public EncryptionKey( KerbInt32 param0, Asn1OctetString param1) { this.keytype = param0; this.keyvalue = param1; }
public LastReqElement( KerbInt32 param0, KerberosTime param1) { this.lr_type = param0; this.lr_value = param1; }
public KERB_AD_RESTRICTION_ENTRY( KerbInt32 param0, Asn1OctetString param1) { this.restriction_type = param0; this.restriction = param1; }
//Added manually public KERB_AD_RESTRICTION_ENTRY( KerbInt32 param0, LSAP_TOKEN_INFO_INTEGRITY param1) { this.restriction_type = param0; this.restriction = param1.SetElements(); }
public HostAddress( KerbInt32 param0, Asn1OctetString param1) { this.addr_type = param0; this.address = param1; }
public ETYPE_INFO_ENTRY( KerbInt32 param0, Asn1OctetString param1) { this.etype = param0; this.salt = param1; }
public PrincipalName( KerbInt32 param0, Asn1SequenceOf<KerberosString> param1) { this.name_type = param0; this.name_string = param1; }
public ETYPE_INFO_ENTRY( KerbInt32 param0, Asn1OctetString param1) { this.etype = param0; this.salt = param1; }
public HostAddress( KerbInt32 param0, Asn1OctetString param1) { this.addr_type = param0; this.address = param1; }
public KrbFastArmor( KerbInt32 param0, Asn1OctetString param1) { this.armor_type = param0; this.armor_value = param1; }
public Checksum( KerbInt32 param0, Asn1OctetString param1) { this.cksumtype = param0; this.checksum = param1; }
public TYPED_DATAElement( KerbInt32 param0, Asn1OctetString param1) { this.data_type = param0; this.data_value = param1; }
public AuthorizationDataElement( KerbInt32 param0, Asn1OctetString param1) { this.ad_type = param0; this.ad_data = param1; }
public LastReqElement( KerbInt32 param0, KerberosTime param1) { this.lr_type = param0; this.lr_value = param1; }
/// <summary> /// Construct a Kerberos test client /// </summary> /// <param name="domain">The realm part of the client's principal identifier. /// This argument cannot be null.</param> /// <param name="cName">The account to logon the remote machine. Either user account or computer account /// This argument cannot be null.</param> /// <param name="password">The password of the user. This argument cannot be null.</param> /// <param name="accountType">The type of the logon account. User or Computer</param> public KerberosFunctionalClient(string domain, string cName, string password, KerberosAccountType accountType, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt, ITestSite baseTestSite,string salt = null) : base(domain, cName, password, accountType, kdcAddress, kdcPort, transportType, oidPkt, salt) { testSite = baseTestSite; if (accountType == KerberosAccountType.Device) { testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using computer account: {0}@{1}.", cName, domain); } else { testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using user account: {0}@{1}.", cName, domain); } EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.AES256_CTS_HMAC_SHA1_96, EncryptionType.AES128_CTS_HMAC_SHA1_96, EncryptionType.RC4_HMAC, EncryptionType.RC4_HMAC_EXP, EncryptionType.DES_CBC_CRC, EncryptionType.DES_CBC_MD5 }; KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new KerbInt32((int)encryptionTypes[i]); } Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes); Context.SupportedEType = etype; Context.Pvno = KerberosConstValue.KERBEROSV5; }
public Checksum( KerbInt32 param0, Asn1OctetString param1) { this.cksumtype = param0; this.checksum = param1; }
public KERB_AD_RESTRICTION_ENTRY( KerbInt32 param0, Asn1OctetString param1) { this.restriction_type = param0; this.restriction = param1; }
//Added manually public KERB_AD_RESTRICTION_ENTRY( KerbInt32 param0, LSAP_TOKEN_INFO_INTEGRITY param1) { this.restriction_type = param0; this.restriction = param1.SetElements(); }
public EncryptionKey( KerbInt32 param0, Asn1OctetString param1) { this.keytype = param0; this.keyvalue = param1; }
public AD_AND_OR( KerbInt32 param0, AuthorizationData param1) { this.condition_count = param0; this.elements = param1; }
public TransitedEncoding( KerbInt32 param0, Asn1OctetString param1) { this.tr_type = param0; this.contents = param1; }
public KRB_ERROR( Asn1Integer param0, Asn1Integer param1, KerberosTime param2, Microseconds param3, KerberosTime param4, Microseconds param5, KerbInt32 param6, Realm param7, PrincipalName param8, Realm param9, PrincipalName param10, KerberosString param11, Asn1OctetString param12) { this.pvno = param0; this.msg_type = param1; this.ctime = param2; this.cusec = param3; this.stime = param4; this.susec = param5; this.error_code = param6; this.crealm = param7; this.cname = param8; this.realm = param9; this.sname = param10; this.e_text = param11; this.e_data = param12; }
public AD_AND_OR( KerbInt32 param0, AuthorizationData param1) { this.condition_count = param0; this.elements = param1; }
public KRB_ERROR( Asn1Integer param0, Asn1Integer param1, KerberosTime param2, Microseconds param3, KerberosTime param4, Microseconds param5, KerbInt32 param6, Realm param7, PrincipalName param8, Realm param9, PrincipalName param10, KerberosString param11, Asn1OctetString param12) { this.pvno = param0; this.msg_type = param1; this.ctime = param2; this.cusec = param3; this.stime = param4; this.susec = param5; this.error_code = param6; this.crealm = param7; this.cname = param8; this.realm = param9; this.sname = param10; this.e_text = param11; this.e_data = param12; }
