pac

package
v2.0.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 30, 2017 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing.

Index

Constants

View Source
const (
	// NTLMSupCredLMOWF indicates that the LM OWF member is present and valid.
	NTLMSupCredLMOWF = 31
	// NTLMSupCredNTOWF indicates that the NT OWF member is present and valid.
	NTLMSupCredNTOWF = 30
)
View Source
const (
	USERFLAG_GUEST                                    = 31 // Authentication was done via the GUEST account; no password was used.
	USERFLAG_NO_ENCRYPTION_AVAILABLE                  = 30 // No encryption is available.
	USERFLAG_LAN_MANAGER_KEY                          = 28 // LAN Manager key was used for authentication.
	USERFLAG_SUB_AUTH                                 = 25 // Sub-authentication used; session key came from the sub-authentication package.
	USERFLAG_EXTRA_SIDS                               = 26 // Indicates that the ExtraSids field is populated and contains additional SIDs.
	USERFLAG_MACHINE_ACCOUNT                          = 24 // Indicates that the account is a machine account.
	USERFLAG_DC_NTLM2                                 = 23 // Indicates that the domain controller understands NTLMv2.
	USERFLAG_RESOURCE_GROUPIDS                        = 22 // Indicates that the ResourceGroupIds field is populated.
	USERFLAG_PROFILEPATH                              = 21 // Indicates that ProfilePath is populated.
	USERFLAG_NTLM2_NTCHALLENGERESP                    = 20 // The NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and session key generation.
	USERFLAG_LM2_LMCHALLENGERESP                      = 19 // The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and session key generation.
	USERFLAG_AUTH_LMCHALLENGERESP_KEY_NTCHALLENGERESP = 18 // The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and the NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used session key generation.
)

KERB_VALIDATION_INFO flags.

Variables

This section is empty.

Functions

This section is empty.

Types

type ClientClaimsInfo

type ClientClaimsInfo struct {
	Claims mstypes.ClaimsSetMetadata
}

ClientClaimsInfo implements https://msdn.microsoft.com/en-us/library/hh536365.aspx

func (*ClientClaimsInfo) Unmarshal

func (k *ClientClaimsInfo) Unmarshal(b []byte) error

Unmarshal bytes into the ClientClaimsInfo struct

type ClientInfo

type ClientInfo struct {
	ClientID   mstypes.FileTime // A FILETIME structure in little-endian format that contains the Kerberos initial ticket-granting ticket TGT authentication time
	NameLength uint16           // An unsigned 16-bit integer in little-endian format that specifies the length, in bytes, of the Name field.
	Name       string           // An array of 16-bit Unicode characters in little-endian format that contains the client's account name.
}

ClientInfo implements https://msdn.microsoft.com/en-us/library/cc237951.aspx

func (*ClientInfo) Unmarshal

func (k *ClientInfo) Unmarshal(b []byte) error

Unmarshal bytes into the ClientInfo struct

type CredentialData

type CredentialData struct {
	CredentialCount uint32
	Credentials     []SECPKGSupplementalCred // Size is the value of CredentialCount
}

CredentialData implements https://msdn.microsoft.com/en-us/library/cc237952.aspx This structure is encrypted prior to being encoded in any other structures. Encryption is performed by first serializing the data structure via Network Data Representation (NDR) encoding, as specified in [MS-RPCE]. Once serialized, the data is encrypted using the key and cryptographic system selected through the AS protocol and the KRB_AS_REP message Fields (for capturing this information) and cryptographic parameters are specified in PAC_CREDENTIAL_INFO (section 2.6.1).

func ReadPACCredentialData

func ReadPACCredentialData(b *[]byte, p *int, e *binary.ByteOrder) CredentialData

ReadPACCredentialData reads a CredentialData from the byte slice.

