
Fix crealm tgt/tgs rep when decoding #45

Open. Wants to merge 1 commit into base: main.
Conversation

CravateRouge (Contributor):
When decoding a TGT/TGS from native format in to_tgt() and to_tgs(), the realm of the server is passed as the crealm instead of the user's realm. But as mentioned in the Windows specs:

crealm: A KerberosString that represents the realm in which the user account is located.

This was an issue when having to get referral tickets from multiple domains, e.g. user TREE2.LAB\Jane wants to access ldap/dc1.outsider.lab, there is a forest trust between BLOODY.CORP and OUTSIDER.LAB, and TREE2.LAB is a tree belonging to the BLOODY.CORP forest. Here is what happens:

getTGS.py -v --kirbi jane_bloody_tree.kirbi 'kerberos+password://tree2.lab\jane:[email protected]' 'krbtgt/[email protected]' 

Realm        : TREE2.LAB
Sname        : krbtgt/BLOODY.CORP
UserName     : jane
UserRealm    : TREE2.LAB
StartTime    : 2024-12-01 11:16:28+00:00
EndTime      : 2024-12-01 21:15:33+00:00
RenewTill    : 2024-12-02 11:15:32+00:00
Flags        : enc-pa-rep, renewable, ok-as-delegate, forwardable, pre-authent
Keytype      : 23
Key          : JbLM5dXjr0X90BDvEgY51w==

getTGS.py -v --kirbi jane_outsider_bloody.kirbi 'kerberos+kirbi://tree2.lab\jane:[email protected]' 'krbtgt/[email protected]' 

Realm        : BLOODY.CORP
Sname        : krbtgt/OUTSIDER.LAB
UserName     : jane
UserRealm    : TREE2.LAB
StartTime    : 2024-12-01 11:24:42+00:00
EndTime      : 2024-12-01 21:15:33+00:00
RenewTill    : 2024-12-02 11:15:32+00:00
Flags        : forwardable, enc-pa-rep, renewable, pre-authent
Keytype      : 23
Key          : 9FuHBqcps8EeaagwmvO3cg==

getTGS.py -v --kirbi jane_ldap_outsider.kirbi 'kerberos+kirbi://tree2.lab\jane:[email protected]' 'ldap/[email protected]' 
Traceback (most recent call last):
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/examples/getTGS.py", line 57, in <module>
    main()
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/examples/getTGS.py", line 54, in main
    asyncio.run(getTGS(args.kerberos_url, args.spn, args.kirbi, args.ccache, args.cross_domain))
  File "/usr/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/examples/getTGS.py", line 22, in getTGS
    tgs, encpart, key = await client.get_TGS(spn)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/aioclient.py", line 449, in get_TGS
    raise KerberosError(rep, 'get_TGS failed!')
minikerberos.protocol.errors.KerberosError: get_TGS failed! Error Name: KRB_AP_ERR_BADMATCH Detail: "The ticket and authenticator do not match"

At the end we get KRB_AP_ERR_BADMATCH "The ticket and authenticator do not match" because the server realm of the ticket, provided as the crealm for the authenticator, is BLOODY.CORP, but the real user realm is TREE2.LAB, which is the value of the crealm in the encrypted part of the ticket, so there is a mismatch between the authenticator and the ticket and the server rejects our request.

The PR changes that by assigning the user realm instead of the server realm to the TGT/TGS rep when decoding the ticket from native to Python.
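To make the mismatch concrete, the following is an added Python model of the check described above; it is example code written for this page, not minikerberos code or API. The class and function names (Ticket, KdcRep, to_tgt_buggy, to_tgt_fixed, ap_req_check, walk_referral_chain) are constructed for the example, and the initial TGT hop from TREE2.LAB is assumed, since the page starts from an existing .kirbi file. It replays the three requests from the page with both decoders and shows that only the cross-forest hop breaks the old one.

```python
from dataclasses import dataclass

# Illustrative model of the RFC 4120 structures involved. The field names follow
# the protocol, but these classes and functions are constructed for this example
# and are not minikerberos types or API.

KRB_AP_ERR_BADMATCH = 36  # RFC 4120: "The ticket and authenticator do not match"


class KerberosError(Exception):
    def __init__(self, code, detail):
        super().__init__(f"error {code}: {detail}")
        self.code = code


@dataclass(frozen=True)
class Ticket:
    realm: str       # plaintext Ticket.realm: the realm of the KDC that issued it (server side)
    sname: str       # service principal the ticket is for
    enc_crealm: str  # EncTicketPart.crealm: the user's realm, readable only with the service key
    enc_cname: str   # EncTicketPart.cname


@dataclass(frozen=True)
class KdcRep:
    crealm: str      # AS-REP/TGS-REP crealm: the realm the user account lives in
    cname: str
    ticket: Ticket


def to_tgt_buggy(rep):
    """Decode as the PR text describes the old behaviour: server realm used as crealm."""
    return {"crealm": rep.ticket.realm, "cname": rep.cname, "ticket": rep.ticket}


def to_tgt_fixed(rep):
    """Decode as the PR proposes: the user's realm from the reply is the crealm."""
    return {"crealm": rep.crealm, "cname": rep.cname, "ticket": rep.ticket}


def ap_req_check(cred):
    """What the receiving KDC does with the AP-REQ inside a TGS-REQ: the authenticator's
    crealm/cname (built from the client's credential) must equal EncTicketPart.crealm/cname
    (RFC 4120 section 3.2.3), otherwise KRB_AP_ERR_BADMATCH."""
    ticket = cred["ticket"]
    if cred["crealm"] != ticket.enc_crealm or cred["cname"] != ticket.enc_cname:
        raise KerberosError(KRB_AP_ERR_BADMATCH, "The ticket and authenticator do not match")
    return True


def walk_referral_chain(to_tgt):
    """Replay the page's three requests with the given decoder.

    Each KDC is modelled as: check the AP-REQ, then issue a ticket whose plaintext realm
    is the issuing KDC's realm and whose encrypted part names the real user.
    Returns (list of (issuing realm, sname) obtained, (kdc realm, error code) or None).
    """
    user_realm, user = "TREE2.LAB", "jane"
    # Initial TGT from the user's own KDC; assumed here, the page starts from a .kirbi file.
    cred = to_tgt(KdcRep(user_realm, user,
                         Ticket(user_realm, "krbtgt/TREE2.LAB", user_realm, user)))
    issued = []
    for spn in ("krbtgt/BLOODY.CORP", "krbtgt/OUTSIDER.LAB", "ldap/dc1.outsider.lab"):
        # A krbtgt/X ticket is presented to the KDC of realm X.
        kdc_realm = cred["ticket"].sname.split("/", 1)[1]
        try:
            ap_req_check(cred)
        except KerberosError as err:
            return issued, (kdc_realm, err.code)
        rep = KdcRep(user_realm, user, Ticket(kdc_realm, spn, user_realm, user))
        issued.append((kdc_realm, spn))
        cred = to_tgt(rep)
    return issued, None


if __name__ == "__main__":
    for name, decoder in (("buggy", to_tgt_buggy), ("fixed", to_tgt_fixed)):
        issued, failure = walk_referral_chain(decoder)
        print(name, "->", [s for _, s in issued], "failure:", failure)
```

With the old decoder the first two hops pass only because the issuing realm happens to equal the user's realm (TREE2.LAB); once BLOODY.CORP issues the krbtgt/OUTSIDER.LAB referral, the decoded crealm drifts to BLOODY.CORP and the OUTSIDER.LAB KDC answers KRB_AP_ERR_BADMATCH. Taking crealm from the KDC reply keeps it at TREE2.LAB across every hop.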

@CravateRouge (Contributor, Author):

@skelsec any news on this?
