diff --git a/include/interface_migrate.h b/include/interface_migrate.h index 9ad40bd0e..18753188f 100644 --- a/include/interface_migrate.h +++ b/include/interface_migrate.h @@ -4,7 +4,6 @@ static const float MIN_SUFFICIENT_ENTROPY_FILE = 7.0f; - /** * algo specific */ @@ -91,15 +90,6 @@ typedef struct ikepsk } ikepsk_t; -typedef struct krb5tgs -{ - u32 account_info[512]; - u32 checksum[4]; - u32 edata2[5120]; - u32 edata2_len; - -} krb5tgs_t; - typedef struct krb5asrep { u32 account_info[512]; @@ -807,7 +797,6 @@ typedef enum hash_type HASH_TYPE_ORACLET = 48, HASH_TYPE_BSDICRYPT = 49, HASH_TYPE_RAR3HP = 50, - HASH_TYPE_KRB5TGS = 51, HASH_TYPE_STDOUT = 52, HASH_TYPE_PLAINTEXT = 54, HASH_TYPE_LUKS = 55, @@ -964,7 +953,6 @@ typedef enum kern_type KERN_TYPE_MS_DRSR = 12800, KERN_TYPE_ANDROIDFDE_SAMSUNG = 12900, KERN_TYPE_RAR5 = 13000, - KERN_TYPE_KRB5TGS = 13100, KERN_TYPE_AXCRYPT = 13200, KERN_TYPE_SHA1_AXCRYPT = 13300, KERN_TYPE_KEEPASS = 13400, @@ -1139,7 +1127,6 @@ int sha512macos_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_bu int episerver4_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); int sha512grub_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); int sha512b64s_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); -int krb5tgs_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); int krb5asrep_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); int sapb_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); int sapg_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig); diff --git a/src/interface_migrate.c b/src/interface_migrate.c index 68661444f..6022f6b08 100644 --- a/src/interface_migrate.c +++ b/src/interface_migrate.c @@ -63,7 +63,6 @@ " 11100 | PostgreSQL CRAM (MD5) | Network Protocols", " 11200 | MySQL CRAM (SHA1) | Network Protocols", " 11400 | SIP digest authentication (MD5) | Network Protocols", - " 13100 | Kerberos 5 TGS-REP etype 23 | Network Protocols", " 16100 | TACACS+ | Network Protocols", " 16500 | JWT (JSON Web Token) | Network Protocols", " 18200 | Kerberos 5 AS-REP etype 23 | Network Protocols", @@ -418,7 +417,6 @@ static const char *ST_HASH_12700 = "$blockchain$288$7132537221140006826366048012 static const char *ST_HASH_12800 = "v1;PPH1_MD4,54188415275183448824,100,55b530f052a9af79a7ba9c466dddcb8b116f8babf6c3873a51a3898fb008e123"; static const char *ST_HASH_12900 = "15738301074686823451275227041071157383010746868234512752270410712bc4be900bf96ccf43c9852fff49b5f5874a9f6e7bf301686fa6d98286de151f15738301074686823451275227041071"; static const char *ST_HASH_13000 = "$rar5$16$38466361001011015181344360681307$15$00000000000000000000000000000000$8$cc7a30583e62676a"; -static const char *ST_HASH_13100 = "$krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a"; static const char *ST_HASH_13200 = "$axcrypt$*1*10467*9a7cd609bb262c738d9f0e4977039b94*ecbe0fd05a96fd2099d88a92eebb76c59d6837dfe55b3631"; static const char *ST_HASH_13300 = "$axcrypt_sha1$b89eaac7e61417341b710b727768294d"; static const char *ST_HASH_13400 = "$keepass$*2*24569*0*c40432355cce7348c48053ceea0a28e7d18859c4ea47e3a799c6300861f64b95*265dafcc42e1537ff42e97e1e283c70014133be0fe2d420b4d24c6d57c9d2207*a00e20a852694c15aabb074d61b902fa*48dd553fb96f7996635f2414bfe6a1a8429ef0ffb71a1752abbef31853172c35*a44ae659958ad7fae8c8952cb83f3cf03fec2371ce22a8bf7fac1e687af2f249*1*64*5a26ea376cc5afc955104c334571d30486acbac512a94b75ca82a9e31dd97bf7"; @@ -597,7 +595,6 @@ static const char *HT_12700 = "Blockchain, My Wallet"; static const