Add RBCD support

master
Elad Shamir 2018-10-18 09:36:18 +00:00
parent 1a24e0c5c0
commit 8549a3bae2
6 changed files with 69 additions and 5 deletions


@ -92,6 +92,7 @@
<Compile Include="lib\krb_structures\PA_DATA.cs" />
<Compile Include="lib\krb_structures\PA_ENC_TS_ENC.cs" />
<Compile Include="lib\krb_structures\PA_FOR_USER.cs" />
<Compile Include="lib\krb_structures\PA_PAC_OPTIONS.cs" />
<Compile Include="lib\krb_structures\PrincipalName.cs" />
<Compile Include="lib\krb_structures\TGS_REP.cs" />
<Compile Include="lib\krb_structures\TGS_REQ.cs" />


@ -168,6 +168,7 @@ namespace Rubeus
TD_REQ_SEQ = 108,
PA_PAC_REQUEST = 128,
S4U2SELF = 129,
PA_PAC_OPTIONS = 167,
PK_AS_09_BINDING = 132,
CLIENT_CANONICALIZED = 133
}
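Review bot: `PA_PAC_OPTIONS = 167` is inserted between 129 and 132, which breaks the ascending numeric order of the other visible members; placing it after `CLIENT_CANONICALIZED = 133` keeps the table easy to check against the specification. A trailing comment naming where the value comes from would help the next reader, e.g. `// MS-KILE PA-PAC-OPTIONS`. The enum declaration starts outside the hunk.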


@ -91,6 +91,8 @@ namespace Rubeus
TGS_REQ s4u2proxyReq = new TGS_REQ();
PA_DATA padata = new PA_DATA(domain, userName, ticket, clientKey, etype);
s4u2proxyReq.padata.Add(padata);
PA_DATA pac_options = new PA_DATA(false, false, false, true);
s4u2proxyReq.padata.Add(pac_options);
s4u2proxyReq.req_body.kdcOptions = s4u2proxyReq.req_body.kdcOptions | Interop.KdcOptions.CNAMEINADDLTKT;
@ -116,7 +118,7 @@ namespace Rubeus
Console.WriteLine("[*] Sending S4U2proxy request");
byte[] response2 = Networking.SendBytes(dcIP, 88, s4ubytes);
if (response == null)
if (response2 == null)
{
return;
}
@ -287,7 +289,7 @@ namespace Rubeus
}
}
}
else if (responseTag == 30)
else if (responseTag2 == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
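Review bot: `new PA_DATA(false, false, false, true)` passes four positional booleans, so a reader cannot tell which PA-PAC-OPTIONS flag is being set without opening the constructor, and a transposed argument would still compile. Named arguments make the intent visible at the call site: `new PA_DATA(claims: false, branch: false, fullDC: false, rbcd: true)`. Separately, the corrected `response2 == null` branch returns without printing anything; unless `Networking.SendBytes` already reports the failure (not visible here), the caller gets no indication of why the S4U2proxy step stopped. The enclosing method starts and ends outside these hunks.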


@ -20,6 +20,13 @@ namespace Rubeus
value = new KERB_PA_PAC_REQUEST();
}
public PA_DATA(bool claims, bool branch, bool fullDC, bool rbcd)
{
// defaults for creation
type = Interop.PADATA_TYPE.PA_PAC_OPTIONS;
value = new PA_PAC_OPTIONS(claims, branch, fullDC, rbcd);
}
public PA_DATA(string keyString, Interop.KERB_ETYPE etype)
{
// include pac, supply enc timestamp
@ -136,6 +143,17 @@ namespace Rubeus
AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
return seq;
}
else if (type == Interop.PADATA_TYPE.PA_PAC_OPTIONS)
{
paDataElt = ((PA_PAC_OPTIONS)value).Encode();
AsnElt blob = AsnElt.MakeBlob(((PA_PAC_OPTIONS)value).Encode().Encode());
AsnElt blobSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { blob });
paDataElt = AsnElt.MakeImplicit(AsnElt.CONTEXT, 2, blobSeq);
AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
return seq;
}
else
{
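Review bot: In the new `PA_PAC_OPTIONS` branch the first statement, `paDataElt = ((PA_PAC_OPTIONS)value).Encode();`, is a dead store: `paDataElt` is overwritten by the `AsnElt.MakeImplicit(...)` call three lines later, and the options are then encoded a second time for the blob. Deleting that line leaves the `MakeBlob(...)` call as the single encode and changes nothing in the output. The new constructor's `// defaults for creation` comment looks copied from its neighbour; something like `// PA-PAC-OPTIONS padata carrying the requested KerberosFlags` would describe what this overload builds. The Encode method and the trailing `else` continue outside the hunk.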


@ -0,0 +1,42 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Asn1;
namespace Rubeus
{
/* PA-PAC-OPTIONS ::= SEQUENCE {
KerberosFlags
-- Claims(0)
-- Branch Aware(1)
-- Forward to Full DC(2)
-- Resource-based Constrained Delegation (3)
}
*/
public class PA_PAC_OPTIONS
{
public byte[] kerberosFlags { get; set; }
public PA_PAC_OPTIONS(bool claims, bool branch, bool fullDC, bool rbcd)
{
kerberosFlags = new byte[4] { 0, 0, 0, 0 };
if (claims) kerberosFlags[0] = (byte)(kerberosFlags[0] | 8);
if (branch) kerberosFlags[0] = (byte)(kerberosFlags[0] | 4);
if (fullDC) kerberosFlags[0] = (byte)(kerberosFlags[0] | 2);
if (rbcd) kerberosFlags[0] = (byte)(kerberosFlags[0] | 1);
kerberosFlags[0] = (byte)(kerberosFlags[0] * 0x10);
}
public AsnElt Encode()
{
List<AsnElt> allNodes = new List<AsnElt>();
AsnElt kerberosFlagsAsn = AsnElt.MakeBitString(kerberosFlags);
kerberosFlagsAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.BIT_STRING, kerberosFlagsAsn);
AsnElt parent = AsnElt.MakeExplicit(0, kerberosFlagsAsn);
allNodes.Add(parent);
AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, allNodes.ToArray());
return seq;
}
}
}
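Review bot: The constructor sets the flags in the low nibble (8, 4, 2, 1) and then multiplies the byte by `0x10` to move them into the high nibble, which hides the fact that KerberosFlags bit 0 is the most significant bit of the first octet. Writing the final masks directly gives the same bytes and lets each line be checked against the bit numbers in the header comment. The `using System;`, `using System.Linq;` and `using System.Text;` directives appear unused in this file, and `kerberosFlags` has a public setter although only the constructor assigns it; a private setter would stop callers from replacing the array with one of a different length.

```csharp
public PA_PAC_OPTIONS(bool claims, bool branch, bool fullDC, bool rbcd)
{
    kerberosFlags = new byte[4] { 0, 0, 0, 0 };
    // KerberosFlags bit 0 is the most significant bit of the first octet
    if (claims) kerberosFlags[0] |= 0x80; // Claims (0)
    if (branch) kerberosFlags[0] |= 0x40; // Branch Aware (1)
    if (fullDC) kerberosFlags[0] |= 0x20; // Forward to Full DC (2)
    if (rbcd) kerberosFlags[0] |= 0x10;   // Resource-based Constrained Delegation (3)
}
```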