示例#1
文件: Ask.cs 项目: lunarobliq/Rubeus
        /// <summary>
        /// Requests a TGT with PKINIT (certificate-based pre-authentication): resolves the
        /// client certificate, builds the AS-REQ and passes it to <c>InnerTGT</c>.
        /// </summary>
        /// <param name="userName">Principal name placed in the AS-REQ.</param>
        /// <param name="domain">Realm placed in the AS-REQ.</param>
        /// <param name="certFile">Certificate reference handed to <c>FindCertificate</c>; when that lookup yields nothing and the value is Base64, it is decoded and loaded as the certificate itself.</param>
        /// <param name="certPass">Password used when loading the certificate.</param>
        /// <param name="etype">Encryption type requested in the AS-REQ.</param>
        /// <param name="verifyCerts">Forwarded to <c>AS_REQ.NewASReq</c>; off by default.</param>
        /// <returns>
        /// The result of <c>InnerTGT</c>, or <c>null</c> when no certificate could be loaded or a
        /// <c>KerberosErrorException</c> / <c>RubeusException</c> was caught and reported.
        /// </returns>
        /// <remarks>
        /// <paramref name="outfile"/>, <paramref name="ptt"/>, <paramref name="domainController"/>,
        /// <paramref name="luid"/>, <paramref name="describe"/>, <paramref name="servicekey"/> and
        /// <paramref name="getCredentials"/> are forwarded to <c>InnerTGT</c> unchanged; their handling
        /// is not visible in this method.
        /// </remarks>
        public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool verifyCerts = false, string servicekey = "", bool getCredentials = false)
        {
            try
            {
                X509Certificate2 clientCert = FindCertificate(certFile, certPass);

                // The Base64 interpretation is tried second because certFile may have been
                // a hex-encoded fingerprint that FindCertificate already handled.
                if (clientCert == null && Helpers.IsBase64String(certFile))
                {
                    // NOTE(review): X509Certificate2 throws CryptographicException on malformed data
                    // or a wrong password; neither catch clause below handles that type, so it
                    // propagates to the caller instead of producing the null return.
                    byte[] rawCertificate = Convert.FromBase64String(certFile);
                    clientCert = new X509Certificate2(rawCertificate, certPass);
                }

                if (clientCert == null)
                {
                    Console.WriteLine("[!] Failed to find certificate for {0}", certFile);
                    return null;
                }

                KDCKeyAgreement keyAgreement = new KDCKeyAgreement();

                Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, clientCert.Subject);
                Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName);

                // NOTE(review): verifyCerts defaults to false. It presumably governs validation of the
                // KDC's certificate in the PKINIT exchange (confirm against PA_PK_AS_REQ); if so, the
                // KDC is not authenticated unless the caller opts in.
                AS_REQ request = AS_REQ.NewASReq(userName, domain, clientCert, keyAgreement, etype, verifyCerts);

                // The positional true/false literals map to InnerTGT parameters that are not
                // visible here; confirm their meaning against InnerTGT's signature.
                return InnerTGT(request, etype, outfile, ptt, domainController, luid, describe, true, false, servicekey, getCredentials);
            }
            catch (KerberosErrorException kerberosFailure)
            {
                // Report the numeric KDC error code together with its enum name.
                KRB_ERROR krbError = kerberosFailure.krbError;
                Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", krbError.error_code, (Interop.KERBEROS_ERROR)krbError.error_code);
            }
            catch (RubeusException toolFailure)
            {
                Console.WriteLine(string.Concat("\r\n", toolFailure.Message, "\r\n"));
            }

            return null;
        }
示例#2
文件: Ask.cs 项目: zforks/Rubeus
        /// <summary>
        /// Requests a TGT with PKINIT (certificate-based pre-authentication): resolves the
        /// client certificate, builds the AS-REQ and passes it to <c>InnerTGT</c>.
        /// </summary>
        /// <param name="userName">Principal name placed in the AS-REQ.</param>
        /// <param name="domain">Realm placed in the AS-REQ.</param>
        /// <param name="certFile">Certificate reference handed to <c>FindCertificate</c>.</param>
        /// <param name="certPass">Password handed to <c>FindCertificate</c> with the certificate reference.</param>
        /// <param name="etype">Encryption type requested in the AS-REQ.</param>
        /// <returns>
        /// The result of <c>InnerTGT</c>, or <c>null</c> when no certificate was found or a
        /// <c>KerberosErrorException</c> / <c>RubeusException</c> was caught and reported.
        /// </returns>
        /// <remarks>
        /// <paramref name="outfile"/>, <paramref name="ptt"/>, <paramref name="domainController"/>,
        /// <paramref name="luid"/> and <paramref name="describe"/> are forwarded to <c>InnerTGT</c>
        /// unchanged; their handling is not visible in this method.
        /// </remarks>
        public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false)
        {
            try
            {
                X509Certificate2 clientCert = FindCertificate(certFile, certPass);

                if (clientCert == null)
                {
                    Console.WriteLine("[!] Failed to find certificate for {0}", certFile);
                    return null;
                }

