Added Ticket logon and data to KerberosTicket.

Author: tyranid

NtApiDotNet/Win32/LogonUtils.cs

@@ -14,6 +14,7 @@
 
 using NtApiDotNet.Win32.SafeHandles;
 using NtApiDotNet.Win32.Security.Authentication;
+using NtApiDotNet.Win32.Security.Authentication.Kerberos;
 using NtApiDotNet.Win32.Security.Native;
 using NtApiDotNet.Win32.Security.Policy;
 using System;
@@ -152,6 +153,36 @@ public static NtToken Logon(string user, string domain, string password, Securit
             }
         }
 
+        /// <summary>
+        /// Logon user using Kerberos Ticket.
+        /// </summary>
+        /// <param name="type">The type of logon token.</param>
+        /// <param name="service_ticket">The service ticket.</param>
+        /// <param name="tgt_ticket">Optional TGT.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The logged on token.</returns>
+        public static NtResult<NtToken> LsaLogonTicket(SecurityLogonType type, KerberosTicket service_ticket, KerberosCredential tgt_ticket, bool throw_on_error)
+        {
+            if (service_ticket is null)
+            {
+                throw new ArgumentNullException(nameof(service_ticket));
+            }
+
+            return LsaLogonTicket(type, service_ticket.TicketData, tgt_ticket?.ToArray(), throw_on_error);
+        }
+
+        /// <summary>
+        /// Logon user using Kerberos Ticket.
+        /// </summary>
+        /// <param name="type">The type of logon token.</param>
+        /// <param name="service_ticket">The service ticket.</param>
+        /// <param name="tgt_ticket">Optional TGT.</param>
+        /// <returns>The logged on token.</returns>
+        public static NtToken LsaLogonTicket(SecurityLogonType type, KerberosTicket service_ticket, KerberosCredential tgt_ticket)
+        {
+            return LsaLogonTicket(type, service_ticket, tgt_ticket, true).Result;
+        }
+
         /// <summary>
         /// Logon user using Kerberos Ticket.
         /// </summary>
@@ -466,10 +497,10 @@ private static NtResult<NtToken> LsaLogonUser(SecurityLogonType type, string aut
                 var hlsa = list.AddResource(SafeLsaLogonHandle.Connect(throw_on_error));
                 if (!hlsa.IsSuccess)
                     return hlsa.Cast<NtToken>();
-                NtStatus status = SecurityNativeMethods.LsaLookupAuthenticationPackage(
-                    hlsa.Result, new LsaString(auth_package), out uint auth_pkg);
-                if (!status.IsSuccess())
-                    return status.CreateResultFromError<NtToken>(throw_on_error);
+
+                var auth_pkg = hlsa.Result.LookupAuthPackage(auth_package, throw_on_error);
+                if (!auth_pkg.IsSuccess)
+                    return auth_pkg.Cast<NtToken>();
 
                 var groups = local_groups == null ? SafeTokenGroupsBuffer.Null 
                     : list.AddResource(SafeTokenGroupsBuffer.Create(local_groups));
@@ -478,7 +509,7 @@ private static NtResult<NtToken> LsaLogonUser(SecurityLogonType type, string aut
                 SecurityNativeMethods.AllocateLocallyUniqueId(out tokenSource.SourceIdentifier);
                 QUOTA_LIMITS quota_limits = new QUOTA_LIMITS();
                 return SecurityNativeMethods.LsaLogonUser(hlsa.Result, new LsaString(origin_name),
-                    type, auth_pkg, buffer, buffer.GetLength(), groups,
+                    type, auth_pkg.Result, buffer, buffer.GetLength(), groups,
                     tokenSource, out SafeLsaReturnBufferHandle profile,
                     out int cbProfile, out Luid logon_id, out SafeKernelObjectHandle token_handle,
                     quota_limits, out NtStatus subStatus).CreateResult(throw_on_error, () =>

NtApiDotNet/Win32/SafeHandles/SafeLsaLogonHandle.cs

@@ -15,9 +15,21 @@
 using Microsoft.Win32.SafeHandles;
 using NtApiDotNet.Win32.Security.Native;
 using System;
+using System.Runtime.InteropServices;
 
