Exemple #1
0
/*
 * Wrapper arround initializeSecurityContext.  Supplies several
 * default parameters as well as logging in case of errors.
 */
static SECURITY_STATUS
initializeSecurityContext(CredHandle * credentials, CtxtHandle * context,
                          char *spn, ULONG contextReq,
                          SecBufferDesc * inBuffer, CtxtHandle * newContext,
                          SecBufferDesc * outBuffer)
{
    ULONG contextAttributes;
    SECURITY_STATUS status;

    status =
        pSFT->InitializeSecurityContext(credentials, context, spn, contextReq,
                                        0, SECURITY_NETWORK_DREP, inBuffer, 0,
                                        newContext, outBuffer,
                                        &contextAttributes, NULL);

    if (!SEC_SUCCESS(status)) {
        if (status == SEC_E_INVALID_TOKEN) {
            NE_DEBUG(NE_DBG_HTTPAUTH,
                     "InitializeSecurityContext [fail] SEC_E_INVALID_TOKEN.\n");
        } else if (status == SEC_E_UNSUPPORTED_FUNCTION) {
            NE_DEBUG(NE_DBG_HTTPAUTH,
                     "InitializeSecurityContext [fail] SEC_E_UNSUPPORTED_FUNCTION.\n");
        } else {
            NE_DEBUG(NE_DBG_HTTPAUTH,
                     "InitializeSecurityContext [fail] [%x].\n", status);
        }
    }

    return status;
}
BOOL 
PackageConnectLookup(
    HANDLE *pLogonHandle, 
    ULONG *pPackageId
    )
{
    LSA_STRING Name;
    NTSTATUS Status;

    Status = LsaConnectUntrusted(
                pLogonHandle
                );

    if (!SEC_SUCCESS(Status))
    {
        ShowNTError("LsaConnectUntrusted", Status);
        return FALSE;
    }

    Name.Buffer = MICROSOFT_KERBEROS_NAME_A;
    Name.Length = strlen(Name.Buffer);
    Name.MaximumLength = Name.Length + 1;

    Status = LsaLookupAuthenticationPackage(
                *pLogonHandle,
                &Name,
                pPackageId
                );

    if (!SEC_SUCCESS(Status))
    {
        ShowNTError("LsaLookupAuthenticationPackage", Status);
        return FALSE;
    }

    return TRUE;

}
Exemple #3
0
BOOL AcquireCreds()
{
    SECURITY_STATUS   ss;
    TimeStamp         Lifetime;
    PSecPkgInfo       pkgInfo;

    //  Set the default package to negotiate.
    tstrcpy_s(g_lpPackageName, 1024, TEXT("Negotiate"));

    // Initialize the security package.
    ss = QuerySecurityPackageInfo(g_lpPackageName, &pkgInfo);

    // get the max token size
    g_cbMaxMessage = pkgInfo->cbMaxToken;
    FreeContextBuffer(pkgInfo);

    // set the max token sizes
    g_pInBuf = (PBYTE)malloc(g_cbMaxMessage);
    g_pOutBuf = (PBYTE)malloc(g_cbMaxMessage);

    // get the security handles
    ss = AcquireCredentialsHandle(
        NULL,
        g_lpPackageName,
        SECPKG_CRED_INBOUND,
        NULL,
        NULL,
        NULL,
        NULL,
        &hcred,
        &Lifetime);

    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "AcquireCreds failed: 0x%08x\n", ss);
        return(FALSE);
    }

    return (TRUE);
}
Exemple #4
0
BOOL GenServerContext ( BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone, BOOL fNewConversation,  CredHandle *hcred, struct _SecHandle *hctxt)
{
	SECURITY_STATUS   ss;
	TimeStamp         Lifetime;
	SecBufferDesc     OutBuffDesc;
	SecBuffer         OutSecBuff;
	SecBufferDesc     InBuffDesc;
	SecBuffer         InSecBuff;
	ULONG             Attribs = 0;
	 
	OutBuffDesc.ulVersion = 0;
	OutBuffDesc.cBuffers = 1;
	OutBuffDesc.pBuffers = &OutSecBuff;

	OutSecBuff.cbBuffer = *pcbOut;
	OutSecBuff.BufferType = SECBUFFER_TOKEN;
	OutSecBuff.pvBuffer = pOut;

	InBuffDesc.ulVersion = 0;
	InBuffDesc.cBuffers = 1;
	InBuffDesc.pBuffers = &InSecBuff;

	InSecBuff.cbBuffer = cbIn;
	InSecBuff.BufferType = SECBUFFER_TOKEN;
	InSecBuff.pvBuffer = pIn;

	ss = AcceptSecurityContext (hcred, fNewConversation ? NULL : hctxt, &InBuffDesc, Attribs, SECURITY_NATIVE_DREP, hctxt, &OutBuffDesc, &Attribs, &Lifetime);

	if (!SEC_SUCCESS (ss))  
	{
	    fprintf (stderr, "AcceptSecurityContext failed: 0x%08x\n", ss);
	    return FALSE;
	}
	*pcbOut = OutSecBuff.cbBuffer;
	*pfDone = !((SEC_I_CONTINUE_NEEDED == ss)    || (SEC_I_COMPLETE_AND_CONTINUE == ss));
	return TRUE;
}
Exemple #5
0
PBYTE VerifyThis(
PBYTE   pBuffer, 
LPDWORD pcbMessage,
struct _SecHandle *hCtxt,
ULONG   cbMaxSignature)
{

	SECURITY_STATUS   ss;
	SecBufferDesc     BuffDesc;
	SecBuffer         SecBuff[2];
	ULONG             ulQop = 0;
	PBYTE             pSigBuffer;
	PBYTE             pDataBuffer;
	
	//-------------------------------------------------------------------
	//  The global cbMaxSignature is the size of the signature
	//  in the message received.

	printf ("data before verifying (including signature):\n");
	PrintHexDump (*pcbMessage, pBuffer);

	//--------------------------------------------------------------------
	//  By agreement with the server, 
	//  the signature is at the beginning of the message received,
	//  and the data that was signed comes after the signature.

	pSigBuffer = pBuffer;
	pDataBuffer = pBuffer + cbMaxSignature;

	//-------------------------------------------------------------------
	//  The size of the message is reset to the size of the data only.

