File: kerb_validation_info.go

package info (click to toggle)
golang-gopkg-jcmturner-gokrb5.v5 5.3.0%2Bdfsg-2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, bullseye-backports, sid
  • size: 1,168 kB
  • sloc: makefile: 2
file content (291 lines) | stat: -rw-r--r-- 9,857 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
// Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing.
package pac

import (
	"errors"
	"fmt"

	"gopkg.in/jcmturner/gokrb5.v5/mstypes"
	"gopkg.in/jcmturner/rpc.v0/ndr"
)

// KERB_VALIDATION_INFO flags.
const (
	USERFLAG_GUEST                                    = 31 // Authentication was done via the GUEST account; no password was used.
	USERFLAG_NO_ENCRYPTION_AVAILABLE                  = 30 // No encryption is available.
	USERFLAG_LAN_MANAGER_KEY                          = 28 // LAN Manager key was used for authentication.
	USERFLAG_SUB_AUTH                                 = 25 // Sub-authentication used; session key came from the sub-authentication package.
	USERFLAG_EXTRA_SIDS                               = 26 // Indicates that the ExtraSids field is populated and contains additional SIDs.
	USERFLAG_MACHINE_ACCOUNT                          = 24 // Indicates that the account is a machine account.
	USERFLAG_DC_NTLM2                                 = 23 // Indicates that the domain controller understands NTLMv2.
	USERFLAG_RESOURCE_GROUPIDS                        = 22 // Indicates that the ResourceGroupIds field is populated.
	USERFLAG_PROFILEPATH                              = 21 // Indicates that ProfilePath is populated.
	USERFLAG_NTLM2_NTCHALLENGERESP                    = 20 // The NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and session key generation.
	USERFLAG_LM2_LMCHALLENGERESP                      = 19 // The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and session key generation.
	USERFLAG_AUTH_LMCHALLENGERESP_KEY_NTCHALLENGERESP = 18 // The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and the NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used session key generation.
)

// KerbValidationInfo implement https://msdn.microsoft.com/en-us/library/cc237948.aspx
type KerbValidationInfo struct {
	LogOnTime               mstypes.FileTime
	LogOffTime              mstypes.FileTime
	KickOffTime             mstypes.FileTime
	PasswordLastSet         mstypes.FileTime
	PasswordCanChange       mstypes.FileTime
	PasswordMustChange      mstypes.FileTime
	EffectiveName           mstypes.RPCUnicodeString
	FullName                mstypes.RPCUnicodeString
	LogonScript             mstypes.RPCUnicodeString
	ProfilePath             mstypes.RPCUnicodeString
	HomeDirectory           mstypes.RPCUnicodeString
	HomeDirectoryDrive      mstypes.RPCUnicodeString
	LogonCount              uint16
	BadPasswordCount        uint16
	UserID                  uint32
	PrimaryGroupID          uint32
	GroupCount              uint32
	pGroupIDs               uint32
	GroupIDs                []mstypes.GroupMembership
	UserFlags               uint32
	UserSessionKey          mstypes.UserSessionKey
	LogonServer             mstypes.RPCUnicodeString
	LogonDomainName         mstypes.RPCUnicodeString
	pLogonDomainID          uint32
	LogonDomainID           mstypes.RPCSID
	Reserved1               []uint32 // Has 2 elements
	UserAccountControl      uint32
	SubAuthStatus           uint32
	LastSuccessfulILogon    mstypes.FileTime
	LastFailedILogon        mstypes.FileTime
	FailedILogonCount       uint32
	Reserved3               uint32
	SIDCount                uint32
	pExtraSIDs              uint32
	ExtraSIDs               []mstypes.KerbSidAndAttributes
	pResourceGroupDomainSID uint32
	ResourceGroupDomainSID  mstypes.RPCSID
	ResourceGroupCount      uint32
	pResourceGroupIDs       uint32
	ResourceGroupIDs        []mstypes.GroupMembership
}

// Unmarshal bytes into the DeviceInfo struct
func (k *KerbValidationInfo) Unmarshal(b []byte) (err error) {
	ch, _, p, err := ndr.ReadHeaders(&b)
	if err != nil {
		return fmt.Errorf("error parsing byte stream headers: %v", err)
	}
	e := &ch.Endianness

	//The next 4 bytes are an RPC unique pointer referent. We just skip these
	p += 4

	k.LogOnTime = mstypes.ReadFileTime(&b, &p, e)
	k.LogOffTime = mstypes.ReadFileTime(&b, &p, e)
	k.KickOffTime = mstypes.ReadFileTime(&b, &p, e)
	k.PasswordLastSet = mstypes.ReadFileTime(&b, &p, e)
	k.PasswordCanChange = mstypes.ReadFileTime(&b, &p, e)
	k.PasswordMustChange = mstypes.ReadFileTime(&b, &p, e)

	if k.EffectiveName, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}
	if k.FullName, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}
	if k.LogonScript, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}
	if k.ProfilePath, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}
	if k.HomeDirectory, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}
	if k.HomeDirectoryDrive, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}

	k.LogonCount = ndr.ReadUint16(&b, &p, e)
	k.BadPasswordCount = ndr.ReadUint16(&b, &p, e)
	k.UserID = ndr.ReadUint32(&b, &p, e)
	k.PrimaryGroupID = ndr.ReadUint32(&b, &p, e)
	k.GroupCount = ndr.ReadUint32(&b, &p, e)
	k.pGroupIDs = ndr.ReadUint32(&b, &p, e)

	k.UserFlags = ndr.ReadUint32(&b, &p, e)
	k.UserSessionKey = mstypes.ReadUserSessionKey(&b, &p, e)

	if k.LogonServer, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}
	if k.LogonDomainName, err = mstypes.ReadRPCUnicodeString(&b, &p, e); err != nil {
		return
	}

