public EncryptionKey(
KerbInt32 param0,
Asn1OctetString param1)
{
this.keytype = param0;
this.keyvalue = param1;
}
public LastReqElement(
KerbInt32 param0,
KerberosTime param1)
{
this.lr_type = param0;
this.lr_value = param1;
}
public KERB_AD_RESTRICTION_ENTRY(
KerbInt32 param0,
Asn1OctetString param1)
{
this.restriction_type = param0;
this.restriction = param1;
}
//Added manually
public KERB_AD_RESTRICTION_ENTRY(
KerbInt32 param0,
LSAP_TOKEN_INFO_INTEGRITY param1)
{
this.restriction_type = param0;
this.restriction = param1.SetElements();
}
public HostAddress(
KerbInt32 param0,
Asn1OctetString param1)
{
this.addr_type = param0;
this.address = param1;
}
public ETYPE_INFO_ENTRY(
KerbInt32 param0,
Asn1OctetString param1)
{
this.etype = param0;
this.salt = param1;
}
public PrincipalName(
KerbInt32 param0,
Asn1SequenceOf<KerberosString> param1)
{
this.name_type = param0;
this.name_string = param1;
}
public ETYPE_INFO_ENTRY(
KerbInt32 param0,
Asn1OctetString param1)
{
this.etype = param0;
this.salt = param1;
}
public HostAddress(
KerbInt32 param0,
Asn1OctetString param1)
{
this.addr_type = param0;
this.address = param1;
}
public KrbFastArmor(
KerbInt32 param0,
Asn1OctetString param1)
{
this.armor_type = param0;
this.armor_value = param1;
}
public Checksum(
KerbInt32 param0,
Asn1OctetString param1)
{
this.cksumtype = param0;
this.checksum = param1;
}
public TYPED_DATAElement(
KerbInt32 param0,
Asn1OctetString param1)
{
this.data_type = param0;
this.data_value = param1;
}
public AuthorizationDataElement(
KerbInt32 param0,
Asn1OctetString param1)
{
this.ad_type = param0;
this.ad_data = param1;
}
public LastReqElement(
KerbInt32 param0,
KerberosTime param1)
{
this.lr_type = param0;
this.lr_value = param1;
}
/// <summary>
/// Construct a Kerberos test client
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
public KerberosFunctionalClient(string domain, string cName, string password, KerberosAccountType accountType, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt, ITestSite baseTestSite,string salt = null)
: base(domain, cName, password, accountType, kdcAddress, kdcPort, transportType, oidPkt, salt)
{
testSite = baseTestSite;
if (accountType == KerberosAccountType.Device)
{
testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using computer account: {0}@{1}.",
cName, domain);
}
else
{
testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using user account: {0}@{1}.",
cName, domain);
}
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.AES256_CTS_HMAC_SHA1_96,
EncryptionType.AES128_CTS_HMAC_SHA1_96,
EncryptionType.RC4_HMAC,
EncryptionType.RC4_HMAC_EXP,
EncryptionType.DES_CBC_CRC,
EncryptionType.DES_CBC_MD5
};
KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
Context.SupportedEType = etype;
Context.Pvno = KerberosConstValue.KERBEROSV5;
}
public Checksum(
KerbInt32 param0,
Asn1OctetString param1)
{
this.cksumtype = param0;
this.checksum = param1;
}
public KERB_AD_RESTRICTION_ENTRY(
KerbInt32 param0,
Asn1OctetString param1)
{
this.restriction_type = param0;
this.restriction = param1;
}
//Added manually
public KERB_AD_RESTRICTION_ENTRY(
KerbInt32 param0,
LSAP_TOKEN_INFO_INTEGRITY param1)
{
this.restriction_type = param0;
this.restriction = param1.SetElements();
}
public EncryptionKey(
KerbInt32 param0,
Asn1OctetString param1)
{
this.keytype = param0;
this.keyvalue = param1;
}
public AD_AND_OR(
KerbInt32 param0,
AuthorizationData param1)
{
this.condition_count = param0;
this.elements = param1;
}
public TransitedEncoding(
KerbInt32 param0,
Asn1OctetString param1)
{
this.tr_type = param0;
this.contents = param1;
}
public KRB_ERROR(
Asn1Integer param0,
Asn1Integer param1,
KerberosTime param2,
Microseconds param3,
KerberosTime param4,
Microseconds param5,
KerbInt32 param6,
Realm param7,
PrincipalName param8,
Realm param9,
PrincipalName param10,
KerberosString param11,
Asn1OctetString param12)
{
this.pvno = param0;
this.msg_type = param1;
this.ctime = param2;
this.cusec = param3;
this.stime = param4;
this.susec = param5;
this.error_code = param6;
this.crealm = param7;
this.cname = param8;
this.realm = param9;
this.sname = param10;
this.e_text = param11;
this.e_data = param12;
}
public AD_AND_OR(
KerbInt32 param0,
AuthorizationData param1)
{
this.condition_count = param0;
this.elements = param1;
}
public KRB_ERROR(
Asn1Integer param0,
Asn1Integer param1,
KerberosTime param2,
Microseconds param3,
KerberosTime param4,
Microseconds param5,
KerbInt32 param6,
Realm param7,
PrincipalName param8,
Realm param9,
PrincipalName param10,
KerberosString param11,
Asn1OctetString param12)
{
this.pvno = param0;
this.msg_type = param1;