	*pcbMessage = *pcbMessage - (cbMaxSignature);

	//--------------------------------------------------------------------
	//  Prepare the buffers to be passed to the signature verification 
	//  function.

	BuffDesc.ulVersion    = 0;
	BuffDesc.cBuffers     = 2;
	BuffDesc.pBuffers     = SecBuff;

	SecBuff[0].cbBuffer   = cbMaxSignature;
	SecBuff[0].BufferType = SECBUFFER_TOKEN;
	SecBuff[0].pvBuffer   = pSigBuffer;

	SecBuff[1].cbBuffer   = *pcbMessage;
	SecBuff[1].BufferType = SECBUFFER_DATA;
	SecBuff[1].pvBuffer   = pDataBuffer;

	ss = VerifySignature(
	hCtxt,
	&BuffDesc,
	0,
	&ulQop
	);

	if (!SEC_SUCCESS(ss)) 
	{
		fprintf(stderr, "VerifyMessage failed");
	}
	else
	{
		printf("Message was properly signed.\n");
	}

	return pDataBuffer;

}  // end VerifyThis
Exemple #6
0
PBYTE DecryptThis(
PBYTE              pBuffer, 
LPDWORD            pcbMessage,
struct _SecHandle *hCtxt,
ULONG              cbSecurityTrailer)
{
	SECURITY_STATUS   ss;
	SecBufferDesc     BuffDesc;
	SecBuffer         SecBuff[2];
	ULONG             ulQop = 0;
	PBYTE             pSigBuffer;
	PBYTE             pDataBuffer;
	DWORD             SigBufferSize;

	//-------------------------------------------------------------------
	//  By agreement, the server encrypted the message and set the size
	//  of the trailer block to be just what it needed. DecryptMessage 
	//  needs the size of the trailer block. 
	//  The size of the trailer is in the first DWORD of the
	//  message received. 

	SigBufferSize = *((DWORD *) pBuffer);
	printf ("data before decryption including trailer (%lu bytes):\n",
	*pcbMessage);
	PrintHexDump (*pcbMessage, (PBYTE) pBuffer);

	//--------------------------------------------------------------------
	//  By agreement, the server placed the trailer at the beginning 
	//  of the message that was sent immediately following the trailer 
	//  size DWORD.

	pSigBuffer = pBuffer + sizeof(DWORD);

	//--------------------------------------------------------------------
	//  The data comes after the trailer.

	pDataBuffer = pSigBuffer + SigBufferSize;

	//--------------------------------------------------------------------
	//  *pcbMessage is reset to the size of just the encrypted bytes.

	*pcbMessage = *pcbMessage - SigBufferSize - sizeof(DWORD);

	//--------------------------------------------------------------------
	//  Prepare the buffers to be passed to the DecryptMessage function.

	BuffDesc.ulVersion    = 0;
	BuffDesc.cBuffers     = 2;
	BuffDesc.pBuffers     = SecBuff;

	SecBuff[0].cbBuffer   = SigBufferSize;
	SecBuff[0].BufferType = SECBUFFER_TOKEN;
	SecBuff[0].pvBuffer   = pSigBuffer;

	SecBuff[1].cbBuffer   = *pcbMessage;
	SecBuff[1].BufferType = SECBUFFER_DATA;
	SecBuff[1].pvBuffer   = pDataBuffer;

	ss = DecryptMessage(
	hCtxt,
	&BuffDesc,
	0,
	&ulQop);

	if (!SEC_SUCCESS(ss)) 
	{
		fprintf(stderr, "DecryptMessage failed");
	}

	//-------------------------------------------------------------------
	//  Return a pointer to the decrypted data. The trailer data
	//  is discarded.

	return pDataBuffer;

}
Exemple #7
0
BOOL GenClientContext (
BYTE       *pIn,
DWORD       cbIn,
BYTE       *pOut,
DWORD      *pcbOut,
BOOL       *pfDone,
CHAR       *pszTarget,
CredHandle *hCred,
struct _SecHandle *hcText)
{
	SECURITY_STATUS   ss;
	TimeStamp         Lifetime;
	SecBufferDesc     OutBuffDesc;
	SecBuffer         OutSecBuff;
	SecBufferDesc     InBuffDesc;
	SecBuffer         InSecBuff;
	ULONG             ContextAttributes;
	static TCHAR      lpPackageName[1024];

	if( NULL == pIn )  
	{   
		strcpy_s(lpPackageName, 1024 * sizeof(TCHAR), "Negotiate");
		ss = AcquireCredentialsHandle (
		NULL, 
		lpPackageName,
		SECPKG_CRED_OUTBOUND,
		NULL, 
		NULL, 
		NULL, 
		NULL, 
		hCred,
		&Lifetime);

		if (!(SEC_SUCCESS (ss)))
		{
			MyHandleError("AcquireCreds failed ");
		}
	}

	//--------------------------------------------------------------------
	//  Prepare the buffers.

