private void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPadata = null, AuthorizationData dataInAuthentiator = null, AuthorizationData dataInEncAuthData = null, MsgType msgType = MsgType.KRB_TGS_REQ) { if (string.IsNullOrEmpty(sName)) { throw new ArgumentNullException("sName"); } PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); // almost same as AS request Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); ChecksumType checksumType = KerberosUtility.GetChecksumType(this.Context.SelectedEType); PA_DATA paTgsReq = CreatePaTgsReqest(checksumType, bodyBuffer.Data, dataInAuthentiator); // use AS session key encrypt authenticator. Asn1SequenceOf <PA_DATA> tempPaData = null; if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0) { tempPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paTgsReq }); } else { PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1]; Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length); paDatas[seqPadata.Elements.Length] = paTgsReq; tempPaData = new Asn1SequenceOf <PA_DATA>(paDatas); } KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType); tgsRequest.Request.msg_type.Value = (long)msgType; this.client.SendPdu(tgsRequest); }
public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt) { this.TimeStamp = timeStamp; this.Usec = usec; byte[] key = KeyGenerator.MakeKey(eType, password, salt); this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(key)); // create a timestamp PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec)); Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer(); paEncTsEnc.BerEncode(currTimeStampBuffer); var rawData = currTimeStampBuffer.Data; KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC", "Encrypted Timestamp Pre-authentication", KerberosUtility.DumpLevel.PartialMessage, rawData); // encrypt the timestamp byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value, this.Key.keyvalue.ByteArrayValue, rawData, (int)KeyUsageNumber.PA_ENC_TIMESTAMP); // create an encrypted timestamp PA_ENC_TIMESTAMP paEncTimeStamp = new PA_ENC_TIMESTAMP(new KerbInt32(this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp)); Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer(); paEncTimeStamp.BerEncode(paEncTimestampBuffer, true); Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP), new Asn1OctetString(paEncTimestampBuffer.Data)); }
/// <summary> /// Parse raw PA_DATA type to PaTgsReq object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaTgsReq object</returns> public static PaTgsReq Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_TGS_REQ) { throw new Exception(); } AP_REQ apReq = new AP_REQ(); apReq.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return(new PaTgsReq(apReq)); }
/// <summary> /// Parse raw PA_DATA type to PaFxFast object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaFxFast object</returns> public static PaFxFastReq Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST) { throw new Exception(); } PA_FX_FAST_REQUEST request = new PA_FX_FAST_REQUEST(); request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return(new PaFxFastReq(request)); }
public static PaSvrReferralInfo Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_SVR_REFERRAL_INFO) { throw new Exception(); } PA_SVR_REFERRAL_DATA paSvrReferralData = new PA_SVR_REFERRAL_DATA(); paSvrReferralData.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return(new PaSvrReferralInfo(paSvrReferralData)); }
public static PaPacOptions Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_PAC_OPTION) { throw new Exception(); } KERB_PA_PAC_OPTIONS paPacOptions = new KERB_PA_PAC_OPTIONS(); paPacOptions.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); throw new NotImplementedException();//need to convert from bytd[] to integer }
/// <summary> /// Parse raw PA_DATA type to PaFxFast object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaFxFast object</returns> public static PaETypeInfo2 Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_ETYPE_INFO2) { throw new Exception(); } ETYPE_INFO2 eTypeInfo = new ETYPE_INFO2(); eTypeInfo.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return(new PaETypeInfo2(eTypeInfo)); }
/// <summary> /// Parse raw PA_DATA type to PaPacRequest object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaPacRequest object</returns> public static PaPacRequest Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_PAC_REQUEST) { throw new Exception(); } KERB_PA_PAC_REQUEST request = new KERB_PA_PAC_REQUEST(); request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return(new PaPacRequest(request.include_pac.Value)); }
/// <summary> /// Parse raw PA_DATA type to PaFxFastReq object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaFxFast object</returns> public static PaFxFastRep Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST) { throw new Exception(); } if (data.padata_value != null && data.padata_value.Value.Length > 0) { PA_FX_FAST_REPLY reply = new PA_FX_FAST_REPLY(); reply.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return(new PaFxFastRep(reply)); } return(new PaFxFastRep(null)); }
