromBase64String(NegoExStart));
}
public async Task KerberosValidatorExpiredTicket()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(key);
await validator.Validate(data);
}
public async Task TestKerberosValidatorBadKey()
{
var data = ReadFile("aes128-kerberos-data");
var key = ReadFile("rc4-key-data");
var validator = new KerberosValidator(key);
await validator.Validate(data);
}
public async Task User2UserFirstClassUnsupported()
{
var validator = new KerberosValidator(new KerberosKey(key: new byte[16]))
{
ValidateAfterDecrypt = DefaultActions
};
await validator.Validate(Convert.FromBase64String(U2UStart));
}
public async Task KerberosValidatorExpiredTicket()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT));
await validator.Validate(data);
}
private KerberosAuthenticator CreateAuthenticator()
{
// This could be done with DI and a factory pattern, but we're keeping it simple here.
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Options.Domain, new[] { Options.UserName });
var key = new KerberosKey(Options.Password, principalName, Options.Password);
var validator = new KerberosValidator(key);
var authenticator = new KerberosAuthenticator(validator);
return(authenticator);
}
private static async Task <DecryptedKrbApReq> GeneratePacWithoutClaims()
{
var validator = new KerberosValidator(ReadDataFile("rc4-key-data"))
{
ValidateAfterDecrypt = DefaultActions
};
var result = await validator.Validate(ReadDataFile("rc4-kerberos-data"));
return(result);
}
private static async Task <DecryptedKrbApReq> GeneratePacContainingClaims()
{
var validator = new KerberosValidator(new KerberosKey("P@ssw0rd!"))
{
ValidateAfterDecrypt = DefaultActions
};
var result = await validator.Validate(Convert.FromBase64String(RC4Ticket_Claims));
return(result);
}
public KerberosEndToEndMiddleware(NextFunc next)
{
this.next = next;
// NOTE: ValidateAfterDecrypt is a dangerous flag. It should only be used for samples
validator = new KerberosValidator(new KerberosKey("P@ssw0rd!"))
{
ValidateAfterDecrypt = ValidationActions.None
};
}
public async Task KerberosValidatorBadKey()
{
var data = ReadDataFile("aes128-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.AES128_CTS_HMAC_SHA1_96))
{
ValidateAfterDecrypt = DefaultActions
};
await validator.Validate(data);
}
public async Task TestKerberosValidatorBadKey()
{
var data = ReadDataFile("aes128-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = DefaultActions
};
await validator.Validate(data);
}
public async Task KerberosValidatorTimeOffset()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(key);
validator.Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture);
var result = await validator.Validate(data);
Assert.IsNotNull(result);
}
public async Task TestKerberosValidator()
{
var data = ReadFile("rc4-kerberos-data");
var key = ReadFile("rc4-key-data");
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = DefaultActions
};
var result = await validator.Validate(data);
Assert.IsNotNull(result);
}
public async Task ValidatorReplayCache()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(key);
validator.Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture);
await validator.Validate(data);
await validator.Validate(data);
}
public async Task KerberosValidatorTimeOffset()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT))
{
Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture)
};
var result = await validator.Validate(data);
Assert.IsNotNull(result);
}
public async Task KerberosValidatorNone()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = ValidationActions.None
};
var result = await validator.Validate(data);
Assert.IsNotNull(result);
}
public async Task KerberosValidator()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT))
{
ValidateAfterDecrypt = DefaultActions
};
var result = await validator.Validate(data);
Assert.IsNotNull(result);
}
public async Task ValidatorReplayCache()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT))
{
Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture)
};
await validator.Validate(data);
await validator.Validate(data);
}
public async Task <ClaimsIdentity> Authenticate(IKeyIdentifier id, string token, string scheme = null)
{
var key = await storage.GetKey(id);
var kerbKey = key.RetrieveKey <byte[]>();
var validator = new KerberosValidator(
new KeyTable(
new KerberosKey(kerbKey)
)
);
var authenticator = new KerberosAuthenticator(validator);
return(await authenticator.Authenticate(token));
}
private async Task <string> Decode(string ticket, KeyTable key)
{
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = ValidationActions.None
};
var ticketBytes = Convert.FromBase64String(ticket);
var decrypted = await validator.Validate(ticketBytes);
var request = KerberosRequest.Parse(ticketBytes);
var keytableFormat = GenerateFormattedKeyTable(key);
return(FormatSerialize(new { Request = request, Decrypted = decrypted, KeyTable = keytableFormat }));
}
public async Task TestParseClaims()
{
var validator = new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(RC4Ticket_Claims);
Assert.IsNotNull(result);
Assert.IsTrue(result.Claims.Count() > 0);
Assert.IsTrue(result.Claims.Any(c => c.Type == "ad://ext/employeeType:88d4d68c56082042" && c.Value == "lazy"));
Assert.AreEqual(2, result.Claims.Count(c => c.Type == "ad://ext/localeID:88d4d68c6aa51687"));
}
public async Task TestValidatorClaimsPresent()
{
var validator = new KerberosValidator(new KeyTable(ReadFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(RC4Ticket);
Assert.IsNotNull(result);
Assert.IsTrue(result.Claims.Count() > 0);
var validation = result.Claims.First(c => c.Type == "Validated");
Assert.AreEqual("ClientPrincipalIdentifier Realm Replay Pac", validation.Value);
}
private static async Task <PrivilegedAttributeCertificate> GeneratePac()
{
var data = ReadDataFile("rc4-kerberos-data");
var key = ReadDataFile("rc4-key-data");
var validator = new KerberosValidator(key)
{
ValidateAfterDecrypt = DefaultActions
};
var result = await validator.Validate(data);
var pac = result.Ticket.AuthorizationData
.Where(d => d.Type == AuthorizationDataType.AdIfRelevant)
.Select(d => d.DecodeAdIfRelevant()
.Where(a => a.Type == AuthorizationDataType.AdWin2kPac)
).First();
return(new PrivilegedAttributeCertificate(pac.First().Data.ToArray()));
}
private static async Task <DecryptedKrbApReq> GeneratePacWithoutClaims()
{
var validator = new KerberosValidator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { "*****@*****.**" }
),
saltType: SaltType.ActiveDirectoryUser
)
)
)
{
ValidateAfterDecrypt = DefaultActions
};
return(await validator.Validate(Convert.FromBase64String(S4UProxyTicket)));
}
private static async System.Threading.Tasks.Task MainAsync()
{
foreach (var f in Files)
{
var data = File.ReadAllBytes("data\\" + f.Key);
var key = File.ReadAllBytes("data\\" + f.Value);
W($"Decrypting {f.Key} with key {f.Value}", ConsoleColor.Green);
var validator = new KerberosValidator(key)
{
//Logger = W,
ValidateAfterDecrypt = ValidationActions.Replay
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(data);
;
if (result == null)
{
throw new InvalidDataException("Could not decrypt token");
}
foreach (var c in result.Claims.OrderBy(c => c.Type))
{
W($"{c.Type}: {c.Value}");
}
W("");
;
}
;
}
