Add target_name for KerberosSSP

Author: gpotter2

doc/scapy/layers/smb.rst

@@ -76,7 +76,7 @@ You might be wondering if you can pass the ``HashNT`` of the password of the use
 
 .. code:: python
 
-    >>> smbclient("server1.domain.local", ssp=KerberosSSP(SPN="cifs/server1", UPN="Administrator@domain.local", PASSWORD="password"))
+    >>> smbclient("server1.domain.local", ssp=KerberosSSP(UPN="Administrator@domain.local", PASSWORD="password"))
 
 **smbclient using a** :class:`~scapy.layers.ntlm.KerberosSSP` **created by** `Ticketer++ <kerberos.html#ticketer>`_:
 
@@ -155,7 +155,6 @@ Let's write a script that connects to a share and list the files in the root fol
         KerberosSSP(
             UPN="Administrator@domain.local",
             PASSWORD=password,
-            SPN="cifs/server1",
         )
     ])
     # Connect to the server

scapy/layers/gssapi.py

@@ -455,6 +455,7 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):

scapy/layers/http.py

@@ -942,6 +942,7 @@ def request(
                     self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                         self.sspcontext,
                         ssp_blob,
+                        target_name="http/" + host,
                         req_flags=0,
                         chan_bindings=self.chan_bindings,
                     )

scapy/layers/kerberos.py

@@ -4014,7 +4014,8 @@ class KerberosSSP(SSP):
 
     :param ST: the service ticket to use for access.
                If not provided, will be retrieved
-    :param SPN: the SPN of the service to use
+    :param SPN: the SPN of the service to use. If not provided, will use the
+                target_name provided in the GSS_Init_sec_context
     :param UPN: The client UPN
     :param DC_IP: (optional) is ST+KEY are not provided, will need to contact
                   the KDC at this IP. If not provided, will perform dc locator.
@@ -4512,6 +4513,7 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):
@@ -4542,8 +4544,8 @@ def GSS_Init_sec_context(
             # Do we have a ST?
             if self.ST is None:
                 # Client sends an AP-req
-                if not self.SPN:
-                    raise ValueError("Missing SPN attribute")
+                if not self.SPN and not target_name:
+                    raise ValueError("Missing SPN/target_name attribute")
                 additional_tickets = []
                 if self.U2U:
                     try:
@@ -4565,7 +4567,7 @@ def GSS_Init_sec_context(
                     # Use TGT
                     res = krb_tgs_req(
                         upn=self.UPN,
-                        spn=self.SPN,
+                        spn=self.SPN or target_name,
                         ip=self.DC_IP,
                         sessionkey=self.KEY,
                         ticket=self.TGT,
@@ -4577,7 +4579,7 @@ def GSS_Init_sec_context(
                     # Ask for TGT then ST
                     res = krb_as_and_tgs(
                         upn=self.UPN,
-                        spn=self.SPN,
+                        spn=self.SPN or target_name,
                         ip=self.DC_IP,
                         key=self.KEY,
                         password=self.PASSWORD,

scapy/layers/ldap.py

@@ -1800,6 +1800,7 @@ def __init__(
         verb=True,
     ):
         self.sock = None
+        self.host = None
         self.verb = verb
         self.ssl = False
         self.sslcontext = None
@@ -1815,7 +1816,7 @@ def __init__(
 
     def connect(
         self,
-        ip,
+        host,
         port=None,
         use_ssl=False,
         sslcontext=None,
@@ -1826,7 +1827,7 @@ def connect(
         """
         Initiate a connection
 
-        :param ip: the IP or hostname to connect to.
+        :param host: the IP or hostname to connect to.
         :param port: the port to connect to. (Default: 389 or 636)
 
