Kerberos improvements, bug fixes in LDAP (#4709)

Author: gpotter2

scapy/config.py

@@ -619,11 +619,15 @@ def load(self):
                 for k, v in distr.metadata.items() if k == 'Classifier'
             ):
                 try:
-                    pkg = next(
-                        k
-                        for k, v in importlib.metadata.packages_distributions().items()
-                        if distr.name in v
-                    )
+                    # Python 3.13 raises an internal warning when calling this
+                    with warnings.catch_warnings():
+                        warnings.filterwarnings("ignore", category=DeprecationWarning)
+                        pkg = next(
+                            k
+                            for k, v in
+                            importlib.metadata.packages_distributions().items()
+                            if distr.name in v
+                        )
                 except KeyError:
                     pkg = distr.name
                 if pkg in self._loaded:

scapy/layers/dcerpc.py

@@ -1805,12 +1805,14 @@ def m2i(self, pkt, m):
         return self.cls(m, ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, _parent=pkt)
 
 
-# class _NDRPacketPadField(PadField):
-#     def padlen(self, flen, pkt):
-#         if pkt.ndr64:
-#             return -flen % self._align[1]
-#         else:
-#             return 0
+class _NDRPacketPadField(PadField):
+    # [MS-RPCE] 2.2.5.3.4.1 Structure with Trailing Gap
+    # Structures have extra alignment/padding in NDR64.
+    def padlen(self, flen, pkt):
+        if pkt.ndr64:
+            return -flen % self._align[1]
+        else:
+            return 0
 
 
 class NDRPacketField(NDRConstructedType, NDRAlign):
@@ -1819,9 +1821,7 @@ def __init__(self, name, default, pkt_cls, **kwargs):
         self.fld = _NDRPacketField(name, default, pkt_cls=pkt_cls, **kwargs)
         NDRAlign.__init__(
             self,
-            # There is supposed to be padding after a struct in NDR64?
-            # _NDRPacketPadField(fld, align=pkt_cls.ALIGNMENT),
-            self.fld,
+            _NDRPacketPadField(self.fld, align=pkt_cls.ALIGNMENT),
             align=pkt_cls.ALIGNMENT,
         )
         NDRConstructedType.__init__(self, pkt_cls.fields_desc)

scapy/layers/kerberos.py

@@ -695,10 +695,14 @@ def m2i(self, pkt, s):
         if pkt.padataType.val in _PADATA_CLASSES:
             cls = _PADATA_CLASSES[pkt.padataType.val]
             if isinstance(cls, tuple):
-                is_reply = (
-                    pkt.underlayer.underlayer is not None
-                    and isinstance(pkt.underlayer.underlayer, KRB_ERROR)
-                ) or isinstance(pkt.underlayer, (KRB_AS_REP, KRB_TGS_REP))
+                parent = pkt.underlayer or pkt.parent
+                is_reply = False
+                if parent is not None:
+                    if isinstance(parent, (KRB_AS_REP, KRB_TGS_REP)):
+                        is_reply = True
+                    else:
+                        parent = parent.underlayer or parent.parent
+                        is_reply = isinstance(parent, KRB_ERROR)
                 cls = cls[is_reply]
             if not val[0].val:
                 return val
@@ -1803,15 +1807,23 @@ def m2i(self, pkt, s):
             # 25: KDC_ERR_PREAUTH_REQUIRED
             # 36: KRB_AP_ERR_BADMATCH
             return MethodData(val[0].val, _underlayer=pkt), val[1]
-        elif pkt.errorCode.val in [6, 7, 13, 18, 29, 41, 60]:
+        elif pkt.errorCode.val in [6, 7, 12, 13, 18, 29, 41, 60]:
             # 6: KDC_ERR_C_PRINCIPAL_UNKNOWN
             # 7: KDC_ERR_S_PRINCIPAL_UNKNOWN
+            # 12: KDC_ERR_POLICY
             # 13: KDC_ERR_BADOPTION
             # 18: KDC_ERR_CLIENT_REVOKED
             # 29: KDC_ERR_SVC_UNAVAILABLE
             # 41: KRB_AP_ERR_MODIFIED
             # 60: KRB_ERR_GENERIC
-            return KERB_ERROR_DATA(val[0].val, _underlayer=pkt), val[1]
+            try:
+                return KERB_ERROR_DATA(val[0].val, _underlayer=pkt), val[1]
+            except BER_Decoding_Error:
+                if pkt.errorCode.val in [18]:
+                    # Some types can also happen in FAST sessions
+                    # 18: KDC_ERR_CLIENT_REVOKED
+                    return MethodData(val[0].val, _underlayer=pkt), val[1]
+                raise
         elif pkt.errorCode.val == 69:
             # KRB_AP_ERR_USER_TO_USER_REQUIRED
             return KRB_TGT_REP(val[0].val, _underlayer=pkt), val[1]
@@ -2669,6 +2681,7 @@ def __init__(
         armor_ticket=None,
         armor_ticket_upn=None,
         armor_ticket_skey=None,
+        key_list_req=[],
         etypes=None,
         port=88,
         timeout=5,
@@ -2769,6 +2782,7 @@ def __init__(
         self.armor_ticket = armor_ticket
         self.armor_ticket_upn = armor_ticket_upn
         self.armor_ticket_skey = armor_ticket_skey
+        self.key_list_req = key_list_req
         self.renew = renew
         self.additional_tickets = additional_tickets  # U2U + S4U2Proxy
         self.u2u = u2u  # U2U
@@ -3130,6 +3144,17 @@ def tgs_req(self):
             # "kdc-options field: MUST include the new cname-in-addl-tkt options flag"
             kdc_req.kdcOptions.set(14, 1)
 