char *HT_12800 = "MS-AzureSync PBKDF2-HMAC-SHA256"; static const char *HT_12900 = "Android FDE (Samsung DEK)"; static const char *HT_13000 = "RAR5"; -static const char *HT_13100 = "Kerberos 5 TGS-REP etype 23"; static const char *HT_13200 = "AxCrypt"; static const char *HT_13300 = "AxCrypt in-memory SHA1"; static const char *HT_13400 = "KeePass 1 (AES/Twofish) and KeePass 2 (AES)"; @@ -718,7 +715,6 @@ static const char *SIGNATURE_DRUPAL7 = "$S$"; static const char *SIGNATURE_ECRYPTFS = "$ecryptfs$"; static const char *SIGNATURE_EPISERVER = "$episerver$"; static const char *SIGNATURE_KEEPASS = "$keepass$"; -static const char *SIGNATURE_KRB5TGS = "$krb5tgs$23$"; static const char *SIGNATURE_KRB5ASREP = "$krb5asrep$23$"; static const char *SIGNATURE_MD5AIX = "{smd5}"; static const char *SIGNATURE_MD5APR1 = "$apr1$"; @@ -12250,140 +12246,6 @@ int rar5_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSE return (PARSER_OK); } -int krb5tgs_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) -{ - u32 *digest = (u32 *) hash_buf->digest; - - salt_t *salt = hash_buf->salt; - - krb5tgs_t *krb5tgs = (krb5tgs_t *) hash_buf->esalt; - - token_t token; - - token.signatures_cnt = 1; - token.signatures_buf[0] = SIGNATURE_KRB5TGS; - - token.len[0] = 12; - token.attr[0] = TOKEN_ATTR_FIXED_LENGTH - | TOKEN_ATTR_VERIFY_SIGNATURE; - - /** - * $krb5tgs$23$checksum$edata2 - * $krb5tgs$23$*user*realm*spn*$checksum$edata2 - */ - - if (input_len < 16) return (PARSER_SALT_LENGTH); - - if (input_buf[12] == '*') - { - char *account_info_start = (char *) input_buf + 12; // we want the * char included - char *account_info_stop = strchr ((const char *) account_info_start + 1, '*'); - - if (account_info_stop == NULL) return (PARSER_SEPARATOR_UNMATCHED); - - account_info_stop++; // we want the * char included - account_info_stop++; // we want the $ char included - - const int account_info_len = account_info_stop - account_info_start; - - token.token_cnt = 4; - - token.len[1] = account_info_len; - token.attr[1] = TOKEN_ATTR_FIXED_LENGTH; - - token.sep[2] = '$'; - token.len_min[2] = 32; - token.len_max[2] = 32; - token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH - | TOKEN_ATTR_VERIFY_HEX; - - token.sep[3] = '$'; - token.len_min[3] = 64; - token.len_max[3] = 40960; - token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH - | TOKEN_ATTR_VERIFY_HEX; - } - else - { - token.token_cnt = 3; - - token.sep[1] = '$'; - token.len_min[1] = 32; - token.len_max[1] = 32; - token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH - | TOKEN_ATTR_VERIFY_HEX; - - token.sep[2] = '$'; - token.len_min[2] = 64; - token.len_max[2] = 40960; - token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH - | TOKEN_ATTR_VERIFY_HEX; - } - - const int rc_tokenizer = input_tokenizer (input_buf, input_len, &token); - - if (rc_tokenizer != PARSER_OK) return (rc_tokenizer); - - const u8 *checksum_pos; - const u8 *data_pos; - - int data_len; - - if (input_buf[12] == '*') - { - checksum_pos = token.buf[2]; - - data_pos = token.buf[3]; - data_len = token.len[3]; - - memcpy (krb5tgs->account_info, token.buf[1], token.len[1]); - } - else - { - checksum_pos = token.buf[1]; - - data_pos = token.buf[2]; - data_len = token.len[2]; - - krb5tgs->account_info[0] = 0; - } - - krb5tgs->checksum[0] = hex_to_u32 (checksum_pos + 0); - krb5tgs->checksum[1] = hex_to_u32 (checksum_pos + 8); - krb5tgs->checksum[2] = hex_to_u32 (checksum_pos + 16); - krb5tgs->checksum[3] = hex_to_u32 (checksum_pos + 