Пример #1
0
        public static List <Dictionary <string, string> > ListKerberosTicketsAllUsers()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();
            // adapted partially from Vincent LE TOUX' work
            //      https://github.com/vletoux/MakeMeEnterpriseAdmin/blob/master/MakeMeEnterpriseAdmin.ps1#L2939-L2950
            // and https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/
            // also Jared Atkinson's work at https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1

            IntPtr hLsa             = Helpers.LsaRegisterLogonProcessHelper();
            int    totalTicketCount = 0;

            // if the original call fails then it is likely we don't have SeTcbPrivilege
            // to get SeTcbPrivilege we can Impersonate a NT AUTHORITY\SYSTEM Token
            if (hLsa == IntPtr.Zero)
            {
                Helpers.GetSystem();
                // should now have the proper privileges to get a Handle to LSA
                hLsa = Helpers.LsaRegisterLogonProcessHelper();
                // we don't need our NT AUTHORITY\SYSTEM Token anymore so we can revert to our original token
                Advapi32.RevertToSelf();
            }

            try
            {
                // first return all the logon sessions

                DateTime systime = new DateTime(1601, 1, 1, 0, 0, 0, 0); //win32 systemdate
                UInt64   count;
                IntPtr   luidPtr = IntPtr.Zero;
                IntPtr   iter    = luidPtr;

                uint ret = Secur32.LsaEnumerateLogonSessions(out count, out luidPtr);  // get an array of pointers to LUIDs

                for (ulong i = 0; i < count; i++)
                {
                    IntPtr sessionData;
                    ret = Secur32.LsaGetLogonSessionData(luidPtr, out sessionData);
                    SECURITY_LOGON_SESSION_DATA data = (SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(sessionData, typeof(SECURITY_LOGON_SESSION_DATA));

                    // if we have a valid logon
                    if (data.PSiD != IntPtr.Zero)
                    {
                        // user session data
                        string username = Marshal.PtrToStringUni(data.Username.Buffer).Trim();
                        System.Security.Principal.SecurityIdentifier sid = new System.Security.Principal.SecurityIdentifier(data.PSiD);
                        string domain                 = Marshal.PtrToStringUni(data.LoginDomain.Buffer).Trim();
                        string authpackage            = Marshal.PtrToStringUni(data.AuthenticationPackage.Buffer).Trim();
                        SECURITY_LOGON_TYPE logonType = (SECURITY_LOGON_TYPE)data.LogonType;
                        DateTime            logonTime = systime.AddTicks((long)data.LoginTime);
                        string logonServer            = Marshal.PtrToStringUni(data.LogonServer.Buffer).Trim();
                        string dnsDomainName          = Marshal.PtrToStringUni(data.DnsDomainName.Buffer).Trim();
                        string upn = Marshal.PtrToStringUni(data.Upn.Buffer).Trim();

                        // now we want to get the tickets for this logon ID
                        string        name = "kerberos";
                        LSA_STRING_IN LSAString;
                        LSAString.Length        = (ushort)name.Length;
                        LSAString.MaximumLength = (ushort)(name.Length + 1);
                        LSAString.Buffer        = name;

                        IntPtr   ticketPointer  = IntPtr.Zero;
                        IntPtr   ticketsPointer = IntPtr.Zero;
                        DateTime sysTime        = new DateTime(1601, 1, 1, 0, 0, 0, 0);
                        int      authPack;
                        int      returnBufferLength = 0;
                        int      protocalStatus     = 0;
                        int      retCode;

                        KERB_QUERY_TKT_CACHE_REQUEST  tQuery  = new KERB_QUERY_TKT_CACHE_REQUEST();
                        KERB_QUERY_TKT_CACHE_RESPONSE tickets = new KERB_QUERY_TKT_CACHE_RESPONSE();
                        KERB_TICKET_CACHE_INFO        ticket;

                        // obtains the unique identifier for the kerberos authentication package.
                        retCode = Secur32.LsaLookupAuthenticationPackage(hLsa, ref LSAString, out authPack);

                        // input object for querying the ticket cache for a specific logon ID
                        LUID userLogonID = new LUID();
                        userLogonID.LowPart  = data.LoginID.LowPart;
                        userLogonID.HighPart = 0;
                        tQuery.LogonId       = userLogonID;
                        tQuery.MessageType   = KERB_PROTOCOL_MESSAGE_TYPE.KerbQueryTicketCacheMessage;

