Skip to content

Commit

Permalink
Merge pull request GhostPack#180 from GhostPack/unicode-domain
Browse files Browse the repository at this point in the history 
Fix for unicode domains
  • Loading branch information
@CCob
CCob authored Jan 8, 2024
2 parents 0e57072 + c06bfca commit baf34c7
Show file tree
Hide file tree
Showing 21 changed files with 64 additions and 47 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [3.3.1]

### Fixed

* Unicode characters in domain names
* Changed till dates within s4u /opsec requests to UTC to work on anything -UTC

## [2.2.1]

### Added
Expand Down
2 changes: 1 addition & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ Rubeus is licensed under the BSD 3-Clause license.
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.0
v2.3.1


Ticket requests and renewals:
Expand Down
20 changes: 13 additions & 7 deletions Rubeus/Commands/Asktgt.cs
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Rubeus.lib.Interop;


Expand Down Expand Up @@ -78,26 +79,35 @@ public void Execute(Dictionary<string, string> arguments)
encType = Interop.KERB_ETYPE.des_cbc_md5;
}
}
if (String.IsNullOrEmpty(domain))
{
domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().Name;

Console.WriteLine("[*] Got domain: {0}", domain);
}

if (arguments.ContainsKey("/password"))
{
password = arguments["/password"];

string salt = String.Format("{0}{1}", domain.ToUpper(), user);
string salt = String.Format("{0}{1}", domain.ToUpperInvariant(), user);

// special case for computer account salts
if (user.EndsWith("$"))
{
salt = String.Format("{0}host{1}.{2}", domain.ToUpper(), user.TrimEnd('$').ToLower(), domain.ToLower());
salt = String.Format("{0}host{1}.{2}", domain.ToUpperInvariant(), user.TrimEnd('$').ToLowerInvariant(), domain.ToLowerInvariant());
}

// special case for samaccountname spoofing to support Kerberos AES Encryption
if (arguments.ContainsKey("/oldsam"))
{
salt = String.Format("{0}host{1}.{2}", domain.ToUpper(), arguments["/oldsam"].TrimEnd('$').ToLower(), domain.ToLower());
salt = String.Format("{0}host{1}.{2}", domain.ToUpperInvariant(), arguments["/oldsam"].TrimEnd('$').ToLowerInvariant(), domain.ToLowerInvariant());

}

if (encType != Interop.KERB_ETYPE.rc4_hmac)
Console.WriteLine("[*] Using salt: {0}", salt);

hash = Crypto.KerberosPasswordHash(encType, password, salt);
}

Expand Down Expand Up @@ -240,10 +250,6 @@ public void Execute(Dictionary<string, string> arguments)
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().Name;
}
if (String.IsNullOrEmpty(hash) && String.IsNullOrEmpty(certificate) && !nopreauth)
{
Console.WriteLine("\r\n[X] You must supply a /password, /certificate or a [/des|/rc4|/aes128|/aes256] hash!\r\n");
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/Domain/Info.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ public static void ShowLogo()
Console.WriteLine(" | __ /| | | | _ \\| ___ | | | |/___)");
Console.WriteLine(" | | \\ \\| |_| | |_) ) ____| |_| |___ |");
Console.WriteLine(" |_| |_|____/|____/|_____)____/(___/\r\n");
Console.WriteLine(" v2.3.0 \r\n");
Console.WriteLine(" v2.3.1 \r\n");
}

public static void ShowUsage()
Expand Down
4 changes: 4 additions & 0 deletions Rubeus/Program.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

namespace Rubeus
{
Expand Down Expand Up @@ -44,6 +45,9 @@ private static void MainExecute(string commandName, Dictionary<string,string> pa

try
{
// print unicode char properly
Console.OutputEncoding = Encoding.UTF8;

var commandFound = new CommandCollection().ExecuteCommand(commandName, parsedArgs);

// show the usage if no commands were found for the command name
Expand Down
4 changes: 2 additions & 2 deletions Rubeus/lib/Crypto.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,12 @@ public static void ComputeAllKerberosPasswordHashes(string password, string user

Console.WriteLine("[*] Input password : {0}", password);

string salt = String.Format("{0}{1}", domainName.ToUpper(), userName);
string salt = String.Format("{0}{1}", domainName.ToUpperInvariant(), userName);

