Merge pull request GhostPack#157 from eladshamir/asrep2kirbi

Add an asrep2kirbi action
aHlo666 · May 16, 2023 · 7293b2b · 7293b2b
2 parents bec0e35 + 9cf6c8d
commit 7293b2b
Show file tree

Hide file tree

Showing 6 changed files with 143 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -63,6 +63,7 @@ Rubeus is licensed under the BSD 3-Clause license.
     - [tgssub](#tgssub)
     - [currentluid](#currentluid)
     - [logonsession](#logonsession)
+    - [asrep2kirbi](#asrep2kirbi)
   - [Compile Instructions](#compile-instructions)
     - [Targeting other .NET versions](#targeting-other-net-versions)
     - [Sidenote: Building Rubeus as a Library](#sidenote-building-rubeus-as-a-library)
@@ -288,6 +289,9 @@ Rubeus is licensed under the BSD 3-Clause license.
         The "/nowrap" flag prevents any base64 ticket blobs from being column wrapped for any function.
 
         The "/debug" flag outputs ASN.1 debugging information.
+		
+        Convert an AS-REP and a key to a Kirbi:
+            Rubeus.exe asrep2kirbi /asrep:<BASE64 | FILEPATH> </key:BASE64 | /keyhex:HEXSTRING> [/enctype:DES|RC4|AES128|AES256] [/ptt] [/luid:X] [/nowrap]
 
 
      NOTE: Base64 ticket blobs can be decoded with :
@@ -3518,6 +3522,7 @@ Breakdown of the miscellaneous commands:
 | [tgssub](#tgssub) | Substitute in alternate service names into a service ticket |
 | [currentluid](#currentluid) | Display the current user's LUID |
 | [logonsession](#logonsession) | Display logon session information |
+| [asrep2kirbi](#asrep2kirbi) | Convert an AS-REP and a client key to a Kirbi (KERB_CRED) |
 
 
 ### createnetonly
@@ -4037,6 +4042,12 @@ The **logonsession** action will display information about the current context's
 If elevated, the `/current` flag will display information for just the current logon session, and `/luid:X` will display information about the target specified logon session.
 
 
+### asrep2kirbi
+
+The **asrep2kirbi** action will convert an AS-REP and a client key to a Kirbi. 
+
+The client key can be supplied as a Base64 encoded blob or as a hex string.
+
 ## Compile Instructions
 
 We are not planning on releasing binaries for Rubeus, so you will have to compile yourself :)

