Class: Rex::Proto::MsAdts::KeyCredential

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/ms_adts/key_credential.rb

Constant Summary collapse

KEY_USAGE_NGC = 
0x01
KEY_USAGE_FIDO = 
0x07
KEY_USAGE_FEK = 
0x08
KEY_CREDENTIAL_VERSION_2 = 
0x200
DEFAULT_KEY_INFORMATION =

Version and flags

"\x01\x00"

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initializeKeyCredential

Returns a new instance of KeyCredential.



11
12
13
14
15
16
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 11

def initialize
  self.key_source = 0
  self.device_id = Rex::Proto::MsDtyp::MsDtypGuid.new
  self.device_id.set(Rex::Proto::MsDtyp::MsDtypGuid.random_generate)
  self.custom_key_information = DEFAULT_KEY_INFORMATION
end

Instance Attribute Details

#custom_key_informationObject

Two bytes is fine: Version and Flags



116
117
118
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 116

def custom_key_information
  @custom_key_information
end

#device_idObject

MsDtypGuid

Identifier for this credential



115
116
117
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 115

def device_id
  @device_id
end

#key_approximate_last_logon_time_rawObject

Raw bytes for approximate time this key was last used



117
118
119
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 117

def key_approximate_last_logon_time_raw
  @key_approximate_last_logon_time_raw
end

#key_creation_time_rawObject

Raw bytes for approximate time this key was created



118
119
120
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 118

def key_creation_time_raw
  @key_creation_time_raw
end

#key_hashObject

SHA256 hash of all entries after this entry



111
112
113
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 111

def key_hash
  @key_hash
end

#key_idObject

Properties



110
111
112
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 110

def key_id
  @key_id
end

#key_sourceObject

Always KEY_SOURCE_AD (0)



114
115
116
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 114

def key_source
  @key_source
end

#key_usageObject

Enumeration



113
114
115
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 113

def key_usage
  @key_usage
end

#raw_key_materialObject

Key material of the credential, in bytes



112
113
114
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 112

def raw_key_material
  @raw_key_material
end

Class Method Details

.from_struct(cred_struct) ⇒ Object

Construct a KeyCredential object from a MsAdtsKeyCredentialStruct (likely received from a Domain Controller)

Parameters:



92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 92

def self.from_struct(cred_struct)
  obj = KeyCredential.new
  obj.key_id = get_entry(cred_struct, 1)
  obj.key_hash = get_entry(cred_struct, 2)
  obj.raw_key_material = get_entry(cred_struct, 3)
  obj.key_usage = get_entry(cred_struct, 4).unpack('C')[0]
  obj.key_source = get_entry(cred_struct, 5).unpack('C')[0]
  obj.device_id = Rex::Proto::MsDtyp::MsDtypGuid.read(get_entry(cred_struct, 6))
  obj.custom_key_information = get_entry(cred_struct, 7)
  ft = get_entry(cred_struct, 8)
  obj.key_approximate_last_logon_time_raw = ft
  ft = get_entry(cred_struct, 9)
  obj.key_creation_time_raw = ft

  obj
end

.get_entry(struct, identifier) ⇒ String

Find the entry with the given identifier

Parameters:

Returns:

  • (String)

    The data associated with this identifier, or nil if not found



124
125
126
127
128
129
130
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 124

def self.get_entry(struct, identifier)
  struct.credential_entries.each do |entry|
    if entry.identifier == identifier
      return entry.data
    end
  end
end

Instance Method Details

#key_approximate_last_logon_timeTime

Approximate time this key was last used

Returns:

  • (Time)

    Approximate time this key was last used



45
46
47
48
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 45

def key_approximate_last_logon_time
  ft = key_approximate_last_logon_time_raw
  RubySMB::Field::FileTime.new(ft.unpack('Q')[0]).to_time
end

#key_approximate_last_logon_time=(time) ⇒ Object

Set the approximate last logon time for this credential object

Parameters:

  • time (Time)

    Last time this credential was used to log on



52
53
54
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 52

def key_approximate_last_logon_time=(time)
  self.key_approximate_last_logon_time_raw = RubySMB::Field::FileTime.new(time).to_binary_s
end

#key_creation_timeTime

Approximate time this key was created

Returns:

  • (Time)

    Approximate time this key was created



58
59
60
61
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 58

def key_creation_time
  ft = key_creation_time_raw
  RubySMB::Field::FileTime.new(ft.unpack('Q')[0]).to_time
end

#key_creation_time=(time) ⇒ Object

Set the creation time for this credential object

Parameters:

  • time (Time)

    Time that this key was created



65
66
67
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 65

def key_creation_time=(time)
  self.key_creation_time_raw = RubySMB::Field::FileTime.new(time).to_binary_s
end

#public_keyObject

Parse the object’s raw key material field into a OpenSSL::PKey::RSA object

Parameters:



134
135
136
137
138
139
140
141
142
143
144
145
146
147
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 134

def public_key
  case key_usage
  when KEY_USAGE_NGC
    if raw_key_material.start_with?([Rex::Proto::BcryptPublicKey::MAGIC].pack('I'))
      result = Rex::Proto::BcryptPublicKey.read(raw_key_material)
      exponent = OpenSSL::ASN1::Integer.new(bytes_to_int(result.exponent))
      modulus = OpenSSL::ASN1::Integer.new(bytes_to_int(result.modulus))
      # OpenSSL's API has changed over time - constructing from DER has been consistent
      data_sequence = OpenSSL::ASN1::Sequence([modulus, exponent])

      OpenSSL::PKey::RSA.new(data_sequence.to_der)
    end
  end
end

#set_key(public_key, key_usage) ⇒ Object

Set the key material for this credential object

Parameters:

  • public_key (OpenSSL::PKey::RSA)

    Public key used for authentication

  • key_usage (Enumeration)

    From the KEY_USAGE constants in this class



21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 21

def set_key(public_key, key_usage)
  self.key_usage = key_usage

  case self.key_usage
  when KEY_USAGE_NGC
    result = Rex::Proto::BcryptPublicKey.new
    result.key_length = public_key.n.num_bits
    n = self.class.int_to_bytes(public_key.n)
    e = self.class.int_to_bytes(public_key.e)
    result.exponent = e
    result.modulus = n
    result.prime1 = ''
    result.prime2 = ''
    self.raw_key_material = result.to_binary_s
  else
    # Unknown key type
    return
  end
  sha256 = OpenSSL::Digest.new('SHA256')
  self.key_id = sha256.digest(self.raw_key_material)
end

#to_structMsAdtsKeyCredentialStruct

Creates a MsAdtsKeyCredentialStruct, including calculating the value for key_hash

Returns:



71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
# File 'lib/rex/proto/ms_adts/key_credential.rb', line 71

def to_struct
  result = MsAdtsKeyCredentialStruct.new
  result.version = KEY_CREDENTIAL_VERSION_2
  add_entry(result, 3, self.raw_key_material)
  add_entry(result, 4, [self.key_usage].pack('C'))
  add_entry(result, 5, [self.key_source].pack('C'))
  add_entry(result, 6, self.device_id.to_binary_s)
  add_entry(result, 7, self.custom_key_information)
  add_entry(result, 8, self.key_approximate_last_logon_time_raw)
  add_entry(result, 9, self.key_creation_time_raw)

  calculate_key_hash(result)

  add_entry(result, 2, self.key_hash, insert_at_end: false)
  add_entry(result, 1, self.key_id, insert_at_end: false)

  result
end