Merge pull request #32 from skelsec/main

skelsec · web-flow · commit 572292b3a1c8 · 2023-09-14T14:47:46.000-07:00
Main
diff --git a/minikerberos/_version.py b/minikerberos/_version.py
@@ -1,5 +1,5 @@
 
-__version__ = "0.4.1"
+__version__ = "0.4.2"
 __banner__ = \
 """
 # minikerberos %s 
diff --git a/minikerberos/aioclient.py b/minikerberos/aioclient.py
@@ -355,7 +355,7 @@ def tgs_from_ccache(self, spn_user:KerberosSPN):
 		except Exception as e:
 			return None, None, None, e
 
-	async def get_TGS(self, spn_user:KerberosSPN, override_etype = None, is_linux = False):
+	async def get_TGS(self, spn_user:KerberosSPN, override_etype = None, is_linux = False, flags = ['forwardable','renewable','renewable_ok', 'canonicalize']):
 		"""
 		Requests a TGS ticket for the specified user.
 		Retruns the TGS ticket, end the decrpyted encTGSRepPart.
@@ -380,7 +380,7 @@ async def get_TGS(self, spn_user:KerberosSPN, override_etype = None, is_linux =
 		logger.debug('Constructing TGS request for user %s' % spn_user.get_formatted_pname())
 		now = datetime.datetime.now(datetime.timezone.utc)
 		kdc_req_body = {}
-		kdc_req_body['kdc-options'] = KDCOptions(set(['forwardable','renewable','renewable_ok', 'canonicalize']))
+		kdc_req_body['kdc-options'] = KDCOptions(set(flags))
 		kdc_req_body['realm'] = spn_user.domain.upper()
 		kdc_req_body['sname'] = PrincipalName({'name-type': NAME_TYPE.SRV_INST.value, 'name-string': spn_user.get_principalname()})
 		kdc_req_body['till'] = (now + datetime.timedelta(days=1)).replace(microsecond=0)
@@ -778,4 +778,32 @@ def truncate_key(value, keysize):
 		encasrep = EncASRepPart.load(dec_data).native
 		cipher = _enctype_table[ int(encasrep['key']['keytype'])]
 		session_key = Key(cipher.enctype, encasrep['key']['keyvalue'])
-		return encasrep, session_key, cipher
+		return encasrep, session_key, cipher
+	
+	async def get_referral_ticket(self, target_domain, target_ip = None):
+		"""Cross domain TGT referral"""
+		"""If target_ip is not set, the target domain will be used as the hostname for the newly created connection"""
+		from minikerberos.common.factory import KerberosClientFactory
+		from minikerberos.common.kirbi import Kirbi
+
+		crossrealm_spn = KerberosSPN()
+		crossrealm_spn.username = target_domain
+		crossrealm_spn.service = 'krbtgt'
+		crossrealm_spn.domain = self.credential.domain.upper()
+
+		await self.get_TGT()
+		logger.debug('Getting TGS for otherdomain krbtgt')
+		tgs, encpart, key = await self.get_TGS(crossrealm_spn)
+		logger.debug('Got referral ticket!')
+
+
+		kirbi = Kirbi.from_ticketdata(tgs, encpart)
+
+		target_addr = target_domain
+		if target_ip is not None:
+			target_addr = target_ip
+		newt = self.target.get_newtarget(target_addr)
+		newc = KerberosCredential.from_kirbi(kirbi, encoding='kirbi')
+		new_factory = KerberosClientFactory(newt, newc, newt.proxies)
+
+		return tgs, encpart, key, new_factory
diff --git a/minikerberos/common/creds.py b/minikerberos/common/creds.py
@@ -5,6 +5,7 @@
 import platform
 import copy
 from typing import List
+import os
 
 
 from unicrypto import hashlib
@@ -210,6 +211,11 @@ def from_keytab(keytab_file_path: str, principal: str, realm: str, encoding = 'f
 	@staticmethod
 	def from_ccache(data, principal: str = None, realm: str = None, encoding = 'file') -> KerberosCredential:
 		"""Returns a kerberos credential object with CCACHE database"""
+		if data is None:
+			ccache_path = os.environ.get('KRB5CCNAME')
+			if ccache_path is None:
+				raise Exception('No CCACHE data or path provided!')
+			data = ccache_path
 		data = get_encoded_data(data, encoding=encoding)
 		k = KerberosCredential()
 		k.username = principal
diff --git a/minikerberos/common/spn.py b/minikerberos/common/spn.py
@@ -38,7 +38,7 @@ def from_spn(s, override_realm:str = None):
 			kt.service, kt.username = t.split('/')
 		else:
 			if s.find('@') != -1:
-				kt.username, kt.domain = s.split('@')
+				kt.username, kt.domain = s.rsplit('@', 1)
 			else:
 				kt.username = s
 				if override_realm is None or override_realm == '':
diff --git a/minikerberos/common/target.py b/minikerberos/common/target.py
@@ -1,10 +1,20 @@
 
 from asysocks.unicomm.common.target import UniTarget, UniProto
+import copy
 
 class KerberosTarget(UniTarget):
 	def __init__(self, ip:str = None, proxies = None, protocol = UniProto.CLIENT_TCP, timeout = 10, port = 88):
 		UniTarget.__init__(self, ip, port , protocol, timeout=timeout, proxies = proxies, dc_ip = ip)
 
+	def get_newtarget(self, ip, port=88, hostname = None):
+		return KerberosTarget(
+			ip, 
+			port = port, 
+			protocol = self.protocol, 
+			timeout = self.timeout, 
+			proxies=copy.deepcopy(self.proxies)
+		)
+
 	def __str__(self):
 		t = '===KerberosTarget===\r\n'
 		for k in self.__dict__:
diff --git a/minikerberos/examples/crosstest.py b/minikerberos/examples/crosstest.py
@@ -0,0 +1,51 @@
+import os
+import logging
+import asyncio
+import copy
+from minikerberos.common.factory import KerberosClientFactory, kerberos_url_help_epilog
+from minikerberos.common.target import KerberosTarget
+from asysocks.unicomm.common.target import UniProto
+from minikerberos.common.spn import KerberosSPN
+from minikerberos.aioclient import AIOKerberosClient
+from minikerberos.common.kirbi import Kirbi
+from minikerberos.common.creds import KerberosCredential
+from minikerberos import logger
+
+async def getTGS(kerberos_url, kirbifile = None):
+	if isinstance(spn, str):
+		spn = KerberosSPN.from_spn(spn)
+
+	cu = KerberosClientFactory.from_url(kerberos_url)
+	client = cu.get_client()
+	logging.debug('Getting TGT')
+	await client.get_TGT()
+	logging.debug('Getting TGS for otherdomain krbtgt')
+	ref_tgs, ref_encpart, ref_key, new_factory = await client.get_referral_ticket(spn.domain)
+	kirbi = Kirbi.from_ticketdata(ref_tgs, ref_encpart)
+	print(str(kirbi))
+	if kirbifile is not None:
+		kirbi.to_file(kirbifile)
+	
+	logging.info('Done!')
+
+def main():
+	import argparse
+	
+	parser = argparse.ArgumentParser(description='Polls the kerberos service for a TGS for the sepcified user and specified service', formatter_class=argparse.RawDescriptionHelpFormatter, epilog = kerberos_url_help_epilog)
+	parser.add_argument('-v', '--verbose', action='count', default=0)
+	parser.add_argument('--kirbi', help='kirbi file to store the TGT ticket in, otherwise kirbi will be printed to stdout')
+	parser.add_argument('kerberos_url', help='the kerberos target string. ')
+
+	logger.setLevel(logging.DEBUG)
+	args = parser.parse_args()
+	if args.verbose == 0:
+		logging.basicConfig(level=logging.INFO)
+	elif args.verbose == 1:
+		logging.basicConfig(level=logging.DEBUG)
+	else:
+		logging.basicConfig(level=1)
+	
+	asyncio.run(getTGS(args.kerberos_url, args.kirbi))
+	
+if __name__ == '__main__':
+	main()
diff --git a/minikerberos/examples/getTGS.py b/minikerberos/examples/getTGS.py
@@ -6,14 +6,18 @@
 from minikerberos.aioclient import AIOKerberosClient
 from minikerberos.common.kirbi import Kirbi
 