                KDCKeyAgreement keyAgreement = new KDCKeyAgreement();

                Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, clientCert.Subject);
                Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName);

                // NOTE(review): this overload passes no certificate-verification option to NewASReq;
                // whether the KDC's certificate is validated anywhere in the exchange cannot be
                // determined from this method and should be confirmed.
                AS_REQ request = AS_REQ.NewASReq(userName, domain, clientCert, keyAgreement, etype);

                // The trailing positional true maps to an InnerTGT parameter that is not visible
                // here; confirm its meaning against InnerTGT's signature.
                return InnerTGT(request, etype, outfile, ptt, domainController, luid, describe, true);
            }
            catch (KerberosErrorException kerberosFailure)
            {
                // Report the numeric KDC error code together with its enum name.
                KRB_ERROR krbError = kerberosFailure.krbError;
                Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", krbError.error_code, (Interop.KERBEROS_ERROR)krbError.error_code);
            }
            catch (RubeusException toolFailure)
            {
                Console.WriteLine(string.Concat("\r\n", toolFailure.Message, "\r\n"));
            }

            return null;
        }
示例#3
 /// <summary>
 /// Stores the pieces of a PKINIT request: the auth pack, the client certificate,
 /// the key agreement and the certificate-verification flag.
 /// </summary>
 /// <param name="krbAuthPack">Auth pack kept in <c>AuthPack</c>.</param>
 /// <param name="pkCert">Client certificate kept in <c>PKCert</c>.</param>
 /// <param name="agreement">Key agreement kept in <c>Agreement</c>.</param>
 /// <param name="verifyCerts">Kept in <c>VerifyCerts</c>; off by default.</param>
 public PA_PK_AS_REQ(KrbAuthPack krbAuthPack, X509Certificate2 pkCert, KDCKeyAgreement agreement, bool verifyCerts = false)
 {
     this.AuthPack = krbAuthPack;
     this.PKCert = pkCert;
     this.Agreement = agreement;

     // NOTE(review): defaults to false; how this flag is consumed is not visible here.
     // If it gates validation of the KDC's certificate, verification is opt-in -- confirm.
     this.VerifyCerts = verifyCerts;
 }
示例#4
        /// <summary>
        /// Creates an AS-REQ skeleton for certificate-based pre-authentication: sets the
        /// protocol version and message type, creates an empty request body, and adds two
        /// pre-authentication entries.
        /// </summary>
        /// <param name="pkCert">Client certificate passed to the second <c>PA_DATA</c> entry.</param>
        /// <param name="agreement">Key agreement passed to the second <c>PA_DATA</c> entry.</param>
        /// <param name="verifyCerts">Passed through to the second <c>PA_DATA</c> entry; off by default.</param>
        public AS_REQ(X509Certificate2 pkCert, KDCKeyAgreement agreement, bool verifyCerts = false)
        {
            // Kerberos protocol version 5; message type 10 is AS-REQ.
            this.pvno = 5;
            this.msg_type = 10;

            this.padata = new List<PA_DATA>();

            // The body must exist before the certificate-based PA_DATA is built, because
            // that constructor receives it as an argument.
            this.req_body = new KDCReqBody();

            // First entry: default-constructed PA_DATA (per the original comment, the
            // include-pac == true request).
            PA_DATA defaultEntry = new PA_DATA();
            this.padata.Add(defaultEntry);

            // Second entry: the overload that takes the certificate and key agreement.
            // The original comment called this "the encrypted timestamp", which does not
            // match the arguments passed here.
            PA_DATA certificateEntry = new PA_DATA(pkCert, agreement, this.req_body, verifyCerts);
            this.padata.Add(certificateEntry);
        }
示例#5
        /// <summary>
        /// Builds a pre-authentication entry of type <c>PK_AS_REQ</c>: creates an authenticator
        /// from the current UTC time and the request body, wraps it in an auth pack with the
        /// certificate, attaches the client's public key information from the key agreement,
        /// and stores the resulting <c>PA_PK_AS_REQ</c> as the value.
        /// </summary>
        /// <param name="pkInitCert">Certificate passed to the auth pack and to <c>PA_PK_AS_REQ</c>.</param>
        /// <param name="agreement">Source of the <c>P</c>, <c>G</c> and <c>Y</c> integers that are ASN.1-encoded below.</param>
        /// <param name="kdcRequestBody">Request body passed to the authenticator.</param>
        /// <param name="verifyCerts">Passed through to <c>PA_PK_AS_REQ</c>; off by default.</param>
        public PA_DATA(X509Certificate2 pkInitCert, KDCKeyAgreement agreement, KDCReqBody kdcRequestBody, bool verifyCerts = false)
        {
            DateTime timestamp = DateTime.UtcNow;