 namespace NtApiDotNet.Win32.SafeHandles
 {
+    internal struct LsaCallPackageResponse : IDisposable
+    {
+        public NtStatus Status;
+        public SafeLsaReturnBufferHandle Buffer;
+
+        public void Dispose()
+        {
+            ((IDisposable)Buffer)?.Dispose();
+        }
+    }
+
     internal class SafeLsaLogonHandle : SafeHandleZeroOrMinusOneIsInvalid
     {
         public SafeLsaLogonHandle(IntPtr handle, bool ownsHandle) : base(ownsHandle)
@@ -42,5 +54,30 @@ internal static NtResult<SafeLsaLogonHandle> Connect(bool throw_on_error)
             }
             return hlsa.CreateResult();
         }
+
+        public NtResult<uint> LookupAuthPackage(string auth_package, bool throw_on_error)
+        {
+            return SecurityNativeMethods.LsaLookupAuthenticationPackage(
+                    this, new LsaString(auth_package), out uint auth_pkg).CreateResult(throw_on_error, () => auth_pkg);
+        }
+
+        private static LsaCallPackageResponse CreateResponse(NtStatus status, SafeLsaReturnBufferHandle buffer, int length)
+        {
+            if (!(buffer?.IsInvalid ?? true))
+            {
+                buffer?.Initialize((uint)length);
+            }
+            return new LsaCallPackageResponse()
+            {
+                Status = status,
+                Buffer = buffer
+            };
+        }
+
+        public NtResult<LsaCallPackageResponse> CallPackage(uint auth_package, SafeBuffer buffer, bool throw_on_error)
+        {
+            return SecurityNativeMethods.LsaCallAuthenticationPackage(this, auth_package, buffer, buffer.GetLength(),
+                out SafeLsaReturnBufferHandle ret, out int ret_length, out NtStatus status).CreateResult(throw_on_error, () => CreateResponse(status, ret, ret_length));
+        }
     }
 }

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAPRequestAuthenticationToken.cs

@@ -65,7 +65,7 @@ public class KerberosAPRequestAuthenticationToken : KerberosAuthenticationToken
         private protected KerberosAPRequestAuthenticationToken(byte[] data, DERValue[] values)
             : base(data, values, KerberosMessageType.KRB_AP_REQ)
         {
-            Ticket = new KerberosTicket();
+            Ticket = new KerberosTicket(new byte[0]);
             Authenticator = new KerberosEncryptedData();
         }
         #endregion
@@ -176,7 +176,7 @@ internal static bool TryParse(byte[] data, DERValue[] values, out KerberosAuthen
                         case 3:
                             if (!next.HasChildren())
                                 return false;
-                            ret.Ticket = KerberosTicket.Parse(next.Children[0]);
+                            ret.Ticket = KerberosTicket.Parse(next.Children[0], next.Data);
                             break;
                         case 4:
                             if (!next.HasChildren())

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosCredential.cs

@@ -137,7 +137,7 @@ internal static bool TryParse(byte[] data, DERValue[] values, out KerberosCreden
                             List<KerberosTicket> tickets = new List<KerberosTicket>();
                             foreach (var child in next.Children[0].Children)
                             {
-                                tickets.Add(KerberosTicket.Parse(child));
+                                tickets.Add(KerberosTicket.Parse(child, next.Children[0].Data));
                             }
                             ret.Tickets = tickets.AsReadOnly();
                             break;

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosTGTReplyAuthenticationToken.cs

@@ -79,7 +79,7 @@ internal static bool TryParse(byte[] data, DERValue[] values, out KerberosAuthen
                         case 2:
                             if (!next.HasChildren())
                                 return false;
-                            ret.Ticket = KerberosTicket.Parse(next.Children[0]);
+                            ret.Ticket = KerberosTicket.Parse(next.Children[0], next.Data);
                             break;
                         default:
                             return false;

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosTicket.cs

@@ -44,6 +44,8 @@ public class KerberosTicket
         /// </summary>
         public string Principal => ServerName.GetPrincipal(Realm);
 
+        internal byte[] TicketData { get; }
+
         internal bool Decrypt(KerberosKeySet keyset, KeyUsage key_usage, out KerberosTicket ticket)
         {
             if (this is KerberosTicketDecrypted)
@@ -78,28 +80,30 @@ private protected KerberosTicket(
             int ticket_version,
             string realm, 
             KerberosPrincipalName server_name, 
-            KerberosEncryptedData encrypted_data)
+            KerberosEncryptedData encrypted_data,
+            byte[] ticket_data)
         {
             TicketVersion = ticket_version;
             Realm = realm ?? string.Empty;
             ServerName = server_name ?? new KerberosPrincipalName();
             EncryptedData = encrypted_data;
+            TicketData = ticket_data;
         }
 
-        internal KerberosTicket() 
-            : this(5, null, null, null)
+        internal KerberosTicket(byte[] ticket_data) 
+            : this(5, null, null, null, ticket_data)
         {
         }
 
-        internal static KerberosTicket Parse(DERValue value)
+        internal static KerberosTicket Parse(DERValue value, byte[] data)
         {
             if (!value.CheckApplication(1) || !value.HasChildren())
                 throw new InvalidDataException();
 
             if (!value.Children[0].CheckSequence())
                 throw new InvalidDataException();
 
