Module: Rex::Proto::Kerberos::Pac

Defined in:
lib/rex/proto/kerberos/pac/krb5_pac.rb,
lib/rex/proto/kerberos/pac.rb,
lib/rex/proto/kerberos/pac/error.rb,
lib/rex/proto/kerberos/pac/krb5_pac_element_type.rb

Overview

Defined Under Namespace

Modules: Error, Krb5PacElementType Classes: CypherBlock, GroupAttributes, Krb5ClientInfo, Krb5FullPacChecksum, Krb5LogonInformation, Krb5NtlmSupplementalCredential, Krb5Pac, Krb5PacAttributes, Krb5PacCredentialData, Krb5PacCredentialDataPtr, Krb5PacCredentialInfo, Krb5PacElement, Krb5PacInfoBuffer, Krb5PacPrivServerChecksum, Krb5PacRequestor, Krb5PacServerChecksum, Krb5PacSignatureData, Krb5SecpkgSupplementalCred, Krb5SecpkgSupplementalCredByteArrayPtr, Krb5SerializedPacCredentialData, Krb5SidAndAttributes, Krb5SidAndAttributesPtr, Krb5SignatureType, Krb5TicketChecksum, Krb5UpnDnsInfo, Krb5ValidationInfo, Krb5ValidationInfoPtr, PacAttributesFlags, UnknownPacElement, UpnDnsInfoAttributes, UserAccountAttributes, UserFlagAttributes, UserSessionKey

Constant Summary

# NOTE(review): presumably the Version field of the PAC header; confirm against Krb5Pac.
VERSION =
0
# NOTE(review): meaning not shown on this page; presumably a user-flag bit in the
# logon information buffer. Confirm against UserFlagAttributes and callers.
NETLOGON_FLAG =
0x20000
# SE_GROUP_* values are attribute bits attached to a group membership entry
# (see GroupAttributes). Each constant is a single bit so they can be OR-ed together.
SE_GROUP_MANDATORY =
0x00000001
SE_GROUP_ENABLED_BY_DEFAULT =
0x00000002
SE_GROUP_ENABLED =
0x00000004
SE_GROUP_OWNER =
0x00000008
# High bit range: marks a resource (domain-local) group rather than a global one.
SE_GROUP_RESOURCE =
0x20000000
SE_GROUP_ALL =

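XXX: Not a complete mask. SE_GROUP_ALL is only the three flags OR-ed below; it does not include SE_GROUP_OWNER, SE_GROUP_RESOURCE, or some of the newer SE_GROUP_* flags.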

SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED
# Flag for the PAC attributes buffer (see PacAttributesFlags).
# NOTE(review): MS-PAC's PAC_ATTRIBUTES_INFO is believed to assign 0x1 to
# PAC_WAS_REQUESTED and 0x2 to PAC_WAS_GIVEN_IMPLICITLY. Confirm this value
# against the specification before relying on the name.
PAC_WAS_GIVEN_IMPLICITLY =
0x00000001
# Account-control bits carried in the logon information (see UserAccountAttributes).
USER_NORMAL_ACCOUNT =
0x00000010
USER_DONT_EXPIRE_PASSWORD =
0x00000200
# PAC info-buffer type identifiers. Only a subset is listed here; the other
# buffer types are presumably defined in Krb5PacElementType (TODO confirm).
PAC_LOGON_INFO =
1
PAC_CREDENTIALS_INFO =
2
# Types 6 and 7 are the two PAC signatures (server key and KDC/"privsvr" key).
PAC_SERVER_CHECKSUM =
6
PAC_PRIVSVR_CHECKSUM =
7
PAC_CLIENT_INFO =
10
# Kerberos authorization-data type that carries the PAC inside a ticket.
AD_WIN2K_PAC =
128
# Windows FILETIME conversion helpers: seconds between 1601-01-01 and
# 1970-01-01, and the number of 100-nanosecond ticks per second.
SEC_TO_UNIX_EPOCH =
11644473600
WINDOWS_TICK =
10000000
# Largest signed 64-bit value; used as the "never" timestamp.
NEVER_EXPIRE =
0x7fffffffffffffff
# Well-known domain-relative RIDs of privileged groups. A PAC that asserts
# these memberships for an account that should not hold them is a strong
# indicator of a forged ticket when reviewing logon events.
DOMAIN_ADMINS =
512
DOMAIN_USERS =
513
SCHEMA_ADMINISTRATORS =
518
ENTERPRISE_ADMINS =
519
GROUP_POLICY_CREATOR_OWNERS =
520
# RID 500 is the built-in Administrator account.
DEFAULT_ADMIN_RID =
500
# NOTE(review): presumably the fallback RID for an ordinary user when none is
# supplied; confirm against callers.
DEFAULT_USER_RID =
1000
# SID prefix for identifier authority 5 (NT Authority).
NT_AUTHORITY_SID =
'S-1-5'
# Maps a Kerberos checksum type to the length of the signature it produces
# (16 for the MD5-based types, 12 for the truncated SHA1/AES types;
# presumably bytes, TODO confirm against Krb5PacSignatureData).
# The table is frozen so it cannot be modified at runtime.
CHECKSUM_SIGNATURE_LENGTH =
{
  # RSA_MD5 is listed only for modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb.
  # The specification does not explicitly define it as a PAC signature type; the MS14-068
  # module relies on this weaker checksum to get past PAC signature validation.
  # NOTE(review): RSA-MD5 is an unkeyed digest, so it proves nothing about who built the PAC.
  # Code that validates PACs should reject it, and a PAC signature of this type is worth alerting on.
  Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5 => 16,
  Rex::Proto::Kerberos::Crypto::Checksum::SHA1_AES128 => 12,
  Rex::Proto::Kerberos::Crypto::Checksum::SHA1_AES256 => 12,
  Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5 => 16,
  0xffffff76 => 16 # HMAC_MD5's type number (-138) read as an unsigned 32-bit two's-complement value
}.freeze