Add doc for DMSA + check signature in SFU response (#4747)

Author: gpotter2

doc/scapy/layers/kerberos.rst

@@ -130,6 +130,37 @@ that are available. For more detail regarding the parameters of the functions, i
    Start time         End time           Renew until        Auth time
    15/04/25 20:15:20  16/04/25 06:10:22  16/04/25 06:10:22  15/04/25 20:15:17
 
+- **Request a ticket for a DMSA**
+
+For more information about DMSAs and how to create them, consult the `relevant Microsoft documentation <https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-set-up-dmsa>`_. In this example we allowed ``SERVER1$`` to retrieve the managed password of ``dmsa_user$``.
+
+.. code:: pycon
+
+   >>> load_module("ticketer")
+   >>> t = Ticketer()
+   >>> t.request_tgt("SERVER1$@domain.local", key=Key(EncryptionType.AES256_CTS_HMAC_SHA1_96, bytes.fromhex("63a2577d8bf6abeba0847cded36b9aed202c23750eb9c56b6155be1cc946bb1d")))
+   >>> t.request_st(0, "krbtgt/domain.local", for_user="dmsa_user$@domain.local", dmsa=True)
+   INFO: 3 DMSA keys found and imported !
+   >>> t.show()
+   Keytab name: UNSAVED
+   Principal                Timestamp          KVNO  Keytype
+   dmsa_user$@domain.local  22/05/25 22:03:58  1     AES256-CTS-HMAC-SHA1-96
+   dmsa_user$@domain.local  22/05/25 22:03:58  2     AES128-CTS-HMAC-SHA1-96
+   dmsa_user$@domain.local  22/05/25 22:03:58  3     RC4-HMAC
+   
+   CCache tickets:
+   0. SERVER1$@DOMAIN.LOCAL -> krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
+      canonicalize+pre-authent+initial+renewable+forwardable
+   Start time         End time           Renew until        Auth time
+   22/05/25 22:06:32  23/05/25 08:03:53  23/05/25 08:03:53  22/05/25 22:06:32
+   
+   1. dmsa_user$@domain.local -> krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
+      canonicalize+pre-authent+renewable+forwardable
+   Start time         End time           Renew until        Auth time
+   22/05/25 22:06:37  23/05/25 08:03:53  23/05/25 08:03:53  22/05/25 22:06:32
+
+As you can see, DMSA keys were imported in the keytab. You can use those as detailed in some of the following sections.
+
 - **Load and use keytab for client**
 
 .. code:: pycon

scapy/layers/kerberos.py

@@ -701,6 +701,8 @@ class AD_AND_OR(ASN1_Packet):
     165: "PA-SUPPORTED-ENCTYPES",
     166: "PA-EXTENDED-ERROR",
     167: "PA-PAC-OPTIONS",
+    170: "KERB-SUPERSEDED-BY-USER",
+    171: "KERB-DMSA-KEY-PACKAGE",
 }
 
 _PADATA_CLASSES = {
@@ -1053,6 +1055,9 @@ class KERB_SUPERSEDED_BY_USER(ASN1_Packet):
     )
 
 
+_PADATA_CLASSES[170] = KERB_SUPERSEDED_BY_USER
+
+
 # [MS-KILE] sect 2.2.14
 
 
@@ -1070,14 +1075,17 @@ class KERB_DMSA_KEY_PACKAGE(ASN1_Packet):
                 "previousKeys",
                 [],
                 ASN1F_PACKET("", None, EncryptionKey),
-                explicit_tag=0xA0,
+                explicit_tag=0xA1,
             ),
         ),
         KerberosTime("expirationInterval", GeneralizedTime(), explicit_tag=0xA2),
         KerberosTime("fetchInterval", GeneralizedTime(), explicit_tag=0xA4),
     )
 
 
+_PADATA_CLASSES[171] = KERB_DMSA_KEY_PACKAGE
+
+
 # RFC6113 sect 5.4.1
 
 
@@ -1558,6 +1566,12 @@ class KRB_TGS_REP(ASN1_Packet):
         implicit_tag=ASN1_Class_KRB.TGS_REP,
     )
 
+    def getUPN(self):
+        return "%s@%s" % (
+            self.cname.toString(),
+            self.crealm.val.decode(),
+        )
+
 
 class LastReqItem(ASN1_Packet):
     ASN1_codec = ASN1_Codecs.BER
@@ -3389,6 +3403,19 @@ def _process_padatas_and_key(self, padatas):
                         )
                 elif padata.padataType == 137:  # PA-FX-ERROR
                     self.fast_error = padata.padataValue
+                elif padata.padataType == 130:  # PA-FOR-X509-USER
+                    # Verify S4U checksum
+                    key_usage_number = None
+                    pasfux509 = padata.padataValue
+                    # [MS-SFU] sect 2.2.2
+                    # "In a reply, indicates that it was signed with key usage 27"
+                    if pasfux509.userId.options.val[2] == "1":  # USE_REPLY_KEY_USAGE
+                        key_usage_number = 27
+                    pasfux509.checksum.verify(
+                        self.key,
+                        bytes(pasfux509.userId),
+                        key_usage_number=key_usage_number,
+                    )
 