	OutBuffDesc.ulVersion = 0;
	OutBuffDesc.cBuffers  = 1;
	OutBuffDesc.pBuffers  = &OutSecBuff;

	OutSecBuff.cbBuffer   = *pcbOut;
	OutSecBuff.BufferType = SECBUFFER_TOKEN;
	OutSecBuff.pvBuffer   = pOut;

	//-------------------------------------------------------------------
	//  The input buffer is created only if a message has been received 
	//  from the server.

	if (pIn)   
	{
		InBuffDesc.ulVersion = 0;
		InBuffDesc.cBuffers  = 1;
		InBuffDesc.pBuffers  = &InSecBuff;

		InSecBuff.cbBuffer   = cbIn;
		InSecBuff.BufferType = SECBUFFER_TOKEN;
		InSecBuff.pvBuffer   = pIn;

		ss = InitializeSecurityContext (
		hCred,
		hcText,
		pszTarget,
		MessageAttribute, 
		0,
		SECURITY_NATIVE_DREP,
		&InBuffDesc,
		0, 
		hcText,
		&OutBuffDesc,
		&ContextAttributes,
		&Lifetime);
	}
	else
	{
		ss = InitializeSecurityContext (
		hCred,
		NULL,
		pszTarget,
		MessageAttribute, 
		0, 
		SECURITY_NATIVE_DREP,
		NULL,
		0, 
		hcText,
		&OutBuffDesc,
		&ContextAttributes,
		&Lifetime);
	}

	if (!SEC_SUCCESS (ss))  
	{
		MyHandleError ("InitializeSecurityContext failed " );
	}

	//-------------------------------------------------------------------
	//  If necessary, complete the token.

	if ((SEC_I_COMPLETE_NEEDED == ss) 
			|| (SEC_I_COMPLETE_AND_CONTINUE == ss))  
	{
		ss = CompleteAuthToken (hcText, &OutBuffDesc);
		if (!SEC_SUCCESS(ss))  
		{
			fprintf (stderr, "complete failed: 0x%08x\n", ss);
			return FALSE;
		}
	}

	*pcbOut = OutSecBuff.cbBuffer;

	*pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
	(SEC_I_COMPLETE_AND_CONTINUE == ss));

	printf ("Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer);
	PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
	return TRUE;

}
Exemple #8
0
void main()
{

	SOCKET            Client_Socket;
	BYTE              Data[BIG_BUFF];
	PCHAR             pMessage;
	WSADATA           wsaData;
	CredHandle        hCred;
	struct _SecHandle hCtxt;
	SECURITY_STATUS   ss;
	DWORD             cbRead;
	ULONG             cbMaxSignature;
	ULONG             cbSecurityTrailer;
	SecPkgContext_Sizes            SecPkgContextSizes;
	SecPkgContext_NegotiationInfo  SecPkgNegInfo;
	BOOL DoAuthentication (SOCKET s);

	//-------------------------------------------------------------------
	//  Initialize the socket and the SSP security package.

	if(WSAStartup (0x0101, &wsaData))
	{
		MyHandleError("Could not initialize winsock ");
	}

	//--------------------------------------------------------------------
	//  Connect to a server.

	if (!ConnectAuthSocket (
				&Client_Socket,
				&hCred,
				&hCtxt))
	{
		MyHandleError("Authenticated server connection ");
	}

	//--------------------------------------------------------------------
	//   An authenticated session with a server has been established.
	//   Receive and manage a message from the server.
	//   First, find and display the name of the negotiated
	//   SSP and the size of the signature and the encryption 
	//   trailer blocks for this SSP.

	ss = QueryContextAttributes(
	&hCtxt,
	SECPKG_ATTR_NEGOTIATION_INFO,
	&SecPkgNegInfo );

	if (!SEC_SUCCESS(ss))  
	{
		MyHandleError("QueryContextAttributes failed ");
	}
	else
	{
		printf("Package Name: %s\n", SecPkgNegInfo.PackageInfo->Name);
	}

	ss = QueryContextAttributes(
	&hCtxt,
	SECPKG_ATTR_SIZES,
	&SecPkgContextSizes );

	if (!SEC_SUCCESS(ss))  
	{
		MyHandleError("Query context ");
	}

	cbMaxSignature = SecPkgContextSizes.cbMaxSignature;
	cbSecurityTrailer = SecPkgContextSizes.cbSecurityTrailer;

	printf("InitializeSecurityContext result = 0x%08x\n", ss);

	//--------------------------------------------------------------------
	//   Decrypt and display the message from the server.

	if (!ReceiveBytes(
				Client_Socket, 
				Data, 
				BIG_BUFF, 
				&cbRead))
	{
		MyHandleError("No response from server ");
	}

	if (0 == cbRead)
	{
		MyHandleError("Zero bytes received ");
	}

	pMessage = (PCHAR) DecryptThis(
	Data, 
	&cbRead,
	&hCtxt,
	cbSecurityTrailer);

	printf ("The message from the server is \n ->  %.*s \n",
	cbRead, pMessage);

	//--------------------------------------------------------------------
	//  Terminate socket and security package.