type CredentialsInfo

type CredentialsInfo struct {
	Version                    uint32 // A 32-bit unsigned integer in little-endian format that defines the version. MUST be 0x00000000.
	EType                      uint32
	PACCredentialDataEncrypted []byte // Key usage number for encryption: KERB_NON_KERB_SALT (16)
	PACCredentialData          CredentialData
}

CredentialsInfo implements https://msdn.microsoft.com/en-us/library/cc237953.aspx

func (*CredentialsInfo) DecryptEncPart

func (c *CredentialsInfo) DecryptEncPart(k types.EncryptionKey, e *binary.ByteOrder) error

DecryptEncPart decrypts the encrypted part of the CredentialsInfo.

func (*CredentialsInfo) Unmarshal

func (c *CredentialsInfo) Unmarshal(b []byte, k types.EncryptionKey) error

Unmarshal bytes into the CredentialsInfo struct

type DeviceClaimsInfo

type DeviceClaimsInfo struct {
	Claims mstypes.ClaimsSetMetadata
}

DeviceClaimsInfo implements https://msdn.microsoft.com/en-us/library/hh554226.aspx

func (*DeviceClaimsInfo) Unmarshal

func (k *DeviceClaimsInfo) Unmarshal(b []byte) error

Unmarshal bytes into the DeviceClaimsInfo struct

type DeviceInfo

type DeviceInfo struct {
	UserID            uint32                          // A 32-bit unsigned integer that contains the RID of the account. If the UserId member equals 0x00000000, the first group SID in this member is the SID for this account.
	PrimaryGroupID    uint32                          // A 32-bit unsigned integer that contains the RID for the primary group to which this account belongs.
	AccountDomainID   mstypes.RPCSID                  // A SID structure that contains the SID for the domain of the account.This member is used in conjunction with the UserId, and GroupIds members to create the user and group SIDs for the client.
	AccountGroupCount uint32                          // A 32-bit unsigned integer that contains the number of groups within the account domain to which the account belongs
	AccountGroupIDs   []mstypes.GroupMembership       // A pointer to a list of GROUP_MEMBERSHIP (section 2.2.2) structures that contains the groups to which the account belongs in the account domain. The number of groups in this list MUST be equal to GroupCount.
	SIDCount          uint32                          // A 32-bit unsigned integer that contains the total number of SIDs present in the ExtraSids member.
	ExtraSIDs         []mstypes.KerbSidAndAttributes  // A pointer to a list of KERB_SID_AND_ATTRIBUTES structures that contain a list of SIDs corresponding to groups not in domains. If the UserId member equals 0x00000000, the first group SID in this member is the SID for this account.
	DomainGroupCount  uint32                          // A 32-bit unsigned integer that contains the number of domains with groups to which the account belongs.
	DomainGroup       []mstypes.DomainGroupMembership // A pointer to a list of DOMAIN_GROUP_MEMBERSHIP structures (section 2.2.3) that contains the domains to which the account belongs to a group. The number of sets in this list MUST be equal to DomainCount.
}

DeviceInfo implements https://msdn.microsoft.com/en-us/library/hh536402.aspx

func (*DeviceInfo) Unmarshal

func (k *DeviceInfo) Unmarshal(b []byte) error

Unmarshal bytes into the DeviceInfo struct

type InfoBuffer

type InfoBuffer struct {
	ULType       uint32 // A 32-bit unsigned integer in little-endian format that describes the type of data present in the buffer contained at Offset.
	CBBufferSize uint32 // A 32-bit unsigned integer in little-endian format that contains the size, in bytes, of the buffer in the PAC located at Offset.
	Offset       uint64 // A 64-bit unsigned integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the PACTYPE structure. The data offset MUST be a multiple of eight. The following sections specify the format of each type of element.
}

InfoBuffer implements the PAC Info Buffer: https://msdn.microsoft.com/en-us/library/cc237954.aspx

func ReadPACInfoBuffer

func ReadPACInfoBuffer(b *[]byte, p *int, e *binary.ByteOrder) InfoBuffer

ReadPACInfoBuffer reads a InfoBuffer from the byte slice.