/// <summary> /// Parse raw PA_DATA type to IPaData object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to IPaData object</returns> public static IPaData ParseReqPaData(PA_DATA data) { switch (data.padata_type.Value) { case (long)PaDataType.PA_FX_FAST: return PaFxFastReq.Parse(data); case (long)PaDataType.PA_PAC_REQUEST: return PaPacRequest.Parse(data); case (long)PaDataType.PA_TGS_REQ: return PaTgsReq.Parse(data); case (long)PaDataType.PA_ETYPE_INFO2: return PaETypeInfo2.Parse(data); } return PaRawData.Parse(data); }
/// <summary> /// Parse raw PA_DATA type to IPaData object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to IPaData object</returns> public static IPaData ParseReqPaData(PA_DATA data) { switch (data.padata_type.Value) { case (long)PaDataType.PA_FX_FAST: return(PaFxFastReq.Parse(data)); case (long)PaDataType.PA_PAC_REQUEST: return(PaPacRequest.Parse(data)); case (long)PaDataType.PA_TGS_REQ: return(PaTgsReq.Parse(data)); case (long)PaDataType.PA_ETYPE_INFO2: return(PaETypeInfo2.Parse(data)); } return(PaRawData.Parse(data)); }
/// <summary> /// Parse raw PA_DATA type to IPaData object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to IPaData object</returns> public static IPaData ParseRepPaData(PA_DATA data) { switch (data.padata_type.Value) { case (long)PaDataType.PA_FX_FAST: return PaFxFastRep.Parse(data); case (long)PaDataType.PA_ETYPE_INFO2: return PaETypeInfo2.Parse(data); case (long)PaDataType.PA_FX_ERROR: return PaFxError.Parse(data); case (long)PaDataType.PA_FX_COOKIE: return PaFxCookie.Parse(data); case (long)PaDataType.PA_SUPPORTED_ENCTYPES: return PaSupportedEncTypes.Parse(data); case (long)PaDataType.PA_SVR_REFERRAL_INFO: return PaSvrReferralInfo.Parse(data); } return PaRawData.Parse(data); }
/// <summary> /// Parse raw PA_DATA type to IPaData object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to IPaData object</returns> public static IPaData ParseRepPaData(PA_DATA data) { switch (data.padata_type.Value) { case (long)PaDataType.PA_FX_FAST: return(PaFxFastRep.Parse(data)); case (long)PaDataType.PA_ETYPE_INFO2: return(PaETypeInfo2.Parse(data)); case (long)PaDataType.PA_FX_ERROR: return(PaFxError.Parse(data)); case (long)PaDataType.PA_FX_COOKIE: return(PaFxCookie.Parse(data)); case (long)PaDataType.PA_SUPPORTED_ENCTYPES: return(PaSupportedEncTypes.Parse(data)); case (long)PaDataType.PA_SVR_REFERRAL_INFO: return(PaSvrReferralInfo.Parse(data)); } return(PaRawData.Parse(data)); }
public static PaRawData Parse(PA_DATA data) { return(new PaRawData(data)); }
public static PaFxCookie Parse(PA_DATA data) { return(new PaFxCookie(data)); }
public static PaSupportedEncTypes Parse(PA_DATA data) { return(new PaSupportedEncTypes(data)); }
public PaRawData(PA_DATA data) { this.data = data; }
public static PaFxError Parse(PA_DATA data) { var paFxError = new PaFxError(data); return(paFxError); }
public static PaEncTimeStamp Parse(PA_DATA data) { throw new NotImplementedException(); }
public static PaFxCookie Parse(PA_DATA data) { return new PaFxCookie(data); }
/// <summary> /// Parse raw PA_DATA type to PaTgsReq object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaTgsReq object</returns> public static PaTgsReq Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_TGS_REQ) throw new Exception(); AP_REQ apReq = new AP_REQ(); apReq.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return new PaTgsReq(apReq); }
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey) { this.TimeStamp = timeStamp; this.Usec = usec; var keyvalue = KeyGenerator.KrbFxCf2( (EncryptionType)armorKey.keytype.Value, armorKey.keyvalue.ByteArrayValue, userLongTermKey.keyvalue.ByteArrayValue, "clientchallengearmor", "challengelongterm"); switch (type) { case EncryptionType.AES256_CTS_HMAC_SHA1_96: { var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue)); this.Key = key; break; } case EncryptionType.RC4_HMAC: { var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue)); this.Key = key; break; } default: throw new ArgumentException("Unsupported encryption type."); } // create a timestamp PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec)); Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer(); paEncTsEnc.BerEncode(currTimeStampBuffer); var rawData = currTimeStampBuffer.Data; KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC", "Encrypted Timestamp Pre-authentication", KerberosUtility.DumpLevel.PartialMessage, rawData); // encrypt the timestamp byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value, this.Key.keyvalue.ByteArrayValue, rawData, (int)KeyUsageNumber.ENC_CHALLENGE_CLIENT); EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp)); Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer(); encryptedChallenge.BerEncode(paEncTimestampBuffer, true); Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data)); }
public static PaSupportedEncTypes Parse(PA_DATA data) { return new PaSupportedEncTypes(data); }