            // NOTE(review): the first and third arguments are both timestamp.Millisecond, a value
            // in 0..999 that is derived from the clock. If either one is the request nonce (confirm
            // against KrbPkAuthenticator's signature), it is low-entropy and predictable; a nonce
            // is normally drawn from a cryptographic random source.
            KrbPkAuthenticator pkAuthenticator = new KrbPkAuthenticator((uint)timestamp.Millisecond, timestamp, timestamp.Millisecond, kdcRequestBody);
            KrbAuthPack pack = new KrbAuthPack(pkAuthenticator, pkInitCert);

            // ASN.1 SEQUENCE { P, G } taken from the key agreement; used as the parameters of
            // the algorithm identifier below.
            AsnElt[] parameterIntegers = new AsnElt[]
            {
                AsnElt.MakeInteger(agreement.P),
                AsnElt.MakeInteger(agreement.G),
            };
            byte[] encodedParameters = AsnElt.Make(AsnElt.SEQUENCE, parameterIntegers).Encode();

            // Algorithm identifier first, then the encoded Y value, matching the original
            // left-to-right argument evaluation.
            KrbAlgorithmIdentifier keyAlgorithm = new KrbAlgorithmIdentifier(DiffieHellman, encodedParameters);
            byte[] encodedPublicValue = AsnElt.MakeInteger(agreement.Y).Encode();
            pack.ClientPublicValue = new KrbSubjectPublicKeyInfo(keyAlgorithm, encodedPublicValue);

            this.type = Interop.PADATA_TYPE.PK_AS_REQ;
            this.value = new PA_PK_AS_REQ(pack, pkInitCert, agreement, verifyCerts);
        }
示例#6
 /// <summary>
 /// Stores the pieces of a PKINIT request: the auth pack, the client certificate
 /// and the key agreement.
 /// </summary>
 /// <param name="krbAuthPack">Auth pack kept in <c>AuthPack</c>.</param>
 /// <param name="pkCert">Client certificate kept in <c>PKCert</c>.</param>
 /// <param name="agreement">Key agreement kept in <c>Agreement</c>.</param>
 public PA_PK_AS_REQ(KrbAuthPack krbAuthPack, X509Certificate2 pkCert, KDCKeyAgreement agreement)
 {
     // NOTE(review): this overload takes no certificate-verification option; whether the
     // KDC's certificate is validated elsewhere cannot be determined from here.
     this.AuthPack = krbAuthPack;
     this.PKCert = pkCert;
     this.Agreement = agreement;
 }
示例#7
        //TODO: Insert DHKeyPair parameter also.
        /// <summary>
        /// Builds an AS-REQ for <paramref name="userName"/> in <paramref name="domain"/> using the
        /// certificate-based <c>AS_REQ</c> constructor, targeting the <c>krbtgt</c> service of the
        /// same realm with a single requested encryption type.
        /// </summary>
        /// <param name="userName">Added to the client name (<c>cname</c>) of the request body.</param>
        /// <param name="domain">Used as the realm and as the second component of the service name.</param>
        /// <param name="cert">Client certificate passed to the <c>AS_REQ</c> constructor.</param>
        /// <param name="agreement">Key agreement passed to the <c>AS_REQ</c> constructor.</param>
        /// <param name="etype">Encryption type added to the request body's etype list.</param>
        /// <param name="verifyCerts">Passed to the <c>AS_REQ</c> constructor; off by default.</param>
        /// <returns>The populated request.</returns>
        public static AS_REQ NewASReq(string userName, string domain, X509Certificate2 cert, KDCKeyAgreement agreement, Interop.KERB_ETYPE etype, bool verifyCerts = false)
        {
            // Pre-authentication is set up by the constructor from the certificate and key
            // agreement. (The original comment mentioned PA-ENC-TIMESTAMP, which does not
            // match the arguments passed here.)
            AS_REQ request = new AS_REQ(cert, agreement, verifyCerts);

            // Client principal: the user the TGT is requested for.
            request.req_body.cname.name_string.Add(userName);

            // Realm (domain) the user exists in.
            request.req_body.realm = domain;

            // Service principal krbtgt/<domain>, typed as NT_SRV_INST
            // (KRB_NT_SRV_INST = 2: service and other unique instance).
            request.req_body.sname.name_type = Interop.PRINCIPAL_TYPE.NT_SRV_INST;
            request.req_body.sname.name_string.Add("krbtgt");
            request.req_body.sname.name_string.Add(domain);

            // Only the caller-supplied encryption type is offered.
            request.req_body.etypes.Add(etype);

            return request;
        }