	DeleteSecurityContext (&hCtxt);
	FreeCredentialHandle (&hCred); 
	shutdown (Client_Socket, 2);
	closesocket (Client_Socket);
	if (SOCKET_ERROR == WSACleanup ())
	{
		MyHandleError("Problem with socket cleanup ");
	}

	exit (EXIT_SUCCESS);
}  // end main
DWORD 
GetEncodedTicket(
    HANDLE LogonHandle,
    ULONG PackageId,
    wchar_t *Server
    )
{
    NTSTATUS Status;
    PKERB_RETRIEVE_TKT_REQUEST CacheRequest = NULL;
    PKERB_RETRIEVE_TKT_RESPONSE CacheResponse = NULL;
    PKERB_EXTERNAL_TICKET Ticket;
    ULONG ResponseSize;
    NTSTATUS SubStatus;
    BOOLEAN Trusted = TRUE;
    BOOLEAN Success = FALSE;
    UNICODE_STRING Target = {0}; 
    UNICODE_STRING Target2 = {0};

    InitUnicodeString( &Target2, Server);

    CacheRequest = (PKERB_RETRIEVE_TKT_REQUEST)
            LocalAlloc(LMEM_ZEROINIT, Target2.Length + sizeof(KERB_RETRIEVE_TKT_REQUEST));

    CacheRequest->MessageType = KerbRetrieveEncodedTicketMessage ;
    CacheRequest->LogonId.LowPart = 0;
    CacheRequest->LogonId.HighPart = 0;

 
    Target.Buffer = (LPWSTR) (CacheRequest + 1);
    Target.Length = Target2.Length;
    Target.MaximumLength = Target2.MaximumLength;

    CopyMemory(
        Target.Buffer,
        Target2.Buffer,
        Target2.Length
        );

    CacheRequest->TargetName = Target;

    Status = LsaCallAuthenticationPackage(
                LogonHandle,
                PackageId,
                CacheRequest,
                Target2.Length + sizeof(KERB_RETRIEVE_TKT_REQUEST),
                (PVOID *) &CacheResponse,
                &ResponseSize,
                &SubStatus
                );

    if (!SEC_SUCCESS(Status) || !SEC_SUCCESS(SubStatus))
    {
        ShowNTError("LsaCallAuthenticationPackage", Status);
        printf("Substatus: 0x%x\n",SubStatus);
        ShowNTError("Substatus:", SubStatus);

    }
    else
    {
        Ticket = &(CacheResponse->Ticket);

        printf("\nEncoded Ticket:\n\n");

        printf("ServiceName: "); PrintKerbName(Ticket->ServiceName);

        printf("TargetName: "); PrintKerbName(Ticket->TargetName);

        printf("ClientName: "); PrintKerbName(Ticket->ClientName);
        
        printf("DomainName: %.*S\n",
            Ticket->DomainName.Length/sizeof(WCHAR),Ticket->DomainName.Buffer);

        printf("TargetDomainName: %.*S\n",
            Ticket->TargetDomainName.Length/sizeof(WCHAR),Ticket->TargetDomainName.Buffer);

        printf("AltTargetDomainName: %.*S\n",
            Ticket->AltTargetDomainName.Length/sizeof(WCHAR),Ticket->AltTargetDomainName.Buffer);

        printf("TicketFlags: (0x%x) ",Ticket->TicketFlags);
        PrintTktFlags(Ticket->TicketFlags);
        PrintTime("KeyExpirationTime: ",Ticket->KeyExpirationTime);
        PrintTime("StartTime: ",Ticket->StartTime);
        PrintTime("EndTime: ",Ticket->EndTime);
        PrintTime("RenewUntil: ",Ticket->RenewUntil);
        PrintTime("TimeSkew: ",Ticket->TimeSkew);
        PrintEType(Ticket->SessionKey.KeyType);

        Success = TRUE;
        
    }

    if (CacheResponse)
    {
        LsaFreeReturnBuffer(CacheResponse);
    }
    if (CacheRequest)
    {
        LocalFree(CacheRequest);
    }

    return Success;
}
BOOL 
ShowTgt(
    HANDLE LogonHandle,
    ULONG PackageId
    )
{
    NTSTATUS Status;
    KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
	PKERB_RETRIEVE_TKT_RESPONSE TicketEntry = NULL;
    PKERB_EXTERNAL_TICKET Ticket;
    ULONG ResponseSize;
    NTSTATUS SubStatus;
    BOOLEAN Trusted = TRUE;

    CacheRequest.MessageType = KerbRetrieveTicketMessage;
    CacheRequest.LogonId.LowPart = 0;
    CacheRequest.LogonId.HighPart = 0;

    Status = LsaCallAuthenticationPackage(
                LogonHandle,
                PackageId,
                &CacheRequest,
                sizeof(CacheRequest),
                (PVOID *) &TicketEntry,
                &ResponseSize,
                &SubStatus
                );

    if (!SEC_SUCCESS(Status) || !SEC_SUCCESS(SubStatus))
    {
        ShowNTError("LsaCallAuthenticationPackage", Status);
        printf("Substatus: 0x%x\n",SubStatus);
        return FALSE;
    }