public static PaSvrReferralInfo Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_SVR_REFERRAL_INFO) throw new Exception(); PA_SVR_REFERRAL_DATA paSvrReferralData = new PA_SVR_REFERRAL_DATA(); paSvrReferralData.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return new PaSvrReferralInfo(paSvrReferralData); }
public PaSupportedEncTypes(PA_DATA data) { uint value = BitConverter.ToUInt32(data.padata_value.ByteArrayValue, 0); SupportedEncTypes = (SupportedEncryptionTypes)value; }
/// <summary> /// Parse raw PA_DATA type to PaFxFastReq object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaFxFast object</returns> public static PaFxFastRep Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST) throw new Exception(); if (data.padata_value != null && data.padata_value.Value.Length > 0) { PA_FX_FAST_REPLY reply = new PA_FX_FAST_REPLY(); reply.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return new PaFxFastRep(reply); } return new PaFxFastRep(null); }
public static PaRawData Parse(PA_DATA data) { return new PaRawData(data); }
public static PaPacOptions Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_PAC_OPTION) throw new Exception(); KERB_PA_PAC_OPTIONS paPacOptions = new KERB_PA_PAC_OPTIONS(); paPacOptions.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); throw new NotImplementedException();//need to convert from bytd[] to integer }
/// <summary> /// Create and send FAST AS request with an unknown armor type /// </summary> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> /// <param name="armorType">armorType</param> public void SendAsRequestWithFast( KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, FastOptions fastOptions, ApOptions apOptions, KrbFastArmorType armorType ) { Context.Subkey = subKey; string sName = KerberosConstValue.KERBEROS_SNAME; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname); var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType); PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; } else { elements = new PA_DATA[] { pafxfast.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements)); this.SendPdu(asRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA."); }
public static PaFxError Parse(PA_DATA data) { var paFxError = new PaFxError(data); return paFxError; }
/// <summary> /// Parse raw PA_DATA type to PaFxFast object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaFxFast object</returns> public static PaETypeInfo2 Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_ETYPE_INFO2) throw new Exception(); ETYPE_INFO2 eTypeInfo = new ETYPE_INFO2(); eTypeInfo.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return new PaETypeInfo2(eTypeInfo); }
public PaFxError(PA_DATA PaData) { paData = PaData; KrbError = new KerberosKrbError(); KrbError.FromBytes(PaData.padata_value.ByteArrayValue); }
public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt) { this.TimeStamp = timeStamp; this.Usec = usec; byte[] key = KeyGenerator.MakeKey(eType, password, salt); this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(key)); // create a timestamp PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec)); Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer(); paEncTsEnc.BerEncode(currTimeStampBuffer); var rawData = currTimeStampBuffer.Data; KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC", "Encrypted Timestamp Pre-authentication", KerberosUtility.DumpLevel.PartialMessage, rawData); // encrypt the timestamp byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value, this.Key.keyvalue.ByteArrayValue, rawData, (int)KeyUsageNumber.PA_ENC_TIMESTAMP); // create an encrypted timestamp PA_ENC_TIMESTAMP paEncTimeStamp = new PA_ENC_TIMESTAMP(new KerbInt32(this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp)); Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer(); paEncTimeStamp.BerEncode(paEncTimestampBuffer, true); Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP), new Asn1OctetString(paEncTimestampBuffer.Data)); }
public PaFxCookie(PA_DATA data) { this.data = data; }
/// <summary> /// Parse raw PA_DATA type to PaPacRequest object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaPacRequest object</returns> public static PaPacRequest Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_PAC_REQUEST) throw new Exception(); KERB_PA_PAC_REQUEST request = new KERB_PA_PAC_REQUEST(); request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return new PaPacRequest(request.include_pac.Value); }
public static PaEncTimeStamp Parse(PA_DATA data) { throw new NotImplementedException(); }
public static PaEncryptedChallenge Parse(PA_DATA data) { throw new NotImplementedException(); }
public PaFxError(PA_DATA PaData) { paData = PaData; KrbError = new KerberosKrbError(); KrbError.FromBytes(PaData.padata_value.ByteArrayValue); }
