MS-NRPC: support Kerberos secure channel

Author: gpotter2

scapy/layers/msrpce/msnrpc.py

@@ -22,15 +22,17 @@
     NL_AUTH_MESSAGE,
     NL_AUTH_SIGNATURE,
 )
+from scapy.layers.kerberos import KerberosSSP, _parse_upn
 from scapy.layers.gssapi import (
     GSS_C_FLAGS,
     GSS_C_NO_CHANNEL_BINDINGS,
     GSS_S_COMPLETE,
     GSS_S_CONTINUE_NEEDED,
     GSS_S_FAILURE,
     GSS_S_FLAGS,
+    SSP,
 )
-from scapy.layers.ntlm import RC4, RC4K, RC4Init, SSP
+from scapy.layers.ntlm import RC4, RC4K, RC4Init, MD4le
 
 from scapy.layers.msrpce.rpcclient import (
     DCERPC_Client,
@@ -40,6 +42,8 @@
 from scapy.layers.msrpce.raw.ms_nrpc import (
     NetrServerAuthenticate3_Request,
     NetrServerAuthenticate3_Response,
+    NetrServerAuthenticateKerberos_Request,
+    NetrServerAuthenticateKerberos_Response,
     NetrServerReqChallenge_Request,
     NetrServerReqChallenge_Response,
     NETLOGON_SECURE_CHANNEL_TYPE,
@@ -114,15 +118,17 @@
     0x00200000: "RODC-passthrough",
     # W: Supports Advanced Encryption Standard (AES) encryption and SHA2 hashing.
     0x01000000: "AES",
-    # Supports Kerberos as the security support provider for secure channel setup.
-    0x20000000: "Kerberos",
+    # Not used. MUST be ignored on receipt.
+    0x20000000: "X",
     # Y: Supports Secure RPC.
     0x40000000: "SecureRPC",
-    # Not used. MUST be ignored on receipt.
-    0x80000000: "Z",
+    # Supports Kerberos as the security support provider for secure channel setup.
+    0x80000000: "Kerberos",
 }
 _negotiateFlags = FlagsField("", 0, -32, _negotiateFlags).names
 
+# -- CRYPTO
+
 
 # [MS-NRPC] sect 3.1.4.3.1
 @crypto_validator
@@ -569,8 +575,8 @@ class NetlogonClient(DCERPC_Client):
         >>> cli = NetlogonClient()
         >>> cli.connect_and_bind("192.168.0.100")
         >>> cli.establish_secure_channel(
-        ...     domainname="DOMAIN", computername="WIN10",
-        ...     HashNT=bytes.fromhex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
+        ...     UPN="WIN10@DOMAIN",
+        ...     HASHNT=bytes.fromhex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
         ... )
     """
 
@@ -583,26 +589,25 @@ def __init__(
         **kwargs,
     ):
         self.interface = find_dcerpc_interface("logon")
-        self.ndr64 = False  # Netlogon doesn't work with NDR64
         self.SessionKey = None
         self.ClientStoredCredential = None
         self.supportAES = supportAES
         super(NetlogonClient, self).__init__(
             DCERPC_Transport.NCACN_IP_TCP,
             auth_level=auth_level,
-            ndr64=self.ndr64,
             verb=verb,
             **kwargs,
         )
 
-    def connect_and_bind(self, remoteIP):
+    def connect(self, host, **kwargs):
         """
         This calls DCERPC_Client's connect_and_bind to bind the 'logon' interface.
         """
-        super(NetlogonClient, self).connect_and_bind(remoteIP, self.interface)
-
-    def alter_context(self):
-        return super(NetlogonClient, self).alter_context(self.interface)
+        super(NetlogonClient, self).connect(
+            host=host,
+            interface=self.interface,
+            **kwargs,
+        )
 
     def create_authenticator(self):
         """
@@ -653,9 +658,12 @@ def validate_authenticator(self, auth):
 
     def establish_secure_channel(
         self,
-        computername: str,
-        domainname: str,
-        HashNt: bytes,
+        UPN: str,
+        DC_FQDN: str,
+        HASHNT: Optional[bytes] = None,
+        PASSWORD: Optional[str] = None,
+        KEY=None,
+        ssp: Optional[KerberosSSP] = None,
         mode=NETLOGON_SECURE_CHANNEL_METHOD.NetrServerAuthenticate3,
         secureChannelType=NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
     ):
@@ -667,39 +675,34 @@ def establish_secure_channel(
 