// special case for computer account salts
if (userName.EndsWith("$"))
{
salt = String.Format("{0}host{1}.{2}", domainName.ToUpper(), userName.TrimEnd('$').ToLower(), domainName.ToLower());
salt = String.Format("{0}host{1}.{2}", domainName.ToUpperInvariant(), userName.TrimEnd('$').ToLowerInvariant(), domainName.ToLowerInvariant());
}

if (!String.IsNullOrEmpty(userName) && !String.IsNullOrEmpty(domainName))
Expand Down
16 changes: 8 additions & 8 deletions Rubeus/lib/ForgeTicket.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ public static void ForgeTicket(
}
if (String.IsNullOrEmpty(netbiosName))
{
kvi.LogonDomainName = new Ndr._RPC_UNICODE_STRING(domain.Substring(0, domain.IndexOf('.')).ToUpper());
kvi.LogonDomainName = new Ndr._RPC_UNICODE_STRING(domain.Substring(0, domain.IndexOf('.')).ToUpperInvariant());
}

// if /ldap was passed make the LDAP queries
Expand Down Expand Up @@ -766,7 +766,7 @@ public static void ForgeTicket(

// output some ticket information relevent to all tickets generated
Console.WriteLine("");
Console.WriteLine("[*] Domain : {0} ({1})", domain.ToUpper(), kvi.LogonDomainName);
Console.WriteLine("[*] Domain : {0} ({1})", domain.ToUpperInvariant(), kvi.LogonDomainName);
Console.WriteLine("[*] SID : {0}", kvi.LogonDomainId?.GetValue());
Console.WriteLine("[*] UserId : {0}", kvi.UserId);
if (kvi.GroupCount > 0)
Expand Down Expand Up @@ -799,14 +799,14 @@ public static void ForgeTicket(

ClientName cn = null;
if (parts[0].Equals("krbtgt") && !cRealm.Equals(domain))
cn = new ClientName((DateTime)startTime, String.Format("{0}@{1}@{1}", user, domain.ToUpper()));
cn = new ClientName((DateTime)startTime, String.Format("{0}@{1}@{1}", user, domain.ToUpperInvariant()));
else
cn = new ClientName((DateTime)startTime, user);

UpnDns upnDns = new UpnDns(upnFlags, domain.ToUpper(), String.Format("{0}@{1}", user, domain.ToLower()));
UpnDns upnDns = new UpnDns(upnFlags, domain.ToUpperInvariant(), String.Format("{0}@{1}", user, domain.ToLowerInvariant()));
if (extendedUpnDns)
{
upnDns = new UpnDns(upnFlags + 2, domain.ToUpper(), String.Format("{0}@{1}", user, domain.ToLower()), user, new SecurityIdentifier(String.Format("{0}-{1}", li.KerbValidationInfo.LogonDomainId?.GetValue(), li.KerbValidationInfo.UserId)));
upnDns = new UpnDns(upnFlags + 2, domain.ToUpperInvariant(), String.Format("{0}@{1}", user, domain.ToLowerInvariant()), user, new SecurityIdentifier(String.Format("{0}-{1}", li.KerbValidationInfo.LogonDomainId?.GetValue(), li.KerbValidationInfo.UserId)));
}

S4UDelegationInfo s4u = null;
Expand All @@ -817,7 +817,7 @@ public static void ForgeTicket(

Console.WriteLine("[*] Generating EncTicketPart");

EncTicketPart decTicketPart = new EncTicketPart(randKeyBytes, etype, cRealm.ToUpper(), cName, flags, cn.ClientId);
EncTicketPart decTicketPart = new EncTicketPart(randKeyBytes, etype, cRealm.ToUpperInvariant(), cName, flags, cn.ClientId);

// set other times in EncTicketPart
DateTime? check = null;
Expand Down Expand Up @@ -971,7 +971,7 @@ public static void ForgeTicket(