public AuthorizationDataElement( KerbInt32 param0, Asn1OctetString param1) { this.ad_type = param0; this.ad_data = param1; }
public TransitedEncoding( KerbInt32 param0, Asn1OctetString param1) { this.tr_type = param0; this.contents = param1; }
public PrincipalName( KerbInt32 param0, Asn1SequenceOf <KerberosString> param1) { this.name_type = param0; this.name_string = param1; }
public TYPED_DATAElement( KerbInt32 param0, Asn1OctetString param1) { this.data_type = param0; this.data_value = param1; }
private void UpdateDefaultSettings() { EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.AES256_CTS_HMAC_SHA1_96, EncryptionType.AES128_CTS_HMAC_SHA1_96, EncryptionType.RC4_HMAC, EncryptionType.RC4_HMAC_EXP, EncryptionType.UnusedValue_135, EncryptionType.DES_CBC_MD5, }; KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new KerbInt32((int)encryptionTypes[i]); } Asn1SequenceOf <KerbInt32> etype = new Asn1SequenceOf <KerbInt32>(etypes); Context.SupportedEType = etype; this.Context.Pvno = KerberosConstValue.KERBEROSV5; contextSizes = new SecurityPackageContextSizes(); contextSizes.MaxTokenSize = KerberosConstValue.MAX_TOKEN_SIZE; contextSizes.MaxSignatureSize = KerberosConstValue.MAX_SIGNATURE_SIZE; contextSizes.BlockSize = KerberosConstValue.BLOCK_SIZE; contextSizes.SecurityTrailerSize = KerberosConstValue.SECURITY_TRAILER_SIZE; }
public EncryptedData( KerbInt32 param0, KerbInt32 param1, Asn1OctetString param2) { this.etype = param0; this.kvno = param1; this.cipher = param2; }
public PA_ENC_TIMESTAMP( KerbInt32 param0, KerbInt32 param1, Asn1OctetString param2) { this.etype = param0; this.kvno = param1; this.cipher = param2; }
public ETYPE_INFO2_ENTRY( KerbInt32 param0, KerberosString param1, Asn1OctetString param2) { this.etype = param0; this.salt = param1; this.s2kparams = param2; }
public ETYPE_INFO2_ENTRY( KerbInt32 param0, KerberosString param1, Asn1OctetString param2) { this.etype = param0; this.salt = param1; this.s2kparams = param2; }
public PA_AUTHENTICATION_SET_ELEM( KerbInt32 param0, Asn1OctetString param1, Asn1OctetString param2) { this.pa_type = param0; this.pa_hint = param1; this.pa_value = param2; }
public PA_ENC_TIMESTAMP( KerbInt32 param0, KerbInt32 param1, Asn1OctetString param2) { this.etype = param0; this.kvno = param1; this.cipher = param2; }
public EncryptedData( KerbInt32 param0, KerbInt32 param1, Asn1OctetString param2) { this.etype = param0; this.kvno = param1; this.cipher = param2; }
public PA_DATA( KerbInt32 param0, Asn1OctetString param1) { this.padata_type = param0; if(param1 == null) { param1 = new Asn1OctetString(new byte[0]); } this.padata_value = param1; }
public PA_DATA( KerbInt32 param0, Asn1OctetString param1) { this.padata_type = param0; if (param1 == null) { param1 = new Asn1OctetString(new byte[0]); } this.padata_value = param1; }
public void UsingPasswordWithRC4HMAC() { base.Logging(); //Create kerberos test client and connect client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } //Define client supported encryption type EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.RC4_HMAC }; Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]); } Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes); client.Context.SupportedEType = etype; //Create and send AS request KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); //Recieve preauthentication required error METHOD_DATA methodData; KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData); //Validate the methodData in preauthentication required error message bool isExistPaEncTimestamp = false; bool isExistPaEtypeInfo2 = false; var padataCount = methodData.Elements.Length; for (int i = 0; i < padataCount; i++) { var padata = PaDataParser.ParseRepPaData(methodData.Elements[i]); if ((PaDataType)padata.Data.padata_type.Value == PaDataType.PA_ENC_TIMESTAMP) { isExistPaEncTimestamp = true; } else if (padata is PaETypeInfo2) { var etypeinfo = padata as PaETypeInfo2; foreach (var entry in etypeinfo.ETypeInfo2.Elements) { if ((EncryptionType)entry.etype.Value == EncryptionType.RC4_HMAC) { isExistPaEtypeInfo2 = true; } } } } BaseTestSite.Assert.IsTrue(isExistPaEncTimestamp, "When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP pre-authentication type when they construct the initial AS request."); BaseTestSite.Assert.IsTrue(isExistPaEtypeInfo2, "KILE MAY support the other following encryption types: RC4-HMAC[23]."); //Create sequence of PA data string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, this.client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data }); //Create and send AS request client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, (EncryptionType)asResponse.Response.enc_part.etype.Value, "The encrypted part of the AS reply should be encrypted with AES256."); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); //Create and send TGS request client.SendTgsRequest(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, options); KerberosTgsResponse tgsResponse = client.ExpectTgsResponse(); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(), tgsResponse.Response.ticket.realm.Value.ToLower(), "The realm in ticket should match expected."