Merge PR GhostPack#204 GhostPack#204 for dMSA improvements

int3x · int3x · commit 78a726811f31 · 2025-11-19T06:39:22.000-05:00
diff --git a/Rubeus/lib/Ask.cs b/Rubeus/lib/Ask.cs
@@ -626,14 +626,14 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,
                 string keyListHash = null;
                 if (keyList)
                 {
-                    keyListHash = Helpers.ByteArrayToString(encRepPart.encryptedPaData.PA_KEY_LIST_REP.encryptionKey.keyvalue);
+                    keyListHash = Helpers.ByteArrayToString(encRepPart.encryptedPaData.PA_KEY_LIST_REP.EncryptionKeys[0].keyvalue);
                 }
 
                 // extract DMSA_KEY_PACKAGE for parsing to displayTicket.
-                PA_DMSA_KEY_PACKAGE dmsaCurrentKeys = null;
+                PA_DMSA_KEY_PACKAGE dmsaKeyPackage = null;
                 if (dmsa)
                 {
-                    dmsaCurrentKeys = encRepPart.encryptedPaData.PA_DMSA_KEY_PACKAGE;
+                    dmsaKeyPackage = encRepPart.encryptedPaData.PA_DMSA_KEY_PACKAGE;
                 }
 
                 // if using /opsec and the ticket is for a server configuration for unconstrained delegation, request a forwardable TGT
@@ -704,7 +704,7 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,
                 string kirbiString = Convert.ToBase64String(kirbiBytes);
 
                 return ProcessTicketResponse(kirbiBytes, kirbiString, cred, ptt, servicekey, u2u, clientKey, display,
-                    asrepkey, keyListHash, outfile, printargs, dmsaCurrentKeys);
+                    asrepkey, keyListHash, outfile, printargs, dmsaKeyPackage);
           
             }
             else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR)
@@ -720,7 +720,7 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,
             return null;
         }
 
-        static public byte[] ProcessTicketResponse(byte[] kirbiBytes, string kirbiString, KRB_CRED cred, bool ptt, string servicekey, bool u2u, byte[] clientKey, bool display, string asrepkey, string keyListHash, string outfile, bool printargs, PA_DMSA_KEY_PACKAGE dmsaCurrentKeys) {
+        static public byte[] ProcessTicketResponse(byte[] kirbiBytes, string kirbiString, KRB_CRED cred, bool ptt, string servicekey, bool u2u, byte[] clientKey, bool display, string asrepkey, string keyListHash, string outfile, bool printargs, PA_DMSA_KEY_PACKAGE dmsaKeyPackage) {
 
             if (ptt) {
                 // pass-the-ticket -> import into LSASS
@@ -746,7 +746,7 @@ static public byte[] ProcessTicketResponse(byte[] kirbiBytes, string kirbiString
 
                 LSA.DisplayTicket(kirbi, 2, false, false, false, false,
                     string.IsNullOrEmpty(servicekey) ? null : Helpers.StringToByteArray(servicekey), string.IsNullOrEmpty(asrepkey) ? null : Helpers.StringToByteArray(asrepkey),
-                    null, null, null, string.IsNullOrEmpty(keyListHash) ? null : Helpers.StringToByteArray(keyListHash), null, dmsaCurrentKeys);
+                    null, null, null, string.IsNullOrEmpty(keyListHash) ? null : Helpers.StringToByteArray(keyListHash), null, dmsaKeyPackage);
             }
 
             if (!String.IsNullOrEmpty(outfile)) {
diff --git a/Rubeus/lib/LSA.cs b/Rubeus/lib/LSA.cs
@@ -488,7 +488,7 @@ public static void DisplaySessionCreds(List<SESSION_CRED> sessionCreds, TicketDi
             }
         }
 
-        public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displayTGT = false, bool displayB64ticket = false, bool extractKerberoastHash = true, bool nowrap = false, byte[] serviceKey = null, byte[] asrepKey = null, string serviceUser = "", string serviceDomain = "", byte[] krbKey = null, byte[] keyList = null, string desPlainText = "", PA_DMSA_KEY_PACKAGE dmsaCurrentKeys = null)
+        public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displayTGT = false, bool displayB64ticket = false, bool extractKerberoastHash = true, bool nowrap = false, byte[] serviceKey = null, byte[] asrepKey = null, string serviceUser = "", string serviceDomain = "", byte[] krbKey = null, byte[] keyList = null, string desPlainText = "", PA_DMSA_KEY_PACKAGE dmsaKeyPackage = null)
         {
             // displays a given .kirbi (KRB_CRED) object, with display options
 
