188 lines
5.4 KiB
Ruby
188 lines
5.4 KiB
Ruby
# -*- coding: binary -*-
|
|
require 'rex/proto/kerberos'
|
|
|
|
module Msf
|
|
module Kerberos
|
|
module Client
|
|
module TgsRequest
|
|
|
|
def build_tgs_request(opts = {})
|
|
subkey = opts[:subkey] || build_subkey(opts)
|
|
|
|
if opts[:enc_auth_data]
|
|
enc_auth_data = opts[:enc_auth_data]
|
|
elsif opts[:auth_data]
|
|
enc_auth_data = build_enc_auth_data(
|
|
auth_data: opts[:auth_data],
|
|
subkey: subkey
|
|
)
|
|
else
|
|
enc_auth_data = nil
|
|
end
|
|
|
|
body = build_tgs_request_body(opts.merge(
|
|
enc_auth_data: enc_auth_data
|
|
))
|
|
|
|
checksum = opts[:checksum] || build_tgs_body_checksum(body)
|
|
|
|
if opts[:auhtenticator]
|
|
authenticator = opts[:authenticator]
|
|
else
|
|
authenticator = build_authenticator(opts.merge(
|
|
subkey: subkey,
|
|
checksum: checksum
|
|
))
|
|
end
|
|
|
|
if opts[:ap_req]
|
|
ap_req = opts[:ap_req]
|
|
else
|
|
ap_req = build_ap_req(opts.merge(:authenticator => authenticator))
|
|
end
|
|
|
|
pa_ap_req = Rex::Proto::Kerberos::Model::PreAuthData.new(
|
|
type: Rex::Proto::Kerberos::Model::PA_TGS_REQ,
|
|
value: ap_req.encode
|
|
)
|
|
|
|
pa_data = []
|
|
pa_data.push(pa_ap_req)
|
|
if opts[:pa_data]
|
|
opts[:pa_data].each { |pa| pa_data.push(pa) }
|
|
end
|
|
|
|
request = Rex::Proto::Kerberos::Model::KdcRequest.new(
|
|
pvno: 5,
|
|
msg_type: Rex::Proto::Kerberos::Model::TGS_REQ,
|
|
pa_data: pa_data,
|
|
req_body: body
|
|
)
|
|
|
|
request
|
|
end
|
|
|
|
def build_enc_auth_data(opts)
|
|
auth_data = opts[:auth_data]
|
|
key = opts[:subkey].value #|| ''
|
|
etype = opts[:subkey].type #|| Rex::Proto::Kerberos::Model::KERB_ETYPE_RC4_HMAC
|
|
|
|
encrypted = auth_data.encrypt(etype, key)
|
|
|
|
e_data = Rex::Proto::Kerberos::Model::EncryptedData.new(
|
|
etype: etype,
|
|
cipher: encrypted
|
|
)
|
|
|
|
e_data
|
|
end
|
|
|
|
def build_ap_req(opts = {})
|
|
pvno = opts[:pvno] || Rex::Proto::Kerberos::Model::VERSION
|
|
msg_type = opts[:msg_type] || Rex::Proto::Kerberos::Model::AP_REQ
|
|
options = opts[:ap_req_options] || 0
|
|
ticket = opts[:ticket]
|
|
authenticator = opts[:authenticator]
|
|
session_key = opts[:session_key]
|
|
|
|
if ticket.nil?
|
|
raise ::RuntimeError, 'Building a AP-REQ without ticket not supported'
|
|
end
|
|
|
|
if authenticator.nil?
|
|
raise ::RuntimeError, 'Building an AP-REQ without authenticator not supported'
|
|
end
|
|
|
|
enc_authenticator = Rex::Proto::Kerberos::Model::EncryptedData.new(
|
|
etype: session_key.type,
|
|
cipher: authenticator.encrypt(session_key.type, session_key.value)
|
|
)
|
|
|
|
ap_req = Rex::Proto::Kerberos::Model::ApReq.new(
|
|
pvno: pvno,
|
|
msg_type: msg_type,
|
|
options: options,
|
|
ticket: ticket,
|
|
authenticator: enc_authenticator
|
|
)
|
|
|
|
ap_req
|
|
end
|
|
|
|
def build_subkey(opts={})
|
|
subkey_type = opts[:subkey_type] || 23
|
|
subkey_value = opts[:subkey_value] || Rex::Text.rand_text(16)
|
|
|
|
subkey = Rex::Proto::Kerberos::Model::EncryptionKey.new(
|
|
type: subkey_type,
|
|
#value: Rex::Text.rand_text(16)
|
|
value: "AAAABBBBCCCCDDDD"
|
|
)
|
|
|
|
subkey
|
|
end
|
|
|
|
def build_authenticator(opts = {})
|
|
cname = opts[:cname] || build_client_name(opts)
|
|
realm = opts[:realm] || ''
|
|
ctime = opts[:ctime] || Time.now
|
|
cusec = opts[:cusec] || ctime.usec
|
|
checksum = opts[:checksum] || ''
|
|
subkey = opts[:subkey]
|
|
|
|
authenticator = Rex::Proto::Kerberos::Model::Authenticator.new(
|
|
vno: 5,
|
|
crealm: realm,
|
|
cname: cname,
|
|
checksum: checksum,
|
|
cusec: cusec,
|
|
ctime: ctime,
|
|
subkey: subkey
|
|
)
|
|
|
|
authenticator
|
|
end
|
|
|
|
def build_tgs_request_body(opts = {})
|
|
options = opts[:options] || 0x50800000 # Forwardable, Proxiable, Renewable
|
|
from = opts[:from] || Time.utc('1970-01-01-01 00:00:00')
|
|
till = opts[:till] || Time.utc('1970-01-01-01 00:00:00')
|
|
rtime = opts[:rtime] || Time.utc('1970-01-01-01 00:00:00')
|
|
nonce = opts[:nonce] || Rex::Text.rand_text_numeric(6).to_i
|
|
etype = opts[:etype] || [Rex::Proto::Kerberos::Model::KERB_ETYPE_RC4_HMAC]
|
|
cname = opts[:cname] || build_client_name(opts)
|
|
realm = opts[:realm] || ''
|
|
sname = opts[:sname] || build_server_name(opts)
|
|
enc_auth_data = opts[:enc_auth_data] || nil
|
|
|
|
|
|
body = Rex::Proto::Kerberos::Model::KdcRequestBody.new(
|
|
options: options,
|
|
cname: cname,
|
|
realm: realm,
|
|
sname: sname,
|
|
from: from,
|
|
till: till,
|
|
rtime: rtime,
|
|
nonce: nonce,
|
|
etype: etype,
|
|
enc_auth_data: enc_auth_data
|
|
)
|
|
|
|
body
|
|
end
|
|
|
|
def build_tgs_body_checksum(body)
|
|
checksum_body = body.checksum(7)
|
|
checksum = Rex::Proto::Kerberos::Model::Checksum.new(
|
|
type: 7,
|
|
checksum: checksum_body
|
|
)
|
|
|
|
checksum
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|