private async Task DecodeTicket(string ticket, string encryptedPassword, string name, string realm) { string decryptedKey = DecryptKey(encryptedPassword); var keys = new KeyTable( new KerberosKey(decryptedKey, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { name })) ); var validator = new KerberosValidator(keys); ticket = RemoveNegotiate(ticket); var validated = await validator.Validate(Convert.FromBase64String(ticket)); var authenticator = new KerberosAuthenticator(keys); var identity = await authenticator.Authenticate(ticket) as KerberosIdentity; var formatted = FormatSerialize(new { Decrypted = validated, Identity = new { identity.Name, identity.Restrictions, identity.ValidationMode, Claims = identity.Claims.Select(c => new { c.Type, c.Value }) } }); ViewData["Ticket"] = formatted; }
public async Task DelegationRetrieval() { var validator = new KerberosValidator(new KerberosKey("P@ssw0rd!")) { ValidateAfterDecrypt = DefaultActions }; var data = await validator.Validate(Convert.FromBase64String(TicketContainingDelegation)); Assert.IsNotNull(data); var cred = data.DelegationTicket; Assert.IsNotNull(cred); Assert.AreEqual(1, cred.TicketInfo.Count()); var ticket = cred.TicketInfo.First(); Assert.AreEqual("Administrator", ticket.PName.Name.First()); Assert.AreEqual("krbtgt/CORP.IDENTITYINTERVENTION.COM", ticket.SName.FullyQualifiedName); Assert.IsNotNull(ticket.Key); Assert.IsNotNull(ticket.Key.KeyValue); }
private async Task <string> Decode(string ticket, KeyTable key) { var validator = new KerberosValidator(key) { ValidateAfterDecrypt = ValidationActions.Pac }; var ticketBytes = Convert.FromBase64String(ticket); var decrypted = await validator.Validate(ticketBytes); var request = KerberosRequest.Parse(ticketBytes); var keytableFormat = GenerateFormattedKeyTable(key); var authenticated = await new KerberosAuthenticator(validator).Authenticate(ticketBytes); return(FormatSerialize(new { Request = request, Decrypted = decrypted, Identity = authenticated.Claims.Select(c => new { c.Type, c.Value }), KeyTable = keytableFormat })); }
private async Task <string> Decode(string ticket, KeyTable key) { ticket = StripWhitespace(ticket); var validator = new KerberosValidator(key) { ValidateAfterDecrypt = ValidationActions.Pac }; var ticketBytes = Convert.FromBase64String(ticket); var decrypted = await validator.Validate(ticketBytes); var request = MessageParser.Parse(ticketBytes); var keytableFormat = GenerateFormattedKeyTable(key); var authenticated = await new KerberosAuthenticator(validator).Authenticate(ticketBytes) as KerberosIdentity; return(FormatSerialize(new { Request = request, Decrypted = decrypted, Identity = new { authenticated.Name, authenticated.Restrictions, authenticated.ValidationMode, Claims = authenticated.Claims.Select(c => new { c.Type, c.Value }) }, KeyTable = keytableFormat })); }
public async Task LogsKeyTableDataOnFailure() { FakeExceptionLoggerFactory logger = new FakeExceptionLoggerFactory(); var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("aes128-key-data"); var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT), logger) { ValidateAfterDecrypt = DefaultActions }; bool throws = false; try { await validator.Validate(data); } catch (SecurityException ex) { throws = true; Assert.AreEqual(ex, logger.Exceptions.First()); } Assert.IsTrue(throws); Assert.IsTrue(logger.Logs.Any(l => l.ToLowerInvariant().Contains("keytab"))); }
public async Task NegoExFirstClassUnsupported() { var validator = new KerberosValidator(new KerberosKey()) { ValidateAfterDecrypt = DefaultActions }; await validator.Validate(Convert.FromBase64String(NegoExStart)); }
public async Task KerberosValidatorExpiredTicket() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(key); await validator.Validate(data); }
public async Task TestKerberosValidatorBadKey() { var data = ReadFile("aes128-kerberos-data"); var key = ReadFile("rc4-key-data"); var validator = new KerberosValidator(key); await validator.Validate(data); }
public async Task User2UserFirstClassUnsupported() { var validator = new KerberosValidator(new KerberosKey(key: new byte[16])) { ValidateAfterDecrypt = DefaultActions }; await validator.Validate(Convert.FromBase64String(U2UStart)); }
public async Task KerberosValidatorExpiredTicket() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT)); await validator.Validate(data); }
private KerberosAuthenticator CreateAuthenticator() { // This could be done with DI and a factory pattern, but we're keeping it simple here. var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Options.Domain, new[] { Options.UserName }); var key = new KerberosKey(Options.Password, principalName, Options.Password); var validator = new KerberosValidator(key); var authenticator = new KerberosAuthenticator(validator); return(authenticator); }
private static async Task <DecryptedKrbApReq> GeneratePacWithoutClaims() { var validator = new KerberosValidator(ReadDataFile("rc4-key-data")) { ValidateAfterDecrypt = DefaultActions }; var result = await validator.Validate(ReadDataFile("rc4-kerberos-data")); return(result); }
private static async Task <DecryptedKrbApReq> GeneratePacContainingClaims() { var validator = new KerberosValidator(new KerberosKey("P@ssw0rd!")) { ValidateAfterDecrypt = DefaultActions }; var result = await validator.Validate(Convert.FromBase64String(RC4Ticket_Claims)); return(result); }
public KerberosEndToEndMiddleware(NextFunc next) { this.next = next; // NOTE: ValidateAfterDecrypt is a dangerous flag. It should only be used for samples validator = new KerberosValidator(new KerberosKey("P@ssw0rd!")) { ValidateAfterDecrypt = ValidationActions.None }; }