    Ticket = &(TicketEntry->Ticket);

    printf("\nCached TGT:\n\n");

    printf("ServiceName: "); PrintKerbName(Ticket->ServiceName);

    printf("TargetName: "); PrintKerbName(Ticket->TargetName);

    printf("FullServiceName: "); PrintKerbName(Ticket->ClientName);

    printf("DomainName: %.*S\n",
        Ticket->DomainName.Length/sizeof(WCHAR),Ticket->DomainName.Buffer);

    printf("TargetDomainName: %.*S\n",
        Ticket->TargetDomainName.Length/sizeof(WCHAR),Ticket->TargetDomainName.Buffer);

    printf("AltTargetDomainName: %.*S\n",
        Ticket->AltTargetDomainName.Length/sizeof(WCHAR),Ticket->AltTargetDomainName.Buffer);
    
    printf("TicketFlags: (0x%x) ",Ticket->TicketFlags);
    PrintTktFlags(Ticket->TicketFlags);
    PrintTime("KeyExpirationTime: ",Ticket->KeyExpirationTime);
    PrintTime("StartTime: ",Ticket->StartTime);
    PrintTime("EndTime: ",Ticket->EndTime);
    PrintTime("RenewUntil: ",Ticket->RenewUntil);
    PrintTime("TimeSkew: ",Ticket->TimeSkew);
    PrintEType(Ticket->SessionKey.KeyType);


    if (TicketEntry != NULL)
    {
        LsaFreeReturnBuffer(TicketEntry);
    }

    return TRUE;
}
BOOL 
ShowTickets(
    HANDLE LogonHandle,
    ULONG PackageId,
    DWORD dwMode
    )
{
    NTSTATUS Status;
    KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
    PKERB_QUERY_TKT_CACHE_RESPONSE CacheResponse = NULL;
    ULONG ResponseSize;
    NTSTATUS SubStatus;
    ULONG Index;
    int ch;

    CacheRequest.MessageType = KerbQueryTicketCacheMessage;
    CacheRequest.LogonId.LowPart = 0;
    CacheRequest.LogonId.HighPart = 0;

    Status = LsaCallAuthenticationPackage(
                LogonHandle,
                PackageId,
                &CacheRequest,
                sizeof(CacheRequest),
                (PVOID *) &CacheResponse,
                &ResponseSize,
                &SubStatus
                );
    if (!SEC_SUCCESS(Status) || !SEC_SUCCESS(SubStatus))
    {
        ShowNTError("LsaCallAuthenticationPackage", Status);
        printf("Substatus: 0x%x\n",SubStatus);
        return FALSE;
    }

    printf("\nCached Tickets: (%lu)\n", CacheResponse->CountOfTickets);
    for (Index = 0; Index < CacheResponse->CountOfTickets ; Index++ )
    {
        printf("\n   Server: %wZ@%wZ\n",
            &CacheResponse->Tickets[Index].ServerName,
            &CacheResponse->Tickets[Index].RealmName);
        printf("      ");
        PrintEType(CacheResponse->Tickets[Index].EncryptionType);
        PrintTime("      End Time: ",CacheResponse->Tickets[Index].EndTime);
        PrintTime("      Renew Time: ",CacheResponse->Tickets[Index].RenewTime);
        printf("      TicketFlags: (0x%x) ", CacheResponse->Tickets[Index].TicketFlags);
        PrintTktFlags(CacheResponse->Tickets[Index].TicketFlags);
        printf("\n");

        if(dwMode == INTERACTIVE_PURGE)
        {
            printf("Purge? (y/n/q) : ");
            ch = _getche();
            if(ch == 'y' || ch == 'Y')
            {
                printf("\n");
                PurgeTicket( 
                    LogonHandle,
                    PackageId,
                    CacheResponse->Tickets[Index].ServerName.Buffer,
                    CacheResponse->Tickets[Index].ServerName.Length,
                    CacheResponse->Tickets[Index].RealmName.Buffer,
                    CacheResponse->Tickets[Index].RealmName.Length
                    );
            }
            else if(ch == 'q' || ch == 'Q')
                goto cleanup;
            else
                printf("\n\n");

        }
    }

cleanup:

    if (CacheResponse != NULL)
    {
        LsaFreeReturnBuffer(CacheResponse);
    }

    return TRUE;
}
BOOL 
PurgeTicket(
    HANDLE LogonHandle,
    ULONG PackageId,
    LPWSTR Server, 
    DWORD  cbServer,
    LPWSTR Realm,
    DWORD  cbRealm
    )
{
    NTSTATUS Status;
    PVOID Response;
    ULONG ResponseSize;
    NTSTATUS SubStatus=0;

    PKERB_PURGE_TKT_CACHE_REQUEST pCacheRequest = NULL;

    pCacheRequest = (PKERB_PURGE_TKT_CACHE_REQUEST)
        LocalAlloc(LMEM_ZEROINIT, 
        cbServer + cbRealm + sizeof(KERB_PURGE_TKT_CACHE_REQUEST));

    pCacheRequest->MessageType = KerbPurgeTicketCacheMessage;
    pCacheRequest->LogonId.LowPart = 0;
    pCacheRequest->LogonId.HighPart = 0;

    CopyMemory((LPBYTE)pCacheRequest+sizeof(KERB_PURGE_TKT_CACHE_REQUEST),
        Server,cbServer);
    CopyMemory((LPBYTE)pCacheRequest+sizeof(KERB_PURGE_TKT_CACHE_REQUEST)+cbServer,
        Realm,cbRealm);

    pCacheRequest->ServerName.Buffer = 
        (LPWSTR)((LPBYTE)pCacheRequest+sizeof(KERB_PURGE_TKT_CACHE_REQUEST));
    
    pCacheRequest->ServerName.Length = 
        (unsigned short)cbServer;
    
    pCacheRequest->ServerName.MaximumLength = 
        (unsigned short)cbServer;
    
    pCacheRequest->RealmName.Buffer = 
        (LPWSTR)((LPBYTE)pCacheRequest+sizeof(KERB_PURGE_TKT_CACHE_REQUEST)+cbServer);
    
    pCacheRequest->RealmName.Length = 
        (unsigned short)cbRealm;
    
    pCacheRequest->RealmName.MaximumLength = 
        (unsigned short)cbRealm;

    printf("\tDeleting ticket: \n");
    printf("\t   ServerName = %wZ (cb=%lu)\n",&pCacheRequest->ServerName,cbServer);
    printf("\t   RealmName  = %wZ (cb=%lu)\n",&pCacheRequest->RealmName,cbRealm);

