public PA_SVR_REFERRAL_DATA( PrincipalName param0, Realm param1) { this.referred_name = param0; this.referred_realm = param1; }
public KDC_REQ_BODY( KDCOptions param0, PrincipalName param1, Realm param2, PrincipalName param3, KerberosTime param4, KerberosTime param5, KerberosTime param6, KerbUInt32 param7, Asn1SequenceOf <KerbInt32> param8, HostAddresses param9, EncryptedData param10, Asn1SequenceOf <Ticket> param11) { this.kdc_options = param0; this.cname = param1; this.realm = param2; this.sname = param3; this.from = param4; this.till = param5; this.rtime = param6; this.nonce = param7; this.etype = param8; this.addresses = param9; this.enc_authorization_data = param10; this.additional_tickets = param11; }
private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName, AuthorizationData authData = null) { KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sName); if (authData == null) { return(kdcReqBody); } Asn1BerEncodingBuffer asnEncBuffer = new Asn1BerEncodingBuffer(); authData.BerEncode(asnEncBuffer, true); EncryptedData encryptData = new EncryptedData(); encryptData.etype = new KerbInt32(0); byte[] encryptAsnEncoded = asnEncBuffer.Data; if (this.Context.SessionKey != null && this.Context.SessionKey.keytype != null && this.Context.SessionKey.keyvalue != null && this.Context.SessionKey.keyvalue.Value != null) { encryptAsnEncoded = KerberosUtility.Encrypt( (EncryptionType)this.Context.SessionKey.keytype.Value, this.Context.SessionKey.keyvalue.ByteArrayValue, encryptAsnEncoded, (int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData ); encryptData.etype = new KerbInt32(this.Context.SessionKey.keytype.Value); } encryptData.cipher = new Asn1OctetString(encryptAsnEncoded); kdcReqBody.enc_authorization_data = encryptData; return(kdcReqBody); }
private void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPadata = null, AuthorizationData dataInAuthentiator = null, AuthorizationData dataInEncAuthData = null, MsgType msgType = MsgType.KRB_TGS_REQ) { if (string.IsNullOrEmpty(sName)) { throw new ArgumentNullException("sName"); } PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); // almost same as AS request Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); ChecksumType checksumType = KerberosUtility.GetChecksumType(this.Context.SelectedEType); PA_DATA paTgsReq = CreatePaTgsReqest(checksumType, bodyBuffer.Data, dataInAuthentiator); // use AS session key encrypt authenticator. Asn1SequenceOf <PA_DATA> tempPaData = null; if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0) { tempPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paTgsReq }); } else { PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1]; Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length); paDatas[seqPadata.Elements.Length] = paTgsReq; tempPaData = new Asn1SequenceOf <PA_DATA>(paDatas); } KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType); tgsRequest.Request.msg_type.Value = (long)msgType; this.client.SendPdu(tgsRequest); }
public EncASRepPart( EncryptionKey param0, LastReq param1, KerbUInt32 param2, KerberosTime param3, TicketFlags param4, KerberosTime param5, KerberosTime param6, KerberosTime param7, KerberosTime param8, Realm param9, PrincipalName param10, HostAddresses param11, Asn1SequenceOf <PA_DATA> param12) { this.key = param0; this.last_req = param1; this.nonce = param2; this.key_expiration = param3; this.flags = param4; this.authtime = param5; this.starttime = param6; this.endtime = param7; this.renew_till = param8; this.srealm = param9; this.sname = param10; this.caddr = param11; this.pa_datas = param12; }
public KrbCredInfo( EncryptionKey param0, Realm param1, PrincipalName param2, TicketFlags param3, KerberosTime param4, KerberosTime param5, KerberosTime param6, KerberosTime param7, Realm param8, PrincipalName param9, HostAddresses param10) { this.key = param0; this.prealm = param1; this.pname = param2; this.flags = param3; this.authtime = param4; this.starttime = param5; this.endtime = param6; this.renew_till = param7; this.srealm = param8; this.sname = param9; this.caddr = param10; }
public EncTicketPart( TicketFlags param0, EncryptionKey param1, Realm param2, PrincipalName param3, TransitedEncoding param4, KerberosTime param5, KerberosTime param6, KerberosTime param7, KerberosTime param8, HostAddresses param9, AuthorizationData param10) { this.flags = param0; this.key = param1; this.crealm = param2; this.cname = param3; this.transited = param4; this.authtime = param5; this.starttime = param6; this.endtime = param7; this.renew_till = param8; this.caddr = param9; this.authorization_data = param10; }
public EncTicketPart( TicketFlags param0, EncryptionKey param1, Realm param2, PrincipalName param3, TransitedEncoding param4, KerberosTime param5, KerberosTime param6, KerberosTime param7, KerberosTime param8, HostAddresses param9, AuthorizationData param10) { this.flags = param0; this.key = param1; this.crealm = param2; this.cname = param3; this.transited = param4; this.authtime = param5; this.starttime = param6; this.endtime = param7; this.renew_till = param8; this.caddr = param9; this.authorization_data = param10; }
