
experimenting with Negotiation of FAST and Detecting Modified Requests

Jonathan Turner 9 anos atrás
pai
commit
16608b7634
7 arquivos alterados com 62 adições e 27 exclusões
  1. 3 1
      README.md
  2. 23 6
      debug.go
  3. 13 12
      messages/KDCRep.go
  4. 1 0
      messages/constants.go
  5. 1 0
      types/KerberosFlags.go
  6. 7 2
      types/PAData.go
  7. 14 6
      types/constants.go

+ 3 - 1
README.md

@@ -13,7 +13,9 @@ This is work in progress and does not yet work...
 [text](https://www.ietf.org/rfc/rfc3961.txt) [html](https://tools.ietf.org/html/rfc3961)
 * RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
 [text](https://www.ietf.org/rfc/rfc3962.txt) [html](https://tools.ietf.org/html/rfc3962)
-* Kerberos Principal Name Canonicalization and Cross-Realm Referrals [text](https://www.ietf.org/rfc/rfc6806.txt) [html](https://tools.ietf.org/html/rfc6806.html)
+* RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals [text](https://www.ietf.org/rfc/rfc6806.txt) [html](https://tools.ietf.org/html/rfc6806.html)
+* RFC 6113 A Generalized Framework for Kerberos Pre-Authentication [text](https://www.ietf.org/rfc/rfc6113.txt) [html](https://tools.ietf.org/html/rfc6113.html)
+* [IANA Assigned Kerberos Numbers](http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml)
 * [Microsoft PAC Validation](https://blogs.msdn.microsoft.com/openspecification/2009/04/24/understanding-microsoft-kerberos-pac-validation/)
 * [Microsoft Kerberos Protocol Extensions](https://msdn.microsoft.com/en-us/library/cc233855.aspx)
 

+ 23 - 6
debug.go

@@ -1,17 +1,20 @@
 package main
 
 import (
+	"encoding/hex"
 	"fmt"
-	"os"
-	"github.com/jcmturner/gokrb5/config"
-	"github.com/jcmturner/gokrb5/messages"
+	"github.com/jcmturner/asn1"
 	"github.com/jcmturner/gokrb5/client"
-	"encoding/hex"
+	"github.com/jcmturner/gokrb5/config"
+	"github.com/jcmturner/gokrb5/crypto"
 	"github.com/jcmturner/gokrb5/keytab"
+	"github.com/jcmturner/gokrb5/messages"
+	"github.com/jcmturner/gokrb5/types"
+	"os"
 )
 
-const ktab = "05020000004b0001000b544553542e474f4b5242350009746573747573657231000000015898e0770100120020bbdc430aab7e2d4622a0b6951481453b0962e9db8e2f168942ad175cda6d9de900000001"
-const krb5conf =`[libdefaults]
+const ktab = "05020000003b0001000b544553542e474f4b524235000974657374757365723100000001589b9b2b0100110010698c4df8e9f60e7eea5a21bf4526ad25000000010000004b0001000b544553542e474f4b524235000974657374757365723100000001589b9b2b0100120020bbdc430aab7e2d4622a0b6951481453b0962e9db8e2f168942ad175cda6d9de900000001"
+const krb5conf = `[libdefaults]
   default_realm = TEST.GOKRB5
   dns_lookup_realm = false
   dns_lookup_kdc = false
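Review bot: The new `ktab` constant embeds long-term key material directly in source, and nothing marks it as a disposable fixture. Decoding the hex shows two keytab entries for testuser1 in TEST.GOKRB5 (etype 17 and etype 18) with their raw keys. I would add a comment above it, `// Test-only keytab for testuser1@TEST.GOKRB5 (aes128 and aes256 keys); never reuse these keys outside the throwaway test KDC.`, and load the keytab from a file path once this stops being a debug program. The `krb5conf` literal continues past the end of the hunk.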
@@ -59,5 +62,19 @@ func main() {
 		fmt.Fprintf(os.Stderr, "\nDecrypt err: %v\n", err)
 	} else {
 		fmt.Fprintf(os.Stdout, "\n\nAS REP decrypted with keytab: %+v\n", ar)
+		var p types.PAReqEncPARep
+		_, err = asn1.Unmarshal(ar.DecryptedEncPart.EncPAData[0].PADataValue, &p)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error unmarshal PAReqEncPARep: %v\n", err)
+		}
+		fmt.Fprintf(os.Stdout, "PAReqEncPARep: %+v\n", p)
+		var et crypto.Aes256CtsHmacSha96
+		cb, err := crypto.GetChecksum(b, ar.DecryptedEncPart.Key.KeyValue, messages.USAGE_KEY_USAGE_AS_REQ, et)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error getting checksum PAReqEncPARep: %v\n", err)
+		} else {
+			fmt.Fprintf(os.Stdout, "AS REQ checksum: %+v\n", cb[:et.GetHMACBitLength()/8])
+		}
 	}
+
 }
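Review bot: `ar.DecryptedEncPart.EncPAData[0]` is indexed without a length check, yet `EncPAData` is declared `optional` in `EncKDCRepPart`, so an AS-REP from a KDC that omits encrypted-pa-data will panic here with an index out of range. The block also prints `p` after a failed unmarshal, and it only prints the computed checksum without comparing it with `p.Chksum`, so a modified request is not actually detected. I would guard the length, stop on the unmarshal error, and compare with `hmac.Equal` (which needs `crypto/hmac`) so the comparison is constant-time. Whether the truncated `cb` is the right operand should be confirmed against `crypto.GetChecksum`. `b` and the start of `main` are outside the hunk.

```go
		fmt.Fprintf(os.Stdout, "\n\nAS REP decrypted with keytab: %+v\n", ar)
		// EncPAData is optional, so an AS-REP may carry none.
		if len(ar.DecryptedEncPart.EncPAData) == 0 {
			fmt.Fprintln(os.Stderr, "AS REP has no encrypted padata; request integrity not checked")
			return
		}
		var p types.PAReqEncPARep
		if _, err = asn1.Unmarshal(ar.DecryptedEncPart.EncPAData[0].PADataValue, &p); err != nil {
			fmt.Fprintf(os.Stderr, "Error unmarshal PAReqEncPARep: %v\n", err)
			return
		}
		// … unchanged: print p, declare et, crypto.GetChecksum call and its error branch …
		} else if !hmac.Equal(cb[:et.GetHMACBitLength()/8], p.Chksum) {
			fmt.Fprintln(os.Stderr, "AS REQ checksum mismatch: request may have been modified in transit")
		} else {
			fmt.Fprintf(os.Stdout, "AS REQ checksum: %+v\n", cb[:et.GetHMACBitLength()/8])
		}
```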

+ 13 - 12
messages/KDCRep.go

@@ -41,18 +41,19 @@ type ASRep KDCRep
 type TGSRep KDCRep
 
 type EncKDCRepPart struct {
-	Key           types.EncryptionKey `asn1:"explicit,tag:0"`
-	LastReqs      []LastReq           `asn1:"explicit,tag:1"`
-	Nonce         int                 `asn1:"explicit,tag:2"`
-	KeyExpiration time.Time           `asn1:"generalized,explicit,optional,tag:3"`
-	Flags         asn1.BitString      `asn1:"explicit,tag:4"`
-	AuthTime      time.Time           `asn1:"generalized,explicit,tag:5"`
-	StartTime     time.Time           `asn1:"generalized,explicit,optional,tag:6"`
-	EndTime       time.Time           `asn1:"generalized,explicit,tag:7"`
-	RenewTill     time.Time           `asn1:"generalized,explicit,optional,tag:8"`
-	SRealm        string              `asn1:"generalstring,explicit,tag:9"`
-	SName         types.PrincipalName `asn1:"explicit,tag:10"`
-	CAddr         []types.HostAddress `asn1:"explicit,optional,tag:11"`
+	Key           types.EncryptionKey  `asn1:"explicit,tag:0"`
+	LastReqs      []LastReq            `asn1:"explicit,tag:1"`
+	Nonce         int                  `asn1:"explicit,tag:2"`
+	KeyExpiration time.Time            `asn1:"generalized,explicit,optional,tag:3"`
+	Flags         asn1.BitString       `asn1:"explicit,tag:4"`
+	AuthTime      time.Time            `asn1:"generalized,explicit,tag:5"`
+	StartTime     time.Time            `asn1:"generalized,explicit,optional,tag:6"`
+	EndTime       time.Time            `asn1:"generalized,explicit,tag:7"`
+	RenewTill     time.Time            `asn1:"generalized,explicit,optional,tag:8"`
+	SRealm        string               `asn1:"generalstring,explicit,tag:9"`
+	SName         types.PrincipalName  `asn1:"explicit,tag:10"`
+	CAddr         []types.HostAddress  `asn1:"explicit,optional,tag:11"`
+	EncPAData     types.PADataSequence `asn1:"explicit,optional,tag:12"`
 }
 
 type LastReq struct {
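Review bot: The only functional change in this hunk is the new `EncPAData` field (the other lines are realignment), and it has no comment explaining when it is populated. Because it is tagged `optional`, it decodes to an empty sequence whenever the KDC does not send tag 12, which is exactly the case the debug.go change in this commit fails to handle. I would document it on the field: `// EncPAData is encrypted-pa-data (RFC 6806 section 11); empty unless the KDC returns it, so check len before indexing.` `types.PADataSequence` is not defined in any hunk shown here, so its shape is assumed.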

+ 1 - 0
messages/constants.go

@@ -26,6 +26,7 @@ const (
 	USAGE_GSSAPI_ACCEPTOR_SIGN  = 23
 	USAGE_GSSAPI_INITIATOR_SEAL = 24
 	USAGE_GSSAPI_INITIATOR_SIGN = 25
+	USAGE_KEY_USAGE_AS_REQ      = 56
 	//26-511.  Reserved for future use in Kerberos and related protocols.
 	//512-1023.  Reserved for uses internal to a Kerberos implementation.
 	//1024.  Encryption for application use in protocols that do not specify key usage values
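Review bot: `USAGE_KEY_USAGE_AS_REQ = 56` is inserted directly above the comment `//26-511.  Reserved for future use in Kerberos and related protocols.`, and 56 falls inside that range, so the list now contradicts its own comment. I would annotate the new line with `// RFC 6806 section 11: checksum over the AS-REQ (KEY_USAGE_AS_REQ)` and reword the range comment to say that values assigned by later RFCs are listed above it. The name also repeats USAGE; `USAGE_AS_REQ` would match its neighbours, though the debug.go caller in this commit would need the same rename. The const block opens before the hunk.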

+ 1 - 0
types/KerberosFlags.go

@@ -81,6 +81,7 @@ const (
 	RequestAnonymous       = 12
 	TransitedPolicyChecked = 12
 	OKAsDelegate           = 13
+	EncPARep               = 15
 	Canonicalize           = 15
 	DisableTransitedCheck  = 26
 	RenewableOK            = 27
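Review bot: `EncPARep = 15` has the same value as `Canonicalize = 15` on the next line, and nothing says they index different bit strings. By RFC 6806, enc-pa-rep is a ticket flag while canonicalize is a KDC option, but as untyped constants in one block either name compiles against either field. A caller testing the wrong bit string would silently read the wrong capability. I would add `// TicketFlags bit 15 (RFC 6806 section 11); not interchangeable with the Canonicalize KDC option` on the new line, and the existing `RequestAnonymous`/`TransitedPolicyChecked` pair at 12 deserves the same comment. The const block starts and ends outside the hunk.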

+ 7 - 2
types/PAData.go

@@ -23,11 +23,11 @@ type PAEncTSEnc struct {
 	PAUSec      int       `asn1:"explicit,optional,tag:1"`
 }
 
-func GetPAEncTSEncAsnMarshalled() ([]byte, error){
+func GetPAEncTSEncAsnMarshalled() ([]byte, error) {
 	t := time.Now()
 	p := PAEncTSEnc{
 		PATimestamp: t,
-		PAUSec: int((t.UnixNano() / int64(time.Microsecond)) - (t.Unix() * 1e6)),
+		PAUSec:      int((t.UnixNano() / int64(time.Microsecond)) - (t.Unix() * 1e6)),
 	}
 	b, err := asn1.Marshal(p)
 	if err != nil {
@@ -51,6 +51,11 @@ type ETypeInfo2Entry struct {
 
 type ETypeInfo2 []ETypeInfo2Entry
 
+type PAReqEncPARep struct {
+	ChksumType int    `asn1:"explicit,tag:0"`
+	Chksum     []byte `asn1:"explicit,tag:1"`
+}
+
 func (pa *PAData) Unmarshal(b []byte) error {
 	_, err := asn1.Unmarshal(b, pa)
 	return err
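Review bot: `PAReqEncPARep` is exported without a doc comment, and its fields do not say what the checksum covers or which key produces it. I would add `// PAReqEncPARep is the checksum over the AS-REQ that the KDC returns in encrypted-pa-data (RFC 6806 section 11).` above the type. Consumers should also check `ChksumType` against the checksum type expected for the reply key before trusting `Chksum`; the debug.go code in this commit unmarshals the value but never reads `ChksumType`. The two fields mirror the generic Kerberos Checksum layout, so if the package already has such a type (not visible here), reusing it would avoid a duplicate.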

+ 14 - 6
types/constants.go

@@ -2,12 +2,20 @@ package types
 
 const (
 	//PA Types
-	PA_TGS_REQ        = 1
-	PA_ENC_TIMESTAMP  = 2
-	PA_PW_SALT        = 3
-	PA_ETYPE_INFO     = 11
-	PA_ETYPE_INFO2    = 19
-	PA_REQ_ENC_PA_REP = 149 //RFC6806 Section 11
+	PA_TGS_REQ       = 1
+	PA_ENC_TIMESTAMP = 2
+	PA_PW_SALT       = 3
+	PA_ETYPE_INFO    = 11
+	PA_ETYPE_INFO2   = 19
+	//From RFC 6113
+	PA_FX_COOKIE           = 133
+	PA_AUTHENTICATION_SET  = 134
+	PA_AUTH_SET_SELECTED   = 135
+	PA_FX_FAST             = 136
+	PA_FX_ERROR            = 137
+	PA_ENCRYPTED_CHALLENGE = 138
+	//RFC6806 Section 11
+	PA_REQ_ENC_PA_REP = 149
 
 	//Name types
 	KRB_NT_UNKNOWN        = 0  //Name type not known