         :param mode: one of NETLOGON_SECURE_CHANNEL_METHOD. This defines which method
                      to use to establish the secure channel.
-        :param computername: the netbios computer account name that is used to establish
-                             the secure channel. (e.g. WIN10)
-        :param domainname: the netbios domain name to connect to (e.g. DOMAIN)
-        :param HashNt: the HashNT of the computer account.
+        :param UPN: the UPN of the computer account name that is used to establish
+                    the secure channel. (e.g. WIN10@domain.local)
+        :param DC_FQDN: the FQDN name of the DC.
+
+        The function then requires one of the following:
+
+        :param HASHNT: the HashNT of the computer account (in Authenticate3 mode).
+        :param KEY: a Kerberos key to use (in Kerberos mode)
+        :param PASSWORD: the password of the computer account (any mode).
+        :param ssp: a KerberosSSP to use (in Kerberos mode)
         """
-        # Flow documented in 3.1.4 Session-Key Negotiation
-        # and sect 3.4.5.2 for specific calls
-        clientChall = os.urandom(8)
-
-        # Step 1: NetrServerReqChallenge
-        netr_server_req_chall_response = self.sr1_req(
-            NetrServerReqChallenge_Request(
-                PrimaryName=None,
-                ComputerName=computername,
-                ClientChallenge=PNETLOGON_CREDENTIAL(
-                    data=clientChall,
-                ),
-                ndr64=self.ndr64,
-                ndrendian=self.ndrendian,
-            )
-        )
-        if (
-            NetrServerReqChallenge_Response not in netr_server_req_chall_response
-            or netr_server_req_chall_response.status != 0
-        ):
-            print(
-                conf.color_theme.fail(
-                    "! %s"
-                    % STATUS_ERREF.get(netr_server_req_chall_response.status, "Failure")
+        computername, domainname = _parse_upn(UPN)
+
+        if mode == NETLOGON_SECURE_CHANNEL_METHOD.NetrServerAuthenticate3:
+            if ssp or KEY:
+                raise ValueError("Cannot use 'ssp' on 'KEY' in Authenticate3 mode !")
+            if not HASHNT:
+                if PASSWORD:
+                    HASHNT = MD4le(PASSWORD)
+                else:
+                    raise ValueError("Missing either 'PASSWORD' or 'HASHNT' !")
+            if "." in domainname:
+                raise ValueError(
+                    "The UPN in Authenticate3 must have a NETBIOS domain name !"
                 )
-            )
-            netr_server_req_chall_response.show()
-            raise ValueError
+        else:
+            if HASHNT:
+                raise ValueError("Cannot use 'HASHNT' in Kerberos mode !")
 