@@ -552,13 +552,29 @@ public static void DisplayTicket(KRB_CRED cred, int indentLevel = 2, bool displa
                     Console.WriteLine("{0}Password Hash            :  {2}", indent, userName, Helpers.ByteArrayToString(keyList));
                 }
 
-                if(dmsaCurrentKeys != null)
+                if (dmsaKeyPackage != null)
                 {
-                    string etypeName = Enum.GetName(typeof(Interop.KERB_ETYPE), dmsaCurrentKeys.currentKeys.encryptionKey.keytype);
-                    string cKeyValue = Helpers.ByteArrayToString(dmsaCurrentKeys.currentKeys.encryptionKey.keyvalue);
+                    string etypeName, cKeyValue;
+                    foreach (var encryptionKey in dmsaKeyPackage.currentKeys.EncryptionKeys)
+                    {
+                        etypeName = Enum.GetName(typeof(Interop.KERB_ETYPE), encryptionKey.keytype);
+                        cKeyValue = Helpers.ByteArrayToString(encryptionKey.keyvalue);
+
 
+                        Console.WriteLine("{0}Current Keys for {1}: ({2}) {3}", indent, userName, etypeName, cKeyValue);
+                    }
 
-                    Console.WriteLine("{0}Current Keys for {1}: ({2}) {3}", indent, userName, etypeName, cKeyValue);
+                    if (dmsaKeyPackage.previousKeys != null)
+                    {
+                        foreach (var encryptionKey in dmsaKeyPackage.previousKeys.EncryptionKeys)
+                        {
+                            etypeName = Enum.GetName(typeof(Interop.KERB_ETYPE), encryptionKey.keytype);
+                            cKeyValue = Helpers.ByteArrayToString(encryptionKey.keyvalue);
+
+
+                            Console.WriteLine("{0}Previous Keys for {1}: ({2}) {3}", indent, userName, etypeName, cKeyValue);
+                        }
+                    }
                 }
 
 
diff --git a/Rubeus/lib/krb_structures/EncryptionKey.cs b/Rubeus/lib/krb_structures/EncryptionKey.cs
@@ -21,7 +21,18 @@ public EncryptionKey()
 
         public EncryptionKey(AsnElt body)
         {
-            foreach (AsnElt s in body.Sub[0].Sub)
+            // Unwrap a wrapper if present, or use body directly if it's already a SEQUENCE
+            AsnElt seq;
+            if (body.TagValue == AsnElt.SEQUENCE)
+            {
+                seq = body;
+            }
+            else
+            {
+                seq = body.Sub[0];
+            }
+
+            foreach (AsnElt s in seq.Sub)
             {
                 switch (s.TagValue)
                 {
diff --git a/Rubeus/lib/krb_structures/PA_DMSA_KEY_PACKAGE.cs b/Rubeus/lib/krb_structures/PA_DMSA_KEY_PACKAGE.cs
@@ -26,11 +26,21 @@ public PA_DMSA_KEY_PACKAGE()
 
 		public PA_DMSA_KEY_PACKAGE(AsnElt body) 
 		{
-			currentKeys = new PA_KEY_LIST_REP(body.Sub[0].Sub[0]);
-			previousKeys = new PA_KEY_LIST_REP(body.Sub[1].Sub[0]);
-			expirationInterval = body.Sub[2].Sub[0].GetTime();
-			fetchInterval = body.Sub[3].Sub[0].GetTime();
-		}
+            currentKeys = new PA_KEY_LIST_REP(body.Sub[0].Sub[0]);
+
+            // previous-keys is OPTIONAL
+            if (body.Sub.Length == 4)
+            {
+                previousKeys = new PA_KEY_LIST_REP(body.Sub[1].Sub[0]);
+                expirationInterval = body.Sub[2].Sub[0].GetTime();
+                fetchInterval = body.Sub[3].Sub[0].GetTime();
+            }
+            else
+            {
+                expirationInterval = body.Sub[1].Sub[0].GetTime();
+                fetchInterval = body.Sub[2].Sub[0].GetTime();
+            }
+        }
 
 		public AsnElt Encode()
 		{
diff --git a/Rubeus/lib/krb_structures/PA_KEY_LIST_REP.cs b/Rubeus/lib/krb_structures/PA_KEY_LIST_REP.cs
@@ -1,29 +1,41 @@
 ﻿using Asn1;
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Text;
 