    Status = LsaCallAuthenticationPackage(
                LogonHandle,
                PackageId,
                pCacheRequest,
                sizeof(KERB_PURGE_TKT_CACHE_REQUEST)+cbServer+cbRealm,
                &Response,
                &ResponseSize,
                &SubStatus
                );

    if (!SEC_SUCCESS(Status) || !SEC_SUCCESS(Status))
    {
        ShowNTError("LsaCallAuthenticationPackage(purge)", Status);
        printf("Substatus: 0x%x\n",SubStatus);
        ShowNTError("LsaCallAuthenticationPackage(purge SubStatus)", SubStatus);
        return FALSE;
    }
    else 
    {
        printf("\tTicket purged!\n");
        return TRUE;
    }

}
Exemple #13
0
void test_imperson(){
    SECURITY_STATUS ss;
    SecPkgContext_Sizes SecPkgContextSizes;
    SecPkgContext_NegotiationInfo SecPkgNegInfo;
    ULONG cbMaxSignature;
    ULONG cbSecurityTrailer;
    //username bullshit
    LPTSTR pUserName = NULL;
    DWORD cbUserName = 0;
    

    ss = QueryContextAttributes(&hctxt, SECPKG_ATTR_SIZES, &SecPkgContextSizes);

    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08x\n", ss);
        exit(1);
    }

    //----------------------------------------------------------------
    //  The following values are used for encryption and signing.
    cbMaxSignature = SecPkgContextSizes.cbMaxSignature;
    cbSecurityTrailer = SecPkgContextSizes.cbSecurityTrailer;

    ss = QueryContextAttributes(
        &hctxt,
        SECPKG_ATTR_NEGOTIATION_INFO,
        &SecPkgNegInfo);

    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08x\n", ss);
        exit(1);
    }
    else
    {
        wprintf(L"PackageName: %s\n", (SecPkgNegInfo.PackageInfo->Name));
        wprintf(L"PackageName: %s\n", (SecPkgNegInfo.PackageInfo->Comment));
    }

    //  Free the allocated buffer.
    FreeContextBuffer(SecPkgNegInfo.PackageInfo);


    printf("Now impersonating via thread\n");
    ss = ImpersonateSecurityContext(&hctxt);
    // error check
    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "Impersonate failed: 0x%08x\n", ss);
        cleanup();
    }
    else
    {
        printf("Impersonation worked. \n");
    }


    DWORD dwErrorCode = 0;
    if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &letToken))
    {
        printf("it WORKED!\n");
    }
    else
   {
      dwErrorCode = GetLastError();
      wprintf(L"OpenProcessToken failed. GetLastError returned: %d\n", dwErrorCode);

   }


    DWORD dwBufferSize = 0;
    GetTokenInformation(
        letToken,
        TokenUser,      // Request for a TOKEN_USER structure.
        NULL,
        0,
        &dwBufferSize
        );


    // username bullshit
    TCHAR username[UNLEN + 1];
    DWORD size = UNLEN + 1;
    GetUserName((TCHAR*)username, &size);
    std::cout << "Username: "******"\n" << std::endl;

    /*
    SecPkgContext_SessionKey      SecPackSess;
    SecPkgContext_KeyInfo         SecPackKey;
    ss = QueryContextAttributes(&hctxt, SECPKG_ATTR_SESSION_KEY, &SecPackSess);
    ss = QueryContextAttributes(&hctxt, SECPKG_ATTR_KEY_INFO, &SecPackKey);
    */

    /*
    printf("OHHH YESSSSS!\n";
    printf("OHHH YESSSSS!\n";
    printf("Test calc.exe\n");
    if (!system("calc.exe")) {
        printf("test failed\n");
    }
    */

    //////////////////////////////////////////////////////////////////////
    printf("Check your tokens now bro!\n"); // sleep
    printf("Sleeping for 5min");
    Sleep(300000); //just a test
    //  Revert to self.
    
    ss = RevertSecurityContext(&hctxt);
    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "Revert failed: 0x%08x\n", ss);
        cleanup();
    }
    else
    {
        printf("Reverted to self.\n");
    }
}
Exemple #14
0
BOOL GenServerContext(BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone, BOOL fNewConversation)
{
    SECURITY_STATUS   ss;
    TimeStamp         Lifetime;
    SecBufferDesc     OutBuffDesc;
    SecBuffer         OutSecBuff;
    SecBufferDesc     InBuffDesc;
    SecBuffer         InSecBuff;
    ULONG             Attribs = ASC_REQ_DELEGATE; //0

    // prepare output buffers.
    OutBuffDesc.ulVersion = 0;
    OutBuffDesc.cBuffers = 1;
    OutBuffDesc.pBuffers = &OutSecBuff;

    // prepare output security buffers.
    OutSecBuff.cbBuffer = *pcbOut;
    OutSecBuff.BufferType = SECBUFFER_TOKEN;
    OutSecBuff.pvBuffer = pOut;

    // prepare input buffers.
    InBuffDesc.ulVersion = 0;
    InBuffDesc.cBuffers = 1;
    InBuffDesc.pBuffers = &InSecBuff;

