Exemplo n.º 1
0
        public PA_DATA(string crealm, string cname, Ticket providedTicket, byte[] clientKey, Interop.KERB_ETYPE etype, bool opsec = false, byte[] req_body = null)
        {
            // include an AP-REQ, so PA-DATA for a TGS-REQ

            type = Interop.PADATA_TYPE.AP_REQ;

            // build the AP-REQ
            AP_REQ ap_req = new AP_REQ(crealm, cname, providedTicket, clientKey, etype);

            // make authenticator look more realistic
            if (opsec)
            {
                var rand = new Random();
                ap_req.authenticator.seq_number = (UInt32)rand.Next(1, Int32.MaxValue);
                // Could be useful to output the sequence number in case we implement KRB_PRIV or KRB_SAFE messages
                Console.WriteLine("[+] Sequence number is: {0}", ap_req.authenticator.seq_number);

                // randomize cusec to avoid fingerprinting
                ap_req.authenticator.cusec = rand.Next(0, 999999);

                if (req_body != null)
                {
                    ap_req.authenticator.cksum = new Checksum(Interop.KERB_CHECKSUM_ALGORITHM.KERB_CHECKSUM_RSA_MD5, req_body);
                }
            }

            value = ap_req;
        }
Exemplo n.º 2
0
 public PA_DATA(string crealm, string cname, Ticket providedTicket, byte[] clientKey,
                Interop.KERB_ETYPE etype)
 {
     // include an AP-REQ, so PA-DATA for a TGS-REQ
     type = Interop.PADATA_TYPE.AP_REQ;
     // build the AP-REQ
     value = new AP_REQ(crealm, cname, providedTicket, clientKey, etype);
 }
Exemplo n.º 3
0
        public static void UserPassword(KRB_CRED kirbi, string newPassword, string domainController = "")
        {
            // implements the Kerberos-based password reset originally disclosed by Aorato
            //      This function is misc::changepw in Kekeo
            // Takes a valid TGT .kirbi and builds a MS Kpasswd password change sequence
            //      AP-REQ with randomized sub session key
            //      KRB-PRIV structure containing ChangePasswdData, enc w/ the sub session key
            // reference: Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols (RFC3244)

            Console.WriteLine("[*] Action: Reset User Password (AoratoPw)\r\n");

            string dcIP = Networking.GetDCIP(domainController);

            if (String.IsNullOrEmpty(dcIP))
            {
                return;
            }

            // extract the user and domain from the existing .kirbi ticket
            string userName   = kirbi.EncryptedPart.ticket_info[0].pname.name_string[0];
            string userDomain = kirbi.EncryptedPart.ticket_info[0].prealm;

            Console.WriteLine("[*] Changing password for user: {0}@{1}", userName, userDomain);
            Console.WriteLine("[*] New password value: {0}", newPassword);

            // build the AP_REQ using the user ticket's keytype and key
            Console.WriteLine("[*] Building AP-REQ for the MS Kpassword request");
            AP_REQ ap_req = new AP_REQ(userDomain, userName, kirbi.Tickets[0], kirbi.EncryptedPart.ticket_info[0].key.keyvalue, (Interop.KERB_ETYPE)kirbi.EncryptedPart.ticket_info[0].key.keytype, Interop.KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR);

            // create a new session subkey for the Authenticator and match the encryption type of the user key
            Console.WriteLine("[*] Building Authenticator with encryption key type: {0}", (Interop.KERB_ETYPE)kirbi.EncryptedPart.ticket_info[0].key.keytype);
            ap_req.authenticator.subkey         = new EncryptionKey();
            ap_req.authenticator.subkey.keytype = kirbi.EncryptedPart.ticket_info[0].key.keytype;

            // generate a random session subkey
            Random random = new Random();

            byte[]             randKeyBytes;
            Interop.KERB_ETYPE randKeyEtype = (Interop.KERB_ETYPE)kirbi.EncryptedPart.ticket_info[0].key.keytype;
            switch (randKeyEtype)
            {
            case Interop.KERB_ETYPE.rc4_hmac:
                randKeyBytes = new byte[16];
                break;

            case Interop.KERB_ETYPE.aes256_cts_hmac_sha1:
                randKeyBytes = new byte[32];
                break;

            default:
                Console.WriteLine("[X] Only rc4_hmac and aes256_cts_hmac_sha1 key hashes supported at this time!");
                return;
            }
            random.NextBytes(randKeyBytes);
            ap_req.authenticator.subkey.keyvalue = randKeyBytes;
            Console.WriteLine("[*] base64(session subkey): {0}", Convert.ToBase64String(randKeyBytes));