	k.pLogonDomainID = ndr.ReadUint32(&b, &p, e)

	k.Reserved1 = []uint32{
		ndr.ReadUint32(&b, &p, e),
		ndr.ReadUint32(&b, &p, e),
	}

	k.UserAccountControl = ndr.ReadUint32(&b, &p, e)
	k.SubAuthStatus = ndr.ReadUint32(&b, &p, e)
	k.LastSuccessfulILogon = mstypes.ReadFileTime(&b, &p, e)
	k.LastFailedILogon = mstypes.ReadFileTime(&b, &p, e)
	k.FailedILogonCount = ndr.ReadUint32(&b, &p, e)
	k.Reserved3 = ndr.ReadUint32(&b, &p, e)

	k.SIDCount = ndr.ReadUint32(&b, &p, e)
	k.pExtraSIDs = ndr.ReadUint32(&b, &p, e)

	k.pResourceGroupDomainSID = ndr.ReadUint32(&b, &p, e)
	k.ResourceGroupCount = ndr.ReadUint32(&b, &p, e)
	k.pResourceGroupIDs = ndr.ReadUint32(&b, &p, e)

	// Populate pointers
	if err = k.EffectiveName.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	if err = k.FullName.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	if err = k.LogonScript.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	if err = k.ProfilePath.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	if err = k.HomeDirectory.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	if err = k.HomeDirectoryDrive.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	var ah ndr.ConformantArrayHeader
	if k.GroupCount > 0 {
		ah, err = ndr.ReadUniDimensionalConformantArrayHeader(&b, &p, e)
		if err != nil {
			return
		}
		if ah.MaxCount != int(k.GroupCount) {
			err = errors.New("error with size of group list")
			return
		}
		g := make([]mstypes.GroupMembership, k.GroupCount, k.GroupCount)
		for i := range g {
			g[i] = mstypes.ReadGroupMembership(&b, &p, e)
		}
		k.GroupIDs = g
	}

	if err = k.LogonServer.UnmarshalString(&b, &p, e); err != nil {
		return
	}
	if err = k.LogonDomainName.UnmarshalString(&b, &p, e); err != nil {
		return
	}

	if k.pLogonDomainID != 0 {
		k.LogonDomainID, err = mstypes.ReadRPCSID(&b, &p, e)
		if err != nil {
			return fmt.Errorf("error reading LogonDomainID: %v", err)
		}
	}

	if k.SIDCount > 0 {
		ah, err = ndr.ReadUniDimensionalConformantArrayHeader(&b, &p, e)
		if err != nil {
			return
		}
		if ah.MaxCount != int(k.SIDCount) {
			return fmt.Errorf("error with size of ExtraSIDs list. Expected: %d, Actual: %d", k.SIDCount, ah.MaxCount)
		}
		es := make([]mstypes.KerbSidAndAttributes, k.SIDCount, k.SIDCount)
		attr := make([]uint32, k.SIDCount, k.SIDCount)
		ptr := make([]uint32, k.SIDCount, k.SIDCount)
		for i := range attr {
			ptr[i] = ndr.ReadUint32(&b, &p, e)
			attr[i] = ndr.ReadUint32(&b, &p, e)
		}
		for i := range es {
			if ptr[i] != 0 {
				s, err := mstypes.ReadRPCSID(&b, &p, e)
				es[i] = mstypes.KerbSidAndAttributes{SID: s, Attributes: attr[i]}
				if err != nil {
					return ndr.Malformed{EText: fmt.Sprintf("could not read ExtraSIDs: %v", err)}
				}
			}
		}
		k.ExtraSIDs = es
	}

	if k.pResourceGroupDomainSID != 0 {
		k.ResourceGroupDomainSID, err = mstypes.ReadRPCSID(&b, &p, e)
		if err != nil {
			return err
		}
	}

	if k.ResourceGroupCount > 0 {
		ah, err = ndr.ReadUniDimensionalConformantArrayHeader(&b, &p, e)
		if err != nil {
			return
		}
		if ah.MaxCount != int(k.ResourceGroupCount) {
			return fmt.Errorf("error with size of ResourceGroup list. Expected: %d, Actual: %d", k.ResourceGroupCount, ah.MaxCount)
		}
		g := make([]mstypes.GroupMembership, k.ResourceGroupCount, k.ResourceGroupCount)
		for i := range g {
			g[i] = mstypes.ReadGroupMembership(&b, &p, e)
		}
		k.ResourceGroupIDs = g
	}

	//Check that there is only zero padding left
	if len(b) >= p {
		for _, v := range b[p:] {
			if v != 0 {
				return ndr.Malformed{EText: "non-zero padding left over at end of data stream"}
			}
		}
	}

	return nil
}

// GetGroupMembershipSIDs returns a slice of strings containing the group membership SIDs found in the PAC.
func (k *KerbValidationInfo) GetGroupMembershipSIDs() []string {
	var g []string
	lSID := k.LogonDomainID.ToString()
	for i := range k.GroupIDs {
		g = append(g, fmt.Sprintf("%s-%d", lSID, k.GroupIDs[i].RelativeID))
	}
	for _, s := range k.ExtraSIDs {
		var exists = false
		for _, es := range g {
			if es == s.SID.ToString() {
				exists = true
				break
			}
		}
		if !exists {
			g = append(g, s.SID.ToString())
		}
	}
	for _, r := range k.ResourceGroupIDs {
		var exists = false
		s := fmt.Sprintf("%s-%d", k.ResourceGroupDomainSID.ToString(), r.RelativeID)
		for _, es := range g {
			if es == s {
				exists = true
				break
			}
		}
		if !exists {
			g = append(g, s)
		}
	}
	return g
}