type KerbValidationInfo

type KerbValidationInfo struct {
	LogOnTime          mstypes.FileTime
	LogOffTime         mstypes.FileTime
	KickOffTime        mstypes.FileTime
	PasswordLastSet    mstypes.FileTime
	PasswordCanChange  mstypes.FileTime
	PasswordMustChange mstypes.FileTime
	EffectiveName      mstypes.RPCUnicodeString
	FullName           mstypes.RPCUnicodeString
	LogonScript        mstypes.RPCUnicodeString
	ProfilePath        mstypes.RPCUnicodeString
	HomeDirectory      mstypes.RPCUnicodeString
	HomeDirectoryDrive mstypes.RPCUnicodeString
	LogonCount         uint16
	BadPasswordCount   uint16
	UserID             uint32
	PrimaryGroupID     uint32
	GroupCount         uint32

	GroupIDs        []mstypes.GroupMembership
	UserFlags       uint32
	UserSessionKey  mstypes.UserSessionKey
	LogonServer     mstypes.RPCUnicodeString
	LogonDomainName mstypes.RPCUnicodeString

	LogonDomainID        mstypes.RPCSID
	Reserved1            []uint32 // Has 2 elements
	UserAccountControl   uint32
	SubAuthStatus        uint32
	LastSuccessfulILogon mstypes.FileTime
	LastFailedILogon     mstypes.FileTime
	FailedILogonCount    uint32
	Reserved3            uint32
	SIDCount             uint32

	ExtraSIDs []mstypes.KerbSidAndAttributes

	ResourceGroupDomainSID mstypes.RPCSID
	ResourceGroupCount     uint32

	ResourceGroupIDs []mstypes.GroupMembership
	// contains filtered or unexported fields
}

KerbValidationInfo implement https://msdn.microsoft.com/en-us/library/cc237948.aspx The KERB_VALIDATION_INFO structure defines the user's logon and authorization information provided by the DC. The KERB_VALIDATION_INFO structure is a subset of the NETLOGON_VALIDATION_SAM_INFO4 structure ([MS-NRPC] section 2.2.1.4.13). It is a subset due to historical reasons and to the use of the common Active Directory to generate this information. The KERB_VALIDATION_INFO structure is marshaled by RPC [MS-RPCE].

func (*KerbValidationInfo) GetGroupMembershipSIDs

func (k *KerbValidationInfo) GetGroupMembershipSIDs() []string

GetGroupMembershipSIDs returns a slice of strings containing the group membership SIDs found in the PAC.

func (*KerbValidationInfo) Unmarshal

func (k *KerbValidationInfo) Unmarshal(b []byte) (err error)

Unmarshal bytes into the DeviceInfo struct

type NTLMSupplementalCred

type NTLMSupplementalCred struct {
	Version    uint32 // A 32-bit unsigned integer that defines the credential version.This field MUST be 0x00000000.
	Flags      uint32
	LMPassword []byte // A 16-element array of unsigned 8-bit integers that define the LM OWF. The LmPassword member MUST be ignored if the L flag is not set in the Flags member.
	NTPassword []byte // A 16-element array of unsigned 8-bit integers that define the NT OWF. The LtPassword member MUST be ignored if the N flag is not set in the Flags member.
}

NTLMSupplementalCred implements https://msdn.microsoft.com/en-us/library/cc237949.aspx

func ReadNTLMSupplementalCred

func ReadNTLMSupplementalCred(b *[]byte, p *int, e *binary.ByteOrder) NTLMSupplementalCred

ReadNTLMSupplementalCred reads a NTLMSupplementalCred from the byte slice.