24); - - u8 *edata_ptr = (u8 *) krb5tgs->edata2; - - for (int i = 0; i < data_len; i += 2) - { - const u8 p0 = data_pos[i + 0]; - const u8 p1 = data_pos[i + 1]; - - *edata_ptr++ = hex_convert (p1) << 0 - | hex_convert (p0) << 4; - } - - krb5tgs->edata2_len = data_len / 2; - - /* this is needed for hmac_md5 */ - *edata_ptr++ = 0x80; - - salt->salt_buf[0] = krb5tgs->checksum[0]; - salt->salt_buf[1] = krb5tgs->checksum[1]; - salt->salt_buf[2] = krb5tgs->checksum[2]; - salt->salt_buf[3] = krb5tgs->checksum[3]; - - salt->salt_len = 16; - - digest[0] = krb5tgs->checksum[0]; - digest[1] = krb5tgs->checksum[1]; - digest[2] = krb5tgs->checksum[2]; - digest[3] = krb5tgs->checksum[3]; - - return (PARSER_OK); -} - int krb5asrep_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) { u32 *digest = (u32 *) hash_buf->digest; @@ -15877,7 +15739,6 @@ u32 kernel_threads_mxx (hashcat_ctx_t *hashcat_ctx) if (hashconfig->hash_mode == 10400) kernel_threads = 64; // RC4 if (hashconfig->hash_mode == 10410) kernel_threads = 64; // RC4 if (hashconfig->hash_mode == 10500) kernel_threads = 64; // RC4 - if (hashconfig->hash_mode == 13100) kernel_threads = 64; // RC4 if (hashconfig->hash_mode == 15700) kernel_threads = 1; // SCRYPT if (hashconfig->hash_mode == 18200) kernel_threads = 64; // RC4 @@ -18263,30 +18124,6 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const int out_size, byte_swap_32 (digest_buf[1]) ); } - else if (hash_mode == 13100) - { - krb5tgs_t *krb5tgss = (krb5tgs_t *) esalts_buf; - - krb5tgs_t *krb5tgs = &krb5tgss[digest_cur]; - - char data[5120 * 4 * 2] = { 0 }; - - for (u32 i = 0, j = 0; i < krb5tgs->edata2_len; i += 1, j += 2) - { - u8 *ptr_edata2 = (u8 *) krb5tgs->edata2; - - sprintf (data + j, "%02x", ptr_edata2[i]); - } - - snprintf (out_buf, out_size, "%s%s%08x%08x%08x%08x$%s", - SIGNATURE_KRB5TGS, - (char *) krb5tgs->account_info, - byte_swap_32 (krb5tgs->checksum[0]), - byte_swap_32 (krb5tgs->checksum[1]), - byte_swap_32 (krb5tgs->checksum[2]), - byte_swap_32 (krb5tgs->checksum[3]), - data); - } else if (hash_mode == 13200) { snprintf (out_buf, out_size, "%s*1*%u*%08x%08x%08x%08x*%08x%08x%08x%08x%08x%08x", @@ -22828,23 +22665,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx) hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN; break; - case 13100: hashconfig->hash_type = HASH_TYPE_KRB5TGS; - hashconfig->salt_type = SALT_TYPE_EMBEDDED; - hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL; - hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE; - hashconfig->kern_type = KERN_TYPE_KRB5TGS; - hashconfig->dgst_size = DGST_SIZE_4_4; - hashconfig->parse_func = krb5tgs_parse_hash; - hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE - | OPTI_TYPE_NOT_ITERATED; - hashconfig->dgst_pos0 = 0; - hashconfig->dgst_pos1 = 1; - hashconfig->dgst_pos2 = 2; - hashconfig->dgst_pos3 = 3; - hashconfig->st_hash = ST_HASH_13100; - hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN; - break; - case 13200: hashconfig->hash_type = HASH_TYPE_AES; hashconfig->salt_type = SALT_TYPE_EMBEDDED; hashconfig->attack_exec = ATTACK_EXEC_OUTSIDE_KERNEL; @@ -23998,7 +23818,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx) case 12001: hashconfig->esalt_size = sizeof (pbkdf2_sha1_t); break; case 12100: hashconfig->esalt_size = sizeof (pbkdf2_sha512_t); break; case 13000: hashconfig->esalt_size = sizeof (rar5_t); break; - case 13100: hashconfig->esalt_size = sizeof (krb5tgs_t); break; case 13400: hashconfig->esalt_size = sizeof (keepass_t); break; case 