/// <summary> /// Create and send FAST TGS request /// </summary> /// <param name="sName">Service principal name</param> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> /// <param name="data">Authorization data</param> public void SendTgsRequestWithExplicitFast( string sName, KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, FastOptions fastOptions, ApOptions apOptions, AuthorizationData data = null) { Context.Subkey = subKey; Context.ReplyKey = subKey; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data); Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); //Create PA-TGS-REQ APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None)); ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); KerberosApRequest apRequest = CreateApRequest( option, Context.Ticket, subKey, data, KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator, checksumType, bodyBuffer.Data); PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request); Asn1SequenceOf<PA_DATA> tempPaData = null; if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0) { tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data }); } else { tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length); tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data; } //Create explicit FAST armor EncryptionKey explicitSubkey = KerberosUtility.MakeKey( Context.SelectedEType, "Password04!", "This is a salt"); Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey); KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)), Context.ArmorTicket, plaintextAuthenticator, KeyUsageNumber.AP_REQ_Authenticator); FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request); //Create armor key var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey); Context.FastArmorkey = armorKey; //Create PA-FX-FAST var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor); PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data; } else { elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType); this.SendPdu(tgsRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request."); }
public PaFxCookie(PA_DATA data) { this.data = data; }
/// <summary> /// Create and send FAST TGS request /// </summary> /// <param name="sName">Service principal name</param> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> /// <param name="data">Authorization data</param> public void SendTgsRequestWithFastHideCName( string sName, PrincipalName cName, KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, ApOptions apOptions, AuthorizationData data = null) { var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions( KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names)); Context.Subkey = subKey; Context.ReplyKey = subKey; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data); kdcReqBody.cname = cName; Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None)); ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); KerberosApRequest apRequest = CreateApRequest( option, Context.Ticket, subKey, data, KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator, checksumType, bodyBuffer.Data); PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request); Asn1SequenceOf<PA_DATA> tempPaData = null; if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0) { tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data }); } else { tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length); tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data; } var armorKey = GetArmorKey(Context.SessionKey, subKey); var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue); Context.FastArmorkey = armorKey; PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data; } else { elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType); this.SendPdu(tgsRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request."); }
public PaSupportedEncTypes(PA_DATA data) { uint value = BitConverter.ToUInt32(data.padata_value.ByteArrayValue, 0); SupportedEncTypes = (SupportedEncryptionTypes)value; }
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey) { this.TimeStamp = timeStamp; this.Usec = usec; var keyvalue = KeyGenerator.KrbFxCf2( (EncryptionType)armorKey.keytype.Value, armorKey.keyvalue.ByteArrayValue, userLongTermKey.keyvalue.ByteArrayValue, "clientchallengearmor", "challengelongterm"); switch (type) { case EncryptionType.AES256_CTS_HMAC_SHA1_96: { var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue)); this.Key = key; break; } case EncryptionType.RC4_HMAC: { var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue)); this.Key = key; break; } default: throw new ArgumentException("Unsupported encryption type."); } // create a timestamp PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec)); Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer(); paEncTsEnc.BerEncode(currTimeStampBuffer); var rawData = currTimeStampBuffer.Data; KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC", "Encrypted Timestamp Pre-authentication", KerberosUtility.DumpLevel.PartialMessage, rawData); // encrypt the timestamp byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value, this.Key.keyvalue.ByteArrayValue, rawData, (int)KeyUsageNumber.ENC_CHALLENGE_CLIENT); EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp)); Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer(); encryptedChallenge.BerEncode(paEncTimestampBuffer, true); Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data)); }
public PaRawData(PA_DATA data) { this.data = data; }