-async def getTGS(kerberos_url, spn, kirbifile = None, ccachefile = None):
+async def getTGS(kerberos_url, spn, kirbifile = None, ccachefile = None, cross_domain = False):
 	if isinstance(spn, str):
 		spn = KerberosSPN.from_spn(spn)
 
 	cu = KerberosClientFactory.from_url(kerberos_url)
 	client = cu.get_client()
 	logging.debug('Getting TGT')
 	await client.get_TGT()
+	if cross_domain is True:
+		logging.debug('Getting TGS for otherdomain krbtgt')
+		_, _, _, new_factory = await client.get_referral_ticket(spn.domain)
+		client = new_factory.get_client()
 	logging.debug('Getting TGS')
 	tgs, encpart, key = await client.get_TGS(spn)
 	if ccachefile is not None:
@@ -27,44 +31,14 @@ async def getTGS(kerberos_url, spn, kirbifile = None, ccachefile = None):
 		
 	logging.info('Done!')
 
-async def amain(args):
-
-	if args.spn.find('@') == -1:
-		raise Exception('SPN must contain @')
-	t, domain = args.spn.split('@')
-	if t.find('/') != -1:
-		service, hostname = t.split('/')
-	else:
-		hostname = t
-		service = None
-
-	spn = KerberosSPN()
-	spn.username = hostname
-	spn.service = service
-	spn.domain = domain
-
-	cu = KerberosClientFactory.from_url(args.kerberos_connection_url)
-	ccred = cu.get_creds()
-	target = cu.get_target()
-	
-	logging.debug('Getting TGT')
-
-	client = AIOKerberosClient(ccred, target)
-	logging.debug('Getting TGT')
-	await client.get_TGT()
-	logging.debug('Getting TGS')
-	await client.get_TGS(spn)
-				
-	client.ccache.to_file(args.ccache)
-	logging.info('Done!')
-
 def main():
 	import argparse
 	
 	parser = argparse.ArgumentParser(description='Polls the kerberos service for a TGS for the sepcified user and specified service', formatter_class=argparse.RawDescriptionHelpFormatter, epilog = kerberos_url_help_epilog)
 	parser.add_argument('-v', '--verbose', action='count', default=0)
 	parser.add_argument('--ccache', help='CCACHE file to store the TGT ticket in, otherwise kirbi will be printed to stdout')
 	parser.add_argument('--kirbi', help='kirbi file to store the TGT ticket in, otherwise kirbi will be printed to stdout')
+	parser.add_argument('--cross-domain', action='store_true', help='SPN is in another domain.')
 	parser.add_argument('kerberos_url', help='the kerberos target string. ')
 	parser.add_argument('spn', help='the SPN to request the TGS for. Must be in the format of service/host@domain')
 	
@@ -77,7 +51,7 @@ def main():
 	else:
 		logging.basicConfig(level=1)
 	
-	asyncio.run(amain(args))
+	asyncio.run(getTGS(args.kerberos_url, args.spn, args.kirbi, args.ccache, args.cross_domain))
 	
 if __name__ == '__main__':
 	main()
diff --git a/minikerberos/protocol/encryption.py b/minikerberos/protocol/encryption.py
@@ -696,6 +696,11 @@ def __init__(self, enctype:Enctype, contents:bytes):
 		self.enctype = enctype
 		self.contents = contents
 
+	def __str__(self):
+		temp = '<EMPTY>'
+		if self.contents is not None:
+			temp = self.contents.hex()
+		return 'Key(%d, %s)' % (self.enctype, temp)
 
 def random_to_key(enctype, seed):
 	e = _get_enctype_profile(enctype)
@@ -717,7 +722,7 @@ def encrypt(key, keyusage, plaintext, confounder=None):
 
 
 def decrypt(key, keyusage, ciphertext):
-	# Throw InvalidChecksum on checksum failure.  Throw ValueError on
+	# Throw InvalidChecksum on checksum failure. Throw ValueError on
 	# invalid key enctype or malformed ciphertext.
 	e = _get_enctype_profile(key.enctype)
 	return e.decrypt(key, keyusage, ciphertext)
diff --git a/setup.py b/setup.py
@@ -44,10 +44,10 @@
 		"Operating System :: OS Independent",
 	],
 	install_requires=[
-		'asn1crypto>=1.3.0',
-		'oscrypto>=1.2.1',
-		'asysocks==0.2.7',
-		'unicrypto==0.0.10',
+		'asn1crypto>=1.5.1',
+		'oscrypto>=1.3.0',
+		'asysocks>=0.2.8',
+		'unicrypto>=0.0.10',
 		'tqdm',
         'six',
 	],
