mirror of
https://github.com/hashcat/hashcat.git
synced 2024-11-22 08:08:10 +00:00
Add module and unit test for hash-mode 18200
This commit is contained in:
parent
81c3edede3
commit
67627607be
@ -90,15 +90,6 @@ typedef struct ikepsk
|
||||
|
||||
} ikepsk_t;
|
||||
|
||||
typedef struct krb5asrep
|
||||
{
|
||||
u32 account_info[512];
|
||||
u32 checksum[4];
|
||||
u32 edata2[5120];
|
||||
u32 edata2_len;
|
||||
|
||||
} krb5asrep_t;
|
||||
|
||||
typedef struct keepass
|
||||
{
|
||||
u32 version;
|
||||
@ -812,7 +803,6 @@ typedef enum hash_type
|
||||
HASH_TYPE_JWT = 66,
|
||||
HASH_TYPE_ELECTRUM_WALLET = 67,
|
||||
HASH_TYPE_ANSIBLE_VAULT = 70,
|
||||
HASH_TYPE_KRB5ASREP = 71,
|
||||
|
||||
} hash_type_t;
|
||||
|
||||
@ -987,7 +977,6 @@ typedef enum kern_type
|
||||
KERN_TYPE_KECCAK_384 = 17900,
|
||||
KERN_TYPE_KECCAK_512 = 18000,
|
||||
KERN_TYPE_TOTP_HMACSHA1 = 18100,
|
||||
KERN_TYPE_KRB5ASREP = 18200,
|
||||
KERN_TYPE_APFS = 18300,
|
||||
KERN_TYPE_PLAINTEXT = 99999,
|
||||
|
||||
@ -1127,7 +1116,6 @@ int sha512macos_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_bu
|
||||
int episerver4_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
int sha512grub_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
int sha512b64s_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
int krb5asrep_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
int sapb_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
int sapg_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
int drupal7_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig);
|
||||
|
@ -65,7 +65,6 @@
|
||||
" 11400 | SIP digest authentication (MD5) | Network Protocols",
|
||||
" 16100 | TACACS+ | Network Protocols",
|
||||
" 16500 | JWT (JSON Web Token) | Network Protocols",
|
||||
" 18200 | Kerberos 5 AS-REP etype 23 | Network Protocols",
|
||||
" 121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce, Frameworks",
|
||||
" 2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce, Frameworks",
|
||||
" 2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce, Frameworks",
|
||||
@ -465,7 +464,6 @@ static const char *ST_HASH_17600 = "7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8c
|
||||
static const char *ST_HASH_17900 = "5804b7ada5806ba79540100e9a7ef493654ff2a21d94d4f2ce4bf69abda5d94bf03701fe9525a15dfdc625bfbd769701";
|
||||
static const char *ST_HASH_18000 = "2fbf5c9080f0a704de2e915ba8fdae6ab00bbc026b2c1c8fa07da1239381c6b7f4dfd399bf9652500da723694a4c719587dd0219cb30eabe61210a8ae4dc0b03";
|
||||
static const char *ST_HASH_18100 = "597056:3600";
|
||||
static const char *ST_HASH_18200 = "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac";
|
||||
static const char *ST_HASH_18300 = "$fvde$2$16$58778104701476542047675521040224$20000$39602e86b7cea4a34f4ff69ff6ed706d68954ee474de1d2a9f6a6f2d24d172001e484c1d4eaa237d";
|
||||
static const char *ST_HASH_99999 = "hashcat";
|
||||
|
||||
@ -630,7 +628,6 @@ static const char *HT_17600 = "SHA3-512";
|
||||
static const char *HT_17900 = "Keccak-384";
|
||||
static const char *HT_18000 = "Keccak-512";
|
||||
static const char *HT_18100 = "TOTP (HMAC-SHA1)";
|
||||
static const char *HT_18200 = "Kerberos 5 AS-REP etype 23";
|
||||