 namespace Rubeus
 {
     public class PA_KEY_LIST_REP
     {
         // KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
+
         public PA_KEY_LIST_REP()
         {
-            encryptionKey = new EncryptionKey();
+            EncryptionKeys = new List<EncryptionKey>();
         }
+
         public PA_KEY_LIST_REP(AsnElt body)
         {
-            encryptionKey = new EncryptionKey(body);
+            if (body.TagValue != AsnElt.SEQUENCE)
+                throw new ArgumentException("KERB-KEY-LIST-REP must be a SEQUENCE", nameof(body));
+
+            EncryptionKeys = new List<EncryptionKey>(body.Sub.Length);
+            foreach (var child in body.Sub)
+            {
+                EncryptionKeys.Add(new EncryptionKey(child));
+            }
         }
 
         public AsnElt Encode()
         {
-            AsnElt encryptionKeyAsn = encryptionKey.Encode();
-            AsnElt encryptionKeySeq = AsnElt.Make(AsnElt.SEQUENCE, new[] { encryptionKeyAsn });
-            return encryptionKeySeq;
-        }
+            var encodedKeys = EncryptionKeys
+                .Select(key => key.Encode())
+                .ToArray();
 
-        public EncryptionKey encryptionKey { get; set; }
+            return AsnElt.Make(AsnElt.SEQUENCE, encodedKeys);
+        }
 