13500: hashconfig->esalt_size = sizeof (pstoken_t); break; case 13600: hashconfig->esalt_size = sizeof (zip2_t); break; diff --git a/src/modules/module_13100.c b/src/modules/module_13100.c new file mode 100644 index 000000000..dcaaee119 --- /dev/null +++ b/src/modules/module_13100.c @@ -0,0 +1,306 @@ +/** + * Author......: See docs/credits.txt + * License.....: MIT + */ + +#include "common.h" +#include "types.h" +#include "modules.h" +#include "bitops.h" +#include "convert.h" +#include "shared.h" + +static const u32 ATTACK_EXEC = ATTACK_EXEC_INSIDE_KERNEL; +static const u32 DGST_POS0 = 0; +static const u32 DGST_POS1 = 1; +static const u32 DGST_POS2 = 2; +static const u32 DGST_POS3 = 3; +static const u32 DGST_SIZE = DGST_SIZE_4_4; +static const u32 HASH_CATEGORY = HASH_CATEGORY_NETWORK_PROTOCOL; +static const char *HASH_NAME = "Kerberos 5 TGS-REP etype 23"; +static const u32 HASH_TYPE = HASH_TYPE_GENERIC; +static const u64 KERN_TYPE = 13100; +static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE + | OPTI_TYPE_NOT_ITERATED; +static const u64 OPTS_TYPE = OPTS_TYPE_STATE_BUFFER_LE + | OPTS_TYPE_PT_GENERATE_LE; +static const u32 PWDUMP_COLUMN = PWDUMP_COLUMN_NTLM_HASH; +static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED; +static const char *ST_PASS = "hashcat"; +static const char *ST_HASH = "$krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a"; + +u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; } +u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; } +u32 module_dgst_pos1 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1; } +u32 module_dgst_pos2 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2; } +u32 module_dgst_pos3 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3; } +u32 module_dgst_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE; } +u32 module_hash_category (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY; } +const char *module_hash_name (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME; } +u32 module_hash_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_TYPE; } +u64 module_kern_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE; } +u32 module_opti_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE; } +u64 module_opts_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE; } +u32 module_pwdump_column (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return PWDUMP_COLUMN; } +u32 module_salt_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE; } +const char *module_st_hash (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH; } +const char *module_st_pass (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS; } + +typedef struct krb5tgs +{ + u32 account_info[512]; + u32 checksum[4]; + u32 edata2[5120]; + u32 edata2_len; + +} krb5tgs_t; + +static const char *SIGNATURE_KRB5TGS = "$krb5tgs$23$"; + +u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) +{ + const u64 esalt_size = (const u64) sizeof (krb5tgs_t); + + return esalt_size; +} + +u32 module_kernel_threads_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) +{ + const u32 kernel_threads_min = 64; + + return kernel_threads_min; +} + +u32 module_kernel_threads_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) +{ + const u32 kernel_threads_max = 64; + + return kernel_threads_max; +} + +int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len) +{ + u32 *digest = (u32 *) digest_buf; + + krb5tgs_t *krb5tgs = (krb5tgs_t *) esalt_buf; + + token_t token; + + token.signatures_cnt = 1; + token.signatures_buf[0] = SIGNATURE_KRB5TGS; + + token.len[0] = 12; + token.attr[0] = TOKEN_ATTR_FIXED_LENGTH + | TOKEN_ATTR_VERIFY_SIGNATURE; + + /** + * $krb5tgs$23$checksum$edata2 + * $krb5tgs$23$*user*realm*spn*$checksum$edata2 + */ + + if (line_len < 16) return (PARSER_SALT_LENGTH); + + if (line_buf[12] == '*') + { + char *account_info_start = (char *) line_buf + 12; // we want the * char included + char *account_info_stop = strchr ((const char *) account_info_start + 1, '*'); + + if (account_info_stop == NULL) return (PARSER_SEPARATOR_UNMATCHED); + + account_info_stop++; // we want the * char included + account_info_stop++; // we want the $ char included + + const int account_info_len = account_info_stop - account_info_start; + + token.token_cnt = 4; + + token.len[1] = account_info_len; + token.attr[1] = TOKEN_ATTR_FIXED_LENGTH; + + token.sep[2] = '$'; + token.len_min[2] = 32; + token.len_max[2] = 32; + token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + token.sep[3] = '$'; + token.len_min[3] = 64; + token.len_max[3] = 40960; + token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + } + else + { + token.token_cnt = 3; + + token.sep[1] = '$'; + token.len_min[1] = 32; + token.len_max[1] = 32; + token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + token.sep[2] = '$'; + token.len_min[2] = 64; + token.len_max[2] = 40960; + token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + } + + const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token); + + if (rc_tokenizer != PARSER_OK) return (rc_tokenizer); + + const u8 *checksum_pos; + const u8 *data_pos; + + int data_len; + + if (line_buf[12] == '*') + { + checksum_pos = token.buf[2]; + + data_pos = token.buf[3]; + data_len = token.len[3]; + + memcpy (krb5tgs->account_info, token.buf[1], token.len[1]); + } + else + { + checksum_pos = token.buf[1]; + + data_pos = token.buf[2]; + data_len = token.len[2]; + + krb5tgs->account_info[0] = 0; + } + + krb5tgs->checksum[0] = hex_to_u32 (checksum_pos + 0); + krb5tgs->checksum[1] = hex_to_u32 (checksum_pos + 8); + krb5tgs->checksum[2] = hex_to_u32 (checksum_pos + 16); + krb5tgs->checksum[3] = hex_to_u32 (checksum_pos + 24); + + u8 *edata_ptr = (u8 *) krb5tgs->edata2; + + for (int i = 0; i < data_len; i += 2) + { + const u8 p0 = data_pos[i + 0]; + const u8 p1 = data_pos[i + 1]; + + *edata_ptr++ = hex_convert (p1) << 0 + | hex_convert (p0) << 4; + } + + krb5tgs->edata2_len = data_len / 2; + + /* this is needed for hmac_md5 */ + *edata_ptr++ = 0x80; + + salt->salt_buf[0] = krb5tgs->checksum[0]; + salt->salt_buf[1] = krb5tgs->checksum[1]; + salt->salt_buf[2] = krb5tgs->checksum[2]; + salt->salt_buf[3] = krb5tgs->checksum[3]; + + salt->salt_len = 16; + + digest[0] = krb5tgs->checksum[0]; + digest[1] = krb5tgs->checksum[1]; + digest[2] = krb5tgs->checksum[2]; + digest[3] = krb5tgs->checksum[3]; + + return (PARSER_OK); +} + +int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size) +{ + const u32 *digest = (const u32 *) digest_buf; + + const krb5tgs_t *krb5tgs = (const krb5tgs_t *) esalt_buf; + + char data[5120 * 4 * 2] = { 0 }; + + for (u32 i = 0, j = 0; i < krb5tgs->edata2_len; i += 1, j += 2) + { + u8 *ptr_edata2 = (u8 *) krb5tgs->edata2; + + sprintf (data + j, "%02x", ptr_edata2[i]); + } + + const int line_len = snprintf (line_buf, line_size, "%s%s%08x%08x%08x%08x$%s", + SIGNATURE_KRB5TGS, + (char *) krb5tgs->account_info, + byte_swap_32 (krb5tgs->checksum[0]), + byte_swap_32 (krb5tgs->checksum[1]), + byte_swap_32 (krb5tgs->checksum[2]), + byte_swap_32 (krb5tgs->checksum[3]), + data); + + return line_len; +} + +void module_init (module_ctx_t *module_ctx) +{ + module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT; + module_ctx->module_interface_version = MODULE_INTERFACE_VERSION_CURRENT; + + module_ctx->module_attack_exec = module_attack_exec; + module_ctx->module_benchmark_esalt = MODULE_DEFAULT; + module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT; + module_ctx->module_benchmark_mask = MODULE_DEFAULT; + module_ctx->module_benchmark_salt = MODULE_DEFAULT; + module_ctx->module_build_plain_postprocess = MODULE_DEFAULT; + module_ctx->module_deep_comp_kernel = MODULE_DEFAULT; + module_ctx->module_dgst_pos0 = module_dgst_pos0; + module_ctx->module_dgst_pos1 = module_dgst_pos1; + module_ctx->module_dgst_pos2 = module_dgst_pos2; + module_ctx->module_dgst_pos3 = module_dgst_pos3; + module_ctx->module_dgst_size = module_dgst_size; + module_ctx->module_dictstat_disable = MODULE_DEFAULT; + module_ctx->module_esalt_size = module_esalt_size; + module_ctx->module_extra_buffer_size = MODULE_DEFAULT; + module_ctx->module_forced_outfile_format = MODULE_DEFAULT; + module_ctx->module_hash_binary_count = MODULE_DEFAULT; + module_ctx->module_hash_binary_parse = MODULE_DEFAULT; + module_ctx->module_hash_binary_save = MODULE_DEFAULT; + module_ctx->module_hash_binary_verify = MODULE_DEFAULT; + module_ctx->module_hash_decode_outfile = MODULE_DEFAULT; + module_ctx->module_hash_decode_zero_hash = MODULE_DEFAULT; + module_ctx->module_hash_decode = module_hash_decode; + module_ctx->module_hash_encode_status = MODULE_DEFAULT; + module_ctx->module_hash_encode = module_hash_encode; + module_ctx->module_hash_init_selftest = MODULE_DEFAULT; + module_ctx->module_hash_mode = MODULE_DEFAULT; + module_ctx->module_hash_category = module_hash_category; + module_ctx->module_hash_name = module_hash_name; + module_ctx->module_hash_type = module_hash_type; + module_ctx->module_hlfmt_disable = MODULE_DEFAULT; + module_ctx->module_hook12 = MODULE_DEFAULT; + module_ctx->module_hook23 = MODULE_DEFAULT; + module_ctx->module_hook_salt_size = MODULE_DEFAULT; + module_ctx->module_hook_size = MODULE_DEFAULT; + module_ctx->module_jit_build_options = MODULE_DEFAULT; + module_ctx->module_kernel_accel_max = MODULE_DEFAULT; + module_ctx->module_kernel_accel_min = MODULE_DEFAULT; + module_ctx->module_kernel_loops_max = MODULE_DEFAULT; + module_ctx->module_kernel_loops_min = MODULE_DEFAULT; + module_ctx->module_kernel_threads_max = module_kernel_threads_max; + module_ctx->module_kernel_threads_min = module_kernel_threads_min; + module_ctx->module_kern_type = module_kern_type; + module_ctx->module_opti_type = module_opti_type; + module_ctx->module_opts_type = module_opts_type; + module_ctx->module_outfile_check_disable = MODULE_DEFAULT; + module_ctx->module_outfile_check_nocomp = MODULE_DEFAULT; + module_ctx->module_potfile_disable = MODULE_DEFAULT; + module_ctx->module_potfile_keep_all_hashes = MODULE_DEFAULT; + module_ctx->module_pwdump_column = module_pwdump_column; + module_ctx->module_pw_max = MODULE_DEFAULT; + module_ctx->module_pw_min = MODULE_DEFAULT; + module_ctx->module_salt_max = MODULE_DEFAULT; + module_ctx->module_salt_min = MODULE_DEFAULT; + module_ctx->module_salt_type = module_salt_type; + module_ctx->module_separator = MODULE_DEFAULT; + module_ctx->module_st_hash = module_st_hash; + module_ctx->module_st_pass = module_st_pass; + module_ctx->module_tmp_size = MODULE_DEFAULT; + module_ctx->module_unstable_warning = MODULE_DEFAULT; + module_ctx->module_warmup_disable = MODULE_DEFAULT; +} diff --git a/tools/test_modules/m13100.pm b/tools/test_modules/m13100.pm new file mode 100644 index 000000000..d54d9daf4 --- /dev/null +++ b/tools/test_modules/m13100.pm @@ -0,0 +1,123 @@ +#!