static const char *HT_18300 = "Apple File System (APFS)";
|
||||
static const char *HT_99999 = "Plaintext";
|
||||
|
||||
@ -715,7 +712,6 @@ static const char *SIGNATURE_DRUPAL7 = "$S$";
|
||||
static const char *SIGNATURE_ECRYPTFS = "$ecryptfs$";
|
||||
static const char *SIGNATURE_EPISERVER = "$episerver$";
|
||||
static const char *SIGNATURE_KEEPASS = "$keepass$";
|
||||
static const char *SIGNATURE_KRB5ASREP = "$krb5asrep$23$";
|
||||
static const char *SIGNATURE_MD5AIX = "{smd5}";
|
||||
static const char *SIGNATURE_MD5APR1 = "$apr1$";
|
||||
static const char *SIGNATURE_MEDIAWIKI_B = "$B$";
|
||||
@ -12246,102 +12242,6 @@ int rar5_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSE
|
||||
return (PARSER_OK);
|
||||
}
|
||||
|
||||
int krb5asrep_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
|
||||
{
|
||||
u32 *digest = (u32 *) hash_buf->digest;
|
||||
|
||||
salt_t *salt = hash_buf->salt;
|
||||
|
||||
krb5asrep_t *krb5asrep = (krb5asrep_t *) hash_buf->esalt;
|
||||
|
||||
token_t token;
|
||||
|
||||
token.signatures_cnt = 1;
|
||||
token.signatures_buf[0] = SIGNATURE_KRB5ASREP;
|
||||
|
||||
token.len[0] = strlen(SIGNATURE_KRB5ASREP);
|
||||
token.attr[0] = TOKEN_ATTR_FIXED_LENGTH
|
||||
| TOKEN_ATTR_VERIFY_SIGNATURE;
|
||||
|
||||
/**
|
||||
* $krb5asrep$23$user_principal_name:checksum$edata2
|
||||
*/
|
||||
|
||||
if (input_len < 16) return (PARSER_SALT_LENGTH);
|
||||
|
||||
char *upn_info_start = (char *) input_buf + strlen(SIGNATURE_KRB5ASREP);
|
||||
char *upn_info_stop = strchr ((const char *) upn_info_start, ':');
|
||||
|
||||
if (upn_info_stop == NULL) return (PARSER_SEPARATOR_UNMATCHED);
|
||||
|
||||
upn_info_stop++; // we want the : char included
|
||||
|
||||
const int upn_info_len = upn_info_stop - upn_info_start;
|
||||
|
||||
token.token_cnt = 4;
|
||||
|
||||
token.len[1] = upn_info_len;
|
||||
token.attr[1] = TOKEN_ATTR_FIXED_LENGTH;
|
||||
|
||||
token.sep[2] = '$';
|
||||
token.len_min[2] = 32;
|
||||
token.len_max[2] = 32;
|
||||
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH
|
||||
| TOKEN_ATTR_VERIFY_HEX;
|
||||
|
||||
token.sep[3] = '$';
|
||||
token.len_min[3] = 64;
|
||||
token.len_max[3] = 40960;
|
||||
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
|
||||
| TOKEN_ATTR_VERIFY_HEX;
|
||||
|
||||
const int rc_tokenizer = input_tokenizer (input_buf, input_len, &token);
|
||||
|
||||
if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
|
||||
|
||||
const u8 *checksum_pos = token.buf[2];
|
||||
|
||||
const u8 *data_pos = token.buf[3];
|
||||
const int data_len = token.len[3];
|
||||
|
||||
memcpy (krb5asrep->account_info, token.buf[1], token.len[1]);
|
||||
|
||||
krb5asrep->checksum[0] = hex_to_u32 (checksum_pos + 0);
|
||||
krb5asrep->checksum[1] = hex_to_u32 (checksum_pos + 8);
|
||||
krb5asrep->checksum[2] = hex_to_u32 (checksum_pos + 16);
|
||||
krb5asrep->checksum[3] = hex_to_u32 (checksum_pos + 24);
|
||||
|
||||
u8 *edata_ptr = (u8 *) krb5asrep->edata2;
|
||||
|
||||
for (int i = 0; i < data_len; i += 2)
|
||||
{
|
||||
const u8 p0 = data_pos[i + 0];
|
||||
const u8 p1 = data_pos[i + 1];
|
||||
|
||||
*edata_ptr++ = hex_convert (p1) << 0
|
||||
| hex_convert (p0) << 4;
|
||||
}
|
||||
|
||||
krb5asrep->edata2_len = data_len / 2;
|
||||
|
||||