public KDC_REQ_BODY( KDCOptions param0, PrincipalName param1, Realm param2, PrincipalName param3, KerberosTime param4, KerberosTime param5, KerberosTime param6, KerbUInt32 param7, Asn1SequenceOf<KerbInt32> param8, HostAddresses param9, EncryptedData param10, Asn1SequenceOf<Ticket> param11) { this.kdc_options = param0; this.cname = param1; this.realm = param2; this.sname = param3; this.from = param4; this.till = param5; this.rtime = param6; this.nonce = param7; this.etype = param8; this.addresses = param9; this.enc_authorization_data = param10; this.additional_tickets = param11; }
public KrbCredInfo( EncryptionKey param0, Realm param1, PrincipalName param2, TicketFlags param3, KerberosTime param4, KerberosTime param5, KerberosTime param6, KerberosTime param7, Realm param8, PrincipalName param9, HostAddresses param10) { this.key = param0; this.prealm = param1; this.pname = param2; this.flags = param3; this.authtime = param4; this.starttime = param5; this.endtime = param6; this.renew_till = param7; this.srealm = param8; this.sname = param9; this.caddr = param10; }
public PA_SVR_REFERRAL_DATA( PrincipalName param0, Realm param1) { this.referred_name = param0; this.referred_realm = param1; }
public EncASRepPart( EncryptionKey param0, LastReq param1, KerbUInt32 param2, KerberosTime param3, TicketFlags param4, KerberosTime param5, KerberosTime param6, KerberosTime param7, KerberosTime param8, Realm param9, PrincipalName param10, HostAddresses param11, Asn1SequenceOf<PA_DATA> param12) { this.key = param0; this.last_req = param1; this.nonce = param2; this.key_expiration = param3; this.flags = param4; this.authtime = param5; this.starttime = param6; this.endtime = param7; this.renew_till = param8; this.srealm = param9; this.sname = param10; this.caddr = param11; this.pa_datas = param12; }
public KRB_ERROR( Asn1Integer param0, Asn1Integer param1, KerberosTime param2, Microseconds param3, KerberosTime param4, Microseconds param5, KerbInt32 param6, Realm param7, PrincipalName param8, Realm param9, PrincipalName param10, KerberosString param11, Asn1OctetString param12) { this.pvno = param0; this.msg_type = param1; this.ctime = param2; this.cusec = param3; this.stime = param4; this.susec = param5; this.error_code = param6; this.crealm = param7; this.cname = param8; this.realm = param9; this.sname = param10; this.e_text = param11; this.e_data = param12; }
public KRB_ERROR( Asn1Integer param0, Asn1Integer param1, KerberosTime param2, Microseconds param3, KerberosTime param4, Microseconds param5, KerbInt32 param6, Realm param7, PrincipalName param8, Realm param9, PrincipalName param10, KerberosString param11, Asn1OctetString param12) { this.pvno = param0; this.msg_type = param1; this.ctime = param2; this.cusec = param3; this.stime = param4; this.susec = param5; this.error_code = param6; this.crealm = param7; this.cname = param8; this.realm = param9; this.sname = param10; this.e_text = param11; this.e_data = param12; }
/// <summary> /// Create context /// </summary> /// <param name="domain">Domain name</param> /// <param name="cName">Principal name</param> /// <param name="password">Password of principal</param> /// <param name="accountType">Accoundtype, user or device</param> public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt = null) : this() { if (domain == null) { throw new ArgumentNullException("domain"); } if (cName == null) { throw new ArgumentNullException("cName"); } if (password == null) { throw new ArgumentNullException("password"); } this.Realm = new Realm(domain); PrincipalName name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName)); if (null == salt) { if (accountType == KerberosAccountType.User) salt = KerberosUtility.GenerateSalt(domain, cName, accountType); else if (accountType == KerberosAccountType.Device) salt = KerberosUtility.GenerateSalt(domain, cName, accountType); else { throw new ArgumentOutOfRangeException("Account type not support"); } } this.CName = new Principal(accountType, this.Realm, name, password, salt); }
/// <summary> /// Constructor /// </summary> /// <param name="type">Type of Principal</param> /// <param name="name">Principal name</param> /// <param name="password">Password of principal</param> /// <param name="salt">Salt of principal</param> public Principal(KerberosAccountType type, string realm, string name, string password, string salt) { Type = type; Realm = new Realm(realm); Name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(name)); Password = password; Salt = salt; }
/// <summary> /// Constructor /// </summary> /// <param name="type">Type of Principal</param> /// <param name="name">Principal name</param> /// <param name="password">Password of principal</param> public Principal(KerberosAccountType type, Realm realm, PrincipalName name, string password, string salt) { Type = type; Realm = realm; Name = name; Password = password; Salt = salt; }
public ChangePasswdData( Asn1OctetString param0, PrincipalName param1, Realm param2) { this.newpasswd = param0; this.targname = param1; this.targrealm = param2; }
public ChangePasswdData( Asn1OctetString param0, PrincipalName param1, Realm param2) { this.newpasswd = param0; this.targname = param1; this.targrealm = param2; }