/usr/bin/env perl + +## +## Author......: See docs/credits.txt +## License.....: MIT +## + +use strict; +use warnings; + +use Encode; +use Crypt::RC4; +use Digest::HMAC_MD5 qw (hmac_md5); +use Digest::MD4 qw (md4); +use Digest::MD5 qw (md5_hex); +use POSIX qw (strftime); + +sub module_constraints { [[0, 255], [16, 16], [0, 27], [16, 16], [-1, -1]] } + +sub module_generate_hash +{ + my $word = shift; + my $salt = shift; + my $user = shift // "user"; + my $realm = shift // "realm"; + my $spn = shift // "test/spn"; + my $checksum = shift; + my $edata2 = shift; + + my $k = md4 (encode ("UTF-16LE", $word)); + + my $k1 = hmac_md5 ("\x02\x00\x00\x00", $k); + + my $cleartext_ticket = '6381b03081ada00703050050a00000a11b3019a003020117a1'. + '12041058e0d77776e8b8e03991f2966939222aa2171b154d594b5242544553542e434f4e5'. + '44f534f2e434f4da3133011a003020102a10a30081b067472616e6365a40b3009a0030201'. + '01a1020400a511180f32303136303231353134343735305aa611180f32303136303231353'. + '134343735305aa711180f32303136303231363030343735305aa811180f32303136303232'. + '323134343735305a'; + + if (defined $checksum) + { + $checksum = pack ("H*", $checksum); + } + else + { + my $nonce = unpack ("H*", random_bytes (8)); + + $cleartext_ticket = $nonce . $cleartext_ticket; + + $checksum = hmac_md5 (pack ("H*", $cleartext_ticket), $k1); + } + + my $k3 = hmac_md5 ($checksum, $k1); + + if (defined $edata2) + { + my $cipher_decrypt = Crypt::RC4->new ($k3); + + my $ticket_decrypt = unpack ("H*", $cipher_decrypt->RC4 (pack ("H*", $edata2))); + + my $check_correct = ((substr ($ticket_decrypt, 16, 4) eq "6381" && substr ($ticket_decrypt, 22, 2) eq "30") || + (substr ($ticket_decrypt, 16, 4) eq "6382")) && + ((substr ($ticket_decrypt, 32, 6) eq "030500") || + (substr ($ticket_decrypt, 32, 8) eq "050307A0")); + + if ($check_correct == 1) + { + $cleartext_ticket = $ticket_decrypt; + } + else # validation failed + { + # fake/wrong ticket (otherwise if we just decrypt/encrypt we end up with false positives all the time) + $cleartext_ticket = "0" x (length ($cleartext_ticket) + 16); + } + } + + my $cipher = Crypt::RC4->new ($k3); + + $edata2 = $cipher->RC4 (pack ("H*", $cleartext_ticket)); + + my $tmp_hash = sprintf ('$krb5tgs$23$*%s$%s$%s*$%s$%s', $user, $realm, $spn, unpack ("H*", $checksum), unpack ("H*", $edata2)); + + return $tmp_hash; +} + +sub module_verify_hash +{ + my $line = shift; + + my ($hash, $word) = split (':', $line); + + return unless defined $hash; + return unless defined $word; + + my @data = split ('\$', $hash); + + return unless scalar @data == 8; + + shift @data; + + my $signature = shift @data; + my $algorithm = shift @data; + my $user = shift @data; + $user = substr ($user, 1); + my $realm = shift @data; + my $spn = shift @data; + $spn = substr ($spn, 0, length ($spn) - 1); + my $checksum = shift @data; + my $edata2 = shift @data; + + return unless ($signature eq "krb5tgs"); + return unless (length ($checksum) == 32); + return unless (length ($edata2) >= 64); + + my $word_packed = pack_if_HEX_notation ($word); + + my $new_hash = module_generate_hash ($word_packed, undef, $user, $realm, $spn, $checksum, $edata2); + + return ($new_hash, $word); +} + +1;