/* this is needed for hmac_md5 */
|
||||
*edata_ptr++ = 0x80;
|
||||
|
||||
salt->salt_buf[0] = krb5asrep->checksum[0];
|
||||
salt->salt_buf[1] = krb5asrep->checksum[1];
|
||||
salt->salt_buf[2] = krb5asrep->checksum[2];
|
||||
salt->salt_buf[3] = krb5asrep->checksum[3];
|
||||
|
||||
salt->salt_len = 16;
|
||||
|
||||
digest[0] = krb5asrep->checksum[0];
|
||||
digest[1] = krb5asrep->checksum[1];
|
||||
digest[2] = krb5asrep->checksum[2];
|
||||
digest[3] = krb5asrep->checksum[3];
|
||||
|
||||
return (PARSER_OK);
|
||||
}
|
||||
|
||||
int axcrypt_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
|
||||
{
|
||||
u32 *digest = (u32 *) hash_buf->digest;
|
||||
@ -15740,7 +15640,6 @@ u32 kernel_threads_mxx (hashcat_ctx_t *hashcat_ctx)
|
||||
if (hashconfig->hash_mode == 10410) kernel_threads = 64; // RC4
|
||||
if (hashconfig->hash_mode == 10500) kernel_threads = 64; // RC4
|
||||
if (hashconfig->hash_mode == 15700) kernel_threads = 1; // SCRYPT
|
||||
if (hashconfig->hash_mode == 18200) kernel_threads = 64; // RC4
|
||||
|
||||
// let the module decide if it allows user-defined values over module defined valaues
|
||||
|
||||
@ -19109,30 +19008,6 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const int out_size,
|
||||
|
||||
snprintf (out_buf, out_size, "%06d:%" PRIu64, digest_buf[0], tmp_salt_buf);
|
||||
}
|
||||
else if (hash_mode == 18200)
|
||||
{
|
||||
krb5asrep_t *krb5asreps = (krb5asrep_t *) esalts_buf;
|
||||
|
||||
krb5asrep_t *krb5asrep = &krb5asreps[digest_cur];
|
||||
|
||||
char data[5120 * 4 * 2] = { 0 };
|
||||
|
||||
for (u32 i = 0, j = 0; i < krb5asrep->edata2_len; i += 1, j += 2)
|
||||
{
|
||||
u8 *ptr_edata2 = (u8 *) krb5asrep->edata2;
|
||||
|
||||
sprintf (data + j, "%02x", ptr_edata2[i]);
|
||||
}
|
||||
|
||||
snprintf (out_buf, out_size, "%s%s%08x%08x%08x%08x$%s",
|
||||
SIGNATURE_KRB5ASREP,
|
||||
(char *) krb5asrep->account_info,
|
||||
byte_swap_32 (krb5asrep->checksum[0]),
|
||||
byte_swap_32 (krb5asrep->checksum[1]),
|
||||
byte_swap_32 (krb5asrep->checksum[2]),
|
||||
byte_swap_32 (krb5asrep->checksum[3]),
|
||||
data);
|
||||
}
|
||||
else if (hash_mode == 18300)
|
||||
{
|
||||
apple_secure_notes_t *apple_secure_notess = (apple_secure_notes_t *) esalts_buf;
|
||||
@ -23707,23 +23582,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
|
||||
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
|
||||
break;
|
||||
|
||||
case 18200: hashconfig->hash_type = HASH_TYPE_KRB5ASREP;
|
||||
hashconfig->salt_type = SALT_TYPE_EMBEDDED;
|
||||
hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL;
|
||||
hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE;
|
||||
hashconfig->kern_type = KERN_TYPE_KRB5ASREP;
|
||||
hashconfig->dgst_size = DGST_SIZE_4_4;
|
||||
hashconfig->parse_func = krb5asrep_parse_hash;
|
||||
hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE
|
||||
| OPTI_TYPE_NOT_ITERATED;
|
||||
hashconfig->dgst_pos0 = 0;
|
||||
hashconfig->dgst_pos1 = 1;
|
||||
hashconfig->dgst_pos2 = 2;
|
||||
hashconfig->dgst_pos3 = 3;
|
||||
hashconfig->st_hash = ST_HASH_18200;
|
||||
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
|
||||
break;
|
||||
|
||||
case 18300: hashconfig->hash_type = HASH_TYPE_APPLE_SECURE_NOTES;
|
||||