    // prepare input security buffers
    InSecBuff.cbBuffer = cbIn;
    InSecBuff.BufferType = SECBUFFER_TOKEN;
    InSecBuff.pvBuffer = pIn;

    printf("Token buffer received (%lu bytes):\n", InSecBuff.cbBuffer);
    // PrintHexDump(InSecBuff.cbBuffer, (PBYTE)InSecBuff.pvBuffer);

    // Get the security context
    ss = AcceptSecurityContext(
        &hcred,
        fNewConversation ? NULL : &hctxt,
        &InBuffDesc,
        Attribs, //ASC_REQ_DELEGATE
        SECURITY_NATIVE_DREP,
        &hctxt,
        &OutBuffDesc,
        &Attribs,
        &Lifetime);

    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "AcceptSecurityContext failed: 0x%08x\n", ss);
        return FALSE;
    }

    //  Complete token if applicable.
    if ((SEC_I_COMPLETE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss))
    {
        printf("Calling complete auth token\n");
        ss = CompleteAuthToken(&hctxt, &OutBuffDesc);
        if (!SEC_SUCCESS(ss))
        {
            fprintf(stderr, "complete failed: 0x%08x\n", ss);
            return FALSE;
        }
    }

    // IT WORKED HERE!!!
    *pcbOut = OutSecBuff.cbBuffer;


    *pfDone = !((SEC_I_CONTINUE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss));

    // at the end print if its accepted
    printf("AcceptSecurityContext result = 0x%08x\n", ss);

    return TRUE;
}
Exemple #15
0
BOOL DoAuthentication (void)
{
	SECURITY_STATUS   	ss;
	DWORD 			  	cbIn;
	DWORD		      	cbOut;
	DWORD 			  	g_cbMaxMessage;
	BOOL              	done = FALSE;
	BOOL		      	fDone = FALSE;
	BOOL              	fNewConversation = TRUE;
	TimeStamp         	Lifetime;
	PSecPkgInfoA	  	pkgInfo;
	CredHandle        	hcred;
	CredHandle 	      	hCcred;
	struct _SecHandle 	hctxt;
	struct _SecHandle 	hCctxt;
	PBYTE 			  	g_pInBuf = NULL;
	PBYTE 			  	g_pOutBuf = NULL;
	SEC_CHAR          	g_lpPackageName[1024];
	PBYTE				nonce, clientnonce, lmhash, nthash;
	PCHAR pUserName = NULL;
	DWORD cbUserName = 0;



	lstrcpynA (g_lpPackageName, "NTLM",5);
	ss = QuerySecurityPackageInfoA ( g_lpPackageName, &pkgInfo);
	if (!SEC_SUCCESS(ss)) MyHandleError("Could not query package");

	g_cbMaxMessage = pkgInfo->cbMaxToken;
	FreeContextBuffer(pkgInfo);
	g_pInBuf = (PBYTE) malloc (g_cbMaxMessage);
	g_pOutBuf = (PBYTE) malloc (g_cbMaxMessage);
   
	if (NULL == g_pInBuf || NULL == g_pOutBuf) MyHandleError("Memory allocation");

	ss = AcquireCredentialsHandleA (NULL, g_lpPackageName, SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &hcred, &Lifetime);

	if (!SEC_SUCCESS (ss)) MyHandleError("AcquireCreds failed");
	cbOut = g_cbMaxMessage;

	if (!GenClientContext ( NULL, 0, g_pOutBuf, &cbOut, &fDone, "NTLM", &hCcred, &hCctxt))
		MyHandleError("Cant't generate client context");

	printf ("Type%hhd message (%lu bytes):\n",g_pOutBuf[8], cbOut);//type1
	PrintHexDump (cbOut, (PBYTE)g_pOutBuf);

	memcpy(g_pInBuf,g_pOutBuf, cbOut);
	cbIn = cbOut;
	cbOut = g_cbMaxMessage;


	if (!GenServerContext (g_pInBuf, cbIn, g_pOutBuf, &cbOut, &done, fNewConversation, &hcred, &hctxt))
		MyHandleError("GenServerContext failed");

	fNewConversation = FALSE;

	printf ("Type%hhd message (%lu bytes):\n",g_pOutBuf[8], cbOut); //type2
	PrintHexDump (cbOut, (PBYTE)g_pOutBuf);
	
	memcpy(g_pInBuf,g_pOutBuf, cbOut);
	cbIn = cbOut;
	cbOut = g_cbMaxMessage;

	nonce = (PBYTE) malloc (16);
	memcpy (nonce, (void *)&g_pOutBuf[24], 8);
	
	if (!GenClientContext (g_pInBuf, cbIn, g_pOutBuf, &cbOut, &fDone, "NTLM", &hCcred, &hCctxt))
		MyHandleError("GenClientContext failed");

	printf ("Type%hhd message (%lu bytes):\n",g_pOutBuf[8], cbOut);//type3
	PrintHexDump (cbOut, (PBYTE)g_pOutBuf);