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname), "The Service principal name in ticket should match expected."); EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType); tgsResponse.DecryptTicket(key); //tgsResponse.DecryptTicket(this.testConfig.LocalRealm.ClientComputer.Password, this.testConfig.LocalRealm.ClientComputer.ServiceSalt); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(), tgsResponse.TicketEncPart.crealm.Value.ToLower(), "The realm in ticket encrypted part should match expected."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[1].Username.ToLower(), KerberosUtility.PrincipalName2String(tgsResponse.TicketEncPart.cname).ToLower(), "The client principal name in ticket encrypted part should match expected."); }
public void KrbErrorETypeNoSupp() { base.Logging(); //Create kerberos test client client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.None }; Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]); } client.Context.SupportedEType = new Asn1SequenceOf<KerbInt32>(etypes); KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); KerberosKrbError krbError = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_ETYPE_NOTSUPP, krbError.ErrorCode, "If the server cannot accommodate any encryption type requested by the client, an error message with the code KDC_ERR_ETYPE_NOTSUPP is returned."); }
/// <summary> /// Construct a Kerberos test client for FAST /// </summary> /// <param name="domain">The realm part of the client's principal identifier. /// This argument cannot be null.</param> /// <param name="cName">The account to logon the remote machine. Either user account or computer account /// This argument cannot be null.</param> /// <param name="password">The password of the user. This argument cannot be null.</param> /// <param name="accountType">The type of the logged on account. User or Computer</param> public KerberosTestClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt omiPkt) : base(domain, cName, password, accountType, armorTicket, armorSessionKey, kdcAddress, kdcPort, transportType, omiPkt) { testSite = TestClassBase.BaseTestSite; if (accountType == KerberosAccountType.Device) { testSite.Log.Add(LogEntryKind.Comment, "Construct Kerberos client using computer account: {0}@{1}.", cName, domain); } else { testSite.Log.Add(LogEntryKind.Comment, "Construct Kerberos client using user account: {0}@{1}.", cName, domain); } EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.AES256_CTS_HMAC_SHA1_96, EncryptionType.AES128_CTS_HMAC_SHA1_96, EncryptionType.RC4_HMAC, EncryptionType.RC4_HMAC_EXP, EncryptionType.DES_CBC_CRC, EncryptionType.DES_CBC_MD5 }; Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]); } Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes); Context.SupportedEType = etype; Context.Pvno = KerberosConstValue.KERBEROSV5; }
/// <summary> /// Set Supported Encryption Types /// </summary> /// <param name="EncryptionType[]">An array of encryption types</param> public void SetSupportedEType(EncryptionType[] encryptionTypes) { Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]); } Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes); Context.SupportedEType = etype; }
private long negotiateEtype(ETYPE_INFO2_ENTRY[] eTypeInfoEntries, KerbInt32[] eTypes, out string salt) { foreach (var entry in eTypeInfoEntries) { foreach (var etype in eTypes) { if (entry.etype.Value == etype.Value) { if (entry.salt != null) salt = entry.salt.ToString(); else salt = null; return (long) etype.Value; } } } throw new Exception("Negotiage e-type failed."); }
public void DesDowngradeProtection() { base.Logging(); //Create kerberos test client and connect //UseDESOnly is not set for user[1] client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } //Define client supported encryption type EncryptionType[] encryptionTypes = new EncryptionType[] { EncryptionType.DES_CBC_MD5 }; Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[] etypes = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32[encryptionTypes.Length]; for (int i = 0; i < encryptionTypes.Length; i++) { etypes[i] = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32((int)encryptionTypes[i]); } Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes); client.Context.SupportedEType = etype; //Create and send AS request KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); //Recieve preauthentication required error METHOD_DATA methodData; KerberosKrbError krbError; //DES downgrade protection is not supported in Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs. if (int.Parse(this.testConfig.LocalRealm.DomainControllerFunctionality) < 6) { krbError = client.ExpectPreauthRequiredError(out methodData); //pre-authentication error } //For Windows 2012R2 or later: If DES is used for pre-authentication, the KDC MUST: //If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP. else { krbError = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_ETYPE_NOTSUPP, krbError.ErrorCode, "If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP"); } }