hashconfig->salt_type = SALT_TYPE_EMBEDDED;
|
||||
hashconfig->attack_exec = ATTACK_EXEC_OUTSIDE_KERNEL;
|
||||
@ -23859,7 +23717,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
|
||||
case 16600: hashconfig->esalt_size = sizeof (electrum_wallet_t); break;
|
||||
case 16700: hashconfig->esalt_size = sizeof (apple_secure_notes_t); break;
|
||||
case 16900: hashconfig->esalt_size = sizeof (ansible_vault_t); break;
|
||||
case 18200: hashconfig->esalt_size = sizeof (krb5asrep_t); break;
|
||||
case 18300: hashconfig->esalt_size = sizeof (apple_secure_notes_t); break;
|
||||
}
|
||||
|
||||
|
268
src/modules/module_18200.c
Normal file
268
src/modules/module_18200.c
Normal file
@ -0,0 +1,268 @@
|
||||
/**
|
||||
* Author......: See docs/credits.txt
|
||||
* License.....: MIT
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "types.h"
|
||||
#include "modules.h"
|
||||
#include "bitops.h"
|
||||
#include "convert.h"
|
||||
#include "shared.h"
|
||||
|
||||
static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL;
|
||||
static const u32 DGST_POS0 = 0;
|
||||
static const u32 DGST_POS1 = 1;
|
||||
static const u32 DGST_POS2 = 2;
|
||||
static const u32 DGST_POS3 = 3;
|
||||
static const u32 DGST_SIZE = DGST_SIZE_4_4;
|
||||
static const u32 HASH_CATEGORY = HASH_CATEGORY_NETWORK_PROTOCOL;
|
||||
static const char *HASH_NAME = "Kerberos 5 AS-REP etype 23";
|
||||
static const u32 HASH_TYPE = HASH_TYPE_GENERIC;
|
||||
static const u64 KERN_TYPE = 18200;
|
||||
static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE
|
||||
| OPTI_TYPE_NOT_ITERATED;
|
||||
static const u64 OPTS_TYPE = OPTS_TYPE_STATE_BUFFER_LE
|
||||
| OPTS_TYPE_PT_GENERATE_LE;
|
||||
static const u32 PWDUMP_COLUMN = PWDUMP_COLUMN_NTLM_HASH;
|
||||
static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED;
|
||||
static const char *ST_PASS = "hashcat";
|
||||
static const char *ST_HASH = "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac";
|
||||
|
||||
u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; }
|
||||
u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; }
|
||||
u32 module_dgst_pos1 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1; }
|
||||
u32 module_dgst_pos2 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2; }
|
||||
u32 module_dgst_pos3 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3; }
|
||||
u32 module_dgst_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE; }
|
||||
u32 module_hash_category (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY; }
|
||||
const char *module_hash_name (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME; }
|
||||
u32 module_hash_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_TYPE; }
|
||||
u64 module_kern_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE; }
|
||||
u32 module_opti_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE; }
|
||||
u64 module_opts_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE; }
|
||||
u32 module_pwdump_column (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return PWDUMP_COLUMN; }
|
||||
u32 module_salt_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE; }
|
||||
const char *module_st_hash (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH; }
|
||||
