Added basic KRB_CRED parsing and decryption.

Author: tyranid

NtApiDotNet/NtApiDotNet.csproj

@@ -338,6 +338,7 @@
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosAuthenticator.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosChecksum.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosChecksumGSSApi.cs" />
+    <Compile Include="Win32\Security\Authentication\Kerberos\KerberosCredential.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosHostAddress.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosPreAuthenticationType.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosTicketDecrypted.cs" />

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAPRequestAuthenticationToken.cs

@@ -102,7 +102,7 @@ public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
 
             if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, KeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
             {
-                if (!KerberosAuthenticator.Parse(Ticket, Authenticator, auth_decrypt, out authenticator))
+                if (!KerberosAuthenticator.Parse(Ticket, Authenticator, auth_decrypt, keyset, out authenticator))
                 {
                     authenticator = null;
                 }

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAuthenticator.cs

@@ -15,6 +15,7 @@
 using NtApiDotNet.Utilities.ASN1;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 
 namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
@@ -102,7 +103,7 @@ private KerberosAuthenticator(KerberosEncryptedData orig_data)
             AuthenticatorVersion = 5;
         }
 
-        internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, out KerberosEncryptedData ticket)
+        internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, KerberosKeySet keyset, out KerberosEncryptedData ticket)
         {
             ticket = null;
             try
@@ -137,7 +138,7 @@ internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData ori
                         case 3:
                             if (!next.Children[0].CheckSequence())
                                 return false;
-                            ret.Checksum = Kerberos.KerberosChecksum.Parse(next.Children[0]);
+                            ret.Checksum = KerberosChecksum.Parse(next.Children[0]);
                             break;
                         case 4:
                             ret.ClientUSec = next.ReadChildInteger();
@@ -162,6 +163,18 @@ internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData ori
                             return false;
                     }
                 }
+
+                if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null)
+                {
+                    KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosKey[0]);
+                    if (ret.SubKey != null)
+                    {
+                        tmp_keyset.Add(ret.SubKey);
+                    }
+
+                    gssapi.Decrypt(tmp_keyset);
+                }
+
                 ticket = ret;
             }
             catch (InvalidDataException)

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosChecksumGssApi.cs

@@ -12,6 +12,7 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using NtApiDotNet.Utilities.ASN1;
 using NtApiDotNet.Utilities.Text;
 using System;
 using System.IO;
@@ -60,7 +61,7 @@ public class KerberosChecksumGSSApi : KerberosChecksum
         /// <summary>
         /// KRB_CRED structure when in delegation.
         /// </summary>
-        public byte[] KerbCredential { get; private set; }
+        public KerberosCredential Credentials { get; private set; }
 
         /// <summary>
         /// Additional extension data.
@@ -72,14 +73,11 @@ internal override void Format(StringBuilder builder)
             builder.AppendLine("Checksum        : GSSAPI");
             builder.AppendLine($"Channel Binding : {NtObjectUtils.ToHexString(ChannelBinding)}");
             builder.AppendLine($"Context Flags   : {ContextFlags}");
-            if (KerbCredential != null)
+            if (Credentials != null)
             {
                 builder.AppendLine($"Delegate Opt ID : {DelegationOptionIdentifier}");
-                HexDumpBuilder hex = new HexDumpBuilder(false, true, false, false, 0);
-                hex.Append(KerbCredential);
-                hex.Complete();
                 builder.AppendLine("Kerb Credential :");
-                builder.Append(hex.ToString());
+                builder.AppendLine(Credentials.Format());
             }
             if (Extensions != null)
             {
@@ -95,6 +93,11 @@ private KerberosChecksumGSSApi(KerberosChecksumType type, byte[] data)
         {
         }
 
+        internal void Decrypt(KerberosKeySet keyset)
+        {
+            Credentials = (KerberosCredential)Credentials.Decrypt(keyset);
+        }
+
         internal static bool Parse(byte[] data, out KerberosChecksum checksum)
         {
             checksum = null;
@@ -111,7 +114,12 @@ internal static bool Parse(byte[] data, out KerberosChecksum checksum)
                 {
                     ret.DelegationOptionIdentifier = reader.ReadUInt16();
                     int cred_length = reader.ReadUInt16();
-                    ret.KerbCredential = reader.ReadAllBytes(cred_length);
+                    byte[] cred = reader.ReadAllBytes(cred_length);
+
+                    DERValue[] values = DERParser.ParseData(cred, 0);
+                    if (!KerberosCredential.TryParse(cred, values, out KerberosCredential cred_token))
+                        return false;
+                    ret.Credentials = cred_token;
                 }
                 if (reader.RemainingLength() > 0)
                 {