            // randKeyBytes is now the session key used for the KRB-PRIV structure
            // MIMIKATZ_NONCE ;)
            ap_req.authenticator.seq_number = 1818848256;

            // now build the KRV-PRIV structure
            Console.WriteLine("[*] Building the KRV-PRIV structure");
            KRB_PRIV changePriv = new KRB_PRIV(randKeyEtype, randKeyBytes);

            // the new password to set for the user
            changePriv.enc_part = new EncKrbPrivPart(newPassword, "lol");

            // now build the final MS Kpasswd request
            byte[] apReqBytes      = ap_req.Encode().Encode();
            byte[] changePrivBytes = changePriv.Encode().Encode();
            byte[] packetBytes     = new byte[10 + apReqBytes.Length + changePrivBytes.Length];
            short  msgLength       = (short)(packetBytes.Length - 4);

            byte[] msgLengthBytes = BitConverter.GetBytes(msgLength);
            System.Array.Reverse(msgLengthBytes);

            // Record Mark
            packetBytes[2] = msgLengthBytes[0];
            packetBytes[3] = msgLengthBytes[1];

            // Message Length
            packetBytes[4] = msgLengthBytes[0];
            packetBytes[5] = msgLengthBytes[1];

            // Version (Reply)
            packetBytes[6] = 0x0;
            packetBytes[7] = 0x1;

            // AP_REQ Length
            short apReqLen = (short)(apReqBytes.Length);

            byte[] apReqLenBytes = BitConverter.GetBytes(apReqLen);
            System.Array.Reverse(apReqLenBytes);
            packetBytes[8] = apReqLenBytes[0];
            packetBytes[9] = apReqLenBytes[1];

            // AP_REQ
            Array.Copy(apReqBytes, 0, packetBytes, 10, apReqBytes.Length);

            // KRV-PRIV
            Array.Copy(changePrivBytes, 0, packetBytes, apReqBytes.Length + 10, changePrivBytes.Length);

            // KPASSWD_DEFAULT_PORT = 464
            byte[] response = Networking.SendBytes(dcIP, 464, packetBytes, true);
            if (null == response)
            {
                return;
            }

            try {
                AsnElt responseAsn = AsnElt.Decode(response, false);
                // check the response value
                if (30 == responseAsn.TagValue)
                {
                    // parse the response to an KRB-ERROR
                    long errorCode = new KRB_ERROR(responseAsn.FirstElement).ErrorCode;
                    Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", errorCode, (Interop.KERBEROS_ERROR)errorCode);
                    return;
                }
            }
            catch { }

            // otherwise parse the resulting KRB-PRIV from the server
            int responseIndex  = 0;
            int respRecordMark = Helpers.ParseBigEndianInt32(response, ref responseIndex);
            int respMsgLen     = Helpers.ParseBigEndianInt16(response, ref responseIndex);
            int respVersion    = Helpers.ParseBigEndianInt16(response, ref responseIndex);
            int respAPReqLen   = Helpers.ParseBigEndianInt16(response, ref responseIndex);

            int respKRBPrivLen = respMsgLen - respAPReqLen - 6;

            byte[] respKRBPriv = new byte[respKRBPrivLen];
            Array.Copy(response, responseIndex + respAPReqLen, respKRBPriv, 0, respKRBPrivLen);

            // decode the KRB-PRIV response
            foreach (AsnElt elem in AsnElt.Decode(respKRBPriv, false).FirstElement.EnumerateElements())
            {
                if (3 != elem.TagValue)
                {
                    continue;
                }
                byte[] encBytes    = elem.FirstElement.SecondElement.GetOctetString();
                byte[] decBytes    = Crypto.KerberosDecrypt(randKeyEtype, Interop.KRB_KEY_USAGE_KRB_PRIV_ENCRYPTED_PART, randKeyBytes, encBytes);
                AsnElt decBytesAsn = AsnElt.Decode(decBytes, false);