public AD_KDCIssued( Checksum param0, Realm param1, PrincipalName param2, AuthorizationData param3) { this.ad_checksum = param0; this.i_realm = param1; this.i_sname = param2; this.elements = param3; }
public Ticket( Asn1Integer param0, Realm param1, PrincipalName param2, EncryptedData param3) { this.tkt_vno = param0; this.realm = param1; this.sname = param2; this.enc_part = param3; }
public AD_KDCIssued( Checksum param0, Realm param1, PrincipalName param2, AuthorizationData param3) { this.ad_checksum = param0; this.i_realm = param1; this.i_sname = param2; this.elements = param3; }
public Ticket( Asn1Integer param0, Realm param1, PrincipalName param2, EncryptedData param3) { this.tkt_vno = param0; this.realm = param1; this.sname = param2; this.enc_part = param3; }
public KrbFastFinished( KerberosTime param0, Microseconds param1, Realm param2, PrincipalName param3, Checksum param4) { this.timestamp = param0; this.usec = param1; this.crealm = param2; this.cname = param3; this.ticket_checksum = param4; }
private KerberosAsRequest SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPaData) { string sName = KerberosConstValue.KERBEROS_SNAME; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData); this.client.SendPdu(asRequest); return(asRequest); }
public static string PrincipalName2String(PrincipalName name) { StringBuilder sb = new StringBuilder(); for (int i = 0; i < name.name_string.Elements.Length; i++) { sb.Append(name.name_string.Elements[i]); if (i != name.name_string.Elements.Length - 1) { sb.Append("/"); } } return(sb.ToString()); }
private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName) { KerbUInt32 nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks)); KerberosTime till = new KerberosTime(KerberosConstValue.TGT_TILL_TIME); KerberosTime rtime = new KerberosTime(KerberosConstValue.TGT_RTIME); HostAddresses addresses = new HostAddresses(new HostAddress[1] { new HostAddress(new KerbInt32((int)AddressType.NetBios), new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName()))) }); KDCOptions options = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)kdcOptions)); KDC_REQ_BODY kdcReqBody = new KDC_REQ_BODY(options, Context.CName.Name, Context.Realm, sName, null, till, rtime, nonce, Context.SupportedEType, addresses, null, null); return(kdcReqBody); }
public AS_REP( Asn1Integer param0, Asn1Integer param1, Asn1SequenceOf <PA_DATA> param2, Realm param3, PrincipalName param4, Ticket param5, EncryptedData param6) { this.pvno = param0; this.msg_type = param1; this.padata = param2; this.crealm = param3; this.cname = param4; this.ticket = param5; this.enc_part = param6; }
public AS_REP( Asn1Integer param0, Asn1Integer param1, Asn1SequenceOf<PA_DATA> param2, Realm param3, PrincipalName param4, Ticket param5, EncryptedData param6) { this.pvno = param0; this.msg_type = param1; this.padata = param2; this.crealm = param3; this.cname = param4; this.ticket = param5; this.enc_part = param6; }
public Authenticator( Asn1Integer param0, Realm param1, PrincipalName param2, Checksum param3, Microseconds param4, KerberosTime param5, EncryptionKey param6, KerbUInt32 param7, AuthorizationData param8) { this.authenticator_vno = param0; this.crealm = param1; this.cname = param2; this.cksum = param3; this.cusec = param4; this.ctime = param5; this.subkey = param6; this.seq_number = param7; this.authorization_data = param8; }
public Authenticator( Asn1Integer param0, Realm param1, PrincipalName param2, Checksum param3, Microseconds param4, KerberosTime param5, EncryptionKey param6, KerbUInt32 param7, AuthorizationData param8) { this.authenticator_vno = param0; this.crealm = param1; this.cname = param2; this.cksum = param3; this.cusec = param4; this.ctime = param5; this.subkey = param6; this.seq_number = param7; this.authorization_data = param8; }
/// <summary> /// Create context /// </summary> /// <param name="domain">Domain name</param> /// <param name="cName">Principal name</param> /// <param name="password">Password of principal</param> /// <param name="accountType">Accoundtype, user or device</param> public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt = null) : this() { if (domain == null) { throw new ArgumentNullException("domain"); } if (cName == null) { throw new ArgumentNullException("cName"); } if (password == null) { throw new ArgumentNullException("password"); } this.Realm = new Realm(domain); PrincipalName name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName)); if (null == salt) { if (accountType == KerberosAccountType.User) { salt = KerberosUtility.GenerateSalt(domain, cName, accountType); } else if (accountType == KerberosAccountType.Device) { salt = KerberosUtility.GenerateSalt(domain, cName, accountType); } else { throw new ArgumentOutOfRangeException("Account type not support"); } } this.CName = new Principal(accountType, this.Realm, name, password, salt); }