this.ctime = param2;
this.cusec = param3;
this.stime = param4;
this.susec = param5;
this.error_code = param6;
this.crealm = param7;
this.cname = param8;
this.realm = param9;
this.sname = param10;
this.e_text = param11;
this.e_data = param12;
}
public AuthorizationDataElement(
KerbInt32 param0,
Asn1OctetString param1)
{
this.ad_type = param0;
this.ad_data = param1;
}
public TransitedEncoding(
KerbInt32 param0,
Asn1OctetString param1)
{
this.tr_type = param0;
this.contents = param1;
}
public PrincipalName(
KerbInt32 param0,
Asn1SequenceOf <KerberosString> param1)
{
this.name_type = param0;
this.name_string = param1;
}
public TYPED_DATAElement(
KerbInt32 param0,
Asn1OctetString param1)
{
this.data_type = param0;
this.data_value = param1;
}
private void UpdateDefaultSettings()
{
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.AES256_CTS_HMAC_SHA1_96,
EncryptionType.AES128_CTS_HMAC_SHA1_96,
EncryptionType.RC4_HMAC,
EncryptionType.RC4_HMAC_EXP,
EncryptionType.UnusedValue_135,
EncryptionType.DES_CBC_MD5,
};
KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf <KerbInt32> etype = new Asn1SequenceOf <KerbInt32>(etypes);
Context.SupportedEType = etype;
this.Context.Pvno = KerberosConstValue.KERBEROSV5;
contextSizes = new SecurityPackageContextSizes();
contextSizes.MaxTokenSize = KerberosConstValue.MAX_TOKEN_SIZE;
contextSizes.MaxSignatureSize = KerberosConstValue.MAX_SIGNATURE_SIZE;
contextSizes.BlockSize = KerberosConstValue.BLOCK_SIZE;
contextSizes.SecurityTrailerSize = KerberosConstValue.SECURITY_TRAILER_SIZE;
}
public EncryptedData(
KerbInt32 param0,
KerbInt32 param1,
Asn1OctetString param2)
{
this.etype = param0;
this.kvno = param1;
this.cipher = param2;
}
public PA_ENC_TIMESTAMP(
KerbInt32 param0,
KerbInt32 param1,
Asn1OctetString param2)
{
this.etype = param0;
this.kvno = param1;
this.cipher = param2;
}
public ETYPE_INFO2_ENTRY(
KerbInt32 param0,
KerberosString param1,
Asn1OctetString param2)
{
this.etype = param0;
this.salt = param1;
this.s2kparams = param2;
}
public ETYPE_INFO2_ENTRY(
KerbInt32 param0,
KerberosString param1,
Asn1OctetString param2)
{
this.etype = param0;
this.salt = param1;
this.s2kparams = param2;
}
public PA_AUTHENTICATION_SET_ELEM(
KerbInt32 param0,
Asn1OctetString param1,
Asn1OctetString param2)
{
this.pa_type = param0;
this.pa_hint = param1;
this.pa_value = param2;
}
public PA_ENC_TIMESTAMP(
KerbInt32 param0,
KerbInt32 param1,
Asn1OctetString param2)
{
this.etype = param0;
this.kvno = param1;
this.cipher = param2;
}
public EncryptedData(
KerbInt32 param0,
KerbInt32 param1,
Asn1OctetString param2)
{
this.etype = param0;
this.kvno = param1;
this.cipher = param2;
}
public PA_DATA(
KerbInt32 param0,
Asn1OctetString param1)
{
this.padata_type = param0;
if(param1 == null)
{
param1 = new Asn1OctetString(new byte[0]);
}
this.padata_value = param1;
}
public PA_DATA(
KerbInt32 param0,
Asn1OctetString param1)
{
this.padata_type = param0;
if (param1 == null)
{
param1 = new Asn1OctetString(new byte[0]);
}
this.padata_value = param1;
}
public void UsingPasswordWithRC4HMAC()
{
base.Logging();
//Create kerberos test client and connect
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Define client supported encryption type
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.RC4_HMAC
};
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes =
new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
client.Context.SupportedEType = etype;
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Validate the methodData in preauthentication required error message
bool isExistPaEncTimestamp = false;
bool isExistPaEtypeInfo2 = false;
var padataCount = methodData.Elements.Length;
for (int i = 0; i < padataCount; i++)
{
var padata = PaDataParser.ParseRepPaData(methodData.Elements[i]);
if ((PaDataType)padata.Data.padata_type.Value == PaDataType.PA_ENC_TIMESTAMP)
{
isExistPaEncTimestamp = true;
}
else if (padata is PaETypeInfo2)
{
var etypeinfo = padata as PaETypeInfo2;
foreach (var entry in etypeinfo.ETypeInfo2.Elements)
{
if ((EncryptionType)entry.etype.Value == EncryptionType.RC4_HMAC)
{
isExistPaEtypeInfo2 = true;
}
}
}
}
BaseTestSite.Assert.IsTrue(isExistPaEncTimestamp, "When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP pre-authentication type when they construct the initial AS request.");
BaseTestSite.Assert.IsTrue(isExistPaEtypeInfo2, "KILE MAY support the other following encryption types: RC4-HMAC[23].");
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, this.client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, (EncryptionType)asResponse.Response.enc_part.etype.Value, "The encrypted part of the AS reply should be encrypted with AES256.");