diff --git a/Rubeus/Commands/ASREP2Kirbi.cs b/Rubeus/Commands/ASREP2Kirbi.cs
@@ -0,0 +1,126 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Runtime.InteropServices.WindowsRuntime;
+using System.Security.Cryptography;
+using Asn1;
+using Rubeus.Asn1;
+using Rubeus.Kerberos;
+using Rubeus.lib.Interop;
+
+
+namespace Rubeus.Commands
+{
+    public class ASREP2Kirbi : ICommand
+    {
+        public static string CommandName => "asrep2kirbi";
+
+        public void Execute(Dictionary<string, string> arguments)
+        {
+            Console.WriteLine("\r\n[*] Action: AS-REP to Kirbi");
+
+            AsnElt asrep = null;
+            byte[] key = null;
+            Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1; //default if non /enctype is specified
+            bool ptt = false;
+            string outfile = "";
+            LUID luid = new LUID();
+
+            if (arguments.ContainsKey("/outfile"))
+            {
+                outfile = arguments["/outfile"];
+            }
+
+            if (arguments.ContainsKey("/ptt"))
+            {
+                ptt = true;
+            }
+
+            if (arguments.ContainsKey("/luid"))
+            {
+                try
+                {
+                    luid = new LUID(arguments["/luid"]);
+                }
+                catch
+                {
+                    Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/luid"]);
+                    return;
+                }
+            }
+
+            if (arguments.ContainsKey("/asrep"))
+            {
+                string buffer = arguments["/asrep"];
+
+                if (Helpers.IsBase64String(buffer))
+                {
+                    byte[] bufferBytes = Convert.FromBase64String(buffer);
+
+                    asrep = AsnElt.Decode(bufferBytes);
+                }
+                else if (File.Exists(buffer))
+                {
+                    byte[] bufferBytes = File.ReadAllBytes(buffer);
+                    asrep = AsnElt.Decode(bufferBytes);
+                }
+                else
+                {
+                    Console.WriteLine("\r\n[X] /asrep:X must either be a file or a base64 encoded AS-REP message\r\n");
+                    return;
+                }
+            }
+            else
+            {
+                Console.WriteLine("\r\n[X] A /asrep:X needs to be supplied!\r\n");
+                return;
+            }
+
+            if (arguments.ContainsKey("/key"))
+            {
+                if (Helpers.IsBase64String(arguments["/key"]))
+                {
+                    key = Convert.FromBase64String(arguments["/key"]);
+                }
+                else
+                {
+                    Console.WriteLine("\r\n[X] /key:X must be a base64 encoded client key\r\n");
+                    //return;
+                }
+            }
+            else if (arguments.ContainsKey("/keyhex"))
+            {
+                key = Helpers.StringToByteArray(arguments["/keyhex"]);
+            }
+            else
+            {
+                Console.WriteLine("\r\n[X]A /key:X or /keyhex:X must be supplied!");
+                return;
+            }
+
+            if (arguments.ContainsKey("/enctype"))
+            {
+                string encTypeString = arguments["/enctype"].ToUpper();
+
+                if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM"))
+                {
+                    encType = Interop.KERB_ETYPE.rc4_hmac;
+                }
+                else if (encTypeString.Equals("AES128"))
+                {
+                    encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
+                }
+                else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES"))
+                {
+                    encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
+                }
+                else if (encTypeString.Equals("DES"))
+                {
+                    encType = Interop.KERB_ETYPE.des_cbc_md5;
+                }
+            }
+
+            Ask.HandleASREP(asrep, encType, Helpers.ByteArrayToString(key), outfile, ptt, luid, false, true);
+        }
+    }
+}
diff --git a/Rubeus/Domain/CommandCollection.cs b/Rubeus/Domain/CommandCollection.cs
@@ -45,6 +45,7 @@ public CommandCollection()
             _availableCommands.Add(Golden.CommandName, () => new Golden());
             _availableCommands.Add(Diamond.CommandName, () => new Diamond());
             _availableCommands.Add(Preauthscan.CommandName, () => new Preauthscan());
+            _availableCommands.Add(ASREP2Kirbi.CommandName, () => new ASREP2Kirbi());
         }
 
         public bool ExecuteCommand(string commandName, Dictionary<string, string> arguments)

diff --git a/Rubeus/Domain/Info.cs b/Rubeus/Domain/Info.cs
@@ -222,6 +222,9 @@ Rubeus.exe currentluid
     The ""/nowrap"" flag prevents any base64 ticket blobs from being column wrapped for any function.
 
     The ""/debug"" flag outputs ASN.1 debugging information.
+	
+    Convert an AS-REP and a key to a Kirbi:
+        Rubeus.exe asrep2kirbi /asrep:<BASE64 | FILEPATH> </key:BASE64 | /keyhex:HEXSTRING> [/enctype:DES|RC4|AES128|AES256] [/ptt] [/luid:X] [/nowrap]
 
 
  NOTE: Base64 ticket blobs can be decoded with :

diff --git a/Rubeus/Rubeus.csproj b/Rubeus/Rubeus.csproj
@@ -76,6 +76,7 @@
     <Compile Include="Asn1\Asn1Extensions.cs" />
     <Compile Include="Commands\Asktgs.cs" />
     <Compile Include="Commands\Asktgt.cs" />
+    <Compile Include="Commands\ASREP2Kirbi.cs" />
     <Compile Include="Commands\Asreproast.cs" />
     <Compile Include="Commands\Brute.cs" />
     <Compile Include="Commands\Changepw.cs" />

diff --git a/Rubeus/lib/Ask.cs b/Rubeus/lib/Ask.cs
@@ -628,7 +628,7 @@ public static byte[] TGS(string userName, string domain, Ticket providedTicket,
             return null;
         }
 
-        private static byte[] HandleASREP(AsnElt responseAsn, Interop.KERB_ETYPE etype, string keyString, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false, AS_REQ asReq = null, string serviceKey = "", bool getCredentials = false, string dcIP = "")
+        public static byte[] HandleASREP(AsnElt responseAsn, Interop.KERB_ETYPE etype, string keyString, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false, AS_REQ asReq = null, string serviceKey = "", bool getCredentials = false, string dcIP = "")
         {
             // parse the response to an AS-REP
             AS_REP rep = new AS_REP(responseAsn);