public PaFxFastReq CreateAsPaFxFast( EncryptionKey subKey, FastOptions fastOptions, ApOptions apOptions, Asn1SequenceOf<PA_DATA> seqPaData, string sName, KDC_REQ_BODY kdcReqBody, KrbFastArmorType armorType ) { string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); var armorKey = KerberosUtility.MakeArmorKey( Context.SelectedEType, subKey.keyvalue.ByteArrayValue, Context.ArmorSessionKey.keyvalue.ByteArrayValue); Context.FastArmorkey = new EncryptionKey(new KerbInt32((long)Context.SelectedEType), new Asn1OctetString(armorKey)); Asn1BerEncodingBuffer encodebuf = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(encodebuf); var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); var chksum = KerberosUtility.GetChecksum( armorKey, encodebuf.Data, (int)KeyUsageNumber.FAST_REQ_CHECKSUM, checksumType); Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum)); Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, subKey); KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)), Context.ArmorTicket, plaintextAuthenticator, KeyUsageNumber.AP_REQ_Authenticator); KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname); KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody); FastArmorApRequest fastArmor = new FastArmorApRequest(apReq.Request); fastArmor.armorType = armorType; KerberosArmoredRequest armoredReq = new KerberosArmoredRequest(fastArmor, checkSum, (long)Context.SelectedEType, armorKey, fastReq); PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST(); paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq); PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq); return paFxfast; }
/// <summary> /// Constructor /// </summary> /// <param name="type">Type of Principal</param> /// <param name="name">Principal name</param> /// <param name="password">Password of principal</param> /// <param name="salt">Salt of principal</param> public Principal(KerberosAccountType type, string realm, string name, string password, string salt) { Type = type; Realm = new Realm(realm); Name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(name)); Password = password; Salt = salt; }
/// <summary> /// Create a Kerberos ticket /// </summary> /// <param name="ticket">Ticket</param> /// <param name="ticketOwner">Owner of ticket</param> /// <param name="sessionKey">Session key in ticket</param> public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey) { this.Ticket = ticket; this.TicketOwner = ticketOwner; this.SessionKey = sessionKey; }
/// <summary> /// Create and send AS request for Password change /// </summary> /// <param name="kdcOptions">KDC options</param> /// <param name="seqPaData">A sequence of preauthentication data</param> public void SendAsRequestForPwdChange(KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPaData) { PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(KerberosConstValue.KERBEROS_KADMIN_SNAME.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData); this.SendPdu(asRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request for password change."); }
/// <summary> /// Create and send FAST AS request with an unknown armor type /// </summary> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> /// <param name="armorType">armorType</param> public void SendAsRequestWithFast( KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, FastOptions fastOptions, ApOptions apOptions, KrbFastArmorType armorType ) { Context.Subkey = subKey; string sName = KerberosConstValue.KERBEROS_SNAME; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname); var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType); PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; } else { elements = new PA_DATA[] { pafxfast.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements)); this.SendPdu(asRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA."); }
/// <summary> /// Create a Kerberos ticket /// </summary> /// <param name="ticket">Ticket</param> /// <param name="ticketOwner">Owner of ticket</param> /// <param name="sessionKey">Session key in ticket</param> public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey) { this.Ticket = ticket; this.TicketOwner = ticketOwner; this.SessionKey = sessionKey; }
/// <summary> /// Create and send FAST AS request /// </summary> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> public void SendAsRequestWithFastHideCName( KdcOptions kdcOptions, string cName, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, ApOptions apOptions) { var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions( KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names)); Context.Subkey = subKey; string sName = KerberosConstValue.KERBEROS_SNAME; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname); kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName)); var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody); PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; } else { elements = new PA_DATA[] { pafxfast.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements)); this.SendPdu(asRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA."); }