	GetUserNameExA(NameSamCompatible, pUserName, &cbUserName);
	pUserName = (PCHAR) malloc (cbUserName);
	GetUserNameExA(NameSamCompatible, pUserName, &cbUserName);
	cbUserName = (DWORD)((int)strchr(pUserName,'\\'));
	*(char *)cbUserName = 0;

	printf("g_pOutBuf[22]=%d\n",g_pOutBuf[22]);

	if (g_pOutBuf[22] > 24) 
	{
		printf("NTLMv2\n");
		nthash = (PBYTE) malloc (16);
		cbIn = g_pOutBuf[24] + (g_pOutBuf[25] << 8);
		memcpy (nthash, (void *)&g_pOutBuf[cbIn], 16);

		cbIn += 16;
		clientnonce = (PBYTE) malloc (cbOut - cbIn - 16);
		//memcpy (clientnonce, (void *)&g_pOutBuf[cbIn], 84);
		memcpy (clientnonce, (void *)&g_pOutBuf[cbIn], cbOut - cbIn - 16);

		printf("Nonce:  ");
		PrintHex (8, nonce);
		printf("\nClientNonce: ");
		PrintHex (cbOut - cbIn - 16, clientnonce);
		printf("\nNThash: ");
		PrintHex (16, nthash);
		printf("\n");
		
		printf("\nJTR: %s::%s", (unsigned char *)((int)cbUserName+1), (unsigned char *)pUserName);
		printf(":");
		PrintHex (8, nonce);
		printf(":");
		PrintHex (16, nthash);
		printf(":");
		PrintHex (cbOut - cbIn - 16, clientnonce);

		printf("\n");
	}
	else if (g_pOutBuf[22] == 24)
	{
		printf("NTLM\n");
		lmhash = (PBYTE) malloc (24);
		cbIn = g_pOutBuf[16] + (g_pOutBuf[17] << 8);
		memcpy (lmhash, (void *)&g_pOutBuf[cbIn], 24);

		nthash = (PBYTE) malloc (24);
		cbIn = g_pOutBuf[24] + (g_pOutBuf[25] << 8);
		memcpy (nthash, (void *)&g_pOutBuf[cbIn], 24);

		printf("\nNonce:  ");
		PrintHex (8, nonce);
		printf("\nLMhash: ");
		PrintHex (24, lmhash);
		printf("\nNThash: ");
		PrintHex (24, nthash);

		printf("\nJTR: %s::%s", (unsigned char *)((int)cbUserName+1), (unsigned char *)pUserName);
		printf(":");
		PrintHex (24, lmhash);
		printf(":");
		PrintHex (24, nthash);
		printf(":");
		PrintHex (8, nonce);
		printf("\n");
		
	}
	else
	{
		printf("Unknown hashtype");
	}


	return(TRUE);
}
Exemple #16
-1
BOOL GenClientContext (BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone, SEC_CHAR *pszTarget, CredHandle *hCred, struct _SecHandle *hCtxt)
{
	SECURITY_STATUS   ss;
	TimeStamp         Lifetime;
	SecBufferDesc     OutBuffDesc;
	SecBuffer         OutSecBuff;
	SecBufferDesc     InBuffDesc;
	SecBuffer         InSecBuff;
	ULONG             ContextAttributes;
	SEC_CHAR	      lpPackageName[1024];
	_SEC_WINNT_AUTH_IDENTITY	auth_data;
	PCHAR pUserName = NULL;
	DWORD cbUserName = 0;
	DWORD dw;


	if( NULL == pIn )  
	{   
		GetUserNameExA(NameSamCompatible, pUserName, &cbUserName);
		pUserName = (PCHAR) malloc (cbUserName);
		GetUserNameExA(NameSamCompatible, pUserName, &cbUserName);

		cbUserName = (DWORD)((int)strchr(pUserName,'\\'));
		*(char *)cbUserName = 0;
		auth_data.Domain = (unsigned char *)pUserName;
		auth_data.User = (unsigned char *)((int)cbUserName+1);
		printf("%s@%s\n",(char *)auth_data.User,(char *)auth_data.Domain);

		auth_data.UserLength = strlen((char *)auth_data.User);
		auth_data.DomainLength = strlen((char *)auth_data.Domain);
		auth_data.Password = NULL;
		auth_data.PasswordLength = 0;
		auth_data.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;

	   	lstrcpynA (lpPackageName, "NTLM", 5);
	   	ss = AcquireCredentialsHandleA (NULL, lpPackageName, SECPKG_CRED_OUTBOUND, NULL, &auth_data, NULL, NULL, hCred, &Lifetime);
	   	if (!(SEC_SUCCESS (ss))) MyHandleError("AcquireCreds failed ");
	}

	OutBuffDesc.ulVersion = 0;
	OutBuffDesc.cBuffers  = 1;
	OutBuffDesc.pBuffers  = &OutSecBuff;

	OutSecBuff.cbBuffer   = *pcbOut;
	OutSecBuff.BufferType = SECBUFFER_TOKEN;
	OutSecBuff.pvBuffer   = pOut;

	if (pIn)
	{
		 InBuffDesc.ulVersion = 0;
		 InBuffDesc.cBuffers  = 1;
		 InBuffDesc.pBuffers  = &InSecBuff;

		 InSecBuff.cbBuffer   = cbIn;
		 InSecBuff.BufferType = SECBUFFER_TOKEN;
		 InSecBuff.pvBuffer   = pIn;
		ss = InitializeSecurityContextA (hCred,	hCtxt,	pszTarget,	ISC_REQ_CONFIDENTIALITY, 0,	SECURITY_NATIVE_DREP,	&InBuffDesc,	0, 	hCtxt,	&OutBuffDesc, &ContextAttributes,	&Lifetime);
	}
	else
	{
		 ss = InitializeSecurityContextA (hCred, NULL, pszTarget, ISC_REQ_CONFIDENTIALITY, 0, SECURITY_NATIVE_DREP, NULL, 0, hCtxt, &OutBuffDesc, &ContextAttributes, &Lifetime);
	}

	if (!SEC_SUCCESS (ss)) MyHandleError ("InitializeSecurityContext failed " );

	*pcbOut = OutSecBuff.cbBuffer;
	*pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||(SEC_I_COMPLETE_AND_CONTINUE == ss));
	return TRUE;
}