kirbi support

skelsec · skelsec · commit d7344e9a3a50 · 2021-04-17T15:00:20.000+02:00
diff --git a/msldap/authentication/kerberos/native.py b/msldap/authentication/kerberos/native.py
@@ -12,15 +12,15 @@
 from minikerberos.common import *
 
 
-from minikerberos.protocol.asn1_structs import AP_REP, EncAPRepPart, EncryptedData, AP_REQ
+from minikerberos.protocol.asn1_structs import AP_REP, EncAPRepPart, EncryptedData, AP_REQ, Ticket
 from msldap.authentication.kerberos.gssapi import get_gssapi, KRB5_MECH_INDEP_TOKEN
 from msldap.commons.proxy import MSLDAPProxyType
 from minikerberos.protocol.structures import ChecksumFlags
 from minikerberos.protocol.encryption import Enctype, Key, _enctype_table
 from minikerberos.protocol.constants import MESSAGE_TYPE
 from minikerberos.aioclient import AIOKerberosClient
 from minikerberos.network.aioclientsockssocket import AIOKerberosClientSocksSocket
-
+from msldap import logger
 
 # SMBKerberosCredential
 
@@ -50,6 +50,7 @@ def __init__(self, settings):
 		self.etype = None
 		self.seq_number = 0
 		self.expected_server_seq_number = None
+		self.from_ccache = False
 	
 		self.setup()
 	
@@ -143,31 +144,46 @@ async def authenticate(self, authData, flags = None, seq_number = 0, cb_data = N
 					return None, None, err
 
 			if self.iterations == 0:
-				self.seq_number = 0 #int.from_bytes(os.urandom(4), byteorder='big', signed=False)
+				self.seq_number = 0
 				self.iterations += 1
-
-				#tgt = await self.kc.get_TGT()
-				tgt = await self.kc.get_TGT(override_etype = self.preferred_etypes)
-				tgs, encpart, self.session_key = await self.kc.get_TGS(self.spn)#, override_etype = self.preferred_etypes)
+				
+				try:
+					#check TGS first, maybe ccache already has what we need
+					for target in self.ccred.ccache.list_targets():
+						# just printing this to debug...
+						logger.debug('CCACHE SPN record: %s' % target)
+					tgs, encpart, self.session_key = await self.kc.get_TGS(self.spn)
+					
+					self.from_ccache = True
+				except:
+					tgt = await self.kc.get_TGT(override_etype = self.preferred_etypes)
+					tgs, encpart, self.session_key = await self.kc.get_TGS(self.spn)#, override_etype = self.preferred_etypes)
 
 				#self.expected_server_seq_number = encpart.get('nonce', seq_number)
 				
 				ap_opts = []
 				if ChecksumFlags.GSS_C_MUTUAL_FLAG in self.flags or ChecksumFlags.GSS_C_DCE_STYLE in self.flags:
 					if ChecksumFlags.GSS_C_MUTUAL_FLAG in self.flags:
 						ap_opts.append('mutual-required')
-					apreq = self.kc.construct_apreq(tgs, encpart, self.session_key, flags = self.flags, seq_number = self.seq_number, ap_opts=ap_opts, cb_data = cb_data)
+					if self.from_ccache is False:
+						apreq = self.kc.construct_apreq(tgs, encpart, self.session_key, flags = self.flags, seq_number = self.seq_number, ap_opts=ap_opts, cb_data = cb_data)
+					else:
+						apreq = self.kc.construct_apreq_from_ticket(Ticket(tgs['ticket']).dump(), self.session_key, tgs['crealm'], tgs['cname']['name-string'][0], flags = self.flags, seq_number = self.seq_number, ap_opts = ap_opts, cb_data = cb_data)
 					return apreq, True, None
 				
 				else:
 					#no mutual or dce auth will take one step only
-					apreq = self.kc.construct_apreq(tgs, encpart, self.session_key, flags = self.flags, seq_number = self.seq_number, ap_opts=[], cb_data = cb_data)
+					if self.from_ccache is False:
+						apreq = self.kc.construct_apreq(tgs, encpart, self.session_key, flags = self.flags, seq_number = self.seq_number, ap_opts=[], cb_data = cb_data)
+					else:
+						apreq = self.kc.construct_apreq_from_ticket(Ticket(tgs['ticket']).dump(), self.session_key, tgs['crealm'], tgs['cname']['name-string'][0], flags = self.flags, seq_number = self.seq_number, ap_opts = ap_opts, cb_data = cb_data)
+					
+					
 					self.gssapi = get_gssapi(self.session_key)
 					return apreq, False, None
 
 			else:
 				self.iterations += 1
-				#raise Exception('Not implemented!')
 				if ChecksumFlags.GSS_C_DCE_STYLE in self.flags:
 					# adata = authData[16:]
 					# if ChecksumFlags.GSS_C_DCE_STYLE in self.flags:
diff --git a/msldap/commons/authbuilder.py b/msldap/commons/authbuilder.py
@@ -225,7 +225,8 @@ def build(self):
 				LDAPAuthProtocol.KERBEROS_AES,
 				LDAPAuthProtocol.KERBEROS_PASSWORD, 
 				LDAPAuthProtocol.KERBEROS_CCACHE, 
-				LDAPAuthProtocol.KERBEROS_KEYTAB]:
+				LDAPAuthProtocol.KERBEROS_KEYTAB,
+				LDAPAuthProtocol.KERBEROS_KIRBI]:
 			
 			if self.target is None:
 				raise Exception('Target must be specified with Kerberos!')
@@ -237,9 +238,16 @@ def build(self):
 				raise Exception('target must have a dc_ip for kerberos!')
 			
 			kcred = MSLDAPKerberosCredential()
-			kc = KerberosCredential()
-			kc.username = self.creds.username
-			kc.domain = self.creds.domain
+			if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KIRBI:
+				kc = KerberosCredential.from_kirbi(self.creds.password, self.creds.username, self.creds.domain)
+			elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
+				kc = KerberosCredential.from_ccache_file(self.creds.password, self.creds.username, self.creds.domain)
+			elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
+				kc = KerberosCredential.from_kirbi(self.creds.password, self.creds.username, self.creds.domain)
+			else:
+				kc = KerberosCredential()
+				kc.username = self.creds.username
+				kc.domain = self.creds.domain
 			kcred.enctypes = []
 			if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PASSWORD:
 				kc.password = self.creds.password
@@ -262,10 +270,12 @@ def build(self):
 			
 			elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
 				kc.ccache = self.creds.password
-				kcred.enctypes = [23,17,18]
+				kcred.enctypes = [23,17,18] # TODO: fix this
 			elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
 				kc.keytab = self.creds.password
-				kcred.enctypes = [23,17,18]
+				kcred.enctypes = [23,17,18] # TODO: fix this
+			elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KIRBI:
+				kcred.enctypes = [23,17,18] # TODO: fix this
 			else:
 				raise Exception('No suitable secret type found to set up kerberos!')
 
diff --git a/msldap/commons/credential.py b/msldap/commons/credential.py
@@ -29,12 +29,13 @@ class LDAPAuthProtocol(enum.Enum):
 	SICILY = 'SICILY' #NTLM (old proprietary from MS)
 	NTLM_PASSWORD = 'NTLM_PASSWORD' #actually SASL-GSSAPI-SPNEGO-NTLM
 	NTLM_NT = 'NTLM_NT' #actually SASL-GSSAPI-SPNEGO-NTLM
-	KERBEROS_RC4 = 'KERBEROS_RC4' #actually SASL-GSSAPI-SPNEGO-KERBEROS
-	KERBEROS_NT = 'KERBEROS_NT' #actually SASL-GSSAPI-SPNEGO-KERBEROS
-	KERBEROS_AES = 'KERBEROS_AES' #actually SASL-GSSAPI-SPNEGO-KERBEROS
-	KERBEROS_PASSWORD = 'KERBEROS_PASSWORD' #actually SASL-GSSAPI-SPNEGO-KERBEROS
-	KERBEROS_CCACHE = 'KERBEROS_CCACHE' #actually SASL-GSSAPI-SPNEGO-KERBEROS
-	KERBEROS_KEYTAB = 'KERBEROS_KEYTAB' #actually SASL-GSSAPI-SPNEGO-KERBEROS
+	KERBEROS_RC4 = 'KERBEROS_RC4' 
+	KERBEROS_NT = 'KERBEROS_NT' 
+	KERBEROS_AES = 'KERBEROS_AES' 
+	KERBEROS_PASSWORD = 'KERBEROS_PASSWORD' 
+	KERBEROS_CCACHE = 'KERBEROS_CCACHE' 
+	KERBEROS_KEYTAB = 'KERBEROS_KEYTAB'
+	KERBEROS_KIRBI = 'KERBEROS_KIRBI' 
 	MULTIPLEXOR_KERBEROS = 'MULTIPLEXOR_KERBEROS'
 	MULTIPLEXOR_NTLM = 'MULTIPLEXOR_NTLM'
 	MULTIPLEXOR_SSL_KERBEROS = 'MULTIPLEXOR_SSL_KERBEROS'
@@ -55,6 +56,7 @@ class LDAPAuthProtocol(enum.Enum):
 		LDAPAuthProtocol.KERBEROS_PASSWORD ,
 		LDAPAuthProtocol.KERBEROS_CCACHE ,
 		LDAPAuthProtocol.KERBEROS_KEYTAB ,
+		LDAPAuthProtocol.KERBEROS_KIRBI ,
 		LDAPAuthProtocol.SSPI_NTLM ,
 		LDAPAuthProtocol.SSPI_KERBEROS,
 		LDAPAuthProtocol.MULTIPLEXOR_KERBEROS,
@@ -74,6 +76,7 @@ class LDAPAuthProtocol(enum.Enum):
 	LDAPAuthProtocol.KERBEROS_PASSWORD ,
 	LDAPAuthProtocol.KERBEROS_CCACHE ,
 	LDAPAuthProtocol.KERBEROS_KEYTAB ,
+	LDAPAuthProtocol.KERBEROS_KIRBI ,
 ]
 
 class MSLDAPCredential:
