rex 2.0.5 → 2.0.7
- checksums.yaml +4 -4
- data/lib/rex/exploitation/egghunter.rb +4 -6
- data/lib/rex/exploitation/powershell/psh_methods.rb +9 -0
- data/lib/rex/java/serialization.rb +2 -1
- data/lib/rex/java/serialization/builder.rb +94 -0
- data/lib/rex/java/serialization/model.rb +29 -18
- data/lib/rex/java/serialization/model/annotation.rb +2 -2
- data/lib/rex/java/serialization/model/field.rb +2 -2
- data/lib/rex/java/serialization/model/new_array.rb +8 -3
- data/lib/rex/java/serialization/model/new_class_desc.rb +3 -3
- data/lib/rex/java/serialization/model/new_enum.rb +4 -4
- data/lib/rex/java/serialization/model/new_object.rb +17 -10
- data/lib/rex/ole/direntry.rb +1 -1
- data/lib/rex/ole/samples/create_ole.rb +0 -0
- data/lib/rex/ole/samples/dir.rb +0 -0
- data/lib/rex/ole/samples/dump_stream.rb +0 -0
- data/lib/rex/ole/samples/ole_info.rb +0 -0
- data/lib/rex/parser/foundstone_nokogiri.rb +1 -1
- data/lib/rex/parser/fs/ntfs.rb +252 -0
- data/lib/rex/parser/openvas_nokogiri.rb +2 -0
- data/lib/rex/payloads/win32/kernel.rb +3 -3
- data/lib/rex/post/meterpreter/client_core.rb +172 -64
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +3 -2
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +12 -10
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +64 -37
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +8 -2
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +15 -3
- data/lib/rex/post/meterpreter/packet.rb +41 -38
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +7 -1
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +17 -4
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +11 -4
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +1 -1
- data/lib/rex/proto.rb +2 -0
- data/lib/rex/proto/acpp.rb +17 -0
- data/lib/rex/proto/acpp/client.rb +29 -0
- data/lib/rex/proto/acpp/message.rb +183 -0
- data/lib/rex/proto/http/client.rb +1 -2
- data/lib/rex/proto/iax2/call.rb +22 -3
- data/lib/rex/proto/iax2/client.rb +1 -0
- data/lib/rex/proto/kerberos.rb +13 -0
- data/lib/rex/proto/kerberos/client.rb +213 -0
- data/lib/rex/proto/kerberos/credential_cache.rb +19 -0
- data/lib/rex/proto/kerberos/credential_cache/cache.rb +81 -0
- data/lib/rex/proto/kerberos/credential_cache/credential.rb +151 -0
- data/lib/rex/proto/kerberos/credential_cache/element.rb +49 -0
- data/lib/rex/proto/kerberos/credential_cache/key_block.rb +62 -0
- data/lib/rex/proto/kerberos/credential_cache/principal.rb +70 -0
- data/lib/rex/proto/kerberos/credential_cache/time.rb +69 -0
- data/lib/rex/proto/kerberos/crypto.rb +21 -0
- data/lib/rex/proto/kerberos/crypto/rc4_hmac.rb +65 -0
- data/lib/rex/proto/kerberos/crypto/rsa_md5.rb +15 -0
- data/lib/rex/proto/kerberos/model.rb +133 -0
- data/lib/rex/proto/kerberos/model/ap_req.rb +98 -0
- data/lib/rex/proto/kerberos/model/authenticator.rb +143 -0
- data/lib/rex/proto/kerberos/model/authorization_data.rb +85 -0
- data/lib/rex/proto/kerberos/model/checksum.rb +59 -0
- data/lib/rex/proto/kerberos/model/element.rb +67 -0
- data/lib/rex/proto/kerberos/model/enc_kdc_response.rb +215 -0
- data/lib/rex/proto/kerberos/model/encrypted_data.rb +171 -0
- data/lib/rex/proto/kerberos/model/encryption_key.rb +106 -0
- data/lib/rex/proto/kerberos/model/kdc_request.rb +166 -0
- data/lib/rex/proto/kerberos/model/kdc_request_body.rb +315 -0
- data/lib/rex/proto/kerberos/model/kdc_response.rb +141 -0
- data/lib/rex/proto/kerberos/model/krb_error.rb +219 -0
- data/lib/rex/proto/kerberos/model/last_request.rb +82 -0
- data/lib/rex/proto/kerberos/model/pre_auth_data.rb +104 -0
- data/lib/rex/proto/kerberos/model/pre_auth_enc_time_stamp.rb +126 -0
- data/lib/rex/proto/kerberos/model/pre_auth_pac_request.rb +81 -0
- data/lib/rex/proto/kerberos/model/principal_name.rb +116 -0
- data/lib/rex/proto/kerberos/model/ticket.rb +151 -0
- data/lib/rex/proto/kerberos/pac.rb +36 -0
- data/lib/rex/proto/kerberos/pac/client_info.rb +53 -0
- data/lib/rex/proto/kerberos/pac/element.rb +52 -0
- data/lib/rex/proto/kerberos/pac/logon_info.rb +566 -0
- data/lib/rex/proto/kerberos/pac/priv_svr_checksum.rb +29 -0
- data/lib/rex/proto/kerberos/pac/server_checksum.rb +30 -0
- data/lib/rex/proto/kerberos/pac/type.rb +121 -0
- data/lib/rex/proto/rmi.rb +7 -0
- data/lib/rex/proto/rmi/model.rb +31 -0
- data/lib/rex/proto/rmi/model/call.rb +60 -0
- data/lib/rex/proto/rmi/model/continuation.rb +76 -0
- data/lib/rex/proto/rmi/model/dgc_ack.rb +62 -0
- data/lib/rex/proto/rmi/model/element.rb +143 -0
- data/lib/rex/proto/rmi/model/output_header.rb +86 -0
- data/lib/rex/proto/rmi/model/ping.rb +41 -0
- data/lib/rex/proto/rmi/model/ping_ack.rb +41 -0
- data/lib/rex/proto/rmi/model/protocol_ack.rb +100 -0
- data/lib/rex/proto/rmi/model/return_data.rb +60 -0
- data/lib/rex/socket.rb +9 -1
- data/lib/rex/socket/tcp_server.rb +3 -0
- data/lib/rex/ui/text/dispatcher_shell.rb +4 -4
- data/lib/rex/ui/text/output/tee.rb +2 -0
- data/lib/rex/zip/samples/comment.rb +0 -0
- data/lib/rex/zip/samples/mkwar.rb +0 -0
- data/lib/rex/zip/samples/mkzip.rb +0 -0
- data/lib/rex/zip/samples/recursive.rb +0 -0
- data/rex.gemspec +1 -1
- metadata +56 -2
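--- a/data/lib/rex/proto/kerberos/crypto.rb
+++ b/data/lib/rex/proto/kerberos/crypto.rb
@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+require 'rex/proto/kerberos/crypto/rc4_hmac'
+require 'rex/proto/kerberos/crypto/rsa_md5'
+
+module Rex
+module Proto
+module Kerberos
+module Crypto
+
+include Rex::Proto::Kerberos::Crypto::Rc4Hmac
+include Rex::Proto::Kerberos::Crypto::RsaMd5
+
+RSA_MD5 = 7
+RC4_HMAC = 23
+ENC_KDC_REQUEST_BODY = 10
+ENC_AS_RESPONSE = 8
+ENC_TGS_RESPONSE = 9
+end
+end
+end
+end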
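Review bot: The constants on lines 13–17 mix two different kinds of value without saying so: `RSA_MD5 = 7` and `RC4_HMAC = 23` are Kerberos checksum/encryption type identifiers, while `ENC_KDC_REQUEST_BODY = 10`, `ENC_AS_RESPONSE = 8` and `ENC_TGS_RESPONSE = 9` are key-usage numbers, the value that `decrypt_rc4_hmac`/`encrypt_rc4_hmac` in this same commit feed into the first HMAC as `msg_type`. A reader scanning the module will take them as one namespace. Suggest a comment above each group, e.g. `# etype / checksum type identifiers` before line 13 and `# RFC 4120 §7.5.1 key usage numbers (the msg_type argument of the Rc4Hmac helpers)` before line 15.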
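--- a/data/lib/rex/proto/kerberos/crypto/rc4_hmac.rb
+++ b/data/lib/rex/proto/kerberos/crypto/rc4_hmac.rb
@@ -0,0 +1,65 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module Kerberos
+module Crypto
+module Rc4Hmac
+# Decrypts the cipher using RC4-HMAC schema
+#
+# @param cipher [String] the data to decrypt
+# @param key [String] the key to decrypt
+# @param msg_type [Fixnum] the message type
+# @return [String] the decrypted cipher
+# @raise [RuntimeError] if decryption doesn't succeed
+def decrypt_rc4_hmac(cipher, key, msg_type)
+unless cipher && cipher.length > 16
+raise ::RuntimeError, 'RC4-HMAC decryption failed'
+end
+
+checksum = cipher[0, 16]
+data = cipher[16, cipher.length - 1]
+
+k1 = OpenSSL::HMAC.digest('MD5', key, [msg_type].pack('V'))
+k3 = OpenSSL::HMAC.digest('MD5', k1, checksum)
+
+cipher = OpenSSL::Cipher::Cipher.new('rc4')
+cipher.decrypt
+cipher.key = k3
+decrypted = cipher.update(data) + cipher.final
+
+if OpenSSL::HMAC.digest('MD5', k1, decrypted) != checksum
+raise ::RuntimeError, 'RC4-HMAC decryption failed, incorrect checksum verification'
+end
+
+decrypted
+end
+
+# Encrypts the cipher using RC4-HMAC schema
+#
+# @param data [String] the data to encrypt
+# @param key [String] the key to encrypt
+# @param msg_type [Fixnum] the message type
+# @return [String] the encrypted data
+def encrypt_rc4_hmac(data, key, msg_type)
+k1 = OpenSSL::HMAC.digest('MD5', key, [msg_type].pack('V'))
+
+data_encrypt = Rex::Text::rand_text(8) + data
+
+checksum = OpenSSL::HMAC.digest('MD5', k1, data_encrypt)
+
+k3 = OpenSSL::HMAC.digest('MD5', k1, checksum)
+
+cipher = OpenSSL::Cipher::Cipher.new('rc4')
+cipher.encrypt
+cipher.key = k3
+encrypted = cipher.update(data_encrypt) + cipher.final
+
+res = checksum + encrypted
+res
+end
+end
+end
+end
+end
+end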
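Review bot: `data = cipher[16, cipher.length - 1]` on line 21 of decrypt_rc4_hmac reads as an off-by-one: the second argument of `String#[]` is a length, not an end index, and the expression only works because Ruby clamps it to the end of the string; `data = cipher[16..-1]` says what is meant. The guard on line 16 accepts anything longer than the 16-byte checksum, but the encrypt side prepends an 8-byte confounder (line 47) that this method never strips, so `decrypted` always starts with 8 bytes of confounder — if callers are expected to drop them the `@return` doc should say so, and the guard could require at least 24 bytes. `OpenSSL::Cipher::Cipher` on lines 26 and 53 is the deprecated alias; `OpenSSL::Cipher.new('rc4')` is the current form. The `msg_type` parameter is the Kerberos key-usage number that keys the first HMAC rather than a message type, and the docstrings on lines 12 and 42 would be clearer saying so. The checksum check on line 31 is a plain `!=`; on a client path the timing difference is of little consequence, but a constant-time comparison is the safer habit should this helper ever be reused to verify data from a peer.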
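--- a/data/lib/rex/proto/kerberos/model.rb
+++ b/data/lib/rex/proto/kerberos/model.rb
@@ -0,0 +1,133 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module Kerberos
+module Model
+VERSION = 5
+
+# Application Message Id's
+
+AS_REQ = 10
+AS_REP = 11
+TGS_REQ = 12
+TGS_REP = 13
+KRB_ERROR = 30
+TICKET = 1
+AUTHENTICATOR = 2
+AP_REQ = 14
+
+# Kerberos error codes
+ERROR_CODES = {
+0 => ['KDC_ERR_NONE', 'No error'],
+1 => ['KDC_ERR_NAME_EXP', 'Client\'s entry in database has expired'],
+2 => ['KDC_ERR_SERVICE_EXP', 'Server\'s entry in database has expired'],
+3 => ['KDC_ERR_BAD_PVNO', 'Requested protocol version number not supported'],
+4 => ['KDC_ERR_C_OLD_MAST_KVNO', 'Client\'s key encrypted in old master key'],
+5 => ['KDC_ERR_S_OLD_MAST_KVNO', 'Server\'s key encrypted in old master key'],
+6 => ['KDC_ERR_C_PRINCIPAL_UNKNOWN', 'Client not found in Kerberos database'],
+7 => ['KDC_ERR_S_PRINCIPAL_UNKNOWN', 'Server not found in Kerberos database'],
+8 => ['KDC_ERR_PRINCIPAL_NOT_UNIQUE', 'Multiple principal entries in database'],
+9 => ['KDC_ERR_NULL_KEY', 'The client or server has a null key'],
+10 => ['KDC_ERR_CANNOT_POSTDATE', 'Ticket not eligible for postdating'],
+11 => ['KDC_ERR_NEVER_VALID', 'Requested start time is later than end time'],
+12 => ['KDC_ERR_POLICY', 'KDC policy rejects request'],
+13 => ['KDC_ERR_BADOPTION', 'KDC cannot accommodate requested option'],
+14 => ['KDC_ERR_ETYPE_NOSUPP', 'KDC has no support for encryption type'],
+15 => ['KDC_ERR_SUMTYPE_NOSUPP', 'KDC has no support for checksum type'],
+16 => ['KDC_ERR_PADATA_TYPE_NOSUPP', 'KDC has no support for padata type'],
+17 => ['KDC_ERR_TRTYPE_NOSUPP', 'KDC has no support for transited type'],
+18 => ['KDC_ERR_CLIENT_REVOKED', 'Clients credentials have been revoked'],
+19 => ['KDC_ERR_SERVICE_REVOKED', 'Credentials for server have been revoked'],
+20 => ['KDC_ERR_TGT_REVOKED', 'TGT has been revoked'],
+21 => ['KDC_ERR_CLIENT_NOTYET', 'Client not yet valid - try again later'],
+22 => ['KDC_ERR_SERVICE_NOTYET', 'Server not yet valid - try again later'],
+23 => ['KDC_ERR_KEY_EXPIRED', 'Password has expired - change password to reset'],
+24 => ['KDC_ERR_PREAUTH_FAILED', 'Pre-authentication information was invalid'],
+25 => ['KDC_ERR_PREAUTH_REQUIRED', 'Additional pre-authentication required'],
+31 => ['KRB_AP_ERR_BAD_INTEGRITY', 'Integrity check on decrypted field failed'],
+32 => ['KRB_AP_ERR_TKT_EXPIRED', 'Ticket expired'],
+33 => ['KRB_AP_ERR_TKT_NYV', 'Ticket not yet valid'],
+34 => ['KRB_AP_ERR_REPEAT', 'Request is a replay'],
+35 => ['KRB_AP_ERR_NOT_US', 'The ticket isn\'t for us'],
+36 => ['KRB_AP_ERR_BADMATCH', 'Ticket and authenticator don\'t match'],
+37 => ['KRB_AP_ERR_SKEW', 'Clock skew too great'],
+38 => ['KRB_AP_ERR_BADADDR', 'Incorrect net address'],
+39 => ['KRB_AP_ERR_BADVERSION', 'Protocol version mismatch'],
+40 => ['KRB_AP_ERR_MSG_TYPE', 'Invalid msg type'],
+41 => ['KRB_AP_ERR_MODIFIED', 'Message stream modified'],
+42 => ['KRB_AP_ERR_BADORDER', 'Message out of order'],
+44 => ['KRB_AP_ERR_BADKEYVER', 'Specified version of key is not available'],
+45 => ['KRB_AP_ERR_NOKEY', 'Service key not available'],
+46 => ['KRB_AP_ERR_MUT_FAIL', 'Mutual authentication failed'],
+47 => ['KRB_AP_ERR_BADDIRECTION', 'Incorrect message direction'],
+48 => ['KRB_AP_ERR_METHOD', 'Alternative authentication method required'],
+49 => ['KRB_AP_ERR_BADSEQ', 'Incorrect sequence number in message'],
+50 => ['KRB_AP_ERR_INAPP_CKSUM', 'Inappropriate type of checksum in message'],
+60 => ['KRB_ERR_GENERIC', 'Generic error'],
+61 => ['KRB_ERR_FIELD_TOOLONG', 'Field is too long for this implementation']
+}
+
+KDC_OPTION_RESERVED = 0
+KDC_OPTION_FORWARDABLE = 1
+KDC_OPTION_FORWARDED = 2
+KDC_OPTION_PROXIABLE = 3
+KDC_OPTION_PROXY = 4
+KDC_OPTION_ALLOW_POST_DATE = 5
+KDC_OPTION_POST_DATED = 6
+KDC_OPTION_UNUSED_7 = 7
+KDC_OPTION_RENEWABLE = 8
+KDC_OPTION_UNUSED_9 = 9
+KDC_OPTION_UNUSED_10 = 10
+KDC_OPTION_UNUSED_11 = 11
+KDC_OPTION_RENEWABLE_OK = 27
+KDC_OPTION_ENC_TKT_IN_SKEY = 28
+KDC_OPTION_RENEW = 30
+KDC_OPTION_VALIDATE = 31
+
+# From Principal
+
+# Name type not known
+NT_UNKNOWN = 0
+# The name of the principal
+NT_PRINCIPAL = 1
+# Service and other unique instances
+NT_SRV_INST = 2
+# Service with host name and instance
+NT_SRV_HST = 3
+# Service with host as remaining component
+NT_SRV_XHST = 4
+# Unique ID
+NT_UID = 5
+
+# From padata
+
+PA_TGS_REQ = 1
+PA_ENC_TIMESTAMP = 2
+PA_PW_SALT = 3
+PA_PAC_REQUEST = 128
+
+AD_IF_RELEVANT = 1
+end
+end
+end
+end
+
+require 'rex/proto/kerberos/model/element'
+require 'rex/proto/kerberos/model/principal_name'
+require 'rex/proto/kerberos/model/encrypted_data'
+require 'rex/proto/kerberos/model/checksum'
+require 'rex/proto/kerberos/model/pre_auth_pac_request'
+require 'rex/proto/kerberos/model/pre_auth_enc_time_stamp'
+require 'rex/proto/kerberos/model/pre_auth_data'
+require 'rex/proto/kerberos/model/ap_req'
+require 'rex/proto/kerberos/model/krb_error'
+require 'rex/proto/kerberos/model/authorization_data'
+require 'rex/proto/kerberos/model/encryption_key'
+require 'rex/proto/kerberos/model/authenticator'
+require 'rex/proto/kerberos/model/ticket'
+require 'rex/proto/kerberos/model/last_request'
+require 'rex/proto/kerberos/model/kdc_request_body'
+require 'rex/proto/kerberos/model/kdc_request'
+require 'rex/proto/kerberos/model/enc_kdc_response'
+require 'rex/proto/kerberos/model/kdc_response'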
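Review bot: `ERROR_CODES` (lines 21–69) is a mutable Hash of mutable Arrays assigned to a constant, so any caller that writes into it, or mutates one of the inner `[name, description]` pairs it hands out, silently changes the table for the whole process; `}.freeze` on line 69 closes the obvious hole, and freezing the inner arrays closes the rest. The `KDC_OPTION_*` values on lines 71–86 are bit positions inside the KDCOptions BIT STRING (27, 28, 30, 31 are the renewable-ok, enc-tkt-in-skey, renew and validate bit numbers), not flag masks, which is easy to misread next to the message-id constants above them; a one-line comment such as `# KDCOptions bit positions (RFC 4120 §5.4.1), not masks` would prevent that. The `require`s on lines 116–133 come after the module body, presumably so the constants exist before the model classes that reference them load; a short comment stating that would stop a later cleanup from moving them to the top of the file.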
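--- a/data/lib/rex/proto/kerberos/model/ap_req.rb
+++ b/data/lib/rex/proto/kerberos/model/ap_req.rb
@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module Kerberos
+module Model
+# This class provides a representation of a KRB_AP_REQ definition, containing the Kerberos protocol version number,
+# the message type KRB_AP_REQ, an options field to indicate any options in use, and the ticket and authenticator
+# themselves
+class ApReq < Element
+# @!attribute pvno
+# @return [Fixnum] The protocol version number
+attr_accessor :pvno
+# @!attribute msg_type
+# @return [Fixnum] The type of the protocol message
+attr_accessor :msg_type
+# @!attribute options
+# @return [Fixnum] request options, affects processing
+attr_accessor :options
+# @!attribute ticket
+# @return [Rex::Proto::Kerberos::Model::Ticket] The ticket authenticating the client to the server
+attr_accessor :ticket
+# @!attribute authenticator
+# @return [Rex::Proto::Kerberos::Model::EncryptedData] This contains the authenticator, which includes the
+# client's choice of a subkey
+attr_accessor :authenticator
+
+# Rex::Proto::Kerberos::Model::ApReq decoding isn't supported
+#
+# @raise [NotImplementedError]
+def decode(input)
+raise ::NotImplementedError, 'AP-REQ decoding not supported'
+end
+
+# Encodes the Rex::Proto::Kerberos::Model::ApReq into an ASN.1 String
+#
+# @return [String]
+def encode
+elems = []
+elems << OpenSSL::ASN1::ASN1Data.new([encode_pvno], 0, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_msg_type], 1, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_options], 2, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_ticket], 3, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_authenticator], 4, :CONTEXT_SPECIFIC)
+seq = OpenSSL::ASN1::Sequence.new(elems)
+
+seq_asn1 = OpenSSL::ASN1::ASN1Data.new([seq], AP_REQ, :APPLICATION)
+
+seq_asn1.to_der
+end
+
+private
+
+# Encodes the pvno field
+#
+# @return [OpenSSL::ASN1::Integer]
+def encode_pvno
+bn = OpenSSL::BN.new(pvno.to_s)
+int = OpenSSL::ASN1::Integer.new(bn)
+
+int
+end
+
+# Encodes the msg_type field
+#
+# @return [OpenSSL::ASN1::Integer]
+def encode_msg_type
+bn = OpenSSL::BN.new(msg_type.to_s)
+int = OpenSSL::ASN1::Integer.new(bn)
+
+int
+end
+
+# Encodes the options field
+#
+# @return [OpenSSL::ASN1::BitString]
+def encode_options
+OpenSSL::ASN1::BitString.new([options].pack('N'))
+end
+
+# Encodes the ticket field
+#
+# @return [String]
+def encode_ticket
+ticket.encode
+end
+
+# Encodes the authenticator field
+#
+# @return [String]
+def encode_authenticator
+authenticator.encode
+end
+end
+end
+end
+end
+end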
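Review bot: `encode_pvno` and `encode_msg_type` (lines 57–72) take a detour through `OpenSSL::BN.new(pvno.to_s)` and a temporary; `OpenSSL::ASN1::Integer.new(pvno)` accepts an Integer directly, so each helper collapses to a single expression, and the same applies to `encode_vno` and `encode_cusec` in authenticator.rb in this commit. `encode_options` on line 78 packs `options` big-endian into a 4-byte BIT STRING, which is how KerberosFlags are laid out, but nothing says that `options` must already be an assembled 32-bit mask rather than one of the bit-position constants defined in model.rb; a note on the attribute, e.g. `# @return [Fixnum] APOptions as a 32-bit big-endian flag mask (bit 0 = MSB)`, would keep callers from passing a bit number. The unused `input` parameter of `decode` on line 31 could be `_input` to show it is ignored on purpose.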
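--- a/data/lib/rex/proto/kerberos/model/authenticator.rb
+++ b/data/lib/rex/proto/kerberos/model/authenticator.rb
@@ -0,0 +1,143 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module Kerberos
+module Model
+# This class provides a representation of an Authenticator, sent with a
+# ticket to the server to certify the client's knowledge of the encryption
+# key in the ticket.
+class Authenticator < Element
+# @!attribute vno
+# @return [Fixnum] The authenticator version number
+attr_accessor :vno
+# @!attribute crealm
+# @return [String] The realm in which the client is registered
+attr_accessor :crealm
+# @!attribute cname
+# @return [Rex::Proto::Kerberos::Model::PrincipalName] The name part of the client's principal
+# identifier
+attr_accessor :cname
+# @!attribute checksum
+# @return [Rex::Proto::Kerberos::Model::Checksum] The checksum of the application data that
+# accompanies the KRB_AP_REQ.
+attr_accessor :checksum
+# @!attribute cusec
+# @return [Fixnum] The microsecond part of the client's timestamp
+attr_accessor :cusec
+# @!attribute ctime
+# @return [Time] The current time of the client's host
+attr_accessor :ctime
+# @!attribute subkey
+# @return [Rex::Proto::Kerberos::Model::EncryptionKey] the client's choice for an encryption
+# key which is to be used to protect this specific application session
+attr_accessor :subkey
+
+# Rex::Proto::Kerberos::Model::Authenticator decoding isn't supported
+#
+# @raise [NotImplementedError]
+def decode(input)
+raise ::NotImplementedError, 'Authenticator decoding not supported'
+end
+
+# Encodes the Rex::Proto::Kerberos::Model::Authenticator into an ASN.1 String
+#
+# @return [String]
+def encode
+elems = []
+elems << OpenSSL::ASN1::ASN1Data.new([encode_vno], 0, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_crealm], 1, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_cname], 2, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_checksum], 3, :CONTEXT_SPECIFIC) if checksum
+elems << OpenSSL::ASN1::ASN1Data.new([encode_cusec], 4, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_ctime], 5, :CONTEXT_SPECIFIC)
+elems << OpenSSL::ASN1::ASN1Data.new([encode_subkey], 6, :CONTEXT_SPECIFIC) if subkey
+
+seq = OpenSSL::ASN1::Sequence.new(elems)
+seq_asn1 = OpenSSL::ASN1::ASN1Data.new([seq], AUTHENTICATOR, :APPLICATION)
+
+seq_asn1.to_der
+end
+
+# Encrypts the Rex::Proto::Kerberos::Model::Authenticator
+#
+# @param etype [Fixnum] the crypto schema to encrypt
+# @param key [String] the key to encrypt
+# @return [String] the encrypted result
+# @raise [NotImplementedError] if the encryption schema isn't supported
+def encrypt(etype, key)
+data = self.encode
+
+res = ''
+case etype
+when RC4_HMAC
+res = encrypt_rc4_hmac(data, key, 7)
+else
+raise ::NotImplementedError, 'EncryptedData schema is not supported'
+end
+
+res
+end
+
+
+private
+
+# Encodes the vno field
+#
+# @return [OpenSSL::ASN1::Integer]
+def encode_vno
+bn = OpenSSL::BN.new(vno.to_s)
+int = OpenSSL::ASN1::Integer.new(bn)
+
+int
+end
+
+# Encodes the crealm field
+#
+# @return [OpenSSL::ASN1::GeneralString]
+def encode_crealm
+OpenSSL::ASN1::GeneralString.new(crealm)
+end
+
+# Encodes the cname field
+#
+# @return [String]
+def encode_cname
+cname.encode
+end
+
+# Encodes the checksum field
+#
+# @return [String]
+def encode_checksum
+checksum.encode
+end
+
+# Encodes the cusec field
+#
+# @return [OpenSSL::ASN1::Integer]
+def encode_cusec
+bn = OpenSSL::BN.new(cusec.to_s)
+int = OpenSSL::ASN1::Integer.new(bn)
+
+int
+end
+
+# Encodes the ctime field
+#
+# @return [OpenSSL::ASN1::GeneralizedTime]
+def encode_ctime
+OpenSSL::ASN1::GeneralizedTime.new(ctime)
+end
+
+# Encodes the subkey field
+#
+# @return [String]
+def encode_subkey
+subkey.encode
+end
+end
+end
+end
+end
+end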
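Review bot: `encrypt` hard-codes the key-usage number as the bare literal `7` on line 74; under RFC 4120 §7.5.1 usage 7 is the authenticator carried in a TGS-REQ PA-TGS-REQ padata, while an authenticator in an application AP-REQ uses usage 11, so as written this method can only produce a TGS-REQ authenticator and nothing in the docstring says so. Suggest a named constant beside `ENC_KDC_REQUEST_BODY` in crypto.rb (e.g. `ENC_TGS_REQ_AUTHENTICATOR = 7`) and either a `# NOTE` on the `encrypt` docstring stating the TGS-REQ-only scope or a keyword argument such as `usage: ENC_TGS_REQ_AUTHENTICATOR` so the AP-REQ case can be added without changing callers. The `res = ''` pre-assignment on line 71 is dead: every branch of the `case` either assigns `res` or raises, so `res = case etype ... end` or returning the `encrypt_rc4_hmac` result directly from the branch is cleaner. `RC4_HMAC` and `encrypt_rc4_hmac` are resolved through `Element`, which is outside this hunk, presumably by including `Crypto`; worth confirming that the include is there rather than relying on load order.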