const char *module_st_pass (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS; }
|
||||
|
||||
typedef struct krb5asrep
|
||||
{
|
||||
u32 account_info[512];
|
||||
u32 checksum[4];
|
||||
u32 edata2[5120];
|
||||
u32 edata2_len;
|
||||
|
||||
} krb5asrep_t;
|
||||
|
||||
static const char *SIGNATURE_KRB5ASREP = "$krb5asrep$23$";
|
||||
|
||||
u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
|
||||
{
|
||||
const u64 esalt_size = (const u64) sizeof (krb5asrep_t);
|
||||
|
||||
return esalt_size;
|
||||
}
|
||||
|
||||
u32 module_kernel_threads_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
|
||||
{
|
||||
const u32 kernel_threads_min = 64;
|
||||
|
||||
return kernel_threads_min;
|
||||
}
|
||||
|
||||
u32 module_kernel_threads_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
|
||||
{
|
||||
const u32 kernel_threads_max = 64;
|
||||
|
||||
return kernel_threads_max;
|
||||
}
|
||||
|
||||
int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len)
|
||||
{
|
||||
u32 *digest = (u32 *) digest_buf;
|
||||
|
||||
krb5asrep_t *krb5asrep = (krb5asrep_t *) esalt_buf;
|
||||
|
||||
token_t token;
|
||||
|
||||
token.signatures_cnt = 1;
|
||||
token.signatures_buf[0] = SIGNATURE_KRB5ASREP;
|
||||
|
||||
token.len[0] = strlen(SIGNATURE_KRB5ASREP);
|
||||
token.attr[0] = TOKEN_ATTR_FIXED_LENGTH
|
||||
| TOKEN_ATTR_VERIFY_SIGNATURE;
|
||||
|
||||
/**
|
||||
* $krb5asrep$23$user_principal_name:checksum$edata2
|
||||
*/
|
||||
|
||||
if (line_len < 16) return (PARSER_SALT_LENGTH);
|
||||
|
||||
char *upn_info_start = (char *) line_buf + strlen (SIGNATURE_KRB5ASREP);
|
||||
char *upn_info_stop = strchr ((const char *) upn_info_start, ':');
|
||||
|
||||
if (upn_info_stop == NULL) return (PARSER_SEPARATOR_UNMATCHED);
|
||||
|
||||
upn_info_stop++; // we want the : char included
|
||||
|
||||
const int upn_info_len = upn_info_stop - upn_info_start;
|
||||
|
||||
token.token_cnt = 4;
|
||||
|
||||
token.len[1] = upn_info_len;
|
||||
token.attr[1] = TOKEN_ATTR_FIXED_LENGTH;
|
||||
|
||||
token.sep[2] = '$';
|
||||
token.len_min[2] = 32;
|
||||
token.len_max[2] = 32;
|
||||
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH
|
||||
| TOKEN_ATTR_VERIFY_HEX;
|
||||
|
||||
token.sep[3] = '$';
|
||||
token.len_min[3] = 64;
|
||||
token.len_max[3] = 40960;
|
||||
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
|
||||
| TOKEN_ATTR_VERIFY_HEX;
|
||||
|
||||
const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token);
|
||||
|
||||
if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
|
||||
|
||||
const u8 *checksum_pos = token.buf[2];
|
||||
|
||||
const u8 *data_pos = token.buf[3];
|
||||
const int data_len = token.len[3];
|
||||
|
||||
memcpy (krb5asrep->account_info, token.buf[1], token.len[1]);
|
||||
|
||||
krb5asrep->checksum[0] = hex_to_u32 (checksum_pos + 0);
|
||||
krb5asrep->checksum[1] = hex_to_u32 (checksum_pos + 8);
|
||||
krb5asrep->checksum[2] = hex_to_u32 (checksum_pos + 16);
|
||||
krb5asrep->checksum[3] = hex_to_u32 (checksum_pos + 24);
|
||||
|
||||
u8 *edata_ptr = (u8 *) krb5asrep->edata2;
|
||||
|
||||
for (int i = 0; i < data_len; i += 2)
|
||||
{
|
||||
const u8 p0 = data_pos[i + 0];
|
||||
const u8 p1 = data_pos[i + 1];
|
||||
|
||||
*edata_ptr++ = hex_convert (p1) << 0