-            KerberosTicket ret = new KerberosTicket();
+            KerberosTicket ret = new KerberosTicket(data);
             foreach (var next in value.Children[0].Children)
             {
                 if (next.Type != DERTagType.ContextSpecific)

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosTicketDecrypted.cs

@@ -155,7 +155,7 @@ private protected override void FormatTicketData(StringBuilder builder)
 
         private KerberosTicketDecrypted(
             KerberosTicket ticket) 
-            : base(ticket.TicketVersion, ticket.Realm, ticket.ServerName, ticket.EncryptedData)
+            : base(ticket.TicketVersion, ticket.Realm, ticket.ServerName, ticket.EncryptedData, ticket.TicketData)
         {
             HostAddresses = new List<KerberosHostAddress>().AsReadOnly();
             AuthorizationData = new List<KerberosAuthorizationData>().AsReadOnly();

NtApiDotNet/Win32/Security/Native/SecurityNativeMethods.cs

@@ -571,6 +571,17 @@ internal static extern NtStatus LsaEnumerateAccountsWithUserRight(
           out int CountReturned
         );
 
+        [DllImport("Secur32.dll", CharSet = CharSet.Unicode)]
+        internal static extern NtStatus LsaCallAuthenticationPackage(
+              SafeLsaLogonHandle LsaHandle,
+              uint AuthenticationPackage,
+              SafeBuffer ProtocolSubmitBuffer,
+              int SubmitBufferLength,
+              out SafeLsaReturnBufferHandle ProtocolReturnBuffer,
+              out int ReturnBufferLength,
+              out NtStatus ProtocolStatus
+        );
+
         [DllImport("sspicli.dll", CharSet = CharSet.Unicode)]
         internal static extern SecStatusCode QueryContextAttributesEx(
           SecHandle phContext,

NtObjectManager/Cmdlets/Object/GetNtTokenCmdlet.cs

@@ -20,6 +20,8 @@
 using NtApiDotNet.Win32;
 using System.Security;
 using System.Runtime.InteropServices;
+using NtApiDotNet.Win32.Security.Authentication;
+using NtApiDotNet.Win32.Security.Authentication.Kerberos;
 
 namespace NtObjectManager.Cmdlets.Object
 {
@@ -305,9 +307,21 @@ public sealed class GetNtTokenCmdlet : PSCmdlet
         /// <summary>
         /// <para type="description">Specify logon type for logon token.</para>
         /// </summary>
-        [Parameter(ParameterSetName = "Logon"), Parameter(ParameterSetName = "S4U")]
+        [Parameter(ParameterSetName = "Logon"), Parameter(ParameterSetName = "S4U"), Parameter(ParameterSetName = "Ticket")]
         public SecurityLogonType LogonType { get; set; }
 
+        /// <summary>
+        /// <para type="description">Specify Service Ticket for Logon.</para>
+        /// </summary>
+        [Parameter(Position = 0, ParameterSetName = "Ticket", Mandatory = true)]
+        public KerberosTicket Ticket { get; }
+
+        /// <summary>
+        /// <para type="description">Specify optional TGT for logon.</para>
+        /// </summary>
+        [Parameter(ParameterSetName = "Ticket", Mandatory = true)]
+        public KerberosCredential KerbCred { get; }
+
         /// <summary>
         /// <para type="description">Get anonymous token.</para>
         /// </summary>
@@ -582,7 +596,19 @@ private NtToken GetLogonToken(TokenAccessRights desired_access)
 
         private NtToken GetS4UToken(TokenAccessRights desired_access)
         {
-            using (NtToken token = LogonUtils.LsaLogonS4U(User, Domain, LogonType, "Negotiate"))
+            using (NtToken token = LogonUtils.LsaLogonS4U(User, Domain, LogonType, AuthenticationPackage.NEGOSSP_NAME))
+            {
+                if (desired_access == TokenAccessRights.MaximumAllowed)
+                {
+                    return token.Duplicate();
+                }
+                return token.Duplicate(desired_access);
+            }
+        }
+
+        private NtToken GetTicketToken(TokenAccessRights desired_access)
+        {
+            using (NtToken token = LogonUtils.LsaLogonTicket(LogonType, Ticket, KerbCred))
             {
                 if (desired_access == TokenAccessRights.MaximumAllowed)
                 {
@@ -722,6 +748,10 @@ private NtToken GetToken(TokenAccessRights desired_access)
             {
                 return GetS4UToken(desired_access);
             }
+            else if (Ticket != null)
+            {
+                return GetTicketToken(desired_access);
+            }
             else if (Anonymous)
             {
                 return GetAnonymousToken(desired_access);