+        public List<EncryptionKey> EncryptionKeys { get; set; }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -626,14 +626,14 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,`
`626`	`626`	`string keyListHash = null;`
`627`	`627`	`if (keyList)`
`628`	`628`	`{`
`629`		`- keyListHash = Helpers.ByteArrayToString(encRepPart.encryptedPaData.PA_KEY_LIST_REP.encryptionKey.keyvalue);`
	`629`	`+ keyListHash = Helpers.ByteArrayToString(encRepPart.encryptedPaData.PA_KEY_LIST_REP.EncryptionKeys[0].keyvalue);`
`630`	`630`	`}`
`631`	`631`
`632`	`632`	`// extract DMSA_KEY_PACKAGE for parsing to displayTicket.`
`633`		`- PA_DMSA_KEY_PACKAGE dmsaCurrentKeys = null;`
	`633`	`+ PA_DMSA_KEY_PACKAGE dmsaKeyPackage = null;`
`634`	`634`	`if (dmsa)`
`635`	`635`	`{`
`636`		`- dmsaCurrentKeys = encRepPart.encryptedPaData.PA_DMSA_KEY_PACKAGE;`
	`636`	`+ dmsaKeyPackage = encRepPart.encryptedPaData.PA_DMSA_KEY_PACKAGE;`
`637`	`637`	`}`
`638`	`638`
`639`	`639`	`// if using /opsec and the ticket is for a server configuration for unconstrained delegation, request a forwardable TGT`
`@@ -704,7 +704,7 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,`
`704`	`704`	`string kirbiString = Convert.ToBase64String(kirbiBytes);`
`705`	`705`
`706`	`706`	`return ProcessTicketResponse(kirbiBytes, kirbiString, cred, ptt, servicekey, u2u, clientKey, display,`
`707`		`- asrepkey, keyListHash, outfile, printargs, dmsaCurrentKeys);`
	`707`	`+ asrepkey, keyListHash, outfile, printargs, dmsaKeyPackage);`
`708`	`708`
`709`	`709`	`}`
`710`	`710`	`else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR)`
`@@ -720,7 +720,7 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,`
`720`	`720`	`return null;`
`721`	`721`	`}`
`722`	`722`
`723`		`- static public byte[] ProcessTicketResponse(byte[] kirbiBytes, string kirbiString, KRB_CRED cred, bool ptt, string servicekey, bool u2u, byte[] clientKey, bool display, string asrepkey, string keyListHash, string outfile, bool printargs, PA_DMSA_KEY_PACKAGE dmsaCurrentKeys) {`
	`723`	`+ static public byte[] ProcessTicketResponse(byte[] kirbiBytes, string kirbiString, KRB_CRED cred, bool ptt, string servicekey, bool u2u, byte[] clientKey, bool display, string asrepkey, string keyListHash, string outfile, bool printargs, PA_DMSA_KEY_PACKAGE dmsaKeyPackage) {`
`724`	`724`
`725`	`725`	`if (ptt) {`
`726`	`726`	`// pass-the-ticket -> import into LSASS`
`@@ -746,7 +746,7 @@ static public byte[] ProcessTicketResponse(byte[] kirbiBytes, string kirbiString`
`746`	`746`
`747`	`747`	`LSA.DisplayTicket(kirbi, 2, false, false, false, false,`
`748`	`748`	`string.IsNullOrEmpty(servicekey) ? null : Helpers.StringToByteArray(servicekey), string.IsNullOrEmpty(asrepkey) ? null : Helpers.StringToByteArray(asrepkey),`
`749`		`- null, null, null, string.IsNullOrEmpty(keyListHash) ? null : Helpers.StringToByteArray(keyListHash), null, dmsaCurrentKeys);`
	`749`	`+ null, null, null, string.IsNullOrEmpty(keyListHash) ? null : Helpers.StringToByteArray(keyListHash), null, dmsaKeyPackage);`
`750`	`750`	`}`
`751`	`751`
`752`	`752`	`if (!String.IsNullOrEmpty(outfile)) {`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,18 @@ public EncryptionKey()`
`21`	`21`
`22`	`22`	`public EncryptionKey(AsnElt body)`
`23`	`23`	`{`
`24`		`- foreach (AsnElt s in body.Sub[0].Sub)`
	`24`	`+ // Unwrap a wrapper if present, or use body directly if it's already a SEQUENCE`
	`25`	`+ AsnElt seq;`
	`26`	`+ if (body.TagValue == AsnElt.SEQUENCE)`
	`27`	`+ {`
	`28`	`+ seq = body;`
	`29`	`+ }`
	`30`	`+ else`
	`31`	`+ {`
	`32`	`+ seq = body.Sub[0];`
	`33`	`+ }`
	`34`	`+`
	`35`	`+ foreach (AsnElt s in seq.Sub)`
`25`	`36`	`{`
`26`	`37`	`switch (s.TagValue)`
`27`	`38`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,29 +1,41 @@`
`1`	`1`	`using Asn1;`
`2`	`2`	`using System;`
	`3`	`+using System.Collections.Generic;`
	`4`	`+using System.Linq;`
`3`	`5`	`using System.Text;`
`4`	`6`
`5`	`7`	`namespace Rubeus`
`6`	`8`	`{`
`7`	`9`	`public class PA_KEY_LIST_REP`
`8`	`10`	`{`
`9`	`11`	`// KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey`
	`12`	`+`
`10`	`13`	`public PA_KEY_LIST_REP()`
`11`	`14`	`{`
`12`		`- encryptionKey = new EncryptionKey();`
	`15`	`+ EncryptionKeys = new List<EncryptionKey>();`
`13`	`16`	`}`
	`17`	`+`
`14`	`18`	`public PA_KEY_LIST_REP(AsnElt body)`
`15`	`19`	`{`
`16`		`- encryptionKey = new EncryptionKey(body);`
	`20`	`+ if (body.TagValue != AsnElt.SEQUENCE)`
	`21`	`+ throw new ArgumentException("KERB-KEY-LIST-REP must be a SEQUENCE", nameof(body));`
	`22`	`+`
	`23`	`+ EncryptionKeys = new List<EncryptionKey>(body.Sub.Length);`
	`24`	`+ foreach (var child in body.Sub)`
	`25`	`+ {`
	`26`	`+ EncryptionKeys.Add(new EncryptionKey(child));`
	`27`	`+ }`
`17`	`28`	`}`
`18`	`29`
`19`	`30`	`public AsnElt Encode()`
`20`	`31`	`{`
`21`		`- AsnElt encryptionKeyAsn = encryptionKey.Encode();`
`22`		`- AsnElt encryptionKeySeq = AsnElt.Make(AsnElt.SEQUENCE, new[] { encryptionKeyAsn });`
`23`		`- return encryptionKeySeq;`
`24`		`- }`
	`32`	`+ var encodedKeys = EncryptionKeys`
	`33`	`+ .Select(key => key.Encode())`
	`34`	`+ .ToArray();`
`25`	`35`
`26`		`- public EncryptionKey encryptionKey { get; set; }`
	`36`	`+ return AsnElt.Make(AsnElt.SEQUENCE, encodedKeys);`
	`37`	`+ }`
`27`	`38`
	`39`	`+ public List<EncryptionKey> EncryptionKeys { get; set; }`
`28`	`40`	`}`
`29`	`41`	`}`