1# Impacket - Collection of Python classes for working with network protocols. 

2# 

3# SECUREAUTH LABS. Copyright (C) 2018 SecureAuth Corporation. All rights reserved. 

4# 

5# This software is provided under a slightly modified version 

6# of the Apache Software License. See the accompanying LICENSE file 

7# for more information. 

8# 

9# Description: 

10# [MS-PAC] Implementation 

11# 

12# Author: 

13# Alberto Solino (@agsolino) 

14# 

15from impacket.dcerpc.v5.dtypes import ULONG, RPC_UNICODE_STRING, FILETIME, PRPC_SID, USHORT 

16from impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantArray, NDRPOINTER 

17from impacket.dcerpc.v5.nrpc import USER_SESSION_KEY, CHAR_FIXED_8_ARRAY, PUCHAR_ARRAY, PRPC_UNICODE_STRING_ARRAY 

18from impacket.dcerpc.v5.rpcrt import TypeSerialization1 

19from impacket.structure import Structure 

20 

21################################################################################ 

22# CONSTANTS 

23################################################################################ 

24# From https://msdn.microsoft.com/library/aa302203#msdn_pac_credentials 

25# and http://diswww.mit.edu/menelaus.mit.edu/cvs-krb5/25862 

# ulType values carried in PAC_INFO_BUFFER; each one selects how the
# referenced buffer has to be decoded.
PAC_LOGON_INFO = 0x01        # KERB_VALIDATION_INFO (logon / group data)
PAC_CREDENTIALS_INFO = 0x02  # PAC_CREDENTIAL_INFO (supplemental credentials)
PAC_SERVER_CHECKSUM = 0x06   # PAC_SIGNATURE_DATA keyed with the service key
PAC_PRIVSVR_CHECKSUM = 0x07  # PAC_SIGNATURE_DATA keyed with the KDC key
PAC_CLIENT_INFO_TYPE = 0x0A  # PAC_CLIENT_INFO (client name and ticket time)
PAC_DELEGATION_INFO = 0x0B   # S4U_DELEGATION_INFO (constrained delegation)
PAC_UPN_DNS_INFO = 0x0C      # UPN_DNS_INFO

33 

34################################################################################ 

35# STRUCTURES 

36################################################################################ 

37 

# [MS-PAC] names its SID pointer type PISID; it is the same object as the
# RPC SID pointer imported from dtypes, so both names decode identically.
PISID = PRPC_SID

39 

40# 2.2.1 KERB_SID_AND_ATTRIBUTES 

class KERB_SID_AND_ATTRIBUTES(NDRSTRUCT):
    """One SID (by pointer) paired with its attribute flags.

    Used for the ExtraSids members below. The SID is authorization data:
    consumers should only act on it after the PAC signatures have been
    checked, which this module does not do.
    """

    structure = (
        ('Sid', PISID),
        ('Attributes', ULONG),
    )

46 

class KERB_SID_AND_ATTRIBUTES_ARRAY(NDRUniConformantArray):
    """Conformant array whose elements are KERB_SID_AND_ATTRIBUTES."""

    # The element count comes from the NDR stream, i.e. from the sender.
    item = KERB_SID_AND_ATTRIBUTES

49 

class PKERB_SID_AND_ATTRIBUTES_ARRAY(NDRPOINTER):
    """NDR pointer whose referent is a KERB_SID_AND_ATTRIBUTES_ARRAY."""

    referent = (
        ('Data', KERB_SID_AND_ATTRIBUTES_ARRAY),
    )

54 

55# 2.2.2 GROUP_MEMBERSHIP 

56from impacket.dcerpc.v5.nrpc import PGROUP_MEMBERSHIP_ARRAY 

57 

58# 2.2.3 DOMAIN_GROUP_MEMBERSHIP 

class DOMAIN_GROUP_MEMBERSHIP(NDRSTRUCT):
    """Group memberships of a principal inside one domain.

    DomainId identifies the domain; GroupIds points at the membership
    entries. GroupCount is transmitted separately from the array, so a
    consumer should not assume the two agree without checking.
    """

    structure = (
        ('DomainId', PISID),
        ('GroupCount', ULONG),
        ('GroupIds', PGROUP_MEMBERSHIP_ARRAY),
    )

65 

class DOMAIN_GROUP_MEMBERSHIP_ARRAY(NDRUniConformantArray):
    """Conformant array whose elements are DOMAIN_GROUP_MEMBERSHIP."""

    item = DOMAIN_GROUP_MEMBERSHIP

68 

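class PDOMAIN_GROUP_MEMBERSHIP_ARRAY(NDRPOINTER):
    """NDR pointer whose referent is a DOMAIN_GROUP_MEMBERSHIP_ARRAY.

    This is the type of PAC_DEVICE_INFO's DomainGroup member. The referent
    previously named KERB_SID_AND_ATTRIBUTES_ARRAY, whose items are
    (Sid, Attributes) pairs; a DOMAIN_GROUP_MEMBERSHIP item is
    (DomainId, GroupCount, GroupIds), so device domain groups were decoded
    with the wrong element layout and DOMAIN_GROUP_MEMBERSHIP_ARRAY was
    never referenced. Mis-decoded group data is a correctness problem for
    anything that audits or displays device authorization data.
    """

    referent = (
        ('Data', DOMAIN_GROUP_MEMBERSHIP_ARRAY),
    )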

73 

74# 2.3 PACTYPE 

class PACTYPE(Structure):
    """Top-level PAC header: buffer count, version, then the raw remainder.

    Only the two little-endian 32-bit fields are decoded here; 'Buffers'
    takes everything that follows as opaque bytes. cBuffers is read from
    the wire, so code that walks the PAC_INFO_BUFFER entries should bound
    the loop by the bytes actually present rather than by cBuffers alone.
    """

    structure = (
        ('cBuffers', '<L=0'),
        ('Version', '<L=0'),
        ('Buffers', ':'),
    )

81 

82# 2.4 PAC_INFO_BUFFER 

class PAC_INFO_BUFFER(Structure):
    """Directory entry describing one buffer inside the PAC.

    ulType is one of the PAC_* constants, cbBufferSize the buffer length
    and Offset its position (64-bit, little-endian). Nothing in this class
    validates them: before slicing, a consumer should check that
    Offset + cbBufferSize lies inside the received PAC, because a Python
    slice past the end silently returns short data instead of raising.
    """

    structure = (
        ('ulType', '<L=0'),
        ('cbBufferSize', '<L=0'),
        ('Offset', '<Q=0'),
    )

89 

90# 2.5 KERB_VALIDATION_INFO 

class KERB_VALIDATION_INFO(NDRSTRUCT):
    """Logon information buffer (ulType PAC_LOGON_INFO).

    Carries the account's identity and authorization data: RID, primary
    group, group memberships, extra SIDs and resource groups. This class is
    a layout description only; it performs no signature verification, so
    the decoded values are claims made by whoever produced the bytes until
    the server and KDC checksums of the enclosing PAC have been validated.
    The *Count members travel separately from the arrays they describe.
    """

    structure = (
        # Account timestamps.
        ('LogonTime', FILETIME),
        ('LogoffTime', FILETIME),
        ('KickOffTime', FILETIME),
        ('PasswordLastSet', FILETIME),
        ('PasswordCanChange', FILETIME),
        ('PasswordMustChange', FILETIME),

        # Account and profile strings.
        ('EffectiveName', RPC_UNICODE_STRING),
        ('FullName', RPC_UNICODE_STRING),
        ('LogonScript', RPC_UNICODE_STRING),
        ('ProfilePath', RPC_UNICODE_STRING),
        ('HomeDirectory', RPC_UNICODE_STRING),
        ('HomeDirectoryDrive', RPC_UNICODE_STRING),

        ('LogonCount', USHORT),
        ('BadPasswordCount', USHORT),

        # Identity and primary-domain group membership.
        ('UserId', ULONG),
        ('PrimaryGroupId', ULONG),
        ('GroupCount', ULONG),
        ('GroupIds', PGROUP_MEMBERSHIP_ARRAY),
        ('UserFlags', ULONG),
        ('UserSessionKey', USER_SESSION_KEY),
        ('LogonServer', RPC_UNICODE_STRING),
        ('LogonDomainName', RPC_UNICODE_STRING),
        ('LogonDomainId', PRPC_SID),

        # Also called Reserved1
        ('LMKey', CHAR_FIXED_8_ARRAY),

        ('UserAccountControl', ULONG),
        ('SubAuthStatus', ULONG),
        ('LastSuccessfulILogon', FILETIME),
        ('LastFailedILogon', FILETIME),
        ('FailedILogonCount', ULONG),
        ('Reserved3', ULONG),

        # Extra SIDs use the PAC's own pointer type here; an earlier
        # revision referenced PNETLOGON_SID_AND_ATTRIBUTES_ARRAY instead.
        ('SidCount', ULONG),
        ('ExtraSids', PKERB_SID_AND_ATTRIBUTES_ARRAY),

        # Resource-domain groups.
        ('ResourceGroupDomainSid', PISID),
        ('ResourceGroupCount', ULONG),
        ('ResourceGroupIds', PGROUP_MEMBERSHIP_ARRAY),
    )

134 

class PKERB_VALIDATION_INFO(NDRPOINTER):
    """NDR pointer whose referent is a KERB_VALIDATION_INFO."""

    referent = (
        ('Data', KERB_VALIDATION_INFO),
    )

139 

140# 2.6.1 PAC_CREDENTIAL_INFO 

class PAC_CREDENTIAL_INFO(Structure):
    """Credentials buffer header (ulType PAC_CREDENTIALS_INFO).

    Version and EncryptionType are little-endian 32-bit values; the rest is
    kept as opaque bytes in SerializedData. Per [MS-PAC] that blob is an
    encrypted PAC_CREDENTIAL_DATA -- no decryption happens in this class.
    """

    structure = (
        ('Version', '<L=0'),
        ('EncryptionType', '<L=0'),
        ('SerializedData', ':'),
    )

147 

148# 2.6.3 SECPKG_SUPPLEMENTAL_CRED 

class SECPKG_SUPPLEMENTAL_CRED(NDRSTRUCT):
    """Supplemental credential for one security package.

    PackageName names the package, Credentials points at CredentialSize
    bytes of package-specific secret material. Treat the decoded bytes as
    secrets: keep them out of logs and debug dumps.
    """

    structure = (
        ('PackageName', RPC_UNICODE_STRING),
        ('CredentialSize', ULONG),
        ('Credentials', PUCHAR_ARRAY),
    )

155 

class SECPKG_SUPPLEMENTAL_CRED_ARRAY(NDRUniConformantArray):
    """Conformant array whose elements are SECPKG_SUPPLEMENTAL_CRED."""

    item = SECPKG_SUPPLEMENTAL_CRED

158 

159# 2.6.2 PAC_CREDENTIAL_DATA 

class PAC_CREDENTIAL_DATA(NDRSTRUCT):
    """Decrypted credentials payload: a count plus the credential array.

    The array is embedded directly (not through a pointer type), and
    CredentialCount is a separate field from the array's own NDR count.
    """

    structure = (
        ('CredentialCount', ULONG),
        ('Credentials', SECPKG_SUPPLEMENTAL_CRED_ARRAY),
    )

165 

166# 2.6.4 NTLM_SUPPLEMENTAL_CREDENTIAL 

class NTLM_SUPPLEMENTAL_CREDENTIAL(NDRSTRUCT):
    """NTLM package credential: version, flags and two 16-byte hashes.

    LmPassword and NtPassword are fixed 16-byte fields defaulting to empty
    bytes. They hold password-equivalent material, so any code that decodes
    this structure should avoid printing, logging or persisting the fields.
    """

    structure = (
        ('Version', ULONG),
        ('Flags', ULONG),
        ('LmPassword', '16s=b""'),
        ('NtPassword', '16s=b""'),
    )

174 

175# 2.7 PAC_CLIENT_INFO 

class PAC_CLIENT_INFO(Structure):
    """Client name and ticket time buffer (ulType PAC_CLIENT_INFO_TYPE).

    ClientId is a 64-bit little-endian value and NameLength a 16-bit one.
    The '_Name' entry ties the size of 'Name' to self["NameLength"], so the
    amount of data taken for Name is driven by a length field read from the
    wire. NOTE(review): nothing here compares NameLength with the bytes
    actually available -- confirm how Structure handles a short buffer.
    """

    structure = (
        ('ClientId', '<Q=0'),
        ('NameLength', '<H=0'),
        ('_Name', '_-Name', 'self["NameLength"]'),
        ('Name', ':'),
    )

183 

184# 2.8 PAC_SIGNATURE_DATA 

class PAC_SIGNATURE_DATA(Structure):
    """Checksum buffer used for the server and KDC (privsvr) signatures.

    SignatureType is decoded as a *signed* little-endian 32-bit integer
    ('<l'), so checksum types with the high bit set come back negative.
    Signature is the remaining bytes, uninterpreted. This class only
    carries the value; computing and comparing the checksum is up to the
    caller, and the rest of the PAC should not be trusted before that.
    """

    structure = (
        ('SignatureType', '<l=0'),
        ('Signature', ':'),
    )

190 

191# 2.9 Constrained Delegation Information - S4U_DELEGATION_INFO 

class S4U_DELEGATION_INFO(NDRSTRUCT):
    """Constrained delegation buffer (ulType PAC_DELEGATION_INFO).

    S4U2proxyTarget names the target service and S4UTransitedServices
    points at the list of services the request was delegated through;
    TransitedListSize is sent as its own field. Useful when auditing which
    services acted on a user's behalf.
    """

    structure = (
        ('S4U2proxyTarget', RPC_UNICODE_STRING),
        ('TransitedListSize', ULONG),
        ('S4UTransitedServices', PRPC_UNICODE_STRING_ARRAY),
    )

198 

199# 2.10 UPN_DNS_INFO 

class UPN_DNS_INFO(Structure):
    """Fixed header of the UPN / DNS domain buffer (ulType PAC_UPN_DNS_INFO).

    Only the four 16-bit length/offset fields and the 32-bit Flags are
    decoded; the strings themselves are not part of this structure. A
    consumer that slices them out must check each offset + length against
    the buffer size first, since all four values come from the wire.
    NOTE(review): offsets are presumably relative to the start of this
    buffer, as in [MS-PAC] -- confirm against the caller.
    """

    structure = (
        ('UpnLength', '<H=0'),
        ('UpnOffset', '<H=0'),
        ('DnsDomainNameLength', '<H=0'),
        ('DnsDomainNameOffset', '<H=0'),
        ('Flags', '<L=0'),
    )

208 

209# 2.11 PAC_CLIENT_CLAIMS_INFO 

class PAC_CLIENT_CLAIMS_INFO(Structure):
    """Client claims buffer, kept as one opaque byte string.

    No claims decoding is done here; 'Claims' is the whole buffer.
    """

    structure = (
        ('Claims', ':'),
    )

214 

215# 2.12 PAC_DEVICE_INFO 

class PAC_DEVICE_INFO(NDRSTRUCT):
    """Device (computer account) authorization data.

    Mirrors the user-side logon info for the device: RID, primary group,
    account-domain groups, extra SIDs and per-domain group memberships.
    As with the user data, the values are only meaningful once the PAC
    signatures have been verified, and every *Count field is transmitted
    independently of the array it describes.
    """

    structure = (
        ('UserId', ULONG),
        ('PrimaryGroupId', ULONG),
        ('AccountDomainId', PISID),
        ('AccountGroupCount', ULONG),
        ('AccountGroupIds', PGROUP_MEMBERSHIP_ARRAY),
        ('SidCount', ULONG),
        ('ExtraSids', PKERB_SID_AND_ATTRIBUTES_ARRAY),
        ('DomainGroupCount', ULONG),
        ('DomainGroup', PDOMAIN_GROUP_MEMBERSHIP_ARRAY),
    )

228 

229# 2.13 PAC_DEVICE_CLAIMS_INFO 

class PAC_DEVICE_CLAIMS_INFO(Structure):
    """Device claims buffer, kept as one opaque byte string.

    No claims decoding is done here; 'Claims' is the whole buffer.
    """

    structure = (
        ('Claims', ':'),
    )

234 

class VALIDATION_INFO(TypeSerialization1):
    """KERB_VALIDATION_INFO pointer wrapped in a TypeSerialization1 envelope.

    This is the type to use on the raw PAC_LOGON_INFO buffer bytes; the
    logon data itself is reached through the 'Data' pointer member.
    """

    structure = (
        ('Data', PKERB_VALIDATION_INFO),
    )