         :param use_ssl: whether to use LDAPS or not. (Default: False)
@@ -1844,17 +1845,18 @@ def connect(
                 port = 389
         sock = socket.socket()
         self.timeout = timeout
+        self.host = host
         sock.settimeout(timeout)
         if self.verb:
             print(
                 "\u2503 Connecting to %s on port %s%s..."
                 % (
-                    ip,
+                    host,
                     port,
                     " with SSL" if self.ssl else "",
                 )
             )
-        sock.connect((ip, port))
+        sock.connect((host, port))
         if self.verb:
             print(
                 conf.color_theme.green(
@@ -1872,7 +1874,7 @@ def connect(
                     context = ssl.create_default_context()
             else:
                 context = self.sslcontext
-            sock = context.wrap_socket(sock, server_hostname=sni or ip)
+            sock = context.wrap_socket(sock, server_hostname=sni or host)
         # Wrap the socket in a Scapy socket
         if self.ssl:
             self.sock = SSLStreamSocket(sock, LDAP)
@@ -2042,6 +2044,7 @@ def bind(
             # 2. First exchange: Negotiate
             self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                 self.sspcontext,
+                target_name="ldap/" + self.host,
                 req_flags=(
                     GSS_C_FLAGS.GSS_C_REPLAY_FLAG
                     | GSS_C_FLAGS.GSS_C_SEQUENCE_FLAG
@@ -2068,6 +2071,7 @@ def bind(
             self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                 self.sspcontext,
                 GSSAPI_BLOB(val),
+                target_name="ldap/" + self.host,
                 chan_bindings=self.chan_bindings,
             )
             resp = self.sr1(
@@ -2090,6 +2094,7 @@ def bind(
             # GSSAPI or SPNEGO
             self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                 self.sspcontext,
+                target_name="ldap/" + self.host,
                 req_flags=(
                     # Required flags for GSSAPI: RFC4752 sect 3.1
                     GSS_C_FLAGS.GSS_C_REPLAY_FLAG
@@ -2122,6 +2127,7 @@ def bind(
                 self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                     self.sspcontext,
                     GSSAPI_BLOB(val),
+                    target_name="ldap/" + self.host,
                     chan_bindings=self.chan_bindings,
                 )
         else:

scapy/layers/msrpce/msnrpc.py

@@ -475,7 +475,12 @@ def GSS_VerifyMICEx(self, Context, msgs, signature):
         self._unsecure(Context, msgs, signature, False)
 
     def GSS_Init_sec_context(
-        self, Context, token=None, req_flags: Optional[GSS_C_FLAGS] = None
+        self,
+        Context: CONTEXT,
+        token=None,
+        target_name: Optional[str] = None,
+        req_flags: Optional[GSS_C_FLAGS] = None,
+        chan_bindings: bytes = GSS_C_NO_CHANNEL_BINDINGS,
     ):
         if Context is None:
             Context = self.CONTEXT(True, req_flags=req_flags, AES=self.AES)

scapy/layers/msrpce/rpcclient.py

@@ -76,6 +76,7 @@ def __init__(self, transport, ndr64=False, ndrendian="little", verb=True, **kwar
         self.ndr64 = ndr64
         self.ndrendian = ndrendian
         self.verb = verb
+        self.host = None
         self.auth_level = kwargs.pop("auth_level", DCE_C_AUTHN_LEVEL.NONE)
         self.auth_context_id = kwargs.pop("auth_context_id", 0)
         self.ssp = kwargs.pop("ssp", None)  # type: SSP
@@ -100,7 +101,7 @@ def from_smblink(cls, smbcli, smb_kwargs={}, **kwargs):
         )
         return client
 
-    def connect(self, ip, port=None, timeout=5, smb_kwargs={}):
+    def connect(self, host, port=None, timeout=5, smb_kwargs={}):
         """
         Initiate a connection
         """
@@ -113,14 +114,15 @@ def connect(self, ip, port=None, timeout=5, smb_kwargs={}):
                 raise ValueError(
                     "Can't guess the port for transport: %s" % self.transport
                 )
+        self.host = host
         sock = socket.socket()
         sock.settimeout(timeout)
         if self.verb:
             print(
                 "\u2503 Connecting to %s on port %s via %s..."
-                % (ip, port, repr(self.transport))
+                % (host, port, repr(self.transport))
             )
-        sock.connect((ip, port))
+        sock.connect((host, port))
         if self.verb:
             print(
                 conf.color_theme.green(
@@ -313,6 +315,7 @@ def _bind(self, interface, reqcls, respcls):
                         else 0
                     )
                 ),
+                target_name="host/" + self.host,
             )
             if status not in [GSS_S_CONTINUE_NEEDED, GSS_S_COMPLETE]:
                 # Authentication failed.
@@ -349,6 +352,7 @@ def _bind(self, interface, reqcls, respcls):
                 self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                     self.sspcontext,
                     token=resp.auth_verifier.auth_value,
+                    target_name="host/" + self.host,
                 )
             if status in [GSS_S_CONTINUE_NEEDED, GSS_S_COMPLETE]:
                 # Authentication should continue, in two ways:
@@ -390,6 +394,7 @@ def _bind(self, interface, reqcls, respcls):
                         self.sspcontext, token, status = self.ssp.GSS_Init_sec_context(
                             self.sspcontext,
                             token=resp.auth_verifier.auth_value,
+                            target_name="host/" + self.host,
                         )
         # Check context acceptance
         if (