         # Calc NegotiateFlags
         NegotiateFlags = FlagValue(
@@ -712,23 +715,61 @@ def establish_secure_channel(
         # We are either using NetrServerAuthenticate3 or NetrServerAuthenticateKerberos
         if mode == NETLOGON_SECURE_CHANNEL_METHOD.NetrServerAuthenticate3:
             # We use the legacy NetrServerAuthenticate3 function (NetlogonSSP)
-            # Step 2: Build the session key
+
+            # Make sure the interface is bound
+            if not self.bind_or_alter(self.interface):
+                raise ValueError("Bind failed !")
+
+            # Flow documented in 3.1.4 Session-Key Negotiation
+            # and sect 3.4.5.2 for specific calls
+            clientChall = os.urandom(8)
+
+            # Perform NetrServerReqChallenge request
+            netr_server_req_chall_response = self.sr1_req(
+                NetrServerReqChallenge_Request(
+                    PrimaryName=None,
+                    ComputerName=computername,
+                    ClientChallenge=PNETLOGON_CREDENTIAL(
+                        data=clientChall,
+                    ),
+                    ndr64=self.ndr64,
+                    ndrendian=self.ndrendian,
+                )
+            )
+            if (
+                NetrServerReqChallenge_Response not in netr_server_req_chall_response
+                or netr_server_req_chall_response.status != 0
+            ):
+                print(
+                    conf.color_theme.fail(
+                        "! %s"
+                        % STATUS_ERREF.get(
+                            netr_server_req_chall_response.status, "Failure"
+                        )
+                    )
+                )
+                netr_server_req_chall_response.show()
+                raise ValueError("NetrServerReqChallenge failed !")
+
+            # Build the session key
             serverChall = netr_server_req_chall_response.ServerChallenge.data
             if self.supportAES:
-                SessionKey = ComputeSessionKeyAES(HashNt, clientChall, serverChall)
+                SessionKey = ComputeSessionKeyAES(HASHNT, clientChall, serverChall)
                 self.ClientStoredCredential = ComputeNetlogonCredentialAES(
                     clientChall, SessionKey
                 )
             else:
                 SessionKey = ComputeSessionKeyStrongKey(
-                    HashNt, clientChall, serverChall
+                    HASHNT, clientChall, serverChall
                 )
                 self.ClientStoredCredential = ComputeNetlogonCredentialDES(
                     clientChall, SessionKey
                 )
+
+            # Perform Authenticate3 request
             netr_server_auth3_response = self.sr1_req(
                 NetrServerAuthenticate3_Request(
-                    PrimaryName=None,
+                    PrimaryName="\\\\" + DC_FQDN,
                     AccountName=computername + "$",
                     SecureChannelType=secureChannelType,
                     ComputerName=computername,
@@ -740,10 +781,7 @@ def establish_secure_channel(
                     ndrendian=self.ndrendian,
                 )
             )
-            if (
-                NetrServerAuthenticate3_Response not in netr_server_auth3_response
-                or netr_server_auth3_response.status != 0
-            ):
+            if netr_server_auth3_response.status != 0:
                 # An error occurred.
                 NegotiatedFlags = None
                 if NetrServerAuthenticate3_Response in netr_server_auth3_response:
@@ -758,20 +796,8 @@ def establish_secure_channel(
                                 % (NegotiatedFlags ^ NegotiateFlags)
                             )
                         )
+                raise ValueError("NetrServerAuthenticate3 failed !")
 
-                # Show the error
-                print(
-                    conf.color_theme.fail(
-                        "! %s"
-                        % STATUS_ERREF.get(netr_server_auth3_response.status, "Failure")
-                    )
-                )
-
-                # If error is unknown, show the packet entirely
-                if netr_server_auth3_response.status not in STATUS_ERREF:
-                    netr_server_auth3_response.show()
-
-                raise ValueError
             # Check Server Credential
             if self.supportAES:
                 if (
@@ -798,10 +824,44 @@ def establish_secure_channel(
                 domainname=domainname,
                 computername=computername,
             )
+
+            # Finally alter context (to use the SSP)
+            if not self.alter_context(self.interface):
+                raise ValueError("Bind failed !")
+
         elif mode == NETLOGON_SECURE_CHANNEL_METHOD.NetrServerAuthenticateKerberos:
+            # We use the brand new NetrServerAuthenticateKerberos function
             NegotiateFlags += "Kerberos"
-            # TODO
-            raise NotImplementedError
 
-        # Finally alter context (to use the SSP)
-        self.alter_context()
+            # Set KerberosSSP and alter context
+            if ssp:
+                self.ssp = self.sock.session.ssp = ssp
+            else:
+                self.ssp = self.sock.session.ssp = KerberosSSP(
+                    UPN=UPN,
+                    SPN="netlogon/" + DC_FQDN,
+                    PASSWORD=PASSWORD,
+                    KEY=KEY,
+                )
+            if not self.bind_or_alter(self.interface):
+                raise ValueError("Bind failed !")
+
+            # Send AuthenticateKerberos request
+            netr_server_authkerb_response = self.sr1_req(
+                NetrServerAuthenticateKerberos_Request(
+                    PrimaryName="\\\\" + DC_FQDN,
+                    AccountName=computername + "$",
+                    AccountType=secureChannelType,
+                    ComputerName=computername,
+                    NegotiateFlags=int(NegotiateFlags),
+                    ndr64=self.ndr64,
+                    ndrendian=self.ndrendian,
+                )
+            )
+            if netr_server_authkerb_response.status != 0:
+                # An error occured
+                netr_server_authkerb_response.show()
+                raise ValueError("NetrServerAuthenticateKerberos failed !")
+
+            # The NRPC session key is in this case the kerberos one
+            self.SessionKey = self.sspcontext.SessionKey