                        // query LSA, specifying we want the ticket cache
                        retCode = Secur32.LsaCallAuthenticationPackage(hLsa, authPack, ref tQuery, Marshal.SizeOf(tQuery), out ticketPointer, out returnBufferLength, out protocalStatus);

                        /*Console.WriteLine("\r\n  UserName                 : {0}", username);
                         * Console.WriteLine("  Domain                   : {0}", domain);
                         * Console.WriteLine("  LogonId                  : {0}", data.LoginID.LowPart);
                         * Console.WriteLine("  UserSID                  : {0}", sid.AccountDomainSid);
                         * Console.WriteLine("  AuthenticationPackage    : {0}", authpackage);
                         * Console.WriteLine("  LogonType                : {0}", logonType);
                         * Console.WriteLine("  LogonType                : {0}", logonTime);
                         * Console.WriteLine("  LogonServer              : {0}", logonServer);
                         * Console.WriteLine("  LogonServerDNSDomain     : {0}", dnsDomainName);
                         * Console.WriteLine("  UserPrincipalName        : {0}\r\n", upn);*/

                        if (ticketPointer != IntPtr.Zero)
                        {
                            // parse the returned pointer into our initial KERB_QUERY_TKT_CACHE_RESPONSE structure
                            tickets = (KERB_QUERY_TKT_CACHE_RESPONSE)Marshal.PtrToStructure((System.IntPtr)ticketPointer, typeof(KERB_QUERY_TKT_CACHE_RESPONSE));
                            int count2 = tickets.CountOfTickets;

                            if (count2 != 0)
                            {
                                Console.WriteLine("    [*] Enumerated {0} ticket(s):\r\n", count2);
                                totalTicketCount += count2;
                                // get the size of the structures we're iterating over
                                Int32 dataSize = Marshal.SizeOf(typeof(KERB_TICKET_CACHE_INFO));

                                for (int j = 0; j < count2; j++)
                                {
                                    // iterate through the structures
                                    IntPtr currTicketPtr = (IntPtr)(long)((ticketPointer.ToInt64() + (int)(8 + j * dataSize)));

                                    // parse the new ptr to the appropriate structure
                                    ticket = (KERB_TICKET_CACHE_INFO)Marshal.PtrToStructure(currTicketPtr, typeof(KERB_TICKET_CACHE_INFO));

                                    // extract our fields
                                    string   serverName     = Marshal.PtrToStringUni(ticket.ServerName.Buffer, ticket.ServerName.Length / 2);
                                    string   realmName      = Marshal.PtrToStringUni(ticket.RealmName.Buffer, ticket.RealmName.Length / 2);
                                    DateTime startTime      = DateTime.FromFileTime(ticket.StartTime);
                                    DateTime endTime        = DateTime.FromFileTime(ticket.EndTime);
                                    DateTime renewTime      = DateTime.FromFileTime(ticket.RenewTime);
                                    string   encryptionType = ((KERB_ENCRYPTION_TYPE)ticket.EncryptionType).ToString();
                                    string   ticketFlags    = ((KERB_TICKET_FLAGS)ticket.TicketFlags).ToString();

                                    results.Add(new Dictionary <string, string>()
                                    {
                                        { "UserPrincipalName", upn },
                                        { "serverName", serverName },
                                        { "RealmName", realmName },
                                        { "StartTime", string.Format("{0}", startTime) },
                                        { "EndTime", string.Format("{0}", endTime) },
                                        { "RenewTime", string.Format("{0}", renewTime) },
                                        { "EncryptionType", encryptionType },
                                        { "TicketFlags", ticketFlags },
                                    });
                                }
                            }
                        }
                    }
                    // move the pointer forward
                    luidPtr = (IntPtr)((long)luidPtr.ToInt64() + Marshal.SizeOf(typeof(LUID)));
                    Secur32.LsaFreeReturnBuffer(sessionData);
                }
                Secur32.LsaFreeReturnBuffer(luidPtr);

