Permalink
Browse files

Add RBCD support

  • Loading branch information...
eladshamir committed Oct 18, 2018
1 parent 1a24e0c commit 8549a3bae237873278871da496f0c5de23568bed
@@ -45,10 +45,10 @@ public class AsnElt {
public const int CHARACTER_STRING = 29;
public const int BMPString = 30;

/*
/*
* Tag classes.
*/
public const int UNIVERSAL = 0;
public const int UNIVERSAL = 0;
public const int APPLICATION = 1;
public const int CONTEXT = 2;
public const int PRIVATE = 3;
@@ -92,6 +92,7 @@
<Compile Include="lib\krb_structures\PA_DATA.cs" />
<Compile Include="lib\krb_structures\PA_ENC_TS_ENC.cs" />
<Compile Include="lib\krb_structures\PA_FOR_USER.cs" />
<Compile Include="lib\krb_structures\PA_PAC_OPTIONS.cs" />
<Compile Include="lib\krb_structures\PrincipalName.cs" />
<Compile Include="lib\krb_structures\TGS_REP.cs" />
<Compile Include="lib\krb_structures\TGS_REQ.cs" />
@@ -168,6 +168,7 @@ public enum PADATA_TYPE : UInt32
TD_REQ_SEQ = 108,
PA_PAC_REQUEST = 128,
S4U2SELF = 129,
PA_PAC_OPTIONS = 167,
PK_AS_09_BINDING = 132,
CLIENT_CANONICALIZED = 133
}
@@ -91,7 +91,9 @@ public static void Execute(KRB_CRED kirbi, string targetUser, string targetSPN,
TGS_REQ s4u2proxyReq = new TGS_REQ();
PA_DATA padata = new PA_DATA(domain, userName, ticket, clientKey, etype);
s4u2proxyReq.padata.Add(padata);

PA_DATA pac_options = new PA_DATA(false, false, false, true);
s4u2proxyReq.padata.Add(pac_options);

s4u2proxyReq.req_body.kdcOptions = s4u2proxyReq.req_body.kdcOptions | Interop.KdcOptions.CNAMEINADDLTKT;

s4u2proxyReq.req_body.realm = domain;
@@ -116,7 +118,7 @@ public static void Execute(KRB_CRED kirbi, string targetUser, string targetSPN,

Console.WriteLine("[*] Sending S4U2proxy request");
byte[] response2 = Networking.SendBytes(dcIP, 88, s4ubytes);
if (response == null)
if (response2 == null)
{
return;
}
@@ -287,7 +289,7 @@ public static void Execute(KRB_CRED kirbi, string targetUser, string targetSPN,
}
}
}
else if (responseTag == 30)
else if (responseTag2 == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
@@ -20,6 +20,13 @@ public PA_DATA()
value = new KERB_PA_PAC_REQUEST();
}

public PA_DATA(bool claims, bool branch, bool fullDC, bool rbcd)
{
// defaults for creation
type = Interop.PADATA_TYPE.PA_PAC_OPTIONS;
value = new PA_PAC_OPTIONS(claims, branch, fullDC, rbcd);
}

public PA_DATA(string keyString, Interop.KERB_ETYPE etype)
{
// include pac, supply enc timestamp
@@ -136,6 +143,17 @@ public AsnElt Encode()
AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
return seq;
}
else if (type == Interop.PADATA_TYPE.PA_PAC_OPTIONS)
{
paDataElt = ((PA_PAC_OPTIONS)value).Encode();
AsnElt blob = AsnElt.MakeBlob(((PA_PAC_OPTIONS)value).Encode().Encode());
AsnElt blobSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { blob });

paDataElt = AsnElt.MakeImplicit(AsnElt.CONTEXT, 2, blobSeq);

AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
return seq;
}

else
{
@@ -0,0 +1,42 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Asn1;

namespace Rubeus
{
/* PA-PAC-OPTIONS ::= SEQUENCE {
KerberosFlags
-- Claims(0)
-- Branch Aware(1)
-- Forward to Full DC(2)
-- Resource-based Constrained Delegation (3)
}
*/

public class PA_PAC_OPTIONS
{
public byte[] kerberosFlags { get; set; }
public PA_PAC_OPTIONS(bool claims, bool branch, bool fullDC, bool rbcd)
{
kerberosFlags = new byte[4] { 0, 0, 0, 0 };
if (claims) kerberosFlags[0] = (byte)(kerberosFlags[0] | 8);
if (branch) kerberosFlags[0] = (byte)(kerberosFlags[0] | 4);
if (fullDC) kerberosFlags[0] = (byte)(kerberosFlags[0] | 2);
if (rbcd) kerberosFlags[0] = (byte)(kerberosFlags[0] | 1);
kerberosFlags[0] = (byte)(kerberosFlags[0] * 0x10);
}

public AsnElt Encode()
{
List<AsnElt> allNodes = new List<AsnElt>();
AsnElt kerberosFlagsAsn = AsnElt.MakeBitString(kerberosFlags);
kerberosFlagsAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.BIT_STRING, kerberosFlagsAsn);
AsnElt parent = AsnElt.MakeExplicit(0, kerberosFlagsAsn);
allNodes.Add(parent);
AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, allNodes.ToArray());
return seq;
}
}
}

0 comments on commit 8549a3b

Please sign in to comment.