private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, byte[] data) { var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data); if (kerberosPacket is null) { return(null); } if (kerberosPacket is KerberosTgsRepPacket) { var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket; if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23) { return(new KerberosTgsRepHash() { Source = source, Destination = destination, Realm = kerberosTgsRepPacket.Ticket.Realm, Etype = 23, Username = kerberosTgsRepPacket.Cname.Name, ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name, Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher), Protocol = "UDP", HashType = "Kerberos TGS Rep Etype 23" }); } } return(null); }
private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data) { var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data); if (kerberosPacket is null) { return(null); } // TODO: refactor this boilerplate code if (kerberosPacket is KerberosTgsRepPacket) { var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket; if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23) { return(new KerberosTgsRepHash() { Source = source, Destination = destination, Realm = kerberosTgsRepPacket.Ticket.Realm, Etype = 23, Username = kerberosTgsRepPacket.Cname.Name, ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name, Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher), Protocol = protocol, HashType = "Kerberos V5 TGS-REP etype 23" }); } } else if (kerberosPacket is KerberosAsRepPacket) { var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket; if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23) { return(new KerberosAsRepHash() { Source = source, Destination = destination, Realm = kerberosAsRepPacket.Ticket.Realm, Etype = 23, Username = kerberosAsRepPacket.Cname.Name, ServiceName = kerberosAsRepPacket.Ticket.Sname.Name, Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher), Protocol = protocol, HashType = "Kerberos V5 AS-REP etype 23" }); } } return(null); }
private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data) { var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data, protocol); if (kerberosPacket is null) { return(null); } // TODO: use enum for hashes types if (kerberosPacket is KerberosTgsRepPacket) { var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket; if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 18 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 17) { return(new KerberosTgsRepHash() { Source = source, Destination = destination, Realm = kerberosTgsRepPacket.Ticket.Realm, Etype = kerberosTgsRepPacket.Ticket.EncrytedPart.Etype, Username = kerberosTgsRepPacket.Cname.Name, ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name, Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher), Protocol = protocol, HashType = $"Kerberos V5 TGS-REP etype {kerberosTgsRepPacket.Ticket.EncrytedPart.Etype}" }); } } else if (kerberosPacket is KerberosAsRepPacket) { var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket; if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 18) { return(new KerberosAsRepHash() { Source = source, Destination = destination, Realm = kerberosAsRepPacket.Ticket.Realm, Etype = kerberosAsRepPacket.Ticket.EncrytedPart.Etype, Username = kerberosAsRepPacket.Cname.Name, ServiceName = kerberosAsRepPacket.Ticket.Sname.Name, Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher), Protocol = protocol, HashType = $"Kerberos V5 AS-REP etype {kerberosAsRepPacket.Ticket.EncrytedPart.Etype}" }); } } return(null); }
private readonly byte[] pa_data_signiture2 = new byte[] { 0xa2, 0x35, 0x04, 0x33 }; // Hash length = 0x35 = 53 public NetworkLayerObject Parse(UdpPacket udpPacket) { if (!isKerberos(udpPacket)) { return(null); } byte[] sig_part = udpPacket.Data.SubArray(40, 4); if (Utilities.SearchForSubarray(sig_part, this.pa_data_signiture) == 0 || Utilities.SearchForSubarray(sig_part, this.pa_data_signiture2) == 0) { var paddingLen = 0; var hashOffset = 44; var userNameOffset = 144; var hashItemLen = (int)udpPacket.Data[41]; if (hashItemLen == 53) { paddingLen = 1; } if (hashItemLen != 54 && hashItemLen != 53) { hashItemLen = (int)udpPacket.Data[48]; hashOffset = 49; userNameOffset = hashItemLen + 97; } var hashLen = 52 - paddingLen; byte[] hash = udpPacket.Data.SubArray(hashOffset, hashLen); byte[] switchedHash = new byte[hashLen]; hash.SubArray(16, 36).CopyTo(switchedHash, 0); hash.SubArray(0, 16).CopyTo(switchedHash, 36); string hashString = NtlmsspHashParser.ByteArrayToHexString(switchedHash); var userName = ExtractKerberosMessageItem(udpPacket.Data, userNameOffset - paddingLen, out int userNameLength); string domain = ExtractKerberosMessageItem(udpPacket.Data, userNameOffset + userNameLength - paddingLen + 4, out int domainLength); return(new KerberosHash() { HashType = "Kerberos V5 AS-REQ Pre-Auth etype 23", Protocol = "UDP", Source = udpPacket.DestinationIp, Destination = udpPacket.SourceIp, User = userName, Domain = domain, Hash = hashString }); } return(null); }