+        # [MS-KILE] 2.2.11 KERB-KEY-LIST-REQ
+        if self.key_list_req:
+            padata.append(
+                PADATA(
+                    padataType=ASN1_INTEGER(161),  # KERB-KEY-LIST-REQ
+                    padataValue=KERB_KEY_LIST_REQ(keytypes=[
+                        ASN1_INTEGER(x) for x in self.key_list_req
+                    ])
+                )
+            )
+
         # 3. Build the AP-req inside a PA
         apreq = KRB_AP_REQ(ticket=self.ticket, authenticator=EncryptedData())
         pa_tgs_req = PADATA(

scapy/layers/ldap.py

@@ -1811,6 +1811,7 @@ def connect(self, ip, port=None, use_ssl=False, sslcontext=None, timeout=5):
             else:
                 port = 389
         sock = socket.socket()
+        self.timeout = timeout
         sock.settimeout(timeout)
         if self.verb:
             print(
@@ -2151,7 +2152,7 @@ def search(
         filter: str = "",
         scope=0,
         derefAliases=0,
-        sizeLimit=3000,
+        sizeLimit=300000,
         timeLimit=3000,
         attrsOnly=0,
         attributes: List[str] = [],
@@ -2202,7 +2203,7 @@ def search(
                                 controlType="1.2.840.113556.1.4.319",
                                 criticality=True,
                                 controlValue=LDAP_realSearchControlValue(
-                                    size=500,  # paging to 500 per 500
+                                    size=200,  # paging to 200 per 200
                                     cookie=cookie,
                                 ),
                             )
@@ -2211,7 +2212,7 @@ def search(
                         else []
                     )
                 ),
-                timeout=3,
+                timeout=self.timeout,
             )
             if LDAP_SearchResponseResultDone not in resp:
                 resp.show()
@@ -2294,7 +2295,7 @@ def modify(
                 changes=changes,
             ),
             controls=controls,
-            timeout=3,
+            timeout=self.timeout,
         )
         if (
             LDAP_ModifyResponse not in resp.protocolOp
@@ -2341,7 +2342,7 @@ def add(
                 attributes=attributes,
             ),
             controls=controls,
-            timeout=3,
+            timeout=self.timeout,
         )
         if LDAP_AddResponse not in resp.protocolOp or resp.protocolOp.resultCode != 0:
             raise LDAP_Exception(
@@ -2382,7 +2383,7 @@ def modifydn(
                 deleteoldrdn=deleteoldrdn,
             ),
             controls=controls,
-            timeout=3,
+            timeout=self.timeout,
         )
         if (
             LDAP_ModifyDNResponse not in resp.protocolOp

scapy/layers/msrpce/msdrsr.py

@@ -8,12 +8,60 @@
 """
 
 import uuid
+from dataclasses import dataclass
+
 from scapy.packet import Packet
 from scapy.fields import LEIntField, FlagsField, UUIDField, UTCTimeField
+from scapy.volatile import RandShort
 
+from scapy.asn1.asn1 import ASN1_OID
 from scapy.layers.msrpce.raw.ms_drsr import UUID
 from scapy.layers.msrpce.raw.ms_drsr import *  # noqa: F403,F401
 
+# [MS-DRSR] sect 5.16.4 ATTRTYP-to-OID Conversion
+
+
+@dataclass
+class Prefix:
+    prefixString: str
+    prefixIndex: int
+
+
+def MakeAttid(t, o):
+    """
+    MakeAttid per [MS-DRSR] sect 5.16.4
+    """
+    ToBinary = lambda x: bytes(ASN1_OID(x))
+
+    lastValue = int(o.split(".")[-1])
+
+    # "convert the dotted form of OID into a BER encoded binary"
+    binaryOID = ToBinary(o)
+
+    # "get the prefix of the OID"
+    if lastValue < 128:
+        oidPrefix = binaryOID[:-1]
+    else:
+        oidPrefix = binaryOID[:-2]
+
+    lowerWord = lastValue % 16384
+    if lastValue >= 16384:
+        lowerWord += 32768
+    try:
+        upperWord = next(x.prefixIndex for x in t if x.prefixString == oidPrefix)
+    except StopIteration:
+        # AddPrefixTableEntry
+        upperWord = int(RandShort())
+        t.append(
+            Prefix(
+                prefixString=oidPrefix,
+                prefixIndex=upperWord,
+            )
+        )
+
+    return upperWord * 65536 + lowerWord
+
+
 # [MS-DRSR] sect 5.39 DRS_EXTENSIONS_INT
 