/// <summary> /// Create and send TGS request /// </summary> /// <param name="sName">Service principal name</param> /// <param name="kdcOptions">KDC options</param> /// <param name="seqPadata">A sequence of preauthentication data</param> /// <param name="checksumType">Checksum type of PA-TGS-REQ</param> /// <param name="additionalTicket">Additional ticket</param> /// <param name="data">Authorization data</param> public void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPadata = null, Ticket additionalTicket = null, AuthorizationData dataInAuthenticator = null, AuthorizationData dataInEncAuthData = null) { if (sName == null) { throw new ArgumentNullException("sName"); } PrincipalName sname = new PrincipalName( new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); PA_DATA paTgsReq = CreatePaTgsReq(checksumType, bodyBuffer.Data, dataInAuthenticator); Asn1SequenceOf<PA_DATA> tempPaData = null; if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0) { tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq }); } else { PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1]; Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length); paDatas[seqPadata.Elements.Length] = paTgsReq; tempPaData = new Asn1SequenceOf<PA_DATA>(paDatas); } KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType); this.SendPdu(tgsRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send TGS request."); }
private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator"); Random r = new Random(); int seqNum = r.Next(); Authenticator plaintextAuthenticator = new Authenticator { authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5), crealm = realm, cusec = new Microseconds(0), ctime = KerberosUtility.CurrentKerberosTime, seq_number = new KerbUInt32(seqNum), cname = cname, subkey = subkey, authorization_data = data }; AuthCheckSum checksum = new AuthCheckSum { Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH }; checksum.Bnd = new byte[checksum.Lgth]; checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG); byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth), checksum.Bnd, BitConverter.GetBytes(checksum.Flags)); plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData)); return plaintextAuthenticator; }
private KDC_REQ_BODY CreateKdcRequestBody( KdcOptions kdcOptions, PrincipalName sName, AuthorizationData data = null ) { KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sName); if (data == null) return kdcReqBody; Asn1BerEncodingBuffer asnBuffer = new Asn1BerEncodingBuffer(); // Fix me: NullReferenceException if data is null. if (data != null) data.BerEncode(asnBuffer, true); EncryptedData eData = new EncryptedData(); eData.etype = new KerbInt32(0); byte[] encAsnEncoded = asnBuffer.Data; if (Context.SessionKey != null && Context.SessionKey.keytype != null && Context.SessionKey.keyvalue != null && Context.SessionKey.keyvalue.Value != null) { encAsnEncoded = KerberosUtility.Encrypt((EncryptionType)Context.SessionKey.keytype.Value, Context.SessionKey.keyvalue.ByteArrayValue, asnBuffer.Data, (int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData); eData.etype = new KerbInt32(Context.SessionKey.keytype.Value); } eData.cipher = new Asn1OctetString(encAsnEncoded); kdcReqBody.enc_authorization_data = eData; return kdcReqBody; }
/// <summary> /// Constructor /// </summary> /// <param name="type">Type of Principal</param> /// <param name="name">Principal name</param> /// <param name="password">Password of principal</param> public Principal(KerberosAccountType type, Realm realm, PrincipalName name, string password, string salt) { Type = type; Realm = realm; Name = name; Password = password; Salt = salt; }
/// <summary> /// Create and send FAST TGS request /// </summary> /// <param name="sName">Service principal name</param> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> /// <param name="data">Authorization data</param> public void SendTgsRequestWithExplicitFast( string sName, KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, FastOptions fastOptions, ApOptions apOptions, AuthorizationData data = null) { Context.Subkey = subKey; Context.ReplyKey = subKey; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data); Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); //Create PA-TGS-REQ APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None)); ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); KerberosApRequest apRequest = CreateApRequest( option, Context.Ticket, subKey, data, KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator, checksumType, bodyBuffer.Data); PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request); Asn1SequenceOf<PA_DATA> tempPaData = null; if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0) { tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data }); } else { tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length); tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data; } //Create explicit FAST armor EncryptionKey explicitSubkey = KerberosUtility.MakeKey( Context.SelectedEType, "Password04!", "This is a salt"); Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey); KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)), Context.ArmorTicket, plaintextAuthenticator, KeyUsageNumber.AP_REQ_Authenticator); FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request); //Create armor key var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey); Context.FastArmorkey = armorKey; //Create PA-FX-FAST var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor); PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data; } else { elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType); this.SendPdu(tgsRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request."); }
