private static string GetPasswordCharacterSet(PasswordProperties properties)
{
StringBuilder characterSet = new StringBuilder();
if ((properties & PasswordProperties.LowerCase) > 0)
{
characterSet.Append(CharacterSet.LowerCase);
}
if ((properties & PasswordProperties.UpperCase) > 0)
{
characterSet.Append(CharacterSet.UpperCase);
}
if ((properties & PasswordProperties.Numeric) > 0)
{
characterSet.Append(CharacterSet.Numeric);
}
if ((properties & PasswordProperties.SpecialCharacters) > 0)
{
characterSet.Append(CharacterSet.Special);
}
if ((properties & PasswordProperties.Spaces) > 0)
{
characterSet.Append(CharacterSet.Space);
}
return(characterSet.ToString());
}
public static string GeneratePassword(int lengthOfPassword = 16, PasswordProperties properties = PasswordProperties.Strong)
{
if (lengthOfPassword < Defaults.MinPasswordLength || lengthOfPassword > Defaults.MaxIdenticalConsecutiveChars)
{
throw new InvalidOperationException($"Password length must be between { Defaults.MinPasswordLength} and {Defaults.MaxIdenticalConsecutiveChars}.");
}
string characterSet = GetPasswordCharacterSet(properties);
char[] password = new char[lengthOfPassword];
int characterSetLength = characterSet.Length;
Random random = new Random();
for (int characterPosition = 0; characterPosition < lengthOfPassword; characterPosition++)
{
password[characterPosition] = characterSet[random.Next(characterSetLength - 1)];
bool moreThanTwoIdenticalInARow =
characterPosition > Defaults.MaxIdenticalConsecutiveChars &&
password[characterPosition] == password[characterPosition - 1] &&
password[characterPosition - 1] == password[characterPosition - 2];
if (moreThanTwoIdenticalInARow)
{
characterPosition--;
}
}
return(string.Join(null, password));
}
public MainForm()
{
InitializeComponent();
DefaultTextBackColor = txtGameTime.BackColor;
Current = new PasswordProperties();
UpdatePropertyDisplay();
}
private static PasswordProperties PropertiesWithLotsOfStuff()
{
var properties = new PasswordProperties
{
BombsRedDoor = true,
BombsTaken = true,
BrinstarEnergyTank1 = true,
BrinstarEnergyTank2 = true,
BrinstarEnergyTank3 = true,
BrinstarMissileContainer1 = true,
BrinstarMissileContainer2 = true,
BrinstarIceBeamRedDoor = true,
HasMorphBall = true,
HasBombs = true,
HasHighJumpBoots = true,
HasIceBeam = true,
HasLongBeam = true,
HasNormalBeam = true,
HasScrewAttack = true,
HasVariaSuit = true,
HasWaveBeam = true,
HighJumpBootsRedDoor = true,
HighJumpBootsTaken = true,
KraidLairMissileContainer1 = true,
KraidLairMissileContainer2 = true,
KraidLairMissileContainer3 = true,
KraidLairMissileContainer4 = true,
KraidDead = true,
KraidLairEnergyTank = true,
KraidLairRedDoor1 = true,
KraidLairRedDoor2 = true,
KraidLairRedDoor3 = true,
KraidLairRedDoor4 = true,
KraidRoomEnergyTank = true,
KraidRoomRedDoor = true,
KraidStatueRaised = true,
RidleyLairMissileContainer1 = true,
LongBeamRedDoor = true,
MissileCount = 255,
MorphBallTaken = true,
NorfairEnergyTank = true,
NorfairIceBeamRedDoor = true,
NorfairMissileContainer1 = true,
NorfairMissileContainer10 = true,
NorfairMissileContainer11 = true,
NorfairMissileContainer12 = true,
NorfairMissileContainer2 = true,
NorfairMissileContainer3 = true,
NorfairMissileContainer4 = true,
NorfairMissileContainer5 = true,
NorfairMissileContainer6 = true,
NorfairMissileContainer7 = true,
NorfairMissileContainer8 = true,
NorfairMissileContainer9 = true,
RidleyDead = true,
RidleyEnergyTank = true,