type PACType

type PACType struct {
	CBuffers           uint32
	Version            uint32
	Buffers            []InfoBuffer
	Data               []byte
	KerbValidationInfo *KerbValidationInfo
	CredentialsInfo    *CredentialsInfo
	ServerChecksum     *SignatureData
	KDCChecksum        *SignatureData
	ClientInfo         *ClientInfo
	S4UDelegationInfo  *S4UDelegationInfo
	UPNDNSInfo         *UPNDNSInfo
	ClientClaimsInfo   *ClientClaimsInfo
	DeviceInfo         *DeviceInfo
	DeviceClaimsInfo   *DeviceClaimsInfo
	ZeroSigData        []byte
}

PACType implements: https://msdn.microsoft.com/en-us/library/cc237950.aspx

func (*PACType) ProcessPACInfoBuffers

func (pac *PACType) ProcessPACInfoBuffers(key types.EncryptionKey) error

ProcessPACInfoBuffers processes the PAC Info Buffers. https://msdn.microsoft.com/en-us/library/cc237954.aspx

func (*PACType) Unmarshal

func (pac *PACType) Unmarshal(b []byte) error

Unmarshal bytes into the PACType struct

type S4UDelegationInfo

type S4UDelegationInfo struct {
	S4U2proxyTarget      mstypes.RPCUnicodeString // The name of the principal to whom the application can forward the ticket.
	TransitedListSize    uint32
	S4UTransitedServices []mstypes.RPCUnicodeString // List of all services that have been delegated through by this client and subsequent services or servers.. Size is value of TransitedListSize
}

S4UDelegationInfo implements https://msdn.microsoft.com/en-us/library/cc237944.aspx

func (*S4UDelegationInfo) Unmarshal

func (k *S4UDelegationInfo) Unmarshal(b []byte) error

Unmarshal bytes into the S4UDelegationInfo struct

type SECPKGSupplementalCred

type SECPKGSupplementalCred struct {
	PackageName    mstypes.RPCUnicodeString
	CredentialSize uint32
	Credentials    []uint8 // Is a ptr. Size is the value of CredentialSize
}

SECPKGSupplementalCred implements https://msdn.microsoft.com/en-us/library/cc237956.aspx

func ReadSECPKGSupplementalCred

func ReadSECPKGSupplementalCred(b *[]byte, p *int, e *binary.ByteOrder) SECPKGSupplementalCred

ReadSECPKGSupplementalCred reads a SECPKGSupplementalCred from the byte slice.

type SignatureData

type SignatureData struct {
	SignatureType  uint32 // A 32-bit unsigned integer value in little-endian format that defines the cryptographic system used to calculate the checksum. This MUST be one of the following checksum types: KERB_CHECKSUM_HMAC_MD5 (signature size = 16), HMAC_SHA1_96_AES128 (signature size = 12), HMAC_SHA1_96_AES256 (signature size = 12).
	Signature      []byte // Size depends on the type. See comment above.
	RODCIdentifier uint16 // A 16-bit unsigned integer value in little-endian format that contains the first 16 bits of the key version number ([MS-KILE] section 3.1.5.8) when the KDC is an RODC. When the KDC is not an RODC, this field does not exist.
}

SignatureData implements https://msdn.microsoft.com/en-us/library/cc237955.aspx

func (*SignatureData) Unmarshal

func (k *SignatureData) Unmarshal(b []byte) ([]byte, error)

Unmarshal bytes into the SignatureData struct

type UPNDNSInfo

type UPNDNSInfo struct {
	UPNLength           uint16 // An unsigned 16-bit integer in little-endian format that specifies the length, in bytes, of the UPN field.
	UPNOffset           uint16 // An unsigned 16-bit integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the UPN_DNS_INFO structure.
	DNSDomainNameLength uint16
	DNSDomainNameOffset uint16
	Flags               uint32
	UPN                 string
	DNSDomain           string
}

UPNDNSInfo implements https://msdn.microsoft.com/en-us/library/dd240468.aspx

func (*UPNDNSInfo) Unmarshal

func (k *UPNDNSInfo) Unmarshal(b []byte) error

Unmarshal bytes into the UPN_DNSInfo struct

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL