rex 2.0.5 → 2.0.7

data/lib/rex/proto/kerberos/crypto.rb

@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos/crypto/rc4_hmac'
+require 'rex/proto/kerberos/crypto/rsa_md5'
+
+module Rex
+  module Proto
+    module Kerberos
+      module Crypto
+
+        include Rex::Proto::Kerberos::Crypto::Rc4Hmac
+        include Rex::Proto::Kerberos::Crypto::RsaMd5
+
+        RSA_MD5 = 7
+        RC4_HMAC = 23
+        ENC_KDC_REQUEST_BODY = 10
+        ENC_AS_RESPONSE = 8
+        ENC_TGS_RESPONSE = 9
+      end
+    end
+  end
+end

data/lib/rex/proto/kerberos/crypto/rc4_hmac.rb

@@ -0,0 +1,65 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Crypto
+        module Rc4Hmac
+          # Decrypts the cipher using RC4-HMAC schema
+          #
+          # @param cipher [String] the data to decrypt
+          # @param key [String] the key to decrypt
+          # @param msg_type [Fixnum] the message type
+          # @return [String] the decrypted cipher
+          # @raise [RuntimeError] if decryption doesn't succeed
+          def decrypt_rc4_hmac(cipher, key, msg_type)
+            unless cipher && cipher.length > 16
+              raise ::RuntimeError, 'RC4-HMAC decryption failed'
+            end
+
+            checksum = cipher[0, 16]
+            data = cipher[16, cipher.length - 1]
+
+            k1 = OpenSSL::HMAC.digest('MD5', key, [msg_type].pack('V'))
+            k3 = OpenSSL::HMAC.digest('MD5', k1, checksum)
+
+            cipher = OpenSSL::Cipher::Cipher.new('rc4')
+            cipher.decrypt
+            cipher.key = k3
+            decrypted = cipher.update(data) + cipher.final
+
+            if OpenSSL::HMAC.digest('MD5', k1, decrypted) != checksum
+              raise ::RuntimeError, 'RC4-HMAC decryption failed, incorrect checksum verification'
+            end
+
+            decrypted
+          end
+
+          # Encrypts the cipher using RC4-HMAC schema
+          #
+          # @param data [String] the data to encrypt
+          # @param key [String] the key to encrypt
+          # @param msg_type [Fixnum] the message type
+          # @return [String] the encrypted data
+          def encrypt_rc4_hmac(data, key, msg_type)
+            k1 = OpenSSL::HMAC.digest('MD5', key, [msg_type].pack('V'))
+
+            data_encrypt = Rex::Text::rand_text(8) + data
+
+            checksum = OpenSSL::HMAC.digest('MD5', k1, data_encrypt)
+
+            k3 = OpenSSL::HMAC.digest('MD5', k1, checksum)
+
+            cipher = OpenSSL::Cipher::Cipher.new('rc4')
+            cipher.encrypt
+            cipher.key = k3
+            encrypted = cipher.update(data_encrypt) + cipher.final
+
+            res = checksum + encrypted
+            res
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rex/proto/kerberos/crypto/rsa_md5.rb

@@ -0,0 +1,15 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Crypto
+        module RsaMd5
+          def checksum_rsa_md5(data)
+            Rex::Text.md5_raw(data)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rex/proto/kerberos/model.rb

@@ -0,0 +1,133 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Model
+        VERSION = 5
+
+        # Application Message Id's
+
+        AS_REQ = 10
+        AS_REP = 11
+        TGS_REQ = 12
+        TGS_REP = 13
+        KRB_ERROR = 30
+        TICKET = 1
+        AUTHENTICATOR = 2
+        AP_REQ = 14
+
+        # Kerberos error codes
+        ERROR_CODES = {
+          0 => ['KDC_ERR_NONE', 'No error'],
+          1 => ['KDC_ERR_NAME_EXP', 'Client\'s entry in database has expired'],
+          2 => ['KDC_ERR_SERVICE_EXP', 'Server\'s entry in database has expired'],
+          3 => ['KDC_ERR_BAD_PVNO', 'Requested protocol version number not supported'],
+          4 => ['KDC_ERR_C_OLD_MAST_KVNO', 'Client\'s key encrypted in old master key'],
+          5 => ['KDC_ERR_S_OLD_MAST_KVNO', 'Server\'s key encrypted in old master key'],
+          6 => ['KDC_ERR_C_PRINCIPAL_UNKNOWN', 'Client not found in Kerberos database'],
+          7 => ['KDC_ERR_S_PRINCIPAL_UNKNOWN', 'Server not found in Kerberos database'],
+          8 => ['KDC_ERR_PRINCIPAL_NOT_UNIQUE', 'Multiple principal entries in database'],
+          9 => ['KDC_ERR_NULL_KEY', 'The client or server has a null key'],
+          10 => ['KDC_ERR_CANNOT_POSTDATE', 'Ticket not eligible for postdating'],
+          11 => ['KDC_ERR_NEVER_VALID', 'Requested start time is later than end time'],
+          12 => ['KDC_ERR_POLICY', 'KDC policy rejects request'],
+          13 => ['KDC_ERR_BADOPTION', 'KDC cannot accommodate requested option'],
+          14 => ['KDC_ERR_ETYPE_NOSUPP', 'KDC has no support for encryption type'],
+          15 => ['KDC_ERR_SUMTYPE_NOSUPP', 'KDC has no support for checksum type'],
+          16 => ['KDC_ERR_PADATA_TYPE_NOSUPP', 'KDC has no support for padata type'],
+          17 => ['KDC_ERR_TRTYPE_NOSUPP', 'KDC has no support for transited type'],
+          18 => ['KDC_ERR_CLIENT_REVOKED', 'Clients credentials have been revoked'],
+          19 => ['KDC_ERR_SERVICE_REVOKED', 'Credentials for server have been revoked'],
+          20 => ['KDC_ERR_TGT_REVOKED', 'TGT has been revoked'],
+          21 => ['KDC_ERR_CLIENT_NOTYET', 'Client not yet valid - try again later'],
+          22 => ['KDC_ERR_SERVICE_NOTYET', 'Server not yet valid - try again later'],
+          23 => ['KDC_ERR_KEY_EXPIRED', 'Password has expired - change password to reset'],
+          24 => ['KDC_ERR_PREAUTH_FAILED', 'Pre-authentication information was invalid'],
+          25 => ['KDC_ERR_PREAUTH_REQUIRED', 'Additional pre-authentication required'],
+          31 => ['KRB_AP_ERR_BAD_INTEGRITY', 'Integrity check on decrypted field failed'],
+          32 => ['KRB_AP_ERR_TKT_EXPIRED', 'Ticket expired'],
+          33 => ['KRB_AP_ERR_TKT_NYV', 'Ticket not yet valid'],
+          34 => ['KRB_AP_ERR_REPEAT', 'Request is a replay'],
+          35 => ['KRB_AP_ERR_NOT_US', 'The ticket isn\'t for us'],
+          36 => ['KRB_AP_ERR_BADMATCH', 'Ticket and authenticator don\'t match'],
+          37 => ['KRB_AP_ERR_SKEW', 'Clock skew too great'],
+          38 => ['KRB_AP_ERR_BADADDR', 'Incorrect net address'],
+          39 => ['KRB_AP_ERR_BADVERSION', 'Protocol version mismatch'],
+          40 => ['KRB_AP_ERR_MSG_TYPE', 'Invalid msg type'],
+          41 => ['KRB_AP_ERR_MODIFIED', 'Message stream modified'],
+          42 => ['KRB_AP_ERR_BADORDER', 'Message out of order'],
+          44 => ['KRB_AP_ERR_BADKEYVER', 'Specified version of key is not available'],
+          45 => ['KRB_AP_ERR_NOKEY', 'Service key not available'],
+          46 => ['KRB_AP_ERR_MUT_FAIL', 'Mutual authentication failed'],
+          47 => ['KRB_AP_ERR_BADDIRECTION', 'Incorrect message direction'],
+          48 => ['KRB_AP_ERR_METHOD', 'Alternative authentication method required'],
+          49 => ['KRB_AP_ERR_BADSEQ', 'Incorrect sequence number in message'],
+          50 => ['KRB_AP_ERR_INAPP_CKSUM', 'Inappropriate type of checksum in message'],
+          60 => ['KRB_ERR_GENERIC', 'Generic error'],
+          61 => ['KRB_ERR_FIELD_TOOLONG', 'Field is too long for this implementation']
+        }
+
+        KDC_OPTION_RESERVED        = 0
+        KDC_OPTION_FORWARDABLE     = 1
+        KDC_OPTION_FORWARDED       = 2
+        KDC_OPTION_PROXIABLE       = 3
+        KDC_OPTION_PROXY           = 4
+        KDC_OPTION_ALLOW_POST_DATE = 5
+        KDC_OPTION_POST_DATED      = 6
+        KDC_OPTION_UNUSED_7        = 7
+        KDC_OPTION_RENEWABLE       = 8
+        KDC_OPTION_UNUSED_9        = 9
+        KDC_OPTION_UNUSED_10       = 10
+        KDC_OPTION_UNUSED_11       = 11
+        KDC_OPTION_RENEWABLE_OK    = 27
+        KDC_OPTION_ENC_TKT_IN_SKEY = 28
+        KDC_OPTION_RENEW           = 30
+        KDC_OPTION_VALIDATE        = 31
+
+        # From Principal
+
+        # Name type not known
+        NT_UNKNOWN = 0
+        # The name of the principal
+        NT_PRINCIPAL = 1
+        # Service and other unique instances
+        NT_SRV_INST = 2
+        # Service with host name and instance
+        NT_SRV_HST = 3
+        # Service with host as remaining component
+        NT_SRV_XHST = 4
+        # Unique ID
+        NT_UID = 5
+
+        # From padata
+
+        PA_TGS_REQ = 1
+        PA_ENC_TIMESTAMP = 2
+        PA_PW_SALT = 3
+        PA_PAC_REQUEST = 128
+
+        AD_IF_RELEVANT = 1
+      end
+    end
+  end
+end
+
+require 'rex/proto/kerberos/model/element'
+require 'rex/proto/kerberos/model/principal_name'
+require 'rex/proto/kerberos/model/encrypted_data'
+require 'rex/proto/kerberos/model/checksum'
+require 'rex/proto/kerberos/model/pre_auth_pac_request'
+require 'rex/proto/kerberos/model/pre_auth_enc_time_stamp'
+require 'rex/proto/kerberos/model/pre_auth_data'
+require 'rex/proto/kerberos/model/ap_req'
+require 'rex/proto/kerberos/model/krb_error'
+require 'rex/proto/kerberos/model/authorization_data'
+require 'rex/proto/kerberos/model/encryption_key'
+require 'rex/proto/kerberos/model/authenticator'
+require 'rex/proto/kerberos/model/ticket'
+require 'rex/proto/kerberos/model/last_request'
+require 'rex/proto/kerberos/model/kdc_request_body'
+require 'rex/proto/kerberos/model/kdc_request'
+require 'rex/proto/kerberos/model/enc_kdc_response'
+require 'rex/proto/kerberos/model/kdc_response'

data/lib/rex/proto/kerberos/model/ap_req.rb

@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Model
+        # This class provides a representation of a KRB_AP_REQ definition, containing the Kerberos protocol version number,
+        # the message type KRB_AP_REQ, an options field to indicate any options in use, and the ticket and authenticator
+        # themselves
+        class ApReq < Element
+          # @!attribute pvno
+          #   @return [Fixnum] The protocol version number
+          attr_accessor :pvno
+          # @!attribute msg_type
+          #   @return [Fixnum] The type of the protocol message
+          attr_accessor :msg_type
+          # @!attribute options
+          #   @return [Fixnum] request options, affects processing
+          attr_accessor :options
+          # @!attribute ticket
+          #   @return [Rex::Proto::Kerberos::Model::Ticket] The ticket authenticating the client to the server
+          attr_accessor :ticket
+          # @!attribute authenticator
+          #   @return [Rex::Proto::Kerberos::Model::EncryptedData] This contains the authenticator, which includes the
+          #   client's choice of a subkey
+          attr_accessor :authenticator
+
+          # Rex::Proto::Kerberos::Model::ApReq decoding isn't supported
+          #
+          # @raise [NotImplementedError]
+          def decode(input)
+            raise ::NotImplementedError, 'AP-REQ decoding not supported'
+          end
+
+          # Encodes the Rex::Proto::Kerberos::Model::ApReq into an ASN.1 String
+          #
+          # @return [String]
+          def encode
+            elems = []
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_pvno], 0, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_msg_type], 1, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_options], 2, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_ticket], 3, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_authenticator], 4, :CONTEXT_SPECIFIC)
+            seq = OpenSSL::ASN1::Sequence.new(elems)
+
+            seq_asn1 = OpenSSL::ASN1::ASN1Data.new([seq], AP_REQ, :APPLICATION)
+
+            seq_asn1.to_der
+          end
+
+          private
+
+          # Encodes the pvno field
+          #
+          # @return [OpenSSL::ASN1::Integer]
+          def encode_pvno
+            bn = OpenSSL::BN.new(pvno.to_s)
+            int = OpenSSL::ASN1::Integer.new(bn)
+
+            int
+          end
+
+          # Encodes the msg_type field
+          #
+          # @return [OpenSSL::ASN1::Integer]
+          def encode_msg_type
+            bn = OpenSSL::BN.new(msg_type.to_s)
+            int = OpenSSL::ASN1::Integer.new(bn)
+
+            int
+          end
+
+          # Encodes the options field
+          #
+          # @return [OpenSSL::ASN1::BitString]
+          def encode_options
+            OpenSSL::ASN1::BitString.new([options].pack('N'))
+          end
+
+          # Encodes the ticket field
+          #
+          # @return [String]
+          def encode_ticket
+            ticket.encode
+          end
+
+          # Encodes the authenticator field
+          #
+          # @return [String]
+          def encode_authenticator
+            authenticator.encode
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rex/proto/kerberos/model/authenticator.rb