public async Task KerberosValidatorBadKey() { var data = ReadDataFile("aes128-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.AES128_CTS_HMAC_SHA1_96)) { ValidateAfterDecrypt = DefaultActions }; await validator.Validate(data); }
public async Task TestKerberosValidatorBadKey() { var data = ReadDataFile("aes128-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(key) { ValidateAfterDecrypt = DefaultActions }; await validator.Validate(data); }
public async Task KerberosValidatorTimeOffset() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(key); validator.Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture); var result = await validator.Validate(data); Assert.IsNotNull(result); }
public async Task TestKerberosValidator() { var data = ReadFile("rc4-kerberos-data"); var key = ReadFile("rc4-key-data"); var validator = new KerberosValidator(key) { ValidateAfterDecrypt = DefaultActions }; var result = await validator.Validate(data); Assert.IsNotNull(result); }
public async Task ValidatorReplayCache() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(key); validator.Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture); await validator.Validate(data); await validator.Validate(data); }
public async Task KerberosValidatorTimeOffset() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT)) { Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture) }; var result = await validator.Validate(data); Assert.IsNotNull(result); }
public async Task KerberosValidatorNone() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(key) { ValidateAfterDecrypt = ValidationActions.None }; var result = await validator.Validate(data); Assert.IsNotNull(result); }
public async Task KerberosValidator() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT)) { ValidateAfterDecrypt = DefaultActions }; var result = await validator.Validate(data); Assert.IsNotNull(result); }
public async Task ValidatorReplayCache() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(new KerberosKey(key, etype: EncryptionType.RC4_HMAC_NT)) { Now = () => DateTimeOffset.Parse("1/9/2009 5:20:00 PM +00:00", CultureInfo.InvariantCulture) }; await validator.Validate(data); await validator.Validate(data); }
public async Task <ClaimsIdentity> Authenticate(IKeyIdentifier id, string token, string scheme = null) { var key = await storage.GetKey(id); var kerbKey = key.RetrieveKey <byte[]>(); var validator = new KerberosValidator( new KeyTable( new KerberosKey(kerbKey) ) ); var authenticator = new KerberosAuthenticator(validator); return(await authenticator.Authenticate(token)); }
private async Task <string> Decode(string ticket, KeyTable key) { var validator = new KerberosValidator(key) { ValidateAfterDecrypt = ValidationActions.None }; var ticketBytes = Convert.FromBase64String(ticket); var decrypted = await validator.Validate(ticketBytes); var request = KerberosRequest.Parse(ticketBytes); var keytableFormat = GenerateFormattedKeyTable(key); return(FormatSerialize(new { Request = request, Decrypted = decrypted, KeyTable = keytableFormat })); }
public async Task TestParseClaims() { var validator = new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(RC4Ticket_Claims); Assert.IsNotNull(result); Assert.IsTrue(result.Claims.Count() > 0); Assert.IsTrue(result.Claims.Any(c => c.Type == "ad://ext/employeeType:88d4d68c56082042" && c.Value == "lazy")); Assert.AreEqual(2, result.Claims.Count(c => c.Type == "ad://ext/localeID:88d4d68c6aa51687")); }
public async Task TestValidatorClaimsPresent() { var validator = new KerberosValidator(new KeyTable(ReadFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(RC4Ticket); Assert.IsNotNull(result); Assert.IsTrue(result.Claims.Count() > 0); var validation = result.Claims.First(c => c.Type == "Validated"); Assert.AreEqual("ClientPrincipalIdentifier Realm Replay Pac", validation.Value); }
private static async Task <PrivilegedAttributeCertificate> GeneratePac() { var data = ReadDataFile("rc4-kerberos-data"); var key = ReadDataFile("rc4-key-data"); var validator = new KerberosValidator(key) { ValidateAfterDecrypt = DefaultActions }; var result = await validator.Validate(data); var pac = result.Ticket.AuthorizationData .Where(d => d.Type == AuthorizationDataType.AdIfRelevant) .Select(d => d.DecodeAdIfRelevant() .Where(a => a.Type == AuthorizationDataType.AdWin2kPac) ).First(); return(new PrivilegedAttributeCertificate(pac.First().Data.ToArray())); }
private static async Task <DecryptedKrbApReq> GeneratePacWithoutClaims() { var validator = new KerberosValidator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { "*****@*****.**" } ), saltType: SaltType.ActiveDirectoryUser ) ) ) { ValidateAfterDecrypt = DefaultActions }; return(await validator.Validate(Convert.FromBase64String(S4UProxyTicket))); }
private static async System.Threading.Tasks.Task MainAsync() { foreach (var f in Files) { var data = File.ReadAllBytes("data\\" + f.Key); var key = File.ReadAllBytes("data\\" + f.Value); W($"Decrypting {f.Key} with key {f.Value}", ConsoleColor.Green); var validator = new KerberosValidator(key) { //Logger = W, ValidateAfterDecrypt = ValidationActions.Replay }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(data); ; if (result == null) { throw new InvalidDataException("Could not decrypt token"); } foreach (var c in result.Claims.OrderBy(c => c.Type)) { W($"{c.Type}: {c.Value}"); } W(""); ; } ; }