
1# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved. 

2# 

3# This software is provided under under a slightly modified version 

4# of the Apache Software License. See the accompanying LICENSE file 

5# for more information. 

6# 

7# Author: Alberto Solino (@agsolino) 

8# 

9# Description: 

10# [MS-PAC] Implementation 

11# 

12from impacket.dcerpc.v5.dtypes import ULONG, RPC_UNICODE_STRING, FILETIME, PRPC_SID, USHORT 

13from impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantArray, NDRPOINTER 

14from impacket.dcerpc.v5.nrpc import USER_SESSION_KEY, CHAR_FIXED_8_ARRAY, PUCHAR_ARRAY, PRPC_UNICODE_STRING_ARRAY 

15from impacket.dcerpc.v5.rpcrt import TypeSerialization1 

16from impacket.structure import Structure 

17 

18################################################################################ 

19# CONSTANTS 

20################################################################################ 

21# From https://msdn.microsoft.com/library/aa302203#msdn_pac_credentials 

22# and http://diswww.mit.edu/menelaus.mit.edu/cvs-krb5/25862 

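# PAC buffer types (the ulType field of PAC_INFO_BUFFER, MS-PAC 2.4).  The value
# selects which of the structures below the buffer's bytes decode as.
PAC_LOGON_INFO = 1          # 0x01: KERB_VALIDATION_INFO (NDR, via VALIDATION_INFO)
PAC_CREDENTIALS_INFO = 2    # 0x02: PAC_CREDENTIAL_INFO
PAC_SERVER_CHECKSUM = 6     # 0x06: PAC_SIGNATURE_DATA, per MS-PAC keyed with the service's key
PAC_PRIVSVR_CHECKSUM = 7    # 0x07: PAC_SIGNATURE_DATA, per MS-PAC keyed with the KDC (krbtgt) key
PAC_CLIENT_INFO_TYPE = 10   # 0x0A: PAC_CLIENT_INFO
PAC_DELEGATION_INFO = 11    # 0x0B: S4U_DELEGATION_INFO
PAC_UPN_DNS_INFO = 12       # 0x0C: UPN_DNS_INFO
# Later MS-PAC 2.4 additions.  0x0D-0x0F (client claims, device info, device
# claims) are deliberately not defined as constants here because those names
# are already taken by the structure classes further down in this module.
PAC_TICKET_CHECKSUM = 16    # 0x10: PAC_SIGNATURE_DATA over the ticket (ticket signature)
PAC_ATTRIBUTES_INFO = 17    # 0x11: PAC attributes
PAC_REQUESTOR = 18          # 0x12: PAC requestor SID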

30 

31################################################################################ 

32# STRUCTURES 

33################################################################################ 

34 

# MS-PAC spells "pointer to SID" as PISID; it is the same NDR pointer type as PRPC_SID.
PISID = PRPC_SID

36 

37# 2.2.1 KERB_SID_AND_ATTRIBUTES 

class KERB_SID_AND_ATTRIBUTES(NDRSTRUCT):
    """MS-PAC 2.2.1 KERB_SID_AND_ATTRIBUTES: one SID plus its group attribute flags.

    Element type of the ExtraSids arrays in KERB_VALIDATION_INFO and PAC_DEVICE_INFO.
    """
    structure = (
        ('Sid', PISID),          # NDR pointer to the RPC_SID
        ('Attributes', ULONG),   # group attribute bit flags (SE_GROUP_* per MS-PAC; not decoded here)
    )

43 

class KERB_SID_AND_ATTRIBUTES_ARRAY(NDRUniConformantArray):
    """NDR conformant array of KERB_SID_AND_ATTRIBUTES (the ExtraSids element type)."""
    item = KERB_SID_AND_ATTRIBUTES

46 

class PKERB_SID_AND_ATTRIBUTES_ARRAY(NDRPOINTER):
    """NDR pointer to KERB_SID_AND_ATTRIBUTES_ARRAY; used for the ExtraSids fields."""
    referent = (
        ('Data', KERB_SID_AND_ATTRIBUTES_ARRAY),
    )

51 

52# 2.2.2 GROUP_MEMBERSHIP 

53from impacket.dcerpc.v5.nrpc import PGROUP_MEMBERSHIP_ARRAY 

54 

55# 2.2.3 DOMAIN_GROUP_MEMBERSHIP 

class DOMAIN_GROUP_MEMBERSHIP(NDRSTRUCT):
    """MS-PAC 2.2.3 DOMAIN_GROUP_MEMBERSHIP: a domain SID and the group RIDs held in it.

    Unlike KERB_SID_AND_ATTRIBUTES this carries a whole list of groups scoped to
    one domain; it is the element type used by PAC_DEVICE_INFO['DomainGroup'].
    """
    structure = (
        ('DomainId', PISID),                      # NDR pointer to the domain SID the RIDs are relative to
        ('GroupCount', ULONG),                    # number of entries in GroupIds
        ('GroupIds', PGROUP_MEMBERSHIP_ARRAY),    # pointer to GROUP_MEMBERSHIP (RID + attributes) entries
    )

62 

class DOMAIN_GROUP_MEMBERSHIP_ARRAY(NDRUniConformantArray):
    """NDR conformant array of DOMAIN_GROUP_MEMBERSHIP (MS-PAC 2.2.3)."""
    item = DOMAIN_GROUP_MEMBERSHIP

65 

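class PDOMAIN_GROUP_MEMBERSHIP_ARRAY(NDRPOINTER):
    """NDR pointer to DOMAIN_GROUP_MEMBERSHIP_ARRAY (MS-PAC 2.2.3).

    This is the type of PAC_DEVICE_INFO['DomainGroup'].
    """
    referent = (
        # Must be DOMAIN_GROUP_MEMBERSHIP_ARRAY, not KERB_SID_AND_ATTRIBUTES_ARRAY:
        # the two element types have different layouts (DomainId/GroupCount/GroupIds
        # vs Sid/Attributes), so pointing at the ExtraSids array type would mis-parse
        # the DomainGroup entries of PAC_DEVICE_INFO.
        ('Data', DOMAIN_GROUP_MEMBERSHIP_ARRAY),
    )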

70 

71# 2.3 PACTYPE 

class PACTYPE(Structure):
    """MS-PAC 2.3 PACTYPE: the top-level PAC header.

    Plain little-endian layout (not NDR).  'Buffers' is whatever follows the two
    header fields: per MS-PAC that is cBuffers PAC_INFO_BUFFER descriptors and then
    the buffer bodies they point at; this class does not split them, the caller
    walks 'Buffers' with PAC_INFO_BUFFER.
    """
    structure = (
        ('cBuffers', '<L=0'),   # number of PAC_INFO_BUFFER entries that follow
        ('Version', '<L=0'),    # PAC version, 0 per MS-PAC
        ('Buffers', ':'),       # remaining bytes: descriptors + buffer data
    )

78 

79# 2.4 PAC_INFO_BUFFER 

class PAC_INFO_BUFFER(Structure):
    """MS-PAC 2.4 PAC_INFO_BUFFER: descriptor of one buffer inside a PACTYPE.

    NOTE(review): per MS-PAC, Offset is relative to the start of the PACTYPE.  This
    class only parses the descriptor; code that slices the PAC with Offset and
    cbBufferSize has to bounds-check both against the PAC length itself, since a
    malformed or hostile PAC can carry values past the end of the blob.
    """
    structure = (
        ('ulType', '<L=0'),          # buffer type, one of the PAC_* constants above
        ('cbBufferSize', '<L=0'),    # size of the buffer body in bytes
        ('Offset', '<Q=0'),          # 64-bit offset of the buffer body
    )

86 

87# 2.5 KERB_VALIDATION_INFO 

class KERB_VALIDATION_INFO(NDRSTRUCT):
    """MS-PAC 2.5 KERB_VALIDATION_INFO: the logon data carried in the PAC_LOGON_INFO buffer.

    This is the identity and group membership a service uses for authorization,
    so it should only be trusted after the PAC_SERVER_CHECKSUM (and, where the
    consumer is in a position to, PAC_PRIVSVR_CHECKSUM) signatures verify; this
    class is the NDR layout only and performs no checks.  For detection of
    tampered tickets the membership fields (GroupIds, ExtraSids,
    ResourceGroupIds) are the ones to compare against the directory.
    """
    structure = (
        ('LogonTime', FILETIME),
        ('LogoffTime', FILETIME),
        ('KickOffTime', FILETIME),
        ('PasswordLastSet', FILETIME),
        ('PasswordCanChange', FILETIME),
        ('PasswordMustChange', FILETIME),
        ('EffectiveName', RPC_UNICODE_STRING),        # account name (sAMAccountName per MS-PAC)
        ('FullName', RPC_UNICODE_STRING),
        ('LogonScript', RPC_UNICODE_STRING),
        ('ProfilePath', RPC_UNICODE_STRING),
        ('HomeDirectory', RPC_UNICODE_STRING),
        ('HomeDirectoryDrive', RPC_UNICODE_STRING),
        ('LogonCount', USHORT),
        ('BadPasswordCount', USHORT),
        ('UserId', ULONG),                            # RID of the user, relative to LogonDomainId
        ('PrimaryGroupId', ULONG),                    # RID of the primary group, relative to LogonDomainId
        ('GroupCount', ULONG),                        # number of GroupIds entries
        ('GroupIds', PGROUP_MEMBERSHIP_ARRAY),        # account-domain groups as RID + attributes
        ('UserFlags', ULONG),                         # bit flags; per MS-PAC they announce e.g. ExtraSids / resource groups
        ('UserSessionKey', USER_SESSION_KEY),         # 16 bytes; per MS-PAC zeroed when carried in a PAC
        ('LogonServer', RPC_UNICODE_STRING),
        ('LogonDomainName', RPC_UNICODE_STRING),
        ('LogonDomainId', PRPC_SID),                  # pointer to the account domain SID

        # Also called Reserved1
        ('LMKey', CHAR_FIXED_8_ARRAY),                # 8 bytes; per MS-PAC reserved and zero

        ('UserAccountControl', ULONG),                # account control flags (USER_* bits per MS-PAC)
        ('SubAuthStatus', ULONG),
        ('LastSuccessfulILogon', FILETIME),
        ('LastFailedILogon', FILETIME),
        ('FailedILogonCount', ULONG),
        ('Reserved3', ULONG),

        ('SidCount', ULONG),                          # number of ExtraSids entries
        #('ExtraSids', PNETLOGON_SID_AND_ATTRIBUTES_ARRAY),
        # MS-PAC names the element type KERB_SID_AND_ATTRIBUTES; the commented-out
        # alias above is the NRPC spelling kept for reference.
        ('ExtraSids', PKERB_SID_AND_ATTRIBUTES_ARRAY),   # full SIDs outside the account domain
        ('ResourceGroupDomainSid', PISID),            # domain the resource-group RIDs are relative to
        ('ResourceGroupCount', ULONG),                # number of ResourceGroupIds entries
        ('ResourceGroupIds', PGROUP_MEMBERSHIP_ARRAY),   # resource (server-side) domain local groups
    )

131 

class PKERB_VALIDATION_INFO(NDRPOINTER):
    """NDR pointer to KERB_VALIDATION_INFO; the referent carried by VALIDATION_INFO."""
    referent = (
        ('Data', KERB_VALIDATION_INFO),
    )

136 

137# 2.6.1 PAC_CREDENTIAL_INFO 

class PAC_CREDENTIAL_INFO(Structure):
    """MS-PAC 2.6.1 PAC_CREDENTIAL_INFO: the PAC_CREDENTIALS_INFO buffer.

    Plain little-endian header followed by an opaque blob.  Per MS-PAC the blob is
    PAC_CREDENTIAL_DATA encrypted with the client's AS reply key using the Kerberos
    encryption type in EncryptionType; this class does not decrypt it.
    """
    structure = (
        ('Version', '<L=0'),          # 0 per MS-PAC
        ('EncryptionType', '<L=0'),   # Kerberos etype of SerializedData
        ('SerializedData', ':'),      # encrypted, NDR-serialized PAC_CREDENTIAL_DATA (remaining bytes)
    )

144 

145# 2.6.3 SECPKG_SUPPLEMENTAL_CRED 

class SECPKG_SUPPLEMENTAL_CRED(NDRSTRUCT):
    """MS-PAC 2.6.3 SECPKG_SUPPLEMENTAL_CRED: one security package's credential blob.

    Credentials is opaque at this level; for PackageName "NTLM" it decodes as
    NTLM_SUPPLEMENTAL_CREDENTIAL per MS-PAC.
    """
    structure = (
        ('PackageName', RPC_UNICODE_STRING),   # name of the package the blob is for
        ('CredentialSize', ULONG),             # length of Credentials in bytes
        ('Credentials', PUCHAR_ARRAY),         # pointer to the raw credential bytes
    )

152 

class SECPKG_SUPPLEMENTAL_CRED_ARRAY(NDRUniConformantArray):
    """NDR conformant array of SECPKG_SUPPLEMENTAL_CRED."""
    item = SECPKG_SUPPLEMENTAL_CRED

155 

156# 2.6.2 PAC_CREDENTIAL_DATA 

class PAC_CREDENTIAL_DATA(NDRSTRUCT):
    """MS-PAC 2.6.2 PAC_CREDENTIAL_DATA: the decrypted payload of PAC_CREDENTIAL_INFO.

    Note the array is embedded inline here (not behind an NDR pointer), which
    matches the IDL in MS-PAC.
    """
    structure = (
        ('CredentialCount', ULONG),                        # number of Credentials entries
        ('Credentials', SECPKG_SUPPLEMENTAL_CRED_ARRAY),   # one entry per security package
    )

162 

163# 2.6.4 NTLM_SUPPLEMENTAL_CREDENTIAL 

class NTLM_SUPPLEMENTAL_CREDENTIAL(NDRSTRUCT):
    """MS-PAC 2.6.4 NTLM_SUPPLEMENTAL_CREDENTIAL: the NTLM package credential blob.

    LmPassword and NtPassword are the 16-byte LM and NT hashes; per MS-PAC the
    Flags bits say which of the two is actually present.  Treat instances as
    secret material (they are password-equivalent) when logging or persisting.
    """
    structure = (
        ('Version', ULONG),          # 0 per MS-PAC
        ('Flags', ULONG),            # which hashes are populated
        ('LmPassword', '16s=b""'),   # 16 raw bytes, default empty
        ('NtPassword', '16s=b""'),   # 16 raw bytes, default empty
    )

171 

172# 2.7 PAC_CLIENT_INFO 

class PAC_CLIENT_INFO(Structure):
    """MS-PAC 2.7 PAC_CLIENT_INFO: the PAC_CLIENT_INFO_TYPE buffer.

    Plain little-endian layout.  The '_-Name' entry makes Name exactly NameLength
    bytes long instead of consuming the rest of the buffer; per MS-PAC that is the
    byte length of a UTF-16LE client name.
    """
    structure = (
        ('ClientId', '<Q=0'),                          # FILETIME of the client's authentication, as a 64-bit int
        ('NameLength', '<H=0'),                        # length of Name in bytes
        ('_Name', '_-Name', 'self["NameLength"]'),     # length rule for Name
        ('Name', ':'),                                 # raw name bytes (not decoded here)
    )

180 

181# 2.8 PAC_SIGNATURE_DATA 

class PAC_SIGNATURE_DATA(Structure):
    """MS-PAC 2.8 PAC_SIGNATURE_DATA: body of the PAC_SERVER_CHECKSUM and
    PAC_PRIVSVR_CHECKSUM buffers (and, per MS-PAC, the ticket signature buffer).

    SignatureType is the Kerberos checksum type as a signed 32-bit value (the
    HMAC-MD5 type is negative).  Signature is everything after it; MS-PAC also
    allows an optional trailing RODCIdentifier, which this class does not split
    off.  Verifying these signatures is what separates a KDC-issued PAC from a
    locally constructed one, so consumers should check them before trusting
    KERB_VALIDATION_INFO.
    """
    structure = (
        ('SignatureType', '<l=0'),   # Kerberos checksum type, signed
        ('Signature', ':'),          # checksum bytes (remaining buffer)
    )

187 

188# 2.9 Constrained Delegation Information - S4U_DELEGATION_INFO 

class S4U_DELEGATION_INFO(NDRSTRUCT):
    """MS-PAC 2.9 S4U_DELEGATION_INFO: the PAC_DELEGATION_INFO buffer.

    Records the constrained-delegation chain: the final target service plus the
    list of services the request transited through, which is useful audit data
    when reviewing delegated (S4U2proxy) access.
    """
    structure = (
        ('S4U2proxyTarget', RPC_UNICODE_STRING),              # SPN of the service the ticket is for
        ('TransitedListSize', ULONG),                         # number of S4UTransitedServices entries
        ('S4UTransitedServices', PRPC_UNICODE_STRING_ARRAY),  # pointer to the transited SPN list
    )

195 

196# 2.10 UPN_DNS_INFO 

class UPN_DNS_INFO(Structure):
    """MS-PAC 2.10 UPN_DNS_INFO: fixed header of the PAC_UPN_DNS_INFO buffer.

    Only the length/offset header is modelled; there is no trailing ':' field, so
    the UPN and DNS domain name strings are not captured by this class.  Per
    MS-PAC the offsets are relative to the start of this buffer, so callers read
    the strings out of the raw buffer bytes themselves.
    """
    structure = (
        ('UpnLength', '<H=0'),             # byte length of the UPN string
        ('UpnOffset', '<H=0'),             # offset of the UPN string within the buffer
        ('DnsDomainNameLength', '<H=0'),   # byte length of the DNS domain name
        ('DnsDomainNameOffset', '<H=0'),   # offset of the DNS domain name within the buffer
        ('Flags', '<L=0'),                 # bit flags (e.g. per MS-PAC, whether the UPN was constructed)
    )

205 

206# 2.11 PAC_CLIENT_CLAIMS_INFO 

class PAC_CLIENT_CLAIMS_INFO(Structure):
    """MS-PAC 2.11 PAC_CLIENT_CLAIMS_INFO: opaque client claims buffer.

    Claims is the whole buffer; per MS-PAC it is a CLAIMS_SET_METADATA blob,
    which this module does not decode.
    """
    structure = (
        ('Claims', ':'),   # remaining bytes, undecoded
    )

211 

212# 2.12 PAC_DEVICE_INFO 

class PAC_DEVICE_INFO(NDRSTRUCT):
    """MS-PAC 2.12 PAC_DEVICE_INFO: identity and group membership of the client device.

    Same shape of data as KERB_VALIDATION_INFO but for the device account; the
    DomainGroup field carries groups from other domains as DOMAIN_GROUP_MEMBERSHIP
    entries rather than as individual SIDs.
    """
    structure = (
        ('UserId', ULONG),                                    # RID of the device account
        ('PrimaryGroupId', ULONG),                            # RID of its primary group
        ('AccountDomainId', PISID),                           # pointer to the account domain SID
        ('AccountGroupCount', ULONG),                         # number of AccountGroupIds entries
        ('AccountGroupIds', PGROUP_MEMBERSHIP_ARRAY),         # account-domain groups as RID + attributes
        ('SidCount', ULONG),                                  # number of ExtraSids entries
        ('ExtraSids', PKERB_SID_AND_ATTRIBUTES_ARRAY),        # full SIDs outside the account domain
        ('DomainGroupCount', ULONG),                          # number of DomainGroup entries
        ('DomainGroup', PDOMAIN_GROUP_MEMBERSHIP_ARRAY),      # per-domain group lists
    )

225 

226# 2.13 PAC_DEVICE_CLAIMS_INFO 

class PAC_DEVICE_CLAIMS_INFO(Structure):
    """MS-PAC 2.13 PAC_DEVICE_CLAIMS_INFO: opaque device claims buffer.

    Same treatment as PAC_CLIENT_CLAIMS_INFO: the blob is kept undecoded.
    """
    structure = (
        ('Claims', ':'),   # remaining bytes, undecoded
    )

231 

class VALIDATION_INFO(TypeSerialization1):
    """Decoder for the PAC_LOGON_INFO buffer.

    TypeSerialization1 supplies the NDR type-serialization (version 1) common and
    private headers that precede the payload; Data is then the NDR pointer to
    KERB_VALIDATION_INFO.
    """
    structure = (
        ('Data', PKERB_VALIDATION_INFO),
    )