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
tgsResponse.Response.ticket.realm.Value.ToLower(),
"The realm in ticket should match expected.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName,
KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
"The Service principal name in ticket should match expected.");
EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType);
tgsResponse.DecryptTicket(key);
//tgsResponse.DecryptTicket(this.testConfig.LocalRealm.ClientComputer.Password, this.testConfig.LocalRealm.ClientComputer.ServiceSalt);
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
tgsResponse.TicketEncPart.crealm.Value.ToLower(),
"The realm in ticket encrypted part should match expected.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[1].Username.ToLower(),
KerberosUtility.PrincipalName2String(tgsResponse.TicketEncPart.cname).ToLower(),
"The client principal name in ticket encrypted part should match expected.");
}
public void KrbErrorETypeNoSupp()
{
base.Logging();
//Create kerberos test client
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.None };
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes =
new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]);
}
client.Context.SupportedEType = new Asn1SequenceOf<KerbInt32>(etypes);
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
KerberosKrbError krbError = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_ETYPE_NOTSUPP,
krbError.ErrorCode,
"If the server cannot accommodate any encryption type requested by the client, an error message with the code KDC_ERR_ETYPE_NOTSUPP is returned.");
}
/// <summary>
/// Construct a Kerberos test client for FAST
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logged on account. User or Computer</param>
public KerberosTestClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt omiPkt)
: base(domain, cName, password, accountType, armorTicket, armorSessionKey, kdcAddress, kdcPort, transportType, omiPkt)
{
testSite = TestClassBase.BaseTestSite;
if (accountType == KerberosAccountType.Device)
{
testSite.Log.Add(LogEntryKind.Comment, "Construct Kerberos client using computer account: {0}@{1}.",
cName, domain);
}
else
{
testSite.Log.Add(LogEntryKind.Comment, "Construct Kerberos client using user account: {0}@{1}.",
cName, domain);
}
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.AES256_CTS_HMAC_SHA1_96,
EncryptionType.AES128_CTS_HMAC_SHA1_96,
EncryptionType.RC4_HMAC,
EncryptionType.RC4_HMAC_EXP,
EncryptionType.DES_CBC_CRC,
EncryptionType.DES_CBC_MD5
};
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes =
new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
Context.SupportedEType = etype;
Context.Pvno = KerberosConstValue.KERBEROSV5;
}
/// <summary>
/// Set Supported Encryption Types
/// </summary>
/// <param name="EncryptionType[]">An array of encryption types</param>
public void SetSupportedEType(EncryptionType[] encryptionTypes)
{
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes =
new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
Context.SupportedEType = etype;
}
private long negotiateEtype(ETYPE_INFO2_ENTRY[] eTypeInfoEntries, KerbInt32[] eTypes, out string salt)
{
foreach (var entry in eTypeInfoEntries)
{
foreach (var etype in eTypes)
{
if (entry.etype.Value == etype.Value)
{
if (entry.salt != null) salt = entry.salt.ToString();
else salt = null;
return (long) etype.Value;
}
}
}
throw new Exception("Negotiage e-type failed.");
}
public void DesDowngradeProtection()
{
base.Logging();
//Create kerberos test client and connect
//UseDESOnly is not set for user[1]
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Define client supported encryption type
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.DES_CBC_MD5
};
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes =
new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
client.Context.SupportedEType = etype;
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError;
//DES downgrade protection is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs.
if (int.Parse(this.testConfig.LocalRealm.DomainControllerFunctionality) < 6)
{
krbError = client.ExpectPreauthRequiredError(out methodData); //pre-authentication error
}
//For Windows 2012R2 or later: If DES is used for pre-authentication, the KDC MUST:
//If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.
else
{
krbError = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_ETYPE_NOTSUPP,
krbError.ErrorCode,
"If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP");
}
}