|
||||
| hex_convert (p0) << 4;
|
||||
}
|
||||
|
||||
krb5asrep->edata2_len = data_len / 2;
|
||||
|
||||
/* this is needed for hmac_md5 */
|
||||
*edata_ptr++ = 0x80;
|
||||
|
||||
salt->salt_buf[0] = krb5asrep->checksum[0];
|
||||
salt->salt_buf[1] = krb5asrep->checksum[1];
|
||||
salt->salt_buf[2] = krb5asrep->checksum[2];
|
||||
salt->salt_buf[3] = krb5asrep->checksum[3];
|
||||
|
||||
salt->salt_len = 16;
|
||||
|
||||
digest[0] = krb5asrep->checksum[0];
|
||||
digest[1] = krb5asrep->checksum[1];
|
||||
digest[2] = krb5asrep->checksum[2];
|
||||
digest[3] = krb5asrep->checksum[3];
|
||||
|
||||
return (PARSER_OK);
|
||||
}
|
||||
|
||||
int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size)
|
||||
{
|
||||
const u32 *digest = (const u32 *) digest_buf;
|
||||
|
||||
const krb5asrep_t *krb5asrep = (const krb5asrep_t *) esalt_buf;
|
||||
|
||||
char data[5120 * 4 * 2] = { 0 };
|
||||
|
||||
for (u32 i = 0, j = 0; i < krb5asrep->edata2_len; i += 1, j += 2)
|
||||
{
|
||||
u8 *ptr_edata2 = (u8 *) krb5asrep->edata2;
|
||||
|
||||
sprintf (data + j, "%02x", ptr_edata2[i]);
|
||||
}
|
||||
|
||||
const int line_len = snprintf (line_buf, line_size, "%s%s%08x%08x%08x%08x$%s",
|
||||
SIGNATURE_KRB5ASREP,
|
||||
(char *) krb5asrep->account_info,
|
||||
byte_swap_32 (krb5asrep->checksum[0]),
|
||||
byte_swap_32 (krb5asrep->checksum[1]),
|
||||
byte_swap_32 (krb5asrep->checksum[2]),
|
||||
byte_swap_32 (krb5asrep->checksum[3]),
|
||||
data);
|
||||
|
||||
return line_len;
|
||||
}
|
||||
|
||||
void module_init (module_ctx_t *module_ctx)
|
||||
{
|
||||
module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT;
|
||||
module_ctx->module_interface_version = MODULE_INTERFACE_VERSION_CURRENT;
|
||||
|
||||
module_ctx->module_attack_exec = module_attack_exec;
|
||||
module_ctx->module_benchmark_esalt = MODULE_DEFAULT;
|
||||
module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT;
|
||||
module_ctx->module_benchmark_mask = MODULE_DEFAULT;
|
||||
module_ctx->module_benchmark_salt = MODULE_DEFAULT;
|
||||
module_ctx->module_build_plain_postprocess = MODULE_DEFAULT;
|
||||
module_ctx->module_deep_comp_kernel = MODULE_DEFAULT;
|
||||
module_ctx->module_dgst_pos0 = module_dgst_pos0;
|
||||
module_ctx->module_dgst_pos1 = module_dgst_pos1;
|
||||
module_ctx->module_dgst_pos2 = module_dgst_pos2;
|
||||
module_ctx->module_dgst_pos3 = module_dgst_pos3;
|
||||
module_ctx->module_dgst_size = module_dgst_size;
|
||||
module_ctx->module_dictstat_disable = MODULE_DEFAULT;
|
||||
module_ctx->module_esalt_size = module_esalt_size;
|
||||
module_ctx->module_extra_buffer_size = MODULE_DEFAULT;
|
||||
module_ctx->module_forced_outfile_format = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_binary_count = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_binary_parse = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_binary_save = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_binary_verify = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_decode_outfile = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_decode_zero_hash = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_decode = module_hash_decode;
|
||||