// initialize the ticket and add the enc_part
Console.WriteLine("[*] Generating Ticket");
Ticket ticket = new Ticket(domain.ToUpper(), sname);
Ticket ticket = new Ticket(domain.ToUpperInvariant(), sname);
// when performing keylist attack the kvnum is shifted left 16 bits
if (rodcNumber == 0)
{
Expand Down Expand Up @@ -1345,7 +1345,7 @@ public static void ForgeTicket(
sid = new SecurityIdentifier(String.Format("{0}-{1}", sid.Value.Substring(0, sid.Value.LastIndexOf('-')), ticketUserId));
}
}
upnDns = new UpnDns((int)upnDns.Flags,upnDns.DnsDomainName,string.Format("{0}@{1}", ticketUser, upnDns.DnsDomainName.ToLower()), samName, sid);
upnDns = new UpnDns((int)upnDns.Flags,upnDns.DnsDomainName,string.Format("{0}@{1}", ticketUser, upnDns.DnsDomainName.ToLowerInvariant()), samName, sid);

}
}
Expand Down
6 changes: 3 additions & 3 deletions Rubeus/lib/S4U.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,19 +146,19 @@ private static void S4U2Proxy(KRB_CRED kirbi, string targetUser, string targetSP

// 15 minutes in the future like genuine requests
DateTime till = DateTime.Now;
till = till.AddMinutes(15);
till = till.AddMinutes(15).ToUniversalTime();
s4u2proxyReq.req_body.till = till;

// extra etypes
s4u2proxyReq.req_body.etypes.Add(Interop.KERB_ETYPE.rc4_hmac_exp);
s4u2proxyReq.req_body.etypes.Add(Interop.KERB_ETYPE.old_exp);

// get hostname and hostname of SPN
string hostName = Dns.GetHostName().ToUpper();
string hostName = Dns.GetHostName().ToUpperInvariant();
string targetHostName;
if (parts.Length > 1)
{
targetHostName = parts[1].Split('.')[0].ToUpper();
targetHostName = parts[1].Split('.')[0].ToUpperInvariant();
}
else
{
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/AS_REP.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ private void Decode(AsnElt asn_AS_REP)
}
break;
case 3:
crealm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
crealm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 4:
cname = new PrincipalName(s.Sub[0]);
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/ETYPE_INFO2_ENTRY.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ public ETYPE_INFO2_ENTRY(AsnElt body)
etype = Convert.ToInt32(s.Sub[0].GetInteger());
break;
case 1:
salt = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
salt = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
default:
break;
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/EncKDCRepPart.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ public EncKDCRepPart(AsnElt body)
renew_till = s.Sub[0].GetTime();
break;
case 9:
realm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
realm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 10:
// sname (optional)
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/EncKrbPrivPart.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ public AsnElt Encode()
AsnElt hostAddressTypeSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { hostAddressTypeAsn });
hostAddressTypeSeq = AsnElt.MakeImplicit(AsnElt.CONTEXT, 0, hostAddressTypeSeq);

byte[] hostAddressAddressBytes = Encoding.ASCII.GetBytes(host_name);
byte[] hostAddressAddressBytes = Encoding.UTF8.GetBytes(host_name);
AsnElt hostAddressAddressAsn = AsnElt.MakeBlob(hostAddressAddressBytes);
AsnElt hostAddressAddressSeq = AsnElt.Make(AsnElt.SEQUENCE, new AsnElt[] { hostAddressAddressAsn });
hostAddressAddressSeq = AsnElt.MakeImplicit(AsnElt.CONTEXT, 1, hostAddressAddressSeq);
Expand Down
4 changes: 2 additions & 2 deletions Rubeus/lib/krb_structures/EncTicketPart.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ public EncTicketPart(AsnElt body, byte[] asrepKey = null, bool noAdData = false)
key = new EncryptionKey(s);
break;
case 2:
crealm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
crealm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 3:
cname = new PrincipalName(s.Sub[0]);
Expand Down Expand Up @@ -135,7 +135,7 @@ public AsnElt Encode()