/// <summary> /// Create and send FAST TGS request /// </summary> /// <param name="sName">Service principal name</param> /// <param name="kdcOptions">KDC options</param> /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param> /// <param name="outerSeqPaData">A sequence of preauthentication data</param> /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param> /// <param name="fastOptions">FAST options</param> /// <param name="apOptions">AP options in FAST armor field</param> /// <param name="data">Authorization data</param> public void SendTgsRequestWithFastHideCName( string sName, PrincipalName cName, KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> innerSeqPaData, Asn1SequenceOf<PA_DATA> outerSeqPaData, EncryptionKey subKey, ApOptions apOptions, AuthorizationData data = null) { var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions( KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names)); Context.Subkey = subKey; Context.ReplyKey = subKey; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data); kdcReqBody.cname = cName; Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer(); kdcReqBody.BerEncode(bodyBuffer); APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None)); ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); KerberosApRequest apRequest = CreateApRequest( option, Context.Ticket, subKey, data, KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator, checksumType, bodyBuffer.Data); PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request); Asn1SequenceOf<PA_DATA> tempPaData = null; if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0) { tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data }); } else { tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length); tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data; } var armorKey = GetArmorKey(Context.SessionKey, subKey); var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue); Context.FastArmorkey = armorKey; PA_DATA[] elements; if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0) { elements = new PA_DATA[outerSeqPaData.Elements.Length + 1]; Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length); elements[outerSeqPaData.Elements.Length] = pafxfast.Data; elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data; } else { elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data }; } Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>(); KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType); this.SendPdu(tgsRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request."); }
private void Smb2KerberosAuthentication(CaseVariant variant) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Initialize Kerberos Functional Client"); KerberosFunctionalClient kerberosClient = new KerberosFunctionalClient( TestConfig.DomainName, TestConfig.UserName, TestConfig.UserPassword, KerberosAccountType.User, KDCIP, KDCPort, TransportType.TCP, OidPkt, BaseTestSite); #region Service Ticket EncryptionKey serviceKey; EncTicketPart encTicketPart = RetrieveAndDecryptServiceTicket(kerberosClient, out serviceKey); Ticket serviceTicket = kerberosClient.Context.Ticket.Ticket; Realm crealm = serviceTicket.realm; BaseTestSite.Assert.AreEqual(TestConfig.DomainName.ToLower(), encTicketPart.crealm.Value.ToLower(), "Realm name in service ticket encrypted part should match as expected, case insensitive"); BaseTestSite.Assert.AreEqual(TestConfig.UserName.ToLower(), KerberosUtility.PrincipalName2String(encTicketPart.cname).ToLower(), "User name in service ticket encrypted part should match as expected, case insensitive."); if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the ticket"); AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement(); AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElement); } if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the ticket"); AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement(); AD_IF_RELEVANT ifRelavantElement = new AD_IF_RELEVANT(new[] { unknownElement }); var dataBuffer = new Asn1BerEncodingBuffer(); ifRelavantElement.BerEncode(dataBuffer); AuthorizationDataElement unknownElementOptional = new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data)); AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElementOptional); } if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket start time to tomorrow"); DateTime tomorrow = DateTime.Now.AddDays(1); string kerbTimeString = tomorrow.ToUniversalTime().ToString("yyyyMMddhhmmssZ"); encTicketPart.starttime = new KerberosTime(kerbTimeString, true); } if (variant.HasFlag(CaseVariant.TICKET_EXPIRED)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket end time to yesterday"); DateTime yesterday = DateTime.Now.AddDays(-1); string kerbTimeString = yesterday.ToUniversalTime().ToString("yyyyMMddhhmmssZ"); encTicketPart.endtime = new KerberosTime(kerbTimeString, true); } if (variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Modify the Ticket, making it encrypted with wrong key"); serviceKey = KerberosUtility.GenerateKey(serviceKey); } EncryptedData data = EncryptTicket(encTicketPart, serviceKey); serviceTicket.enc_part = data; if (variant.HasFlag(CaseVariant.TICKET_WRONG_REALM)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Realm in the Ticket to an unknown realm"); serviceTicket.realm = new Realm("kerb.com"); } if (variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the SNAME in the Ticket to an unknown service name"); serviceTicket.sname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString("UnknownService", TestConfig.DomainName)); } if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the KVNO in the Ticket to an invalid Key Version Number (Int32.MaxValue)"); const int invalidKvno = System.Int32.MaxValue; serviceTicket.enc_part.kvno = new KerbInt32(invalidKvno); } #endregion #region Authenticator BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create Authenticator"); EncryptionKey subkey = KerberosUtility.GenerateKey(kerberosClient.Context.SessionKey); PrincipalName cname; if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong cname in the Authenticator"); cname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(TestConfig.NonAdminUserName, TestConfig.DomainName)); } else { cname = kerberosClient.Context.CName.Name; } Authenticator authenticator = CreateAuthenticator(cname, crealm, subkey); if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong crealm in the Authenticator"); authenticator.crealm = new Realm("kerb.com"); } if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the ctime in the Authenticator to one hour later"); DateTime oneHourLater = DateTime.Now.AddHours(1); string kerbTimeString = oneHourLater.ToUniversalTime().ToString("yyyyMMddhhmmssZ"); authenticator.ctime = new KerberosTime(kerbTimeString, true); } if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the Authenticator"); AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement(); authenticator.authorization_data = new AuthorizationData(new[] { unknownElement }); } if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the Authenticator"); AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement(); AD_IF_RELEVANT ifRelavantElement = new AD_IF_RELEVANT(new[] { unknownElement }); var dataBuffer = new Asn1BerEncodingBuffer(); ifRelavantElement.BerEncode(dataBuffer); AuthorizationDataElement unknownElementOptional = new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data)); authenticator.authorization_data = new AuthorizationData(new[] { unknownElementOptional }); } #endregion #region AP Request BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create AP Request"); if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY)) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong key to encrypt the Authenticator"); kerberosClient.Context.Ticket.SessionKey = KerberosUtility.GenerateKey(kerberosClient.Context.Ticket.SessionKey); } KerberosApRequest request = new KerberosApRequest( kerberosClient.Context.Pvno, new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.MutualRequired)), kerberosClient.Context.Ticket, authenticator, KeyUsageNumber.AP_REQ_Authenticator ); #endregion BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create GSS Token"); byte[] token = KerberosUtility.AddGssApiTokenHeader(request, OidPkt, GssToken); Smb2FunctionalClientForKerbAuth smb2Client = new Smb2FunctionalClientForKerbAuth(TestConfig.Timeout, TestConfig, BaseTestSite); smb2Client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress); #region Check the result byte[] repToken; uint status = DoSessionSetupWithGssToken(smb2Client, token, out repToken); if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH) || variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH)) { BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status, "Session Setup should fail because the cname or crealm in the authenticator does not match the same field in the Ticket"); if (TestConfig.IsWindowsPlatform) { KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH, krbError.ErrorCode, "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH); } smb2Client.Disconnect(); return; } if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY) || variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY)) { BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status, "Session Setup should fail because Ticket or Authenticator cannot be correctly decrypted"); if (TestConfig.IsWindowsPlatform) { KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED, krbError.ErrorCode, "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED); } smb2Client.Disconnect(); return; } if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW)) { BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status, "Session Setup should fail because the server time and the client