module_ctx->module_hash_encode_status = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_encode = module_hash_encode;
|
||||
module_ctx->module_hash_init_selftest = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_mode = MODULE_DEFAULT;
|
||||
module_ctx->module_hash_category = module_hash_category;
|
||||
module_ctx->module_hash_name = module_hash_name;
|
||||
module_ctx->module_hash_type = module_hash_type;
|
||||
module_ctx->module_hlfmt_disable = MODULE_DEFAULT;
|
||||
module_ctx->module_hook12 = MODULE_DEFAULT;
|
||||
module_ctx->module_hook23 = MODULE_DEFAULT;
|
||||
module_ctx->module_hook_salt_size = MODULE_DEFAULT;
|
||||
module_ctx->module_hook_size = MODULE_DEFAULT;
|
||||
module_ctx->module_jit_build_options = MODULE_DEFAULT;
|
||||
module_ctx->module_kernel_accel_max = MODULE_DEFAULT;
|
||||
module_ctx->module_kernel_accel_min = MODULE_DEFAULT;
|
||||
module_ctx->module_kernel_loops_max = MODULE_DEFAULT;
|
||||
module_ctx->module_kernel_loops_min = MODULE_DEFAULT;
|
||||
module_ctx->module_kernel_threads_max = module_kernel_threads_max;
|
||||
module_ctx->module_kernel_threads_min = module_kernel_threads_min;
|
||||
module_ctx->module_kern_type = module_kern_type;
|
||||
module_ctx->module_opti_type = module_opti_type;
|
||||
module_ctx->module_opts_type = module_opts_type;
|
||||
module_ctx->module_outfile_check_disable = MODULE_DEFAULT;
|
||||
module_ctx->module_outfile_check_nocomp = MODULE_DEFAULT;
|
||||
module_ctx->module_potfile_disable = MODULE_DEFAULT;
|
||||
module_ctx->module_potfile_keep_all_hashes = MODULE_DEFAULT;
|
||||
module_ctx->module_pwdump_column = module_pwdump_column;
|
||||
module_ctx->module_pw_max = MODULE_DEFAULT;
|
||||
module_ctx->module_pw_min = MODULE_DEFAULT;
|
||||
module_ctx->module_salt_max = MODULE_DEFAULT;
|
||||
module_ctx->module_salt_min = MODULE_DEFAULT;
|
||||
module_ctx->module_salt_type = module_salt_type;
|
||||
module_ctx->module_separator = MODULE_DEFAULT;
|
||||
module_ctx->module_st_hash = module_st_hash;
|
||||
module_ctx->module_st_pass = module_st_pass;
|
||||
module_ctx->module_tmp_size = MODULE_DEFAULT;
|
||||
module_ctx->module_unstable_warning = MODULE_DEFAULT;
|
||||
module_ctx->module_warmup_disable = MODULE_DEFAULT;
|
||||
}
|
122
tools/test_modules/m18200.pm
Normal file
122
tools/test_modules/m18200.pm
Normal file
@ -0,0 +1,122 @@
|
||||
#!/usr/bin/env perl
|
||||
|
||||
##
|
||||
## Author......: See docs/credits.txt
|
||||
## License.....: MIT
|
||||
##
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Encode;
|
||||
use Crypt::RC4;
|
||||
use Digest::HMAC_MD5 qw (hmac_md5);
|
||||
use Digest::MD4 qw (md4);
|
||||
use Digest::MD5 qw (md5_hex);
|
||||
use POSIX qw (strftime);
|
||||
|
||||
sub module_constraints { [[0, 255], [16, 16], [0, 27], [16, 16], [-1, -1]] }
|
||||
|
||||
sub module_generate_hash
|
||||
{
|
||||
my $word = shift;
|
||||
my $salt = shift;
|
||||
my $user_principal_name = shift // "user\@domain.com";
|
||||
my $checksum = shift;
|
||||
my $edata2 = shift;
|
||||
|
||||
my $k = md4 (encode ("UTF-16LE", $word));
|
||||
|
||||
my $k1 = hmac_md5 ("\x08\x00\x00\x00", $k);
|
||||
|
||||
my $cleartext_ticket = '7981df3081dca01b3019a003020117a112041071e026814da2' .
|
||||
'3f129f0e67a01b73f79aa11c301a3018a003020100a111180f32303138313033303039353' .