// crealm [2] Realm
// -- clients realm
AsnElt realmAsn = AsnElt.MakeString(AsnElt.IA5String, crealm);
AsnElt realmAsn = AsnElt.MakeString(AsnElt.UTF8String, crealm);
realmAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.GeneralString, realmAsn);
AsnElt realmSeq = AsnElt.Make(AsnElt.SEQUENCE, new[] { realmAsn });
realmSeq = AsnElt.MakeImplicit(AsnElt.CONTEXT, 2, realmSeq);
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/HostAddress.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ public HostAddress(AsnElt body)
addr_type = (Interop.HostAddressType)s.Sub[0].GetInteger();
break;
case 1:
addr_string = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
addr_string = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
default:
break;
Expand Down
4 changes: 2 additions & 2 deletions Rubeus/lib/krb_structures/KDC_PROXY_MESSAGE.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ public KDC_PROXY_MESSAGE(AsnElt body)
kerb_message = s.Sub[0].GetOctetString();
break;
case 1:
target_domain = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
target_domain = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 2:
dclocator_hint = Convert.ToUInt32(s.Sub[0].GetInteger());
Expand All @@ -68,7 +68,7 @@ public AsnElt Encode()
// target-domain [1] KerberosString OPTIONAL,
if (target_domain != null)
{
AsnElt domainAsn = AsnElt.MakeString(AsnElt.IA5String, target_domain);
AsnElt domainAsn = AsnElt.MakeString(AsnElt.UTF8String, target_domain);
domainAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.GeneralString, domainAsn);
AsnElt domainSeq = AsnElt.Make(AsnElt.SEQUENCE, new[] { domainAsn });
domainSeq = AsnElt.MakeImplicit(AsnElt.CONTEXT, 1, domainSeq);
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/KDC_REQ_BODY.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ public KDCReqBody(AsnElt body)
cname = new PrincipalName(s.Sub[0]);
break;
case 2:
realm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
realm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 3:
// optional
Expand Down
6 changes: 3 additions & 3 deletions Rubeus/lib/krb_structures/KRB_ERROR.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,19 +56,19 @@ public KRB_ERROR(AsnElt body)
error_code = Convert.ToUInt32(s.Sub[0].GetInteger());
break;
case 7:
crealm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
crealm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 8:
cname = new PrincipalName(s.Sub[0]);
break;
case 9:
realm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
realm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 10:
sname = new PrincipalName(s.Sub[0]);
break;
case 11:
e_text = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
e_text = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 12:
try
Expand Down
8 changes: 4 additions & 4 deletions Rubeus/lib/krb_structures/KrbCredInfo.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ public KrbCredInfo(AsnElt body)
key = new EncryptionKey(s);
break;
case 1:
prealm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
prealm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 2:
pname = new PrincipalName(s.Sub[0]);
Expand All @@ -69,7 +69,7 @@ public KrbCredInfo(AsnElt body)
renew_till = s.Sub[0].GetTime();
break;
case 8:
srealm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
srealm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 9:
sname = new PrincipalName(s.Sub[0]);
Expand All @@ -93,7 +93,7 @@ public AsnElt Encode()
// prealm [1] Realm OPTIONAL
if (!String.IsNullOrEmpty(prealm))
{
AsnElt prealmAsn = AsnElt.MakeString(AsnElt.IA5String, prealm);
AsnElt prealmAsn = AsnElt.MakeString(AsnElt.UTF8String, prealm);
prealmAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.GeneralString, prealmAsn);
AsnElt prealmAsnSeq = AsnElt.Make(AsnElt.SEQUENCE, prealmAsn);
prealmAsnSeq = AsnElt.MakeImplicit(AsnElt.CONTEXT, 1, prealmAsnSeq);
Expand Down Expand Up @@ -166,7 +166,7 @@ public AsnElt Encode()
// srealm [8] Realm OPTIONAL
if (!String.IsNullOrEmpty(srealm))
{
AsnElt srealmAsn = AsnElt.MakeString(AsnElt.IA5String, srealm);
AsnElt srealmAsn = AsnElt.MakeString(AsnElt.UTF8String, srealm);
srealmAsn = AsnElt.MakeImplicit(AsnElt.UNIVERSAL, AsnElt.GeneralString, srealmAsn);
AsnElt srealmAsnSeq = AsnElt.Make(AsnElt.SEQUENCE, srealmAsn);
srealmAsnSeq = AsnElt.MakeImplicit(AsnElt.CONTEXT, 8, srealmAsnSeq);
Expand Down
2 changes: 1 addition & 1 deletion Rubeus/lib/krb_structures/TGS_REP.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ private void Decode(AsnElt asn_TGS_REP)
padata = new PA_DATA(s.Sub[0]);
break;
case 3:
crealm = Encoding.ASCII.GetString(s.Sub[0].GetOctetString());
crealm = Encoding.UTF8.GetString(s.Sub[0].GetOctetString());
break;
case 4:
cname = new PrincipalName(s.Sub[0]);
Expand Down
Loading

0 comments on commit baf34c7

Please sign in to comment.