Add RBCD support

GhostPack · Oct 18, 2018 · 8549a3b · 8549a3b
1 parent 1a24e0c
commit 8549a3b
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 5 deletions.
diff --git a/Rubeus/Asn1/AsnElt.cs b/Rubeus/Asn1/AsnElt.cs
@@ -45,10 +45,10 @@ public class AsnElt {
 	public const int CHARACTER_STRING  = 29;
 	public const int BMPString         = 30;
 
-	/*
+    /*
 	 * Tag classes.
 	 */
-	public const int UNIVERSAL   = 0;
+    public const int UNIVERSAL   = 0;
 	public const int APPLICATION = 1;
 	public const int CONTEXT     = 2;
 	public const int PRIVATE     = 3;

diff --git a/Rubeus/Rubeus.csproj b/Rubeus/Rubeus.csproj
@@ -92,6 +92,7 @@
     <Compile Include="lib\krb_structures\PA_DATA.cs" />
     <Compile Include="lib\krb_structures\PA_ENC_TS_ENC.cs" />
     <Compile Include="lib\krb_structures\PA_FOR_USER.cs" />
+    <Compile Include="lib\krb_structures\PA_PAC_OPTIONS.cs" />
     <Compile Include="lib\krb_structures\PrincipalName.cs" />
     <Compile Include="lib\krb_structures\TGS_REP.cs" />
     <Compile Include="lib\krb_structures\TGS_REQ.cs" />

diff --git a/Rubeus/lib/Interop.cs b/Rubeus/lib/Interop.cs
@@ -168,6 +168,7 @@ public enum PADATA_TYPE : UInt32
             TD_REQ_SEQ = 108,
             PA_PAC_REQUEST = 128,
             S4U2SELF = 129,
+            PA_PAC_OPTIONS = 167,
             PK_AS_09_BINDING = 132,
             CLIENT_CANONICALIZED = 133
         }

diff --git a/Rubeus/lib/S4U.cs b/Rubeus/lib/S4U.cs
@@ -91,7 +91,9 @@ public static void Execute(KRB_CRED kirbi, string targetUser, string targetSPN,
                 TGS_REQ s4u2proxyReq = new TGS_REQ();
                 PA_DATA padata = new PA_DATA(domain, userName, ticket, clientKey, etype);
                 s4u2proxyReq.padata.Add(padata);
-
+                PA_DATA pac_options = new PA_DATA(false, false, false, true);
+                s4u2proxyReq.padata.Add(pac_options);
+
                 s4u2proxyReq.req_body.kdcOptions = s4u2proxyReq.req_body.kdcOptions | Interop.KdcOptions.CNAMEINADDLTKT;
 
                 s4u2proxyReq.req_body.realm = domain;
@@ -116,7 +118,7 @@ public static void Execute(KRB_CRED kirbi, string targetUser, string targetSPN,
 
                 Console.WriteLine("[*] Sending S4U2proxy request");
                 byte[] response2 = Networking.SendBytes(dcIP, 88, s4ubytes);
-                if (response == null)
+                if (response2 == null)
                 {
                     return;
                 }
@@ -287,7 +289,7 @@ public static void Execute(KRB_CRED kirbi, string targetUser, string targetSPN,
                         }
                     }
                 }
-                else if (responseTag == 30)
+                else if (responseTag2 == 30)
                 {
                     // parse the response to an KRB-ERROR
                     KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);

diff --git a/Rubeus/lib/krb_structures/PA_DATA.cs b/Rubeus/lib/krb_structures/PA_DATA.cs
@@ -20,6 +20,13 @@ public PA_DATA()
             value = new KERB_PA_PAC_REQUEST();
         }
 
+        public PA_DATA(bool claims, bool branch, bool fullDC, bool rbcd)
+        {
+            // defaults for creation
+            type = Interop.PADATA_TYPE.PA_PAC_OPTIONS;
+            value = new PA_PAC_OPTIONS(claims, branch, fullDC, rbcd);
+        }
+
         public PA_DATA(string keyString, Interop.KERB_ETYPE etype)
         {
             // include pac, supply enc timestamp
@@ -136,6 +143,17 @@ public AsnElt Encode()
                 AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
                 return seq;
             }
+            else if (type == Interop.PADATA_TYPE.PA_PAC_OPTIONS)
+            {
+                paDataElt = ((PA_PAC_OPTIONS)value).Encode();
+                AsnElt blob = AsnElt.MakeBlob(((PA_PAC_OPTIONS)value).Encode().Encode());
+                AsnElt blobSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { blob });
+
+                paDataElt = AsnElt.MakeImplicit(AsnElt.CONTEXT, 2, blobSeq);
+
+                AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { nameTypeSeq, paDataElt });
+                return seq;
+            }
 
             else
             {

diff --git a/Rubeus/lib/krb_structures/PA_PAC_OPTIONS.cs b/Rubeus/lib/krb_structures/PA_PAC_OPTIONS.cs
@@ -0,0 +1,42 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using Asn1;
+
+namespace Rubeus
+{
+    /* PA-PAC-OPTIONS ::= SEQUENCE {
+        KerberosFlags
+        -- Claims(0)
+        -- Branch Aware(1)
+        -- Forward to Full DC(2)
+        -- Resource-based Constrained Delegation (3)
+       }
+    */
+
+    public class PA_PAC_OPTIONS
+    {
+        public byte[] kerberosFlags { get; set; }
+        public PA_PAC_OPTIONS(bool claims, bool branch, bool fullDC, bool rbcd)
+        {
+            kerberosFlags = new byte[4] { 0, 0, 0, 0 };
+            if (claims) kerberosFlags[0] = (byte)(kerberosFlags[0] | 8);
+            if (branch) kerberosFlags[0] = (byte)(kerberosFlags[0] | 4);
+            if (fullDC) kerberosFlags[0] = (byte)(kerberosFlags[0] | 2);
+            if (rbcd) kerberosFlags[0] = (byte)(kerberosFlags[0] | 1);
+            kerberosFlags[0] = (byte)(kerberosFlags[0] * 0x10);
+        }
+
+        public AsnElt Encode()
+        {
+            List<AsnElt> allNodes = new List<AsnElt>();
+            AsnElt kerberosFlagsAsn = AsnElt.MakeBitString(kerberosFlags);
+            kerberosFlagsAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.BIT_STRING, kerberosFlagsAsn);
+            AsnElt parent = AsnElt.MakeExplicit(0, kerberosFlagsAsn);
+            allNodes.Add(parent);
+            AsnElt seq = AsnElt.Make(AsnElt.SEQUENCE, allNodes.ToArray());
+            return seq;
+        }
+    }
+}