RidleyLairEnergyTank = true,
RidleyLairMissileContainer2 = true,
RidleyLairMissileContainer3 = true,
RidleyLairRedDoor = true,
RidleyLairYellowDoor = true,
RidleyStatueRaised = true,
ScrewAttackTaken = true,
Swimsuit = false,
ScrewAttackRedDoor = true,
TourianBridgeRedDoor = true,
TourianRedDoor1 = true,
TourianRedDoor2 = true,
TourianYellowDoor = true,
VariaSuitRedDoor = true,
VariaSuitTaken = true,
WaveBeamRedDoor = true,
Zebetite1Dead = true,
Zebetite2Dead = true,
Zebetite3Dead = true,
Zebetite4Dead = true,
Zebetite5Dead = true,
};
return(properties);
}
public static void UserPassword(KRB_CRED kirbi, string newPassword, string domainController = "", string targetUser = null)
{
// implements the Kerberos-based password reset originally disclosed by Aorato
// This function is misc::changepw in Kekeo
// Takes a valid TGT .kirbi and builds a MS Kpasswd password change sequence
// AP-REQ with randomized sub session key
// KRB-PRIV structure containing ChangePasswdData, enc w/ the sub session key
// reference: Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols (RFC3244)
string dcIP = Networking.GetDCIP(domainController);
if (String.IsNullOrEmpty(dcIP))
{
return;
}
// extract the user and domain from the existing .kirbi ticket
string userName = kirbi.enc_part.ticket_info[0].pname.name_string[0];
string userDomain = kirbi.enc_part.ticket_info[0].prealm;
if (targetUser == null)
{
Console.WriteLine("[*] Changing password for user: {0}@{1}", userName, userDomain);
}
else
{
Console.WriteLine("[*] Resetting password for target user: {0}", targetUser);
}
Console.WriteLine("[*] New password value: {0}", newPassword);
// build the AP_REQ using the user ticket's keytype and key
Console.WriteLine("[*] Building AP-REQ for the MS Kpassword request");
AP_REQ ap_req = new AP_REQ(userDomain, userName, kirbi.tickets[0], kirbi.enc_part.ticket_info[0].key.keyvalue, (Interop.KERB_ETYPE)kirbi.enc_part.ticket_info[0].key.keytype, Interop.KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR);
// create a new session subkey for the Authenticator and match the encryption type of the user key
Console.WriteLine("[*] Building Authenticator with encryption key type: {0}", (Interop.KERB_ETYPE)kirbi.enc_part.ticket_info[0].key.keytype);
ap_req.authenticator.subkey = new EncryptionKey();
ap_req.authenticator.subkey.keytype = kirbi.enc_part.ticket_info[0].key.keytype;
// generate a random session subkey
Random random = new Random();
byte[] randKeyBytes;
Interop.KERB_ETYPE randKeyEtype = (Interop.KERB_ETYPE)kirbi.enc_part.ticket_info[0].key.keytype;
if (randKeyEtype == Interop.KERB_ETYPE.rc4_hmac)
{
randKeyBytes = new byte[16];
random.NextBytes(randKeyBytes);
ap_req.authenticator.subkey.keyvalue = randKeyBytes;
}
else if (randKeyEtype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
{
randKeyBytes = new byte[32];
random.NextBytes(randKeyBytes);
ap_req.authenticator.subkey.keyvalue = randKeyBytes;
}
else
{
Console.WriteLine("[X] Only rc4_hmac and aes256_cts_hmac_sha1 key hashes supported at this time!");
return;
}
Console.WriteLine("[*] base64(session subkey): {0}", Convert.ToBase64String(randKeyBytes));
// randKeyBytes is now the session key used for the KRB-PRIV structure
var rand = new Random();
ap_req.authenticator.seq_number = (UInt32)rand.Next(1, Int32.MaxValue);
// now build the KRV-PRIV structure
Console.WriteLine("[*] Building the KRV-PRIV structure");
KRB_PRIV changePriv = new KRB_PRIV(randKeyEtype, randKeyBytes);