scapy/layers/ntlm.py

@@ -1388,6 +1388,7 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):

scapy/layers/smbclient.py

@@ -136,7 +136,7 @@ def __init__(self, sock, ssp=None, *args, **kwargs):
         self.REQUIRE_ENCRYPTION = kwargs.pop("REQUIRE_ENCRYPTION", False)
         self.RETRY = kwargs.pop("RETRY", 0)  # optionally: retry n times session setup
         self.SMB2 = kwargs.pop("SMB2", False)  # optionally: start directly in SMB2
-        self.SERVER_NAME = kwargs.pop("SERVER_NAME", "")
+        self.HOST = kwargs.pop("HOST", "")
         # Store supported dialects
         if "DIALECTS" in kwargs:
             self.DIALECTS = kwargs.pop("DIALECTS")
@@ -351,7 +351,7 @@ def on_negotiate_smb2(self):
                 # TODO support compression and RDMA
                 SMB2_Negotiate_Context()
                 / SMB2_Netname_Negotiate_Context_ID(
-                    NetName=self.SERVER_NAME,
+                    NetName=self.HOST,
                 ),
                 SMB2_Negotiate_Context()
                 / SMB2_Signing_Capabilities(
@@ -448,6 +448,7 @@ def NEGOTIATED(self, ssp_blob=None):
         ssp_tuple = self.session.ssp.GSS_Init_sec_context(
             self.session.sspcontext,
             token=ssp_blob,
+            target_name="cifs/" + self.HOST if self.HOST else None,
             req_flags=(
                 GSS_C_FLAGS.GSS_C_MUTUAL_FLAG
                 | (GSS_C_FLAGS.GSS_C_INTEG_FLAG if self.session.SigningRequired else 0)
@@ -608,6 +609,7 @@ def AUTHENTICATED(self, ssp_blob=None):
         self.session.sspcontext, _, status = self.session.ssp.GSS_Init_sec_context(
             self.session.sspcontext,
             token=ssp_blob,
+            target_name="cifs/" + self.HOST if self.HOST else None,
         )
         if status != GSS_S_COMPLETE:
             raise ValueError("Internal error: the SSP completed with an error.")
@@ -1175,7 +1177,7 @@ def __init__(
         self.extra_create_options = []
         # Wrap with the automaton
         self.timeout = timeout
-        kwargs.setdefault("SERVER_NAME", target)
+        kwargs.setdefault("HOST", target)
         self.sock = SMB_Client.from_tcpsock(
             sock,
             ssp=ssp,

scapy/layers/spnego.py

@@ -838,6 +838,7 @@ def _common_spnego_handler(
         Context,
         IsClient,
         token=None,
+        target_name: Optional[str] = None,
         req_flags=None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):
@@ -906,6 +907,7 @@ def _common_spnego_handler(
                 ) = Context.ssp.GSS_Init_sec_context(
                     Context.sub_context,
                     token=token,
+                    target_name=target_name,
                     req_flags=Context.req_flags,
                     chan_bindings=chan_bindings,
                 )
@@ -1066,13 +1068,15 @@ def GSS_Init_sec_context(
         self,
         Context: CONTEXT,
         token=None,
+        target_name: Optional[str] = None,
         req_flags: Optional[GSS_C_FLAGS] = None,
         chan_bindings: GssChannelBindings = GSS_C_NO_CHANNEL_BINDINGS,
     ):
         return self._common_spnego_handler(
             Context,
             True,
             token=token,
+            target_name=target_name,
             req_flags=req_flags,
             chan_bindings=chan_bindings,
         )