                byte[] responseCodeBytes = decBytesAsn.FirstElement.FirstElement.FirstElement.GetOctetString();
                Array.Reverse(responseCodeBytes);
                short responseCode = BitConverter.ToInt16(responseCodeBytes, 0);
                if (0 == responseCode)
                {
                    Console.WriteLine("[+] Password change success!");
                }
                else
                {
                    Console.WriteLine("[X] Password change error: {0}", (Interop.KADMIN_PASSWD_ERR)responseCode);
                }
            }
        }
Exemplo n.º 4
0
        public static void UserPassword(KRB_CRED kirbi, string newPassword, string domainController = "", string targetUser = null)
        {
            // implements the Kerberos-based password reset originally disclosed by Aorato
            //      This function is misc::changepw in Kekeo
            // Takes a valid TGT .kirbi and builds a MS Kpasswd password change sequence
            //      AP-REQ with randomized sub session key
            //      KRB-PRIV structure containing ChangePasswdData, enc w/ the sub session key
            // reference: Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols (RFC3244)

            string dcIP = Networking.GetDCIP(domainController);

            if (String.IsNullOrEmpty(dcIP))
            {
                return;
            }

            // extract the user and domain from the existing .kirbi ticket
            string userName   = kirbi.enc_part.ticket_info[0].pname.name_string[0];
            string userDomain = kirbi.enc_part.ticket_info[0].prealm;

            if (targetUser == null)
            {
                Console.WriteLine("[*] Changing password for user: {0}@{1}", userName, userDomain);
            }
            else
            {
                Console.WriteLine("[*] Resetting password for target user: {0}", targetUser);
            }

            Console.WriteLine("[*] New password value: {0}", newPassword);

            // build the AP_REQ using the user ticket's keytype and key
            Console.WriteLine("[*] Building AP-REQ for the MS Kpassword request");
            AP_REQ ap_req = new AP_REQ(userDomain, userName, kirbi.tickets[0], kirbi.enc_part.ticket_info[0].key.keyvalue, (Interop.KERB_ETYPE)kirbi.enc_part.ticket_info[0].key.keytype, Interop.KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR);

            // create a new session subkey for the Authenticator and match the encryption type of the user key
            Console.WriteLine("[*] Building Authenticator with encryption key type: {0}", (Interop.KERB_ETYPE)kirbi.enc_part.ticket_info[0].key.keytype);
            ap_req.authenticator.subkey         = new EncryptionKey();
            ap_req.authenticator.subkey.keytype = kirbi.enc_part.ticket_info[0].key.keytype;

            // generate a random session subkey
            Random random = new Random();

            byte[]             randKeyBytes;
            Interop.KERB_ETYPE randKeyEtype = (Interop.KERB_ETYPE)kirbi.enc_part.ticket_info[0].key.keytype;
            if (randKeyEtype == Interop.KERB_ETYPE.rc4_hmac)
            {
                randKeyBytes = new byte[16];
                random.NextBytes(randKeyBytes);
                ap_req.authenticator.subkey.keyvalue = randKeyBytes;
            }
            else if (randKeyEtype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
            {
                randKeyBytes = new byte[32];
                random.NextBytes(randKeyBytes);
                ap_req.authenticator.subkey.keyvalue = randKeyBytes;
            }
            else
            {
                Console.WriteLine("[X] Only rc4_hmac and aes256_cts_hmac_sha1 key hashes supported at this time!");
                return;
            }

            Console.WriteLine("[*] base64(session subkey): {0}", Convert.ToBase64String(randKeyBytes));

            // randKeyBytes is now the session key used for the KRB-PRIV structure

            var rand = new Random();

            ap_req.authenticator.seq_number = (UInt32)rand.Next(1, Int32.MaxValue);

            // now build the KRV-PRIV structure
            Console.WriteLine("[*] Building the KRV-PRIV structure");
            KRB_PRIV changePriv = new KRB_PRIV(randKeyEtype, randKeyBytes);

            // the new password to set for the user
            if (targetUser != null)
            {
                var userParts = targetUser.Split('\\');
                if (userParts.Length != 2)
                {
                    Console.WriteLine("[X] /targetuser should be in the format domain.com\\username!");
                    return;
                }
                changePriv.enc_part = new EncKrbPrivPart(userParts[1], userParts[0].ToUpper(), newPassword, "lol");
            }
            else
            {
                changePriv.enc_part = new EncKrbPrivPart(newPassword, "lol");
            }

            // now build the final MS Kpasswd request
            byte[] apReqBytes      = ap_req.Encode().Encode();
            byte[] changePrivBytes = changePriv.Encode().Encode();

            short messageLength = (short)(apReqBytes.Length + changePrivBytes.Length + 6);
            short version       = -128;