@@ -0,0 +1,143 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Model
+        # This class provides a representation of an Authenticator, sent with a
+        # ticket to the server to certify the client's knowledge of the encryption
+        # key in the ticket.
+        class Authenticator < Element
+          # @!attribute vno
+          #   @return [Fixnum] The authenticator version number
+          attr_accessor :vno
+          # @!attribute crealm
+          #   @return [String] The realm in which the client is registered
+          attr_accessor :crealm
+          # @!attribute cname
+          #   @return [Rex::Proto::Kerberos::Model::PrincipalName] The name part of the client's principal
+          #   identifier
+          attr_accessor :cname
+          # @!attribute checksum
+          #   @return [Rex::Proto::Kerberos::Model::Checksum] The checksum of the application data that
+          #   accompanies the KRB_AP_REQ.
+          attr_accessor :checksum
+          # @!attribute cusec
+          #   @return [Fixnum] The microsecond part of the client's timestamp
+          attr_accessor :cusec
+          # @!attribute ctime
+          #   @return [Time] The current time of the client's host
+          attr_accessor :ctime
+          # @!attribute subkey
+          #   @return [Rex::Proto::Kerberos::Model::EncryptionKey] the client's choice for an encryption
+          #   key which is to be used to protect this specific application session
+          attr_accessor :subkey
+
+          # Rex::Proto::Kerberos::Model::Authenticator decoding isn't supported
+          #
+          # @raise [NotImplementedError]
+          def decode(input)
+            raise ::NotImplementedError, 'Authenticator decoding not supported'
+          end
+
+          # Encodes the Rex::Proto::Kerberos::Model::Authenticator into an ASN.1 String
+          #
+          # @return [String]
+          def encode
+            elems = []
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_vno], 0, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_crealm], 1, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_cname], 2, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_checksum], 3, :CONTEXT_SPECIFIC) if checksum
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_cusec], 4, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_ctime], 5, :CONTEXT_SPECIFIC)
+            elems << OpenSSL::ASN1::ASN1Data.new([encode_subkey], 6, :CONTEXT_SPECIFIC) if subkey
+
+            seq = OpenSSL::ASN1::Sequence.new(elems)
+            seq_asn1 = OpenSSL::ASN1::ASN1Data.new([seq], AUTHENTICATOR, :APPLICATION)
+
+            seq_asn1.to_der
+          end
+
+          # Encrypts the Rex::Proto::Kerberos::Model::Authenticator
+          #
+          # @param etype [Fixnum] the crypto schema to encrypt
+          # @param key [String] the key to encrypt
+          # @return [String] the encrypted result
+          # @raise [NotImplementedError] if the encryption schema isn't supported
+          def encrypt(etype, key)
+            data = self.encode
+
+            res = ''
+            case etype
+            when RC4_HMAC
+              res = encrypt_rc4_hmac(data, key, 7)
+            else
+              raise ::NotImplementedError, 'EncryptedData schema is not supported'
+            end
+
+            res
+          end
+
+
+          private
+
+          # Encodes the vno field
+          #
+          # @return [OpenSSL::ASN1::Integer]
+          def encode_vno
+            bn = OpenSSL::BN.new(vno.to_s)
+            int = OpenSSL::ASN1::Integer.new(bn)
+
+            int
+          end
+
+          # Encodes the crealm field
+          #
+          # @return [OpenSSL::ASN1::GeneralString]
+          def encode_crealm
+            OpenSSL::ASN1::GeneralString.new(crealm)
+          end
+
+          # Encodes the cname field
+          #
+          # @return [String]
+          def encode_cname
+            cname.encode
+          end
+
+          # Encodes the checksum field
+          #
+          # @return [String]
+          def encode_checksum
+            checksum.encode
+          end
+
+          # Encodes the cusec field
+          #
+          # @return [OpenSSL::ASN1::Integer]
+          def encode_cusec
+            bn = OpenSSL::BN.new(cusec.to_s)
+            int = OpenSSL::ASN1::Integer.new(bn)
+
+            int
+          end
+
+          # Encodes the ctime field
+          #
+          # @return [OpenSSL::ASN1::GeneralizedTime]
+          def encode_ctime
+            OpenSSL::ASN1::GeneralizedTime.new(ctime)
+          end
+
+          # Encodes the subkey field
+          #
+          # @return [String]
+          def encode_subkey
+            subkey.encode
+          end
+        end
+      end
+    end
+  end
+end