                // disconnect from LSA
                Secur32.LsaDeregisterLogonProcess(hLsa);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
            return(results);
        }
Пример #2
0
        public static List <Dictionary <string, string> > ListKerberosTicketsCurrentUser()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            // adapted partially from Vincent LE TOUX' work
            //      https://github.com/vletoux/MakeMeEnterpriseAdmin/blob/master/MakeMeEnterpriseAdmin.ps1#L2939-L2950
            // and https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/
            // also Jared Atkinson's work at https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1

            try
            {
                string        name = "kerberos";
                LSA_STRING_IN LSAString;
                LSAString.Length        = (ushort)name.Length;
                LSAString.MaximumLength = (ushort)(name.Length + 1);
                LSAString.Buffer        = name;

                IntPtr   ticketPointer  = IntPtr.Zero;
                IntPtr   ticketsPointer = IntPtr.Zero;
                DateTime sysTime        = new DateTime(1601, 1, 1, 0, 0, 0, 0);
                int      authPack;
                int      returnBufferLength = 0;
                int      protocalStatus     = 0;
                IntPtr   lsaHandle;
                int      retCode;

                // If we want to look at tickets from a session other than our own
                // then we need to use LsaRegisterLogonProcess instead of LsaConnectUntrusted
                retCode = Secur32.LsaConnectUntrusted(out lsaHandle);

                KERB_QUERY_TKT_CACHE_REQUEST  tQuery  = new KERB_QUERY_TKT_CACHE_REQUEST();
                KERB_QUERY_TKT_CACHE_RESPONSE tickets = new KERB_QUERY_TKT_CACHE_RESPONSE();
                KERB_TICKET_CACHE_INFO        ticket;

                // obtains the unique identifier for the kerberos authentication package.
                retCode = Secur32.LsaLookupAuthenticationPackage(lsaHandle, ref LSAString, out authPack);

                // input object for querying the ticket cache (https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_kerb_query_tkt_cache_request)
                tQuery.LogonId     = new LUID();
                tQuery.MessageType = KERB_PROTOCOL_MESSAGE_TYPE.KerbQueryTicketCacheMessage;

                // query LSA, specifying we want the ticket cache
                retCode = Secur32.LsaCallAuthenticationPackage(lsaHandle, authPack, ref tQuery, Marshal.SizeOf(tQuery), out ticketPointer, out returnBufferLength, out protocalStatus);

                // parse the returned pointer into our initial KERB_QUERY_TKT_CACHE_RESPONSE structure
                tickets = (KERB_QUERY_TKT_CACHE_RESPONSE)Marshal.PtrToStructure((System.IntPtr)ticketPointer, typeof(KERB_QUERY_TKT_CACHE_RESPONSE));
                int count = tickets.CountOfTickets;

                // get the size of the structures we're iterating over
                Int32 dataSize = Marshal.SizeOf(typeof(KERB_TICKET_CACHE_INFO));

                for (int i = 0; i < count; i++)
                {
                    // iterate through the structures
                    IntPtr currTicketPtr = (IntPtr)(long)((ticketPointer.ToInt64() + (int)(8 + i * dataSize)));

                    // parse the new ptr to the appropriate structure
                    ticket = (KERB_TICKET_CACHE_INFO)Marshal.PtrToStructure(currTicketPtr, typeof(KERB_TICKET_CACHE_INFO));

                    // extract our fields
                    string   serverName     = Marshal.PtrToStringUni(ticket.ServerName.Buffer, ticket.ServerName.Length / 2);
                    string   realmName      = Marshal.PtrToStringUni(ticket.RealmName.Buffer, ticket.RealmName.Length / 2);
                    DateTime startTime      = DateTime.FromFileTime(ticket.StartTime);
                    DateTime endTime        = DateTime.FromFileTime(ticket.EndTime);
                    DateTime renewTime      = DateTime.FromFileTime(ticket.RenewTime);
                    string   encryptionType = ((KERB_ENCRYPTION_TYPE)ticket.EncryptionType).ToString();
                    string   ticketFlags    = ((KERB_TICKET_FLAGS)ticket.TicketFlags).ToString();

                    results.Add(new Dictionary <string, string>()
                    {
                        { "serverName", serverName },
                        { "RealmName", realmName },
                        { "StartTime", string.Format("{0}", startTime) },
                        { "EndTime", string.Format("{0}", endTime) },
                        { "RenewTime", string.Format("{0}", renewTime) },
                        { "EncryptionType", encryptionType },
                        { "TicketFlags", ticketFlags },
                    });
                }

                // disconnect from LSA
                Secur32.LsaDeregisterLogonProcess(lsaHandle);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
            return(results);
        }