         # 2. Update the current key if necessary
 
@@ -3455,10 +3482,10 @@ def receive_krb_error_as_req(self, pkt):
                 return
 
             if pkt.root.errorCode == 25:  # KDC_ERR_PREAUTH_REQUIRED
-                if not self.key and (not self.upn or not self.password):
+                if not self.key:
                     log_runtime.error(
                         "Got 'KDC_ERR_PREAUTH_REQUIRED', "
-                        "but no key, nor upn+pass was passed."
+                        "but no possible key could be computed."
                     )
                     raise self.FINAL()
                 self.should_followup = True
@@ -3542,7 +3569,11 @@ def receive_krb_error_tgs_req(self, pkt):
     @ATMT.receive_condition(SENT_TGS_REQ)
     def receive_tgs_rep(self, pkt):
         if Kerberos in pkt and isinstance(pkt.root, KRB_TGS_REP):
-            if not self.renew and pkt.root.ticket.sname.nameString[0].val == b"krbtgt":
+            if (
+                not self.renew
+                and not self.dmsa
+                and pkt.root.ticket.sname.nameString[0].val == b"krbtgt"
+            ):
                 log_runtime.warning("Received a cross-realm referral ticket !")
             raise self.FINAL().action_parameters(pkt)
 
@@ -3570,6 +3601,8 @@ def decrypt_tgs_rep(self, pkt):
             res = enc.decrypt(self.replykey, key_usage_number=9, cls=EncTGSRepPart)
         else:
             res = enc.decrypt(self.replykey)
+
+        # Store result
         self.result = self.RES_TGS_MODE(pkt.root, res.key.toKey(), res)
 
     @ATMT.state(final=1)
@@ -4169,6 +4202,8 @@ def GSS_WrapEx(self, Context, msgs, qop_req=0):
                 Data = b"".join(x.data for x in msgs if x.conf_req_flag)
                 DataLen = len(Data)
                 # 2. Add filler
+                # [MS-KILE] sect 3.4.5.4.1 - "For AES-SHA1 ciphers, the EC must not
+                # be zero"
                 tok.root.EC = ((-DataLen) % Context.KrbSessionKey.ep.blocksize) or 16
                 Filler = b"\x00" * tok.root.EC
                 Data += Filler

scapy/modules/ticketer.py

@@ -695,6 +695,21 @@ def import_krb(self, res, key=None, hash=None, _inplace=None):
                 rep = res.asrep
             elif isinstance(res, KerberosClient.RES_TGS_MODE):
                 rep = res.tgsrep
+
+                # There could be 171 = KERB_DMSA_KEY_PACKAGE to import
+                for padata in res.kdcrep.encryptedPaData:
+                    if padata.padataType == 171:
+                        # We have keys to import.
+                        key_package = padata.padataValue
+                        for key in key_package.currentKeys:
+                            self.add_cred(
+                                principal=rep.getUPN(),
+                                key=key.toKey(),
+                            )
+                        log_interactive.info(
+                            "%s DMSA keys found and imported !"
+                            % len(key_package.currentKeys)
+                        )
             else:
                 raise ValueError("Unknown type of obj !")
             cred.set_from_krb(
@@ -2343,15 +2358,16 @@ def _resign_ticket(self, tkt, spn, hash=None, kdc_hash=None):
             hash=kdc_hash,
         )
 
-        # NOTE: the doc is very unclear regarding the order of the Signatures.
+        # Doc was updated after feedback ! it's now very clear.
 
-        # "The extended KDC signature is a keyed hash [RFC4757] of the entire PAC
-        # message, with the Signature fields of all other PAC_SIGNATURE_DATA structures
-        # (section 2.8) set to zero."
-        # ==> This is wrong.
-        # The Ticket Signature is present when computing the Extended KDC Signature.
+        # [MS-PAC] sect 2.8.1
+        # Signatures are computed in this order:
+        # - Ticket signature
+        # - Extended KDC signature
+        # - Server signature
+        # - KDC signature
 
-        # sect 2.8.3 - Ticket Signature
+        # sect 2.8.2 - Ticket Signature
 
         if 0x00000010 in sig_i:
             # "The ad-data in the PAC’s AuthorizationData element ([RFC4120]
@@ -2365,7 +2381,7 @@ def _resign_ticket(self, tkt, spn, hash=None, kdc_hash=None):
             # included in the PAC when signing it for Extended Server Signature & Server Signature
             pac.Payloads[sig_i[0x00000010]].Signature = ticket_sig
 
-        # sect 2.8.4 - Extended KDC Signature
+        # sect 2.8.3 - Extended KDC Signature
 
         if 0x00000013 in sig_i:
             rpac.Payloads[sig_i[0x00000013]].Signature = extended_kdc_sig = (
@@ -2374,13 +2390,13 @@ def _resign_ticket(self, tkt, spn, hash=None, kdc_hash=None):
             # included in the PAC when signing it for Server Signature
             pac.Payloads[sig_i[0x00000013]].Signature = extended_kdc_sig
 
-        # sect 2.8.1 - Server Signature
+        # sect 2.8.4 - Server Signature
 
         rpac.Payloads[sig_i[0x00000006]].Signature = server_sig = key_srv.make_checksum(
             17, bytes(pac)  # KERB_NON_KERB_CKSUM_SALT(17)
         )
 
-        # sect 2.8.2 - KDC Signature
+        # sect 2.8.5 - KDC Signature
 
         rpac.Payloads[sig_i[0x00000007]].Signature = key_kdc.make_checksum(
             17, server_sig  # KERB_NON_KERB_CKSUM_SALT(17)