// the new password to set for the user
if (targetUser != null)
{
var userParts = targetUser.Split('\\');
if (userParts.Length != 2)
{
Console.WriteLine("[X] /targetuser should be in the format domain.com\\username!");
return;
}
changePriv.enc_part = new EncKrbPrivPart(userParts[1], userParts[0].ToUpper(), newPassword, "lol");
}
else
{
changePriv.enc_part = new EncKrbPrivPart(newPassword, "lol");
}
// now build the final MS Kpasswd request
byte[] apReqBytes = ap_req.Encode().Encode();
byte[] changePrivBytes = changePriv.Encode().Encode();
short messageLength = (short)(apReqBytes.Length + changePrivBytes.Length + 6);
short version = -128;
BinaryWriter bw = new BinaryWriter(new MemoryStream());
//Message Length
bw.Write(IPAddress.NetworkToHostOrder(messageLength));
// Version (Reply)
bw.Write(IPAddress.NetworkToHostOrder(version));
//AP_REQ Length
bw.Write(IPAddress.NetworkToHostOrder((short)apReqBytes.Length));
//AP_REQ
bw.Write(apReqBytes);
//KRV-PRIV
bw.Write(changePrivBytes);
// KPASSWD_DEFAULT_PORT = 464
byte[] response = Networking.SendBytes(dcIP, 464, ((MemoryStream)bw.BaseStream).ToArray());
if (response == null)
{
return;
}
try
{
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
return;
}
}
catch { }
// otherwise parse the resulting KRB-PRIV from the server
BinaryReader br = new BinaryReader(new MemoryStream(response));
short respMsgLen = IPAddress.NetworkToHostOrder(br.ReadInt16());
short respVersion = IPAddress.NetworkToHostOrder(br.ReadInt16());
short respAPReqLen = IPAddress.NetworkToHostOrder(br.ReadInt16());
byte[] respAPReq = br.ReadBytes(respAPReqLen);
byte[] respKRBPriv = br.ReadBytes((int)(br.BaseStream.Length - br.BaseStream.Position));
// decode the KRB-PRIV response
AsnElt respKRBPrivAsn = AsnElt.Decode(respKRBPriv, false);
foreach (AsnElt elem in respKRBPrivAsn.Sub[0].Sub)
{
if (elem.TagValue == 3)
{
byte[] encBytes = elem.Sub[0].Sub[1].GetOctetString();
byte[] decBytes = Crypto.KerberosDecrypt(randKeyEtype, Interop.KRB_KEY_USAGE_KRB_PRIV_ENCRYPTED_PART, randKeyBytes, encBytes);
AsnElt decBytesAsn = AsnElt.Decode(decBytes, false);
byte[] responseCodeBytes = decBytesAsn.Sub[0].Sub[0].Sub[0].GetOctetString();
br = new BinaryReader(new MemoryStream(responseCodeBytes));
short resultCode = IPAddress.NetworkToHostOrder(br.ReadInt16());
if (resultCode == 0)
{
Console.WriteLine("[+] Password change success!");
}
else
{
byte[] resultMessage = br.ReadBytes((int)(br.BaseStream.Length - br.BaseStream.Position));
string resultError = "";
if (resultMessage.Length > 2)
{
if (resultMessage[0] == 0 && resultMessage[1] == 0)
{
br = new BinaryReader(new MemoryStream(resultMessage));
br.ReadUInt16();
int minPasswordLen = IPAddress.NetworkToHostOrder(br.ReadInt32());
int passwordHistory = IPAddress.NetworkToHostOrder(br.ReadInt32());
PasswordProperties pprops = (PasswordProperties)IPAddress.NetworkToHostOrder((br.ReadInt32()));
TimeSpan expire = TimeSpan.FromTicks(IPAddress.NetworkToHostOrder(br.ReadInt64()));
TimeSpan min_passwordage = TimeSpan.FromTicks(IPAddress.NetworkToHostOrder(br.ReadInt64()));
resultError = $"Policy: \n\tMinimum Length: {minPasswordLen}\n\tPassword History: {passwordHistory}\n\tFlags: {pprops}\n\tExpiry: {expire:%d} day(s)\n\tMinimum Password Age: {min_passwordage:%d} day(s)";
}
else
{
resultError = Encoding.UTF8.GetString(resultMessage);
}
}
Console.WriteLine("[X] Password change error: {0} {1}", (Interop.KADMIN_PASSWD_ERR)resultCode, resultError);
}
}
}
}