|
||||
'831365aa206020460fdc6caa311180f32303337303931343032343830355aa40703050050' .
|
||||
'c10000a511180f32303138313033303039353831365aa611180f323031383130333030393' .
|
||||
'53831365aa711180f32303138313033303139353831365aa811180f323031383130333131' .
|
||||
'30303433385aa90d1b0b545952454c4c2e434f5250aa20301ea003020101a11730151b066' .
|
||||
'b72627467741b0b545952454c4c2e434f5250';
|
||||
|
||||
if (defined $checksum)
|
||||
{
|
||||
$checksum = pack ("H*", $checksum);
|
||||
}
|
||||
else
|
||||
{
|
||||
my $nonce = unpack ("H*", random_bytes (8));
|
||||
|
||||
$cleartext_ticket = $nonce . $cleartext_ticket;
|
||||
|
||||
$checksum = hmac_md5 (pack ("H*", $cleartext_ticket), $k1);
|
||||
}
|
||||
|
||||
my $k3 = hmac_md5 ($checksum, $k1);
|
||||
|
||||
if (defined $edata2)
|
||||
{
|
||||
my $cipher_decrypt = Crypt::RC4->new ($k3);
|
||||
|
||||
my $ticket_decrypt = unpack ("H*", $cipher_decrypt->RC4 (pack ("H*", $edata2)));
|
||||
|
||||
my $check_correct = ((substr ($ticket_decrypt, 16, 4) eq "7981" && substr ($ticket_decrypt, 22, 2) eq "30")) ||
|
||||
((substr ($ticket_decrypt, 16, 2) eq "79") && (substr ($ticket_decrypt, 20, 2) eq "30")) ||
|
||||
((substr ($ticket_decrypt, 16, 4) eq "7982") && (substr ($ticket_decrypt, 24, 2) eq "30"));
|
||||
|
||||
if ($check_correct == 1)
|
||||
{
|
||||
$cleartext_ticket = $ticket_decrypt;
|
||||
}
|
||||
else # validation failed
|
||||
{
|
||||
# fake/wrong ticket (otherwise if we just decrypt/encrypt we end up with false positives all the time)
|
||||
$cleartext_ticket = "0" x (length ($cleartext_ticket) + 16);
|
||||
}
|
||||
}
|
||||
|
||||
my $cipher = Crypt::RC4->new ($k3);
|
||||
|
||||
$edata2 = $cipher->RC4 (pack ("H*", $cleartext_ticket));
|
||||
|
||||
my $tmp_hash = sprintf ('$krb5asrep$23$%s:%s$%s', $user_principal_name, unpack ("H*", $checksum), unpack ("H*", $edata2));
|
||||
|
||||
return $tmp_hash;
|
||||
}
|
||||
|
||||
sub module_verify_hash
|
||||
{
|
||||
my $line = shift;
|
||||
|
||||
my ($hash, $hash2, $word) = split (':', $line);
|
||||
|
||||
return unless defined $hash;
|
||||
return unless defined $hash2;
|
||||
return unless defined $word;
|
||||
|
||||
my @data = split ('\$', $hash);
|
||||
|
||||
return unless scalar @data == 4;
|
||||
|
||||
shift @data;
|
||||
|
||||
my $signature = shift @data;
|
||||
my $algorithm = shift @data;
|
||||
my $user_principal_name = shift @data;
|
||||
|
||||
return unless ($signature eq "krb5asrep");
|
||||
|
||||
my @data2 = split ('\$', $hash2);
|
||||
|
||||
my $checksum = shift @data2;
|
||||
my $edata2 = shift @data2;
|
||||
|
||||
return unless (length ($checksum) == 32);
|
||||
return unless (length ($edata2) >= 64);
|
||||
|
||||
my $word_packed = pack_if_HEX_notation ($word);
|
||||
|
||||
my $new_hash = module_generate_hash ($word_packed, undef, $user_principal_name, $checksum, $edata2);
|
||||
|
||||
return ($new_hash, $word);
|
||||
}
|
||||
|
||||
1;
|
Loading…
Reference in New Issue
Block a user