Merge branch 'master' of gitlab.com:CCob/rubeus

opoet7 · May 25, 2021 · 56fc5c9 · 56fc5c9
2 parents 358007d + 513a86a
commit 56fc5c9
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 4 deletions.
diff --git a/Rubeus/lib/Interop.cs b/Rubeus/lib/Interop.cs
@@ -650,6 +650,42 @@ public enum LSAP_TOKEN_INFO_INTEGRITY_TOKENIL : UInt32
             PROTECTED = 20480
         }
 
+        // from https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 section 2.2.1.12
+        [Flags]
+        public enum PacUserAccountControl : Int32
+        {
+            ACCOUNTDISABLE = 1,
+            HOMEDIR_REQUIRED = 2,
+            PASSWD_NOTREQD = 4,
+            TEMP_DUPLICATE_ACCOUNT = 8,
+            NORMAL_ACCOUNT = 16,
+            MNS_LOGON_ACCOUNT = 32,
+            INTERDOMAIN_TRUST_ACCOUNT = 64,
+            WORKSTATION_TRUST_ACCOUNT = 128,
+            SERVER_TRUST_ACCOUNT = 256,
+            DONT_EXPIRE_PASSWORD = 512,
+            ACCOUNT_AUTO_LOCKED = 1024,
+            ENCRYPTED_TEXT_PASSWORD_ALLOWED = 2048,
+            SMARTCARD_REQUIRED = 4096,
+            TRUSTED_FOR_DELEGATION = 8192,
+            NOT_DELEGATED = 16384,
+            USE_DES_KEY_ONLY = 32768,
+            DONT_REQ_PREAUTH = 65536,
+            PASSWORD_EXPIRED = 131072,
+            TRUSTED_TO_AUTH_FOR_DELEGATION = 262144,
+            NO_AUTH_DATA_REQUIRED = 524288,
+            PARTIAL_SECRETS_ACCOUNT = 1048576,
+            USE_AES_KEYS = 2097152
+        }
+
+        // from https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/69e86ccc-85e3-41b9-b514-7d969cd0ed73
+        [Flags]
+        public enum PacUserFlags : Int32
+        {
+            EXTRA_SIDS = 32,
+            RESOURCE_GROUPS = 512
+        }
+
         // structs
 
         // // typedef struct _LSAP_TOKEN_INFO_INTEGRITY {

diff --git a/Rubeus/lib/LSA.cs b/Rubeus/lib/LSA.cs
@@ -541,6 +541,7 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
             var flags = cred.enc_part.ticket_info[0].flags;            
             var base64ticket = Convert.ToBase64String(cred.Encode().Encode());
             string indent = new string(' ', indentLevel);
+            string serviceName = sname.Split('/')[0];
 
 
             if (displayTGT)
@@ -602,7 +603,7 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
                     }
                 }
 
-                else if (extractKerberoastHash)
+                else if (extractKerberoastHash && (serviceName != "krbtgt"))
                 {
                     // if this isn't a TGT, try to display a Kerberoastable hash
                     if (!keyType.Equals("rc4_hmac") && !keyType.Equals("aes256_cts_hmac_sha1"))
@@ -663,7 +664,7 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
                         }
                         else if (pacInfoBuffer is SignatureData sigData)
                         {
-                            Console.WriteLine("{0}  {1}                 :", indent, sigData.Type.ToString());
+                            Console.WriteLine("{0}  {1}        :", indent, sigData.Type.ToString());
                             Console.WriteLine("{0}    Signature Type    : {1}", indent, sigData.SignatureType);
                             Console.WriteLine("{0}    Signature         : {1}", indent, Helpers.ByteArrayToString(sigData.Signature));
                         }
@@ -688,12 +689,14 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
                             Console.WriteLine("{0}   PrimaryGroupId     : {1}", indent, li.KerbValidationInfo.PrimaryGroupId);
                             Console.WriteLine("{0}   GroupCount         : {1}", indent, li.KerbValidationInfo.GroupCount);
                             Console.WriteLine("{0}   Groups             : {1}", indent, li.KerbValidationInfo.GroupIds.GetValue().Select(g => g.RelativeId.ToString()).Aggregate((cur, next) => cur + "," + next));
-                            Console.WriteLine("{0}   UserFlags          : {1}", indent, li.KerbValidationInfo.UserFlags);
+                            Console.WriteLine("{0}   UserFlags          : ({1}) {2}", indent, li.KerbValidationInfo.UserFlags, (Interop.PacUserFlags)li.KerbValidationInfo.UserFlags);
                             Console.WriteLine("{0}   UserSessionKey     : {1}", indent, Helpers.ByteArrayToString((byte[])(Array)li.KerbValidationInfo.UserSessionKey.data[0].data));
                             Console.WriteLine("{0}   LogonServer        : {1}", indent, li.KerbValidationInfo.LogonServer);
                             Console.WriteLine("{0}   LogonDomainName    : {1}", indent, li.KerbValidationInfo.LogonDomainName);
                             Console.WriteLine("{0}   LogonDomainId      : {1}", indent, li.KerbValidationInfo.LogonDomainId.GetValue());
-                            Console.WriteLine("{0}   UserAccountControl : {1}", indent, li.KerbValidationInfo.UserAccountControl);
+                            Console.WriteLine("{0}   UserAccountControl : ({1}) {2}", indent, li.KerbValidationInfo.UserAccountControl, (Interop.PacUserAccountControl)li.KerbValidationInfo.UserAccountControl);
+                            Console.WriteLine("{0}   Extra SID Count    : {1}", indent, li.KerbValidationInfo.SidCount);
+                            Console.WriteLine("{0}   Extra SIDs         : {1}", indent, li.KerbValidationInfo.ExtraSids.GetValue().Select(s => s.Sid.ToString()).Aggregate((cur, next) => cur + "," + next));
                         }
                         else if (pacInfoBuffer is PacCredentialInfo ci)
                         {