
Add ul_type 12 (UPN and DNS info) to pac bindata #17603

Merged (1 commit) on Feb 8, 2023

Conversation

@dwelch-r7 (Contributor) commented Feb 6, 2023

Adds support for the UPN and DNS info PAC structure documented here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/1c0d6e11-6443-4846-b744-f9f810a504eb

Bumped bindata version to include the fix from here: dmendel/bindata#149 (comment)

I tested around trying to make it so that you didn't need to manually remember to call set_offsets! before writing out the UPN and DNS info element, but I couldn't find a nice way of doing that which wouldn't also have the side effect of potentially altering the existing values at the time of reading the ticket, so I've just left it in a similar way to the Pac itself.

Validation

  • CI passes
  • run the inspect ticket module against a ccache/kirbi containing the UPN and DNS info element

Example of a kirbi file in base64 with the extended UPN and DNS info included


Alternatively you can generate your own using rubeus with a command like:
rubeus.exe silver /service:cifs/dc2019.windomain.local /rc4:64FBAE31CC352FC26AF97CBDEF151E03 /creduser:windomain.local\test /credpassword:vagrant /user:test /krbkey:4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 /krbenctype:aes256 /domain:windomain.local /ptt /sid:S-1-5-21-3541430928-2051711210-1391384369 /extendedupndns

end

context 'with non-extended upn dns info' do
describe '#read' do
Reviewer comment (Contributor):

A #write example would be good to add too, from a BinData object that doesn't have the offsets specified upfront 👍

@dwelch-r7 (Contributor Author):

We talked about this already but just to leave a paper trail I think this covers what you're asking for here:
https://github.com/rapid7/metasploit-framework/pull/17603/files#diff-4c294da130b0102eb5a73e30dc42d56ae8ac3bb3dc990dc7d41b230e2c956437R371-R381

@adfoster-r7 (Contributor) commented Feb 7, 2023:

I think I'm more used to seeing this sort of pattern that uses described_class instead, in conjunction with initialising the object values directly in the constructor instead of mutating subject, and compares to the expected binary result

https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/rex/proto/kerberos/credential_cache/krb5_ccache_spec.rb#L45-L54

@dwelch-r7 (Contributor Author):

Ok, I think I've done what you're asking for. Honestly, I didn't even see that you'd left the comment on #read; totally my fault for not realising I'd done that too.

@sempervictus (Contributor):

Neat, thank you.

@adfoster-r7 (Contributor):

Tested with the data from #17468 (comment)

Before:

            {:ul_type=>12, :cb_buffer_size=>72, :offset=>560, :buffer=>{:pac_element=>{:ul_type=>12, :unknown_element=>"\x1E\x00\x10\x00\x14\x000\x00\x01\x00\x00\x00\x00\x00\x00\x00D\x00C\x003\x00$\x00@\x00a\x00d\x00f\x003\x00.\x00l\x00o\x00c\x00a\x00l\x00\x00\x00A\x00D\x00F\x003\x00.\x00L\x00O\x00C\x00A\x00L\x00\x00\x00\x00\x00"}, :padding=>""}}

After:

            UPN and DNS Information:
              UPN: DC3$@adf3.local
              DNS Domain Name: ADF3.LOCAL
              Flags: 1

The Flags: 1 is a bit bare, but that should be easy to enhance in the future
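As an added example (not code from this PR or from the framework), here is a plain-Ruby parser and builder for the UPN_DNS_INFO buffer discussed in this thread, covering both the PR author's set_offsets! concern and the reviewer's decoded sample. The builder's 8-byte field alignment is an assumption taken from that sample, and the extended (S flag) header layout with SamAccountName and Sid fields is my reading of MS-PAC, not something the PR states.

```ruby
# Added example, not project code: parse and build an MS-PAC UPN_DNS_INFO
# buffer (ul_type 12) with plain Ruby pack/unpack instead of BinData.
FLAG_NO_UPN   = 0x1 # U: the account has no UPN attribute
FLAG_EXTENDED = 0x2 # S: SamAccountName and Sid fields are present (assumed layout)

def utf16le(bytes)
  bytes.force_encoding('UTF-16LE').encode('UTF-8')
end

# Header offsets are relative to the start of the UPN_DNS_INFO buffer itself.
def parse_upn_dns_info(buf)
  buf = buf.b
  upn_len, upn_off, dns_len, dns_off, flags = buf.unpack('vvvvV')
  info = { upn: utf16le(buf[upn_off, upn_len]),
           dns_domain_name: utf16le(buf[dns_off, dns_len]),
           flags: flags }
  if flags & FLAG_EXTENDED != 0
    sam_len, sam_off, sid_len, sid_off = buf[12, 8].unpack('vvvv')
    info[:sam_account_name] = utf16le(buf[sam_off, sam_len])
    info[:sid] = buf[sid_off, sid_len] # raw binary SID, left undecoded here
  end
  info
end

# Builder that computes the offsets itself (the job set_offsets! does in the PR):
# fields follow the header in order, each padded so the next one starts on an
# 8-byte boundary (assumption taken from the reviewer's sample buffer below).
def build_upn_dns_info(upn:, dns_domain_name:, flags: 0, sam_account_name: nil, sid: nil)
  extended = flags & FLAG_EXTENDED != 0
  fields = [upn, dns_domain_name].map { |s| s.encode('UTF-16LE').b }
  fields += [sam_account_name.encode('UTF-16LE').b, sid.b] if extended
  header_len = extended ? 20 : 12
  body = "\x00".b * ((8 - header_len % 8) % 8) # pad header up to alignment
  locs = fields.map do |f|
    off = header_len + body.bytesize
    body << f << ("\x00".b * ((8 - f.bytesize % 8) % 8))
    [f.bytesize, off]
  end
  header = (locs[0] + locs[1] + [flags]).pack('vvvvV')
  header << (locs[2] + locs[3]).pack('vvvv') if extended
  header + body
end

# Constructed sample: the decoded ul_type 12 buffer shown in the comment above.
SAMPLE = "\x1E\x00\x10\x00\x14\x000\x00\x01\x00\x00\x00\x00\x00\x00\x00D\x00C\x003\x00$\x00@\x00a\x00d\x00f\x003\x00.\x00l\x00o\x00c\x00a\x00l\x00\x00\x00A\x00D\x00F\x003\x00.\x00L\x00O\x00C\x00A\x00L\x00\x00\x00\x00\x00".b

p parse_upn_dns_info(SAMPLE)
p build_upn_dns_info(upn: 'DC3$@adf3.local', dns_domain_name: 'ADF3.LOCAL', flags: 1) == SAMPLE
```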

@adfoster-r7 adfoster-r7 merged commit d261aa6 into rapid7:master Feb 8, 2023
@adfoster-r7 (Contributor):

Release Notes

Updates admin/kerberos/inspect_ticket to show the UPN and DNS Information within a decrypted PAC

@adfoster-r7 adfoster-r7 added the rn-enhancement release notes enhancement label Feb 8, 2023