time " + "in the Authenticator differ by (1 hour) more than the allowable clock skew"); if (TestConfig.IsWindowsPlatform) { KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_SKEW, krbError.ErrorCode, "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_SKEW); } smb2Client.Disconnect(); return; } if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO) || variant.HasFlag(CaseVariant.TICKET_WRONG_REALM) || variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME)) { BaseTestSite.Log.Add(LogEntryKind.Comment, "If decryption fails, server would try other keys"); } if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID)) { BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status, "Session Setup should fail because the starttime (tomorrow) in the Ticket " + "is later than the current time by more than the allowable clock skew"); if (TestConfig.IsWindowsPlatform) { KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV, krbError.ErrorCode, "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV); } smb2Client.Disconnect(); return; } if (variant.HasFlag(CaseVariant.TICKET_EXPIRED)) { BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status, "Session Setup should fail because the current time is later than the endtime (yesterday)" + " in the Ticket by more than the allowable clock skew"); if (TestConfig.IsWindowsPlatform) { KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED, krbError.ErrorCode, "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED); } smb2Client.Disconnect(); return; } if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT)) { BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status, "Session Setup should fail because of the unknown AutherizationData in the ticket"); smb2Client.Disconnect(); return; } if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR)) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Unknown AuthorizationData in the Authenticator should not fail the request"); } if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL) || variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL)) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Unknown AuthorizationData in AD_IF_RELEVANT is optional. " + "Server should not fail the request."); } KerberosApResponse apRep = kerberosClient.GetApResponseFromToken(repToken, GssToken); // Get subkey from AP response, which used for signing in smb2 apRep.Decrypt(kerberosClient.Context.Ticket.SessionKey.keyvalue.ByteArrayValue); smb2Client.SetSessionSigningAndEncryption(true, false, apRep.ApEncPart.subkey.keyvalue.ByteArrayValue); string path = Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare); AccessFile(smb2Client, path); #endregion smb2Client.LogOff(); smb2Client.Disconnect(); }
private KDC_REQ_BODY CreateKdcRequestBody( KdcOptions kdcOptions, PrincipalName sName, KerberosTime from, KerberosTime till ) { KerbUInt32 nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks)); KerberosTime rtime = new KerberosTime(KerberosConstValue.TGT_RTIME); HostAddresses addresses = new HostAddresses(new HostAddress[1] { new HostAddress(new KerbInt32((int)AddressType.NetBios), new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName()))) }); KDCOptions options = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)kdcOptions)); KDC_REQ_BODY kdcReqBody = new KDC_REQ_BODY(options, Context.CName.Name, Context.Realm, sName, from, till, rtime, nonce, Context.SupportedEType, addresses, null, null); return kdcReqBody; }
public PaFxFastReq CreateTgsPaFxFast( EncryptionKey armorKey, KerberosTicket armorTicket, FastOptions fastOptions, ApOptions apOptions, Asn1SequenceOf<PA_DATA> seqPaData, string sName, byte[] apReq, IFastArmor armor = null ) { string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname); //Generate checksum var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType); var chksum = KerberosUtility.GetChecksum( armorKey.keyvalue.ByteArrayValue, apReq, (int)KeyUsageNumber.FAST_REQ_CHECKSUM, checksumType); Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum)); KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody); KerberosArmoredRequest armoredReq = new KerberosArmoredRequest(armor, checkSum, (long)Context.SelectedEType, armorKey.keyvalue.ByteArrayValue, fastReq); PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST(); paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq); PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq); return paFxfast; }
/// <summary> /// Create and send AS request /// </summary> /// <param name="kdcOptions">KDC options</param> /// <param name="seqPaData">A sequence of preauthentication data</param> public void SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPaData, KerberosTime from, KerberosTime till) { string sName = KerberosConstValue.KERBEROS_SNAME; string domain = this.Context.Realm.Value; PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain)); KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, from, till); KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData); this.SendPdu(asRequest); this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request."); }