            BinaryWriter bw = new BinaryWriter(new MemoryStream());

            //Message Length
            bw.Write(IPAddress.NetworkToHostOrder(messageLength));

            // Version (Reply)
            bw.Write(IPAddress.NetworkToHostOrder(version));

            //AP_REQ Length
            bw.Write(IPAddress.NetworkToHostOrder((short)apReqBytes.Length));

            //AP_REQ
            bw.Write(apReqBytes);

            //KRV-PRIV
            bw.Write(changePrivBytes);

            // KPASSWD_DEFAULT_PORT = 464
            byte[] response = Networking.SendBytes(dcIP, 464, ((MemoryStream)bw.BaseStream).ToArray());
            if (response == null)
            {
                return;
            }

            try
            {
                AsnElt responseAsn = AsnElt.Decode(response, false);

                // check the response value
                int responseTag = responseAsn.TagValue;

                if (responseTag == 30)
                {
                    // parse the response to an KRB-ERROR
                    KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
                    Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
                    return;
                }
            }
            catch { }

            // otherwise parse the resulting KRB-PRIV from the server
            BinaryReader br           = new BinaryReader(new MemoryStream(response));
            short        respMsgLen   = IPAddress.NetworkToHostOrder(br.ReadInt16());
            short        respVersion  = IPAddress.NetworkToHostOrder(br.ReadInt16());
            short        respAPReqLen = IPAddress.NetworkToHostOrder(br.ReadInt16());

            byte[] respAPReq   = br.ReadBytes(respAPReqLen);
            byte[] respKRBPriv = br.ReadBytes((int)(br.BaseStream.Length - br.BaseStream.Position));

            // decode the KRB-PRIV response
            AsnElt respKRBPrivAsn = AsnElt.Decode(respKRBPriv, false);

            foreach (AsnElt elem in respKRBPrivAsn.Sub[0].Sub)
            {
                if (elem.TagValue == 3)
                {
                    byte[] encBytes    = elem.Sub[0].Sub[1].GetOctetString();
                    byte[] decBytes    = Crypto.KerberosDecrypt(randKeyEtype, Interop.KRB_KEY_USAGE_KRB_PRIV_ENCRYPTED_PART, randKeyBytes, encBytes);
                    AsnElt decBytesAsn = AsnElt.Decode(decBytes, false);

                    byte[] responseCodeBytes = decBytesAsn.Sub[0].Sub[0].Sub[0].GetOctetString();

                    br = new BinaryReader(new MemoryStream(responseCodeBytes));
                    short resultCode = IPAddress.NetworkToHostOrder(br.ReadInt16());
                    if (resultCode == 0)
                    {
                        Console.WriteLine("[+] Password change success!");
                    }
                    else
                    {
                        byte[] resultMessage = br.ReadBytes((int)(br.BaseStream.Length - br.BaseStream.Position));
                        string resultError   = "";

                        if (resultMessage.Length > 2)
                        {
                            if (resultMessage[0] == 0 && resultMessage[1] == 0)
                            {
                                br = new BinaryReader(new MemoryStream(resultMessage));
                                br.ReadUInt16();
                                int minPasswordLen                 = IPAddress.NetworkToHostOrder(br.ReadInt32());
                                int passwordHistory                = IPAddress.NetworkToHostOrder(br.ReadInt32());
                                PasswordProperties pprops          = (PasswordProperties)IPAddress.NetworkToHostOrder((br.ReadInt32()));
                                TimeSpan           expire          = TimeSpan.FromTicks(IPAddress.NetworkToHostOrder(br.ReadInt64()));
                                TimeSpan           min_passwordage = TimeSpan.FromTicks(IPAddress.NetworkToHostOrder(br.ReadInt64()));
                                resultError = $"Policy: \n\tMinimum Length: {minPasswordLen}\n\tPassword History: {passwordHistory}\n\tFlags: {pprops}\n\tExpiry: {expire:%d} day(s)\n\tMinimum Password Age: {min_passwordage:%d} day(s)";
                            }
                            else
                            {
                                resultError = Encoding.UTF8.GetString(resultMessage);
                            }
                        }

                        Console.WriteLine("[X] Password change error: {0} {1}", (Interop.KADMIN_PASSWD_ERR)resultCode, resultError);
                    }
                }
            }
        }