 

scapy/layers/msrpce/rpcclient.py

@@ -490,6 +490,7 @@ def connect_and_bind(
         ip,
         interface,
         port=None,
+        timeout=5,
         smb_kwargs={},
     ):
         """
@@ -527,7 +528,7 @@ def connect_and_bind(
             else:
                 return
             # 2. connect to the SMB server
-            self.connect(ip, port=port, smb_kwargs=smb_kwargs)
+            self.connect(ip, port=port, timeout=timeout, smb_kwargs=smb_kwargs)
             # 3. open the new named pipe
             self.open_smbpipe(pipename)
         # Bind in RPC

scapy/layers/smbclient.py

@@ -1229,7 +1229,7 @@ def __init__(
         )
         try:
             # Wrap with SMB_SOCKET
-            self.smbsock = SMB_SOCKET(self.sock)
+            self.smbsock = SMB_SOCKET(self.sock, timeout=self.timeout)
             # Wait for either the atmt to fail, or the smb_sock_ready to timeout
             _t = time.time()
             while True:

scapy/modules/ticketer.py

@@ -358,16 +358,25 @@ def open_file(self, fname):
         with open(self.fname, "rb") as fd:
             self.ccache = CCache(fd.read())
 
-    def save(self, fname=None):
+    def save(self, fname=None, i=None):
         """
         Save opened CCache file
+
+        :param fname: if provided, save to a specific file.
+        :param i: if provided, only save the ticket n°i.
         """
         if fname:
             self.fname = fname
         if not self.fname:
             raise ValueError("No file opened. Specify the 'fname' argument !")
+        if i is not None:
+            ccache = self.ccache.copy()
+            ccache.credentials = [ccache.credentials[i]]
+            data = bytes(ccache)
+        else:
+            data = bytes(self.ccache)
         with open(self.fname, "wb") as fd:
-            return fd.write(bytes(self.ccache))
+            return fd.write(data)
 
     def show(self, utc=False):
         """
@@ -502,6 +511,14 @@ def update_ticket(self, i, decTkt, resign=False, hash=None, kdc_hash=None):
             decTkt,
         )
 
+    def remove_krb(self, i):
+        """
+        Remove a ticket from the store.
+
+        :param i: the ticket to remove.
+        """
+        del self.ccache.credentials[i]
+
     def import_krb(self, res, key=None, hash=None, _inplace=None):
         """
         Import the result of krb_[tgs/as]_req or a Ticket into the CCache.
@@ -2151,12 +2168,20 @@ def request_st(
         additional_tickets=[],
         fast=False,
         armor_with=None,
+        for_user=None,
+        s4u2proxy=None,
         **kwargs,
     ):
         """
-        Request a Kerberos TS and add it to the local CCache using another ticket
+        Request a Kerberos TS and add it to the local CCache using another ticket.
 
-        :param i: the ticket/sessionkey to use in the TGS request
+        :param i: the index of the ticket/sessionkey to use in the TGS request.
+        :param spn: the SPN to request a ticket for.
+        :param armor_with: the index of the ticket/sessionkey to armor this request.
+        :param s4u2proxy: if an index, the index of the additional ticket to send along
+                          a S4U2PROXY request. If True, it will use additional_tickets
+                          as usual.
+        :param for_user: if provided, requests S4U2SELF for that user.
 
         See :func:`~scapy.layers.kerberos.krb_tgs_req` for the the other parameters.
         """
@@ -2170,6 +2195,11 @@ def request_st(
                 armor_with
             )
 
+        # If `s4u2proxy` is an index, get the ticket to armor with
+        if isinstance(s4u2proxy, int):
+            additional_tickets.append(self.export_krb(s4u2proxy)[0])
+            s4u2proxy = True
+
         res = krb_tgs_req(
             upn,
             spn,
@@ -2180,6 +2210,7 @@ def request_st(
             realm=realm,
             additional_tickets=additional_tickets,
             fast=fast,
+            for_user=for_user,
             armor_ticket=armor_ticket,
             armor_ticket_upn=armor_ticket_upn,
             armor_ticket_skey=armor_ticket_skey,
@@ -2190,7 +2221,7 @@ def request_st(
 
         self.import_krb(res)
 
-    def kpasswdset(self, i, targetupn=None):
+    def kpasswdset(self, i, targetupn=None, newpassword=None):
         """
         Use kpasswd in 'Set Password' mode to set the password of an account.
 
@@ -2203,6 +2234,7 @@ def kpasswdset(self, i, targetupn=None):
             setpassword=True,
             ticket=ticket,
             key=sessionkey,
+            newpassword=newpassword,
         )
 
     def renew(self, i, ip=None, additional_tickets=[], **kwargs):