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosCredential.cs

@@ -0,0 +1,161 @@
+//  Copyright 2020 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.ASN1;
+using System.Collections.Generic;
+using System.IO;
+using System.Text;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
+{
+    /// <summary>
+    /// Class representing a KRB-CRED structure.
+    /// </summary>
+    public class KerberosCredential : KerberosAuthenticationToken
+    {
+        #region Public Properties
+        /// <summary>
+        /// List of tickets in this credential.
+        /// </summary>
+        public IReadOnlyList<KerberosTicket> Tickets { get; private set; }
+        /// <summary>
+        /// Encrypted part contains sesssion keys etc.
+        /// </summary>
+        public KerberosEncryptedData EncryptedPart { get; private set; }
+        #endregion
+
+        private KerberosCredential(byte[] data, DERValue[] values) 
+            : base(data, values, KerberosMessageType.KRB_CRED)
+        {
+        }
+
+        /// <summary>
+        /// Format the Authentication Token.
+        /// </summary>
+        /// <returns>The Formatted Token.</returns>
+        public override string Format()
+        {
+            StringBuilder builder = new StringBuilder();
+            builder.AppendLine($"<KerberosV{ProtocolVersion} {MessageType}>");
+            for (int i = 0; i < Tickets.Count; ++i)
+            {
+                builder.AppendLine($"<Ticket {i}>");
+                builder.Append(Tickets[i].Format());
+            }
+            builder.AppendLine("<Encrypted Part>");
+            builder.Append(EncryptedPart.Format());
+            return builder.ToString();
+        }
+
+        /// <summary>
+        /// Decrypt the Authentication Token using a keyset.
+        /// </summary>
+        /// <param name="keyset">The set of keys to decrypt the </param>
+        /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
+        public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
+        {
+            KerberosEncryptedData encdata = null;
+            KerberosKeySet tmp_keys = new KerberosKeySet(keyset);
+            List<KerberosTicket> dec_tickets = new List<KerberosTicket>();
+            bool decrypted_ticket = false;
+            foreach (var ticket in Tickets)
+            {
+                if (ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket dec_ticket))
+                {
+                    dec_tickets.Add(dec_ticket);
+                    decrypted_ticket = true;
+                }
+                else
+                {
+                    dec_tickets.Add(ticket);
+                }
+            }
+
+            if (EncryptedPart.Decrypt(tmp_keys, string.Empty, new KerberosPrincipalName(), KeyUsage.KrbCred, out byte[] decrypted))
+            {
+                // Needs session key from TGT request which we don't necessarily have.
+            }
+
+            if (decrypted_ticket || encdata != null)
+            {
+                KerberosCredential ret = (KerberosCredential)MemberwiseClone();
+                ret.Tickets = dec_tickets.AsReadOnly();
+                ret.EncryptedPart = encdata ?? ret.EncryptedPart;
+                return ret;
+            }
+            return base.Decrypt(keyset);
+        }
+
+        /// <summary>
+        /// Try and parse data into an ASN1 authentication token.
+        /// </summary>
+        /// <param name="data">The data to parse.</param>
+        /// <param name="token">The Negotiate authentication token.</param>
+        /// <param name="values">Parsed DER Values.</param>
+        internal static bool TryParse(byte[] data, DERValue[] values, out KerberosCredential token)
+        {
+            token = null;
+            try
+            {
+                var ret = new KerberosCredential(data, values);
+                if (values.Length != 1 || !values[0].CheckMsg(KerberosMessageType.KRB_CRED) || !values[0].HasChildren())
+                    return false;
+
+                values = values[0].Children;
+                if (values.Length != 1 || !values[0].CheckSequence() || !values[0].HasChildren())
+                    return false;
+
+                foreach (var next in values[0].Children)
+                {
+                    if (next.Type != DERTagType.ContextSpecific)
+                        return false;
+                    switch (next.Tag)
+                    {
+                        case 0:
+                            if (next.ReadChildInteger() != 5)
+                                return false;
+                            break;
+                        case 1:
+                            if ((KerberosMessageType)next.ReadChildInteger() != KerberosMessageType.KRB_CRED)
+                                return false;
+                            break;
+                        case 2:
+                            if (!next.Children[0].CheckSequence())
+                                return false;
+                            List<KerberosTicket> tickets = new List<KerberosTicket>();
+                            foreach (var child in next.Children[0].Children)
+                            {
+                                tickets.Add(KerberosTicket.Parse(child));
+                            }
+                            ret.Tickets = tickets.AsReadOnly();
+                            break;
+                        case 3:
+                            if (!next.HasChildren())
+                                return false;
+                            ret.EncryptedPart = KerberosEncryptedData.Parse(next.Children[0]);
+                            break;
+                        default:
+                            return false;
+                    }
+                }
+                token = ret;
+                return true;
+            }
+            catch (InvalidDataException)
+            {
+                return false;
+            }
+        }
+    }
+}