[Original] CVE-2021-42287: Root-Cause Analysis of the Windows Domain Privilege Escalation Vulnerability
Posted 2022-5-17 14:57

This article is based mainly on debugging Windows Server 2003 and analyses the root cause of the vulnerability.
Reading it requires some Kerberos background and the ability to read and debug Windows source. Reading alone may not be enough to grasp the key points; following along in a debugger helps.
This is my first post; if anything in the format or content is wrong, corrections are welcome.

The vulnerabilities involved are CVE-2021-42278 and CVE-2021-42287.

CVE-2021-42278: Normally a machine account's sAMAccountName ends in `$`, e.g. DC$,
but Active Directory does not enforce this strictly. By creating a machine account with the same name as the domain controller but without the trailing `$` (i.e. DC), the domain controller can be spoofed.

CVE-2021-42287: Using the spoofing above, the attacker requests a TGT as DC and then renames the machine account back. Next, using the Kerberos S4U2self extension, it requests a service ticket (ST) for "itself" (DC). Because the account has since been renamed, the KDC cannot find DC; it falls back to DC$, encrypts the ST with DC$'s key, and embeds a PAC for the user named in the request. The result is a high-privilege ST: a ticket for the domain controller that carries the requested user's PAC.

Domain controller: Windows Server 2003, checked (debug) build
Attacker machine: Windows 7 x64 SP1
Weaponised tooling: https://github.com/cube0x0/noPac

ADExplorer64 from the Sysinternals Suite is used to list all machine accounts in the domain.

(Figure: ADExplorer listing of the domain's machine accounts.)

The screenshot shows that the domain controller's machine account is WINSRVSERVER$; WINSRVSERVER will be used below as the machine account name for the spoofing.

The preparatory steps are not the focus of this article and can be studied in the noPac project. The relevant part of noPac creates a machine account, clears its servicePrincipalName attribute, and then sets its sAMAccountName to the domain controller's host name (the FQDN with the domain suffix stripped, and no trailing `$`):

```csharp
// noPac: create a new machine account using the supplied credentials
NewMachineAccount(argContainer, argDistinguishedName, argDomain, argDomainController, argMachineAccount, argMachinePassword, argVerbose, argRandom, credential);

// noPac: clear the servicePrincipalName attribute of the new account
SetMachineAccountAttribute(argContainer, argDistinguishedName, argDomain, argDomainController, "serviceprincipalname", argMachineAccount, "", false, true, argVerbose, credential);

// noPac: set sAMAccountName to the DC's host name (FQDN without the domain part), without a trailing '$'
SetMachineAccountAttribute(argContainer, argDistinguishedName, argDomain, argDomainController, "samaccountname", argMachineAccount, argDomainController.Split('.')[0], false, false, argVerbose, credential);
```

The TGT is requested using the renamed machine account, WINSRVSERVER.
The domain controller handles the AS-REQ in I_GetASTicket.
It first calls KdcNormalize to obtain the account's information, including UserInfo and ClientTicketInfo:

```c
/* I_GetASTicket: resolve the AS-REQ client name to an account */
KerbErr = KdcNormalize(
                ClientName,
                NULL,
                RequestRealm,
                NULL,           // no source ticket
                NameFlags | KDC_NAME_CLIENT | KDC_NAME_FOLLOW_REFERRALS | KDC_NAME_CHECK_GC,
                FALSE,          // do not restrict user accounts (user2user)
                &ClientReferral,
                ClientRealm,
                &ClientTicketInfo,
                pExtendedError,
                &UserHandle,
                WhichFields,
                0L,
                &UserInfo,
                &GroupMembership
                );
```

Keep this function in mind: the exploitation steps below revisit it in detail.

With the ClientTicketInfo obtained above, BuildTicketAS is called to generate the TGT. The call stack:

```
kd> kc
#
00 KDCSVC!BuildTicketAS
01 KDCSVC!I_GetASTicket
02 KDCSVC!KdcGetTicket
03 KDCSVC!KdcAtqIoCompletion
04 NTDSATQ!ATQ_CONTEXT::IOCompletion
05 NTDSATQ!AtqpProcessContext
06 NTDSATQ!AtqPoolThread
07 kernel32!BaseThreadStart
```

Inspecting the ClientTicketInfo and ClientName parameters shows that this TGT request is made as WINSRVSERVER (note UserId 0x472, the RID of the attacker-created account):

```
kd> dt ClientTicketInfo
Local var @ 0x332fa00 Type _KDC_TICKET_INFO*
0x0332fcb4
   +0x000 AccountName      : _UNICODE_STRING "WINSRVSERVER"
   +0x008 TrustedForest    : _UNICODE_STRING ""
   +0x010 PasswordExpires  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x018 fTicketOpts      : 0x7b
   +0x01c UserAccountControl : 0x80
   +0x020 UserId           : 0x472
   +0x024 TrustType        : 0
   +0x028 TrustAttributes  : 0
   +0x02c Passwords        : 0x0015eab8 _KERB_STORED_CREDENTIAL
   +0x030 OldPasswords     : 0x001522d0 _KERB_STORED_CREDENTIAL
   +0x034 TrustSid         : (null)
   +0x038 PasswordVersion  : 1
   +0x03c LockoutThreshold : 0
kd> dt ClientName
Local var @ 0x332fa04 Type KERB_PRINCIPAL_NAME*
0x00084c44
   +0x000 name_type        : 0n1
   +0x004 name_string      : 0x000c3360 KERB_PRINCIPAL_NAME_name_string_s
kd> dx -id 0,0,89c47a68 -r1 ((KDCSVC!KERB_PRINCIPAL_NAME_name_string_s *)0xc3360)
((KDCSVC!KERB_PRINCIPAL_NAME_name_string_s *)0xc3360)                 : 0xc3360 [Type: KERB_PRINCIPAL_NAME_name_string_s *]
    [+0x000] next             : 0x0 [Type: KERB_PRINCIPAL_NAME_name_string_s *]
    [+0x004] value            : 0xb45d8 : "WINSRVSERVER" [Type: char *]
```

After these functions complete, the generated ticket (the TGT) looks like this; note that authorization_data is still NULL:

```
kd> dt KERB_ENCRYPTED_TICKET 0x332fabc
KDCSVC!KERB_ENCRYPTED_TICKET
   +0x000 bit_mask         : 0xc0
   +0x000 o                : [1"???"
   +0x004 flags            : tagASN1bitstring_t
   +0x00c key              : KERB_ENCRYPTION_KEY
   +0x018 client_realm     : 0x000c5098  "WINTESTYU03.COM"
   +0x01c client_name      : KERB_PRINCIPAL_NAME
   +0x024 transited        : KERB_TRANSITED_ENCODING
   +0x030 authtime         : tagASN1generalizedtime_t
   +0x03e starttime        : tagASN1generalizedtime_t
   +0x04c endtime          : tagASN1generalizedtime_t
   +0x05a renew_until      : tagASN1generalizedtime_t
   +0x068 client_addresses : (null)
   +0x06c authorization_data : (null)
```

At this point no PAC has been added yet. KdcGetPacAuthData is called with the UserInfo obtained earlier to build the required PAC.
The PAC here is WINSRVSERVER's PAC, which is the normal flow. The authorization data element has auth_data_type 128 (AD-WIN2K-PAC) and carries a 0x260-byte PAC whose PACTYPE header lists four buffers: logon info (type 1, 0x1c0 bytes), client info (type 0x0a, 0x22 bytes), server checksum (type 6) and KDC checksum (type 7):

```
kd> dt AuthorizationData
Local var @ 0x332f9d0 Type PKERB_AUTHORIZATION_DATA_s
   +0x000 next             : (null)
   +0x004 value            : PKERB_AUTHORIZATION_DATA_Seq
kd> dx -id 0,0,89c47a68 -r1 (*((KDCSVC!PKERB_AUTHORIZATION_DATA_Seq *)0x332f9d4))
(*((KDCSVC!PKERB_AUTHORIZATION_DATA_Seq *)0x332f9d4))                 [Type: PKERB_AUTHORIZATION_DATA_Seq]
    [+0x000] auth_data_type   : 128 [Type: long]
    [+0x004] auth_data        [Type: tagASN1octetstring_t]
kd> dx -id 0,0,89c47a68 -r1 (*((KDCSVC!tagASN1octetstring_t *)0x332f9d8))
(*((KDCSVC!tagASN1octetstring_t *)0x332f9d8))                 [Type: tagASN1octetstring_t]
    [+0x000] length           : 0x260 [Type: unsigned long]
    [+0x004] value            : 0x16c828 : 0x4 [Type: unsigned char *]
kd> db 0x16c828 l 260
0016c828  04 00 00 00 00 00 00 00-01 00 00 00 c0 01 00 00  ................
0016c838  48 00 00 00 00 00 00 00-0a 00 00 00 22 00 00 00  H..........."...
0016c848  08 02 00 00 00 00 00 00-06 00 00 00 14 00 00 00  ................
0016c858  30 02 00 00 00 00 00 00-07 00 00 00 14 00 00 00  0...............
0016c868  48 02 00 00 00 00 00 00-01 10 08 00 cc cc cc cc  H...............
0016c878  b0 01 00 00 00 00 00 00-00 00 02 00 c2 dd c3 d9  ................
0016c888  0f f7 d7 01 ff ff ff ff-ff ff ff 7f ff ff ff ff  ................
0016c898  ff ff ff 7f 56 b9 d8 d7-0f f7 d7 01 56 79 42 02  ....V.......VyB.
0016c8a8  d9 f7 d7 01 ff ff ff ff-ff ff ff 7f 18 00 18 00  ................
0016c8b8  04 00 02 00 00 00 00 00-08 00 02 00 00 00 00 00  ................
0016c8c8  0c 00 02 00 00 00 00 00-10 00 02 00 00 00 00 00  ................
0016c8d8  14 00 02 00 00 00 00 00-18 00 02 00 01 00 00 00  ................
0016c8e8  72 04 00 00 03 02 00 00-01 00 00 00 1c 00 02 00  r...............
0016c8f8  20 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ...............
0016c908  00 00 00 00 18 00 1a 00-20 00 02 00 16 00 18 00  ........ .......
0016c918  24 00 02 00 28 00 02 00-00 00 00 00 00 00 00 00  $...(...........
0016c928  80 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0016c938  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0016c948  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0016c958  00 00 00 00 0c 00 00 00-00 00 00 00 0c 00 00 00  ................
0016c968  57 00 49 00 4e 00 53 00-52 00 56 00 53 00 45 00  W.I.N.S.R.V.S.E.
0016c978  52 00 56 00 45 00 52 00-00 00 00 00 00 00 00 00  R.V.E.R.........
0016c988  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0016c998  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0016c9a8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0016c9b8  00 00 00 00 01 00 00 00-03 02 00 00 07 00 00 00  ................
0016c9c8  0d 00 00 00 00 00 00 00-0c 00 00 00 57 00 49 00  ............W.I.
0016c9d8  4e 00 53 00 52 00 56 00-53 00 45 00 52 00 56 00  N.S.R.V.S.E.R.V.
0016c9e8  45 00 52 00 0c 00 00 00-00 00 00 00 0b 00 00 00  E.R.............
0016c9f8  52 00 45 00 4e 00 50 00-45 00 4e 00 47 00 59 00  W.I.N.T.E.S.T.Y.
0016ca08  55 00 30 00 33 00 00 00-04 00 00 00 01 04 00 00  U.0.3...........
0016ca18  00 00 00 05 15 00 00 00-db ac e2 f8 a5 b2 f3 d1  ................
0016ca28  a1 c4 3e 10 00 00 00 00-00 b4 a3 e5 0f f7 d7 01  ..>.............
0016ca38  18 00 57 00 49 00 4e 00-53 00 52 00 56 00 53 00  ..W.I.N.S.R.V.S.
0016ca48  45 00 52 00 56 00 45 00-52 00 00 00 00 00 00 00  E.R.V.E.R.......
0016ca58  76 ff ff ff c1 fc e6 ad-46 30 3f 05 5e ed 74 c0  v.......F0?.^.t.
0016ca68  20 7d c9 54 00 00 00 00-76 ff ff ff 42 e1 22 e3   }.T....v...B.".
0016ca78  3b 44 cd ee b7 d7 50 5f-2d f9 44 ab 00 00 00 00  ;D....P_-.D.....
```
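To make the dump easier to read, here is a small parser for the PAC container layout it shows (PACTYPE header, PAC_INFO_BUFFER array, PAC_CLIENT_INFO and PAC_SIGNATURE_DATA, as defined in MS-PAC). This is an added example, not code from the original post or from noPac. The sample PAC is constructed here with the same four buffers, sizes and order as the dump; the KERB_VALIDATION_INFO body is a zero placeholder (decoding its NDR encoding is out of scope), and the FILETIME value is the one at the start of the dump's PAC_CLIENT_INFO. The same helper can be pointed at the PAC in the final ST to confirm which identity it names: the post sees WINSRVSERVER in the TGT and Administrator in the ST.

```python
"""PAC container helper (added example): build and parse the PACTYPE layout from MS-PAC.
All sample data is constructed to mirror the post's debugger dump."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# PAC_INFO_BUFFER.ulType values (MS-PAC section 2.4).
PAC_BUFFER_TYPES = {
    0x01: "KERB_VALIDATION_INFO",
    0x02: "PAC_CREDENTIAL_INFO",
    0x06: "SERVER_CHECKSUM",
    0x07: "KDC_CHECKSUM",
    0x0A: "PAC_CLIENT_INFO",
    0x0B: "S4U_DELEGATION_INFO",
    0x0C: "UPN_DNS_INFO",
    0x0D: "PAC_CLIENT_CLAIMS_INFO",
    0x0E: "PAC_DEVICE_INFO",
    0x0F: "PAC_DEVICE_CLAIMS_INFO",
    0x10: "TICKET_CHECKSUM",
    0x11: "PAC_ATTRIBUTES_INFO",
    0x12: "PAC_REQUESTOR",
}
PAC_CLIENT_INFO = 0x0A
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # the "76 ff ff ff" opening both checksum buffers in the dump


@dataclass
class PacBuffer:
    ul_type: int
    offset: int
    data: bytes


def build_pac(buffers: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (ulType, payload) pairs: PACTYPE header, then each payload padded to 8 bytes."""
    header_len = 8 + 16 * len(buffers)          # cBuffers + Version, then 16-byte PAC_INFO_BUFFERs
    body = bytearray()
    entries = []
    for ul_type, payload in buffers:
        offset = header_len + len(body)
        entries.append(struct.pack("<IIQ", ul_type, len(payload), offset))
        body += payload
        body += b"\x00" * (-len(payload) % 8)    # align the next buffer to 8 bytes
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + bytes(body)


def parse_pac(blob: bytes) -> List[PacBuffer]:
    """Walk the PAC_INFO_BUFFER array; reject unknown versions and buffers outside the blob."""
    c_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PACTYPE version {version}")
    if 8 + 16 * c_buffers > len(blob):
        raise ValueError("PACTYPE header longer than the PAC")
    out = []
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer {i} (type {ul_type:#x}) points outside the PAC")
        out.append(PacBuffer(ul_type, offset, blob[offset:offset + size]))
    return out


def build_client_info(client_id: int, name: str) -> bytes:
    """PAC_CLIENT_INFO: ClientId (FILETIME), NameLength in bytes, Name as UTF-16LE."""
    encoded = name.encode("utf-16-le")
    return struct.pack("<QH", client_id, len(encoded)) + encoded


def parse_client_info(data: bytes) -> Tuple[int, str]:
    client_id, name_len = struct.unpack_from("<QH", data, 0)
    if 10 + name_len > len(data):
        raise ValueError("PAC_CLIENT_INFO name runs past the buffer")
    return client_id, data[10:10 + name_len].decode("utf-16-le")


def parse_signature(data: bytes) -> Tuple[int, bytes]:
    """PAC_SIGNATURE_DATA: SignatureType followed by the raw signature bytes."""
    (sig_type,) = struct.unpack_from("<I", data, 0)
    return sig_type, data[4:]


def pac_summary(blob: bytes) -> List[Tuple[str, int, int]]:
    """(type name, size, offset) per buffer, directly comparable with the dump's header words."""
    return [(PAC_BUFFER_TYPES.get(b.ul_type, f"{b.ul_type:#x}"), len(b.data), b.offset)
            for b in parse_pac(blob)]


def pac_client_name(blob: bytes) -> str:
    """The identity the PAC names: WINSRVSERVER in the TGT, Administrator in the forged ST."""
    for buf in parse_pac(blob):
        if buf.ul_type == PAC_CLIENT_INFO:
            return parse_client_info(buf.data)[1]
    raise ValueError("no PAC_CLIENT_INFO buffer")


def sample_pac(client_name: str) -> bytes:
    """Constructed PAC with the dump's four buffers in the same order and sizes (0x1c0, 0x22, 0x14, 0x14)."""
    return build_pac([
        (0x01, b"\x00" * 0x1C0),  # placeholder for the NDR-encoded KERB_VALIDATION_INFO
        (PAC_CLIENT_INFO, build_client_info(0x01D7F70FE5A3B400, client_name)),
        (0x06, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16),  # zero signature: no key here
        (0x07, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16),
    ])


if __name__ == "__main__":
    for who in ("WINSRVSERVER", "Administrator"):
        pac = sample_pac(who)
        print(f"{len(pac):#x} bytes, client={pac_client_name(pac)}, buffers={pac_summary(pac)}")
```

Running it reproduces the header words of the dump (0x48 for the first offset, 0x208, 0x230 and 0x248 for the rest, 0x260 total) and prints the client name carried in PAC_CLIENT_INFO, which is the quickest way to tell whose PAC a captured ticket actually contains.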

The PAC is then placed in the TGT, the ticket is packed and encrypted with the krbtgt key, and the result is returned to the client in the AS-REP. The key code (not analysed further):

```c
/* build the reply body around the freshly built ticket */
KerbErr = BuildReply(
            &ClientTicketInfo,
            (Nonce != 0) ? Nonce : RequestBody->nonce,
            &Ticket.server_name,
            Ticket.realm,
            ((RequestBody->bit_mask & addresses_present) != 0) ? RequestBody->addresses : NULL,
            &Ticket,
            &ReplyBody
            );
...
/* encrypt the ticket with the service key (krbtgt for a TGT) */
KerbErr = KerbPackTicket(
            &Ticket,
            ServerKey,
            ServiceTicketInfo.PasswordVersion,
            &Reply.ticket
            );
...
/* encrypt the reply body for the client */
KerbErr = KerbPackKdcReplyBody(
        &ReplyBody,
        (EncryptionKey.keyvalue.value != NULL) ? &EncryptionKey : ClientKey,
        (EncryptionKey.keyvalue.value != NULL) ? KERB_NO_KEY_VERSION : ClientTicketInfo.PasswordVersion,
        KERB_TGS_REP_SALT,
        KERB_ENCRYPTED_AS_REPLY_PDU,
        &Reply.encrypted_part
        );
```

The machine account name is then restored. The purpose is that, when the domain controller processes the TGS-REQ, it will not find the account and will therefore fall back to its own key for encryption. In noPac:

```csharp
// noPac: undo the sAMAccountName change, restoring the account's original name
SetMachineAccountAttribute(argContainer, argDistinguishedName, argDomain, argDomainController, "samaccountname", argMachineAccount, argMachineAccount, false, false, argVerbose, credential);
```

The client requests a service ticket for WINSRVSERVER from the domain controller, which handles the TGS-REQ in HandleTGSRequest.

It first uses KerbFindPreAuthDataEntry to obtain the AP-REQ carried in the TGS-REQ's pre-authentication data:

```c
/* the TGS-REQ carries an AP-REQ (wrapping the TGT) as PA-DATA */
ApRequest = KerbFindPreAuthDataEntry(
                KRB5_PADATA_TGS_REQ,
                RequestMessage->KERB_KDC_REQUEST_preauth_data
                );
```

The AP-REQ is then parsed to obtain the decrypted TGT.

KdcVerifyKdcRequest does the following (from the comment in the source): it decodes the AP request, finds the appropriate key to decrypt the ticket, and checks the ticket.

```c
// Verify the request. This includes decoding the AP request, finding the
// right key to decrypt the ticket, and checking the ticket.
KerbErr = KdcVerifyKdcRequest(
            ApRequest->preauth_data.value,
            ApRequest->preauth_data.length,
            ClientAddress,
            TRUE,                           // this is a kdc request
            &UnmarshalledApRequest,
            &UnmarshalledAuthenticator,
            &SourceEncryptPart,
            &ReplyKey,
            &SourceTicketKey,
            &ServerTicketInfo,
            &UseSubKey,
            pExtendedError
            );
```

Looking at the function's results, we now have the decrypted plaintext TGT (SourceEncryptPart, whose authorization_data holds the PAC issued in the AS exchange) and the service information for krbtgt:

```
kd> dt ServerTicketInfo
Local var @ 0x327fc48 Type _KDC_TICKET_INFO
   +0x000 AccountName      : _UNICODE_STRING "krbtgt"
   +0x008 TrustedForest    : _UNICODE_STRING ""
   +0x010 PasswordExpires  : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x018 fTicketOpts      : 0x7b
   +0x01c UserAccountControl : 0x11
   +0x020 UserId           : 0x1f6
   +0x024 TrustType        : 0
   +0x028 TrustAttributes  : 0
   +0x02c Passwords        : 0x00084bf0 _KERB_STORED_CREDENTIAL
   +0x030 OldPasswords     : 0x000c4010 _KERB_STORED_CREDENTIAL
   +0x034 TrustSid         : (null)
   +0x038 PasswordVersion  : 2
   +0x03c LockoutThreshold : 0

kd> dt SourceEncryptPart
Local var @ 0x327fdd0 Type KERB_ENCRYPTED_TICKET*
0x000fcf90
   +0x000 bit_mask         : 0xd0
   +0x000 o                : [1"???"
   +0x004 flags            : tagASN1bitstring_t
   +0x00c key              : KERB_ENCRYPTION_KEY
   +0x018 client_realm     : 0x00106a18  "WINTESTYU03.COM"
   +0x01c client_name      : KERB_PRINCIPAL_NAME
   +0x024 transited        : KERB_TRANSITED_ENCODING
   +0x030 authtime         : tagASN1generalizedtime_t
   +0x03e starttime        : tagASN1generalizedtime_t
   +0x04c endtime          : tagASN1generalizedtime_t
   +0x05a renew_until      : tagASN1generalizedtime_t
   +0x068 client_addresses : (null)
   +0x06c authorization_data : 0x000c3370 PKERB_AUTHORIZATION_DATA_s

kd> db authorization_data l 276
0017f168  30 82 02 72 30 82 02 6e-a0 04 02 02 00 80 a1 82  0..r0..n........
0017f178  02 64 04 82 02 60 04 00-00 00 00 00 00 00 01 00  .d...`..........
0017f188  00 00 c0 01 00 00 48 00-00 00 00 00 00 00 0a 00  ......H.........
0017f198  00 00 22 00 00 00 08 02-00 00 00 00 00 00 06 00  ..".............
0017f1a8  00 00 14 00 00 00 30 02-00 00 00 00 00 00 07 00  ......0.........
0017f1b8  00 00 14 00 00 00 48 02-00 00 00 00 00 00 01 10  ......H.........
0017f1c8  08 00 cc cc cc cc b0 01-00 00 00 00 00 00 00 00  ................
0017f1d8  02 00 02 4e 81 c8 1c f7-d7 01 ff ff ff ff ff ff  ...N............
0017f1e8  ff 7f ff ff ff ff ff ff-ff 7f 56 b9 d8 d7 0f f7  ..........V.....
0017f1f8  d7 01 56 79 42 02 d9 f7-d7 01 ff ff ff ff ff ff  ..VyB...........
0017f208  ff 7f 18 00 18 00 04 00-02 00 00 00 00 00 08 00  ................
0017f218  02 00 00 00 00 00 0c 00-02 00 00 00 00 00 10 00  ................
0017f228  02 00 00 00 00 00 14 00-02 00 00 00 00 00 18 00  ................
0017f238  02 00 08 00 00 00 72 04-00 00 03 02 00 00 01 00  ......r.........
0017f248  00 00 1c 00 02 00 20 00-00 00 00 00 00 00 00 00  ...... .........
0017f258  00 00 00 00 00 00 00 00-00 00 18 00 1a 00 20 00  .............. .
0017f268  02 00 16 00 18 00 24 00-02 00 28 00 02 00 00 00  ......$...(.....
0017f278  00 00 00 00 00 00 80 00-00 00 00 00 00 00 00 00  ................
0017f288  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0017f298  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0017f2a8  00 00 00 00 00 00 00 00-00 00 0c 00 00 00 00 00  ................
0017f2b8  00 00 0c 00 00 00 57 00-49 00 4e 00 53 00 52 00  ......W.I.N.S.R.
0017f2c8  56 00 53 00 45 00 52 00-56 00 45 00 52 00 00 00  V.S.E.R.V.E.R...
0017f2d8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0017f2e8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0017f2f8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0017f308  00 00 00 00 00 00 00 00-00 00 01 00 00 00 03 02  ................
0017f318  00 00 07 00 00 00 0d 00-00 00 00 00 00 00 0c 00  ................
0017f328  00 00 57 00 49 00 4e 00-53 00 52 00 56 00 53 00  ..W.I.N.S.R.V.S.
0017f338  45 00 52 00 56 00 45 00-52 00 0c 00 00 00 00 00  E.R.V.E.R.......
0017f348  00 00 0b 00 00 00 52 00-45 00 4e 00 50 00 45 00  ......W.I.N.T.E.
0017f358  4e 00 47 00 59 00 55 00-30 00 33 00 00 00 04 00  S.T.Y.U.0.3.....
0017f368  00 00 01 04 00 00 00 00-00 05 15 00 00 00 db ac  ................
0017f378  e2 f8 a5 b2 f3 d1 a1 c4-3e 10 00 00 00 00 00 06  ........>.......
0017f388  7d ec a5 f7 d7 01 18 00-57 00 49 00 4e 00 53 00  }.......W.I.N.S.
0017f398  52 00 56 00 53 00 45 00-52 00 56 00 45 00 52 00  R.V.S.E.R.V.E.R.
0017f3a8  00 00 00 00 00 00 76 ff-ff ff 51 30 b4 c6 f1 8c  ......v...Q0....
0017f3b8  bf 3d 01 2f 7c 3d 75 9b-9d 8d 00 00 00 00 76 ff  .=./|=u.......v.
0017f3c8  ff ff 5a 8c df 90 88 38-ec 5d 6c 61 b8 46 bd bf  ..Z....8.]la.F..
0017f3d8  99 5c 00 00 00 00                                .\....
```

Next, the request's details are gathered: the requested server name from the TGS-REQ body, and the client name and realm from the decrypted TGT (their values appear in the original post's debugger screenshots):

```c
/* requested service name, from the TGS-REQ body */
KerbErr = KerbConvertPrincipalNameToKdcName(
            &ServerName,
            &RequestBody->KERB_KDC_REQUEST_BODY_server_name
            );

/* client name from the decrypted TGT: WINSRVSERVER */
KerbErr = KerbConvertPrincipalNameToKdcName(
               &SourceClientName,
               &SourceEncryptPart->client_name
               );

/* client realm from the decrypted TGT */
KerbErr = KerbConvertRealmToUnicodeString(
               &SourceClientRealm,
               &SourceEncryptPart->client_realm
               );
```

KdcFindS4UClientAndRealm is then called to extract the contents of the PA_DATA_FOR_USER element.
It parses the PA-DATA list into a KERB_PA_FOR_USER structure; what matters here is that its userName is the high-privilege user we are requesting: Administrator.

KdcNormalize is then called to obtain information about ourselves, WINSRVSERVER (the call itself is shown in the original post's screenshot).

The vulnerability is exploited inside this function, and it is hit twice.
The first time, the requesting client WINSRVSERVER is resolved to the domain controller's own account WINSRVSERVER$, so the S4U2self request for Administrator is processed as if it came from the DC.
The second time, the requested service WINSRVSERVER is resolved to WINSRVSERVER$.
The vulnerable code path is analysed in detail below.

The most important KdcNormalize parameter here is SourceCName.
Because we are using S4U2self to request an ST to ourselves, SourceCName is our own name, WINSRVSERVER.

In the CheckSam branch, KdcGetTicketInfo is called to fetch the information for the user WINSRVSERVER.

At this point OutputPrincipal is WINSRVSERVER, i.e. the name of our own fake machine account (the DC's name without the `$`); everything is still normal.

SamIGetUserLogonInformation2 is then called to look the account up in the SAM. Because the machine account we created has already been renamed back, no such account exists and the function returns an error.
However, instead of reporting that the account does not exist, the KDC appends a `$` to the name and looks it up again as a machine account.

The debugger output shows clearly that the account found is no longer WINSRVSERVER but WINSRVSERVER$, the domain controller's machine account, with UserId = 0x3ed.
The spoofing of the domain controller is complete; what remains is issuing the ST.

At this point our requesting user WINSRVSERVER has successfully been taken for the domain controller itself, WINSRVSERVER$.

Later, in I_GetTGSTicket, KdcNormalize is called again to obtain information about the requested service WINSRVSERVER. The flow is essentially the same as above, and this is the second use of the bug: the requested service WINSRVSERVER is resolved to WINSRVSERVER$, so the ST will be encrypted with the DC's key.
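As an added example (not code from the original post or from noPac), the following models the lookup the post traces in KdcGetTicketInfo, with and without the `$` fallback, and adds the check a defender would want over a directory snapshot: flag computer accounts whose sAMAccountName lacks the trailing `$`, and any account whose name collides with a domain controller's name once `$` is appended. The directory contents are constructed; the RIDs follow the debugger output above (0x3ed for the DC, 0x472 for the rogue machine account), and EVIL$ as the rogue account's restored name is an assumption. Both KdcNormalize calls described above (client name, then service name) go through the same resolution, so one function covers both.

```python
"""Added example: model of the sAMAccountName resolution observed in the post, plus a
directory check for the precondition it relies on. All directory data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    rid: int            # the KDC_TICKET_INFO.UserId value seen in the debugger output
    is_computer: bool   # objectClass=computer


def make_directory(accounts: Iterable[Account]) -> Dict[str, Account]:
    """Index by sAMAccountName, which is what the KDC resolves client and server names against."""
    directory: Dict[str, Account] = {}
    for acct in accounts:
        if acct.sam_account_name in directory:
            raise ValueError(f"duplicate sAMAccountName {acct.sam_account_name}")
        directory[acct.sam_account_name] = acct
    return directory


# Snapshot while the rogue machine account carries the DC's name without '$' (TGT request).
DURING_RENAME = make_directory([
    Account("krbtgt", 0x1F6, False),
    Account("Administrator", 0x1F4, False),
    Account("WINSRVSERVER$", 0x3ED, True),   # the real domain controller
    Account("WINSRVSERVER", 0x472, True),    # attacker-created machine account
])

# Snapshot after noPac's "undo samaccountname change" (S4U2self request); EVIL$ is an assumed name.
AFTER_UNDO = make_directory([
    Account("krbtgt", 0x1F6, False),
    Account("Administrator", 0x1F4, False),
    Account("WINSRVSERVER$", 0x3ED, True),
    Account("EVIL$", 0x472, True),
])


def lookup_with_dollar_fallback(directory: Dict[str, Account], name: str) -> Optional[Account]:
    """Behaviour the post observes in KdcGetTicketInfo: when the exact name is not found,
    retry with '$' appended and treat the result as the requester's account."""
    acct = directory.get(name)
    if acct is None and not name.endswith("$"):
        acct = directory.get(name + "$")
    return acct


def lookup_exact(directory: Dict[str, Account], name: str) -> Optional[Account]:
    """Strict variant: a name that is not in the directory stays unresolved."""
    return directory.get(name)


def spoofing_findings(directory: Dict[str, Account], dc_sam_names: Set[str]) -> List[Tuple[str, str]]:
    """Flag computer accounts without the trailing '$' and any account whose name
    collides with a DC's sAMAccountName once '$' is appended."""
    findings = []
    for acct in directory.values():
        if acct.is_computer and not acct.sam_account_name.endswith("$"):
            findings.append(("computer-without-dollar", acct.sam_account_name))
        if acct.sam_account_name + "$" in dc_sam_names:
            findings.append(("dc-name-collision", acct.sam_account_name))
    return sorted(findings)


if __name__ == "__main__":
    dcs = {"WINSRVSERVER$"}
    hit = lookup_with_dollar_fallback(AFTER_UNDO, "WINSRVSERVER")
    print("fallback resolves WINSRVSERVER to", hit.sam_account_name, hex(hit.rid))
    print("exact lookup:", lookup_exact(AFTER_UNDO, "WINSRVSERVER"))
    print("findings during rename:", spoofing_findings(DURING_RENAME, dcs))
    print("findings after undo:", spoofing_findings(AFTER_UNDO, dcs))
```

The second snapshot shows why the window matters for detection: once the name is restored, nothing in the directory looks wrong any more, so the collision has to be caught while the rename is in place (or from the rename events themselves), not from a later scan.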

After these two steps the rest of the processing is routine, but one point still deserves attention: the PAC.
The PAC in the TGT belonged to WINSRVSERVER. How is it switched to the requested Administrator, and what happens to the original PAC?
Both questions are examined below.

The purpose of S4U2self is for a service to request, on behalf of a user, an ST to itself, i.e. to obtain the user's authorisation to the service. The returned ST must therefore carry the user's PAC; these are steps (2) and (3) of the S4U2self sequence in MS-SFU (the figure is not reproduced here).
The PAC in the TGT we requested in the previous step was issued when Service1 itself authenticated to the KDC, which is not part of that figure.
Understanding this explains why the PAC is replaced.

The ST is generated and the user's PAC inserted in the functions whose call stack is shown in the original post's debugger screenshot.

The PAC from the original TGT is not processed at all; it is simply discarded.

This article introduced the background of CVE-2021-42278 and CVE-2021-42287 and analysed the root cause in detail at the system level. The key point is the spoofing during S4U2self: a name that no longer exists is resolved to the domain controller's own account by appending `$`.

https://www.rfc-editor.org/rfc/rfc4120.txt
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/1fb9caca-449f-4183-8f7a-1a5fc7e7290a
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/aceb70de-40f0-4409-87fa-df00ca145f5a
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/ae60c948-fda8-45c2-b1d1-a71b484dd1f7
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/c38cc307-f3e6-4ed4-8c81-dc550d96223c

 
 
 


Last edited by dre4merp on 2022-5-19 09:30