Provide Structured SerializedData in PacCredentialInfo #317
Comments
I tried to decrypt this blob but I'm not sure how I can handle the decrypted data:
The decrypted data is not something I can further process; it's not Type Serialization Version 1 or 2 according to [MS-RPCE]. Not sure what type of data it is.
This decrypted data is version 1 serialization that can be used. |
What is this value?
Is this the decrypted form of
And then everything else afterward is the structure. You can use |
Yes, but what I meant is that |
```csharp
// Decrypt the ticket's encrypted part with the U2U session key.
KrbEncTicketPart ticketDecrypted = tgsRep.Ticket.EncryptedPart.Decrypt(
    KerberosRun.U2USessionKey.AsKey(),
    KeyUsage.Ticket,
    (ReadOnlyMemory<byte> t) => KrbEncTicketPart.DecodeApplication(t));

var pac = Helper.GetPAC(ticketDecrypted);

// Dump the marshalled PacCredentialInfo and its still-encrypted SerializedData.
Console.WriteLine("[-] PacCredentialInfo Data:");
Console.WriteLine(" Data: {0}", (BitConverter.ToString(pac.CredentialType.Marshal().ToArray())).Replace("-", ""));
Console.WriteLine(" Length: {0}", pac.CredentialType.Marshal().ToArray().Length);

var credSerialData = pac.CredentialType.SerializedData.ToArray();
Console.WriteLine("[-] SerializedData Data:");
Console.WriteLine(" Data: {0}", (BitConverter.ToString(credSerialData)).Replace("-", ""));
Console.WriteLine(" Length: {0}", credSerialData.Length);

var key = Utils.ByteArrayToStringCrypto(sessionKey.KeyValue.ToArray());
Console.WriteLine("[-] KeyEncType: {0}", sessionKey.EType);
Console.WriteLine("[-] Key: {0}", key);

// Decrypt SerializedData with key usage 16.
var plainCredData = Helper.KerberosDecrypt(sessionKey.EType, 16, Utils.StringToByteArrayCrypto(key), credSerialData);
Console.WriteLine("[-] Decrypted: {0}", (BitConverter.ToString(plainCredData)).Replace("-", ""));

// The first byte of the decrypted buffer is read as the serialization version.
BinaryReader reader = new BinaryReader(new MemoryStream(plainCredData));
Console.WriteLine("[-] SerialType Version: {0}", reader.ReadByte());
```
I should get SerialType Version 1 (or 2) |
I see now. How are you getting `sessionKey`? |
From AS reply. Decrypt the ticket enc part and get the key
> From: Steve Syfuhs
> Sent: Tuesday, September 20, 2022 1:11:54 AM
> To: dotnet/Kerberos.NET
> Cc: dev2null; Author
> Subject: Re: [dotnet/Kerberos.NET] Provide Structured SerializedData in PacCredentialInfo (Issue #317)
>
> I see now. How are you getting sessionKey?
|
That's not the correct key. It's the DH session key. The point is to bind the NTLM key in such a way that it shows possession of the certificate's private key. You can only do that with the DH session key. |
Yeah, I always make mistakes... I thought ASREP key is asRep.Key... Now it works perfectly |
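The check this exchange turns on, whether a decrypted `SerializedData` buffer begins with a Type Serialization Version 1 header, written out as an added example; it is not part of the original thread or of Kerberos.NET. The class name and both byte arrays are constructed for illustration, and the field layout assumed is the [MS-RPCE] common type header followed by the private header.

```csharp
using System;
using System.Buffers.Binary;

// Added example (not Kerberos.NET code): checks the [MS-RPCE] Type Serialization
// Version 1 headers at the start of a decrypted SerializedData buffer.
public static class TypeSerializationV1Check
{
    private const int HeadersSize = 16; // 8-byte common header + 8-byte private header

    // Returns null when the headers are well-formed, otherwise the reason they are not.
    public static string Validate(ReadOnlySpan<byte> data)
    {
        if (data.Length < HeadersSize)
            return $"only {data.Length} bytes, need {HeadersSize} for the headers";
        if (data[0] != 0x01)
            return $"Version is 0x{data[0]:X2}, expected 0x01";
        if (data[1] != 0x10)
            return $"Endianness is 0x{data[1]:X2}, expected 0x10 (little-endian)";

        ushort commonLength = BinaryPrimitives.ReadUInt16LittleEndian(data.Slice(2, 2));
        if (commonLength != 8)
            return $"CommonHeaderLength is {commonLength}, expected 8";

        // The marshaller writes 0xCCCCCCCC here; used only as a sanity signal.
        uint filler = BinaryPrimitives.ReadUInt32LittleEndian(data.Slice(4, 4));
        if (filler != 0xCCCCCCCC)
            return $"Filler is 0x{filler:X8}, expected 0xCCCCCCCC";

        // Private header: ObjectBufferLength excludes both headers.
        uint bodyLength = BinaryPrimitives.ReadUInt32LittleEndian(data.Slice(8, 4));
        if (bodyLength > (uint)(data.Length - HeadersSize))
            return $"ObjectBufferLength {bodyLength} exceeds the {data.Length - HeadersSize} bytes present";
        return null;
    }

    public static void Main()
    {
        // Constructed sample: valid headers followed by an 8-byte zeroed body.
        byte[] good = { 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC,
                        0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                        0, 0, 0, 0, 0, 0, 0, 0 };
        // Constructed sample: arbitrary bytes standing in for a wrong-key decryption.
        byte[] garbage = { 0x7A, 0x3F, 0x91, 0x04, 0xE2, 0x5B, 0x10, 0xC8,
                           0x44, 0x0D, 0x96, 0x2E, 0xB7, 0x61, 0x03, 0xFA };

        Console.WriteLine(Validate(good) ?? "headers OK");
        Console.WriteLine(Validate(garbage) ?? "headers OK");
    }
}
```

Running the header check before handing the buffer to an NDR unmarshaller turns a wrong-key decryption into a named field mismatch instead of an opaque parse failure.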
Maybe as a reference for this feature request (decrypted

```csharp
public class PacCredentialData : INdrStruct
{
    public void Marshal(NdrBuffer buffer)
    {
        if (buffer == null)
        {
            throw new ArgumentNullException(nameof(buffer));
        }

        buffer.WriteInt32LittleEndian(this.CredentialCount);
        //Not sure about this
        buffer.WriteDeferredStructArray(this.SuppCredential);
    }

    public void Unmarshal(NdrBuffer buffer)
    {
        if (buffer == null)
        {
            throw new ArgumentNullException(nameof(buffer));
        }

        this.CredentialCount = buffer.ReadInt32LittleEndian();
        this.SuppCredential = buffer.ReadConformantArray<SupplementalCredential>(this.CredentialCount, new Func<SupplementalCredential>(buffer.ReadStruct<SupplementalCredential>));
    }

    public PacCredentialData(ReadOnlyMemory<byte> bytes)
    {
        using (var buffer = new NdrBuffer(bytes))
        {
            buffer.UnmarshalObject(this);
        }
    }

    [KerberosIgnore]
    public int CredentialCount { get; set; }

    public IEnumerable<SupplementalCredential> SuppCredential { get; set; }

    public PacCredentialData(int CredentialCount, SupplementalCredential[] Credentials)
    {
        this.CredentialCount = CredentialCount;
        this.SuppCredential = Credentials;
    }
}

public class SupplementalCredential : INdrStruct
{
    public SupplementalCredential() { }

    public void Marshal(NdrBuffer buffer)
    {
        if (buffer == null)
        {
            throw new ArgumentNullException(nameof(buffer));
        }

        buffer.WriteStruct<RpcString>(this.PackageName);
        buffer.WriteInt32LittleEndian(this.CredentialSize);
        buffer.WriteDeferredConformantArray<sbyte>(this.Credentials.ToArray());
    }

    public void Unmarshal(NdrBuffer buffer)
    {
        if (buffer == null)
        {
            throw new ArgumentNullException(nameof(buffer));
        }

        this.PackageName = buffer.ReadStruct<RpcString>();
        this.CredentialSize = buffer.ReadInt32LittleEndian();
        buffer.ReadDeferredConformantArray<sbyte>(this.CredentialSize, v => this.Credentials = v);
    }

    [KerberosIgnore]
    public RpcString PackageName { get; set; }

    public int CredentialSize { get; set; }

    public ReadOnlyMemory<sbyte> Credentials;

    public SupplementalCredential(RpcString PackageName, int CredentialSize, sbyte[] Credentials)
    {
        this.PackageName = PackageName;
        this.CredentialSize = CredentialSize;
        this.Credentials = Credentials;
    }
}
```
|
Hi, it would be nice to provide a solution to deal with the `SerializedData` in PAC's `CredentialType` (`PacCredentialInfo` structure).

This could be quite useful for WHfB/smartcard users to obtain their NTLM hash in that encrypted `NTLM_SUPPLEMENTAL_CREDENTIAL` blob after the User-to-User authentication, in order to perform NTLM authentication to access some dedicated resources.

At least the `SerializedData` should be further structured as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/2f9cae55-350a-423e-a692-1d16659e544a