diff --git a/Rubeus/Asn1/AsnElt.cs b/Rubeus/Asn1/AsnElt.cs
index 9be6680..ed430e3 100755
--- a/Rubeus/Asn1/AsnElt.cs
+++ b/Rubeus/Asn1/AsnElt.cs
@@ -45,10 +45,10 @@ public class AsnElt {
public const int CHARACTER_STRING = 29;
public const int BMPString = 30;
- /*
+ /*
* Tag classes.
*/
- public const int UNIVERSAL = 0;
+ public const int UNIVERSAL = 0;
public const int APPLICATION = 1;
public const int CONTEXT = 2;
public const int PRIVATE = 3;
diff --git a/Rubeus/Rubeus.csproj b/Rubeus/Rubeus.csproj
index be53f95..114639c 100755
--- a/Rubeus/Rubeus.csproj
+++ b/Rubeus/Rubeus.csproj
@@ -92,6 +92,7 @@
+
diff --git a/Rubeus/lib/Interop.cs b/Rubeus/lib/Interop.cs
index 5c399f4..7c3148a 100755
--- a/Rubeus/lib/Interop.cs
+++ b/Rubeus/lib/Interop.cs
@@ -168,6 +168,7 @@ namespace Rubeus
TD_REQ_SEQ = 108,
PA_PAC_REQUEST = 128,
S4U2SELF = 129,
+ PA_PAC_OPTIONS = 167,
PK_AS_09_BINDING = 132,
CLIENT_CANONICALIZED = 133
}
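Review bot: `PA_PAC_OPTIONS = 167` is inserted between `S4U2SELF = 129` and `PK_AS_09_BINDING = 132`, which breaks the ascending-by-value order of the surrounding members. Moving it to the end keeps the list scannable: change the last member to `CLIENT_CANONICALIZED = 133,` and add `PA_PAC_OPTIONS = 167` after it. The enum declaration starts outside this hunk, so check that no other member already uses 167.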
diff --git a/Rubeus/lib/S4U.cs b/Rubeus/lib/S4U.cs
index a40abc6..509283d 100755
--- a/Rubeus/lib/S4U.cs
+++ b/Rubeus/lib/S4U.cs
@@ -91,7 +91,9 @@ namespace Rubeus
TGS_REQ s4u2proxyReq = new TGS_REQ();
PA_DATA padata = new PA_DATA(domain, userName, ticket, clientKey, etype);
s4u2proxyReq.padata.Add(padata);
-
+ PA_DATA pac_options = new PA_DATA(false, false, false, true);
+ s4u2proxyReq.padata.Add(pac_options);
+
s4u2proxyReq.req_body.kdcOptions = s4u2proxyReq.req_body.kdcOptions | Interop.KdcOptions.CNAMEINADDLTKT;
s4u2proxyReq.req_body.realm = domain;
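Review bot: The call `new PA_DATA(false, false, false, true)` passes four positional booleans, so a reader cannot tell which flag is being set without opening the constructor, and a swapped argument would compile silently. Named arguments make the intent explicit: `PA_DATA pac_options = new PA_DATA(claims: false, branch: false, fullDC: false, rbcd: true);`. A short comment such as `// PA-PAC-OPTIONS: set only the resource-based constrained delegation bit` would also help. The enclosing method starts and ends outside the hunk.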
@@ -116,7 +118,7 @@ namespace Rubeus
Console.WriteLine("[*] Sending S4U2proxy request");
byte[] response2 = Networking.SendBytes(dcIP, 88, s4ubytes);
- if (response == null)
+ if (response2 == null)
{
return;
}
@@ -287,7 +289,7 @@ namespace Rubeus
}
}
}
- else if (responseTag == 30)
+ else if (responseTag2 == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
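Review bot: The condition now tests `responseTag2`, but the branch body still builds the error from `responseAsn.Sub[0]`. If the S4U2proxy reply is decoded into its own AsnElt, as the `response2`/`responseTag2` naming suggests, then this line parses the earlier S4U2self response and the reported KRB-ERROR would be wrong or the indexing could throw. The declaration is outside the hunk, so confirm which element is decoded from `response2` and use that one here. While there, the comment should read `// parse the response as a KRB-ERROR`.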
diff --git a/Rubeus/lib/krb_structures/PA_DATA.cs b/Rubeus/lib/krb_structures/PA_DATA.cs
index 9ea92b4..a92cc61 100755
--- a/Rubeus/lib/krb_structures/PA_DATA.cs
+++ b/Rubeus/lib/krb_structures/PA_DATA.cs
@@ -20,6 +20,13 @@ namespace Rubeus
value = new KERB_PA_PAC_REQUEST();
}
+ public PA_DATA(bool claims, bool branch, bool fullDC, bool rbcd)
+ {
+ // defaults for creation
+ type = Interop.PADATA_TYPE.PA_PAC_OPTIONS;
+ value = new PA_PAC_OPTIONS(claims, branch, fullDC, rbcd);
+ }
+
public PA_DATA(string keyString, Interop.KERB_ETYPE etype)
{
// include pac, supply enc timestamp
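Review bot: The comment `// defaults for creation` in the new constructor looks copied from the parameterless overload and does not describe what this one does, since nothing here is defaulted. Replace it with `// PA-PAC-OPTIONS padata; each bool sets the matching KerberosFlags bit`. An XML `<summary>` with one `<param>` per flag (claims, branch, fullDC, rbcd) would tell callers what each positional bool means. This overload is also distinguishable from the others only by its four-bool signature, so that documentation is the only thing guiding a caller to it.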
@@ -136,6 +143,17 @@ namespace Rubeus
AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
return seq;
}
+ else if (type == Interop.PADATA_TYPE.PA_PAC_OPTIONS)
+ {
+ paDataElt = ((PA_PAC_OPTIONS)value).Encode();
+ AsnElt blob = AsnElt.MakeBlob(((PA_PAC_OPTIONS)value).Encode().Encode());
+ AsnElt blobSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { blob });
+
+ paDataElt = AsnElt.MakeImplicit(AsnElt.CONTEXT, 2, blobSeq);
+
+ AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
+ return seq;
+ }
else
{
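Review bot: The first statement of the new branch, `paDataElt = ((PA_PAC_OPTIONS)value).Encode();`, is a dead store: `paDataElt` is overwritten by `AsnElt.MakeImplicit(AsnElt.CONTEXT, 2, blobSeq)` before it is read, and the options are encoded again on the following line. Delete that statement so the structure is encoded once, via `AsnElt blob = AsnElt.MakeBlob(((PA_PAC_OPTIONS)value).Encode().Encode());`. Casting once into a local (`PA_PAC_OPTIONS opts = (PA_PAC_OPTIONS)value;`) would also remove the repeated cast. The enclosing Encode method starts and ends outside the hunk.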
diff --git a/Rubeus/lib/krb_structures/PA_PAC_OPTIONS.cs b/Rubeus/lib/krb_structures/PA_PAC_OPTIONS.cs
new file mode 100644
index 0000000..626aeb4
--- /dev/null
+++ b/Rubeus/lib/krb_structures/PA_PAC_OPTIONS.cs
@@ -0,0 +1,42 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using Asn1;
+
+namespace Rubeus
+{
+ /* PA-PAC-OPTIONS ::= SEQUENCE {
+ KerberosFlags
+ -- Claims(0)
+ -- Branch Aware(1)
+ -- Forward to Full DC(2)
+ -- Resource-based Constrained Delegation (3)
+ }
+ */
+
+ public class PA_PAC_OPTIONS
+ {
+ public byte[] kerberosFlags { get; set; }
+ public PA_PAC_OPTIONS(bool claims, bool branch, bool fullDC, bool rbcd)
+ {
+ kerberosFlags = new byte[4] { 0, 0, 0, 0 };
+ if (claims) kerberosFlags[0] = (byte)(kerberosFlags[0] | 8);
+ if (branch) kerberosFlags[0] = (byte)(kerberosFlags[0] | 4);
+ if (fullDC) kerberosFlags[0] = (byte)(kerberosFlags[0] | 2);
+ if (rbcd) kerberosFlags[0] = (byte)(kerberosFlags[0] | 1);
+ kerberosFlags[0] = (byte)(kerberosFlags[0] * 0x10);
+ }
+
+ public AsnElt Encode()
+ {
+ List allNodes = new List();
+ AsnElt kerberosFlagsAsn = AsnElt.MakeBitString(kerberosFlags);
+ kerberosFlagsAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.BIT_STRING, kerberosFlagsAsn);
+ AsnElt parent = AsnElt.MakeExplicit(0, kerberosFlagsAsn);
+ allNodes.Add(parent);
+ AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, allNodes.ToArray());
+ return seq;
+ }
+ }
+}
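Review bot: The constructor sets the flags with the low-nibble masks 8/4/2/1 and then multiplies the byte by `0x10` to move them into the high nibble. That gives the right result, but it hides the fact that KerberosFlags numbers its bits from the most significant bit of the first octet. Writing the final masks directly and dropping the multiply lets each line be checked against the ASN.1 comment above the class. Separately, `kerberosFlags` has a public setter on a mutable array, and Encode passes it to the BIT STRING builder without checking its length; a private setter would keep the four-byte invariant.

```csharp
public PA_PAC_OPTIONS(bool claims, bool branch, bool fullDC, bool rbcd)
{
    kerberosFlags = new byte[4] { 0, 0, 0, 0 };
    // KerberosFlags bit 0 is the most significant bit of the first octet
    if (claims) kerberosFlags[0] |= 0x80; // Claims (0)
    if (branch) kerberosFlags[0] |= 0x40; // Branch Aware (1)
    if (fullDC) kerberosFlags[0] |= 0x20; // Forward to Full DC (2)
    if (rbcd) kerberosFlags[0] |= 0x10;   // Resource-based Constrained Delegation (3)
}
```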