public static PaEncryptedChallenge Parse(PA_DATA data) { throw new NotImplementedException(); }
/// <summary> /// Create and send FAST AS request /// </summary> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> public void SendAsRequestWithFastHideCName( KdcOptions kdcOptions, string cName, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, ApOptions apOptions) { var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions( KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names)); Context.Subkey = subKey; string sName = KerberosConstValue.KERBEROS_SNAME; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname); kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName)); var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody); PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; } else { elements = new PA_DATA[] { pafxfast.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements)); this.SendPdu(asRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA."); }
/// <summary> /// Parse raw PA_DATA type to PaFxFast object. /// </summary> /// <param name="data">Raw PA_DATA</param> /// <returns>Reference to PaFxFast object</returns> public static PaFxFastReq Parse(PA_DATA data) { if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST) throw new Exception(); PA_FX_FAST_REQUEST request = new PA_FX_FAST_REQUEST(); request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue)); return new PaFxFastReq(request); }
/// <summary> /// Create and send TGS request /// </summary> /// <param name="sName">Service principal name</param> /// <param name="kdcOptions">KDC options</param> /// <param name="seqPadata">A sequence of preauthentication data</param> /// <param name="checksumType">Checksum type of PA-TGS-REQ</param> /// <param name="additionalTicket">Additional ticket</param> /// <param name="data">Authorization data</param> public void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPadata = null, Ticket additionalTicket = null, AuthorizationData dataInAuthenticator = null, AuthorizationData dataInEncAuthData = null) { if (sName == null) { throw new ArgumentNullException("sName"); } PrincipalName sname = new PrincipalName( new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); PA_DATA paTgsReq = CreatePaTgsReq(checksumType, bodyBuffer.Data, dataInAuthenticator); Asn1SequenceOf<PA_DATA> tempPaData = null; if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0) { tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq }); } else { PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1]; Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length); paDatas[seqPadata.Elements.Length] = paTgsReq; tempPaData = new Asn1SequenceOf<PA_DATA>(paDatas); } KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType); this.SendPdu(tgsRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send TGS request."); }
public void UnknownPaType() { base.Logging(); //Create kerberos test client and connect client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } //Create and send AS request KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); //Recieve preauthentication required error METHOD_DATA methodData; KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData); //Create sequence of PA data string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, this.client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); //Create an unknown padata type int invalidPaDataType = 1234567890; byte[] invalidPaDataValue = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 }; PA_DATA invalidPaData = new PA_DATA(new KerbInt32(invalidPaDataType), new Asn1OctetString(invalidPaDataValue)); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, invalidPaData }); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create a sequence of PA data with invalid PA data."); //Create and send AS request client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "Unknown pre-authentication types MUST be ignored by KDCs. AS response should contain a TGT."); //Create and send TGS request client.SendTgsRequest(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, options); KerberosTgsResponse tgsResponse = client.ExpectTgsResponse(); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(), tgsResponse.Response.ticket.realm.Value.ToLower(), "The realm in ticket should match expected."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname), "The Service principal name in ticket should match expected."); EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType); tgsResponse.DecryptTicket(key); //tgsResponse.DecryptTicket(this.testConfig.LocalRealm.ClientComputer.Password, this.testConfig.LocalRealm.ClientComputer.ServiceSalt); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(), tgsResponse.TicketEncPart.crealm.Value.ToLower(), "The realm in ticket encrypted part should match expected."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[1].Username.ToLower(), KerberosUtility.PrincipalName2String(tgsResponse.TicketEncPart.cname).ToLower(), "The client principal name in ticket encrypted part should match expected."); }