kerb_validation_info.go
// Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing.
package pac
import (
"bytes"
"fmt"
"gopkg.in/jcmturner/rpc.v1/mstypes"
"gopkg.in/jcmturner/rpc.v1/ndr"
)
// UserFlags values for the KERB_VALIDATION_INFO structure, listed in
// descending numeric order.
//
// NOTE(review): the values (31, 30, 28, ...) look like bit positions in the
// Microsoft bit-numbering of the 32-bit UserFlags field rather than ready-made
// masks — confirm against the code that tests KerbValidationInfo.UserFlags
// before comparing or AND-ing them directly.
const (
	// Authentication used the GUEST account; no password was used.
	USERFLAG_GUEST = 31
	// No encryption is available.
	USERFLAG_NO_ENCRYPTION_AVAILABLE = 30
	// A LAN Manager key was used for authentication.
	USERFLAG_LAN_MANAGER_KEY = 28
	// The ExtraSids field is populated and contains additional SIDs.
	USERFLAG_EXTRA_SIDS = 26
	// Sub-authentication was used; the session key came from the
	// sub-authentication package.
	USERFLAG_SUB_AUTH = 25
	// The account is a machine account.
	USERFLAG_MACHINE_ACCOUNT = 24
	// The domain controller understands NTLMv2.
	USERFLAG_DC_NTLM2 = 23
	// The ResourceGroupIds field is populated.
	USERFLAG_RESOURCE_GROUPIDS = 22
	// ProfilePath is populated.
	USERFLAG_PROFILEPATH = 21
	// The NTLMv2 response from the NtChallengeResponseFields
	// ([MS-NLMP] section 2.2.1.3) was used for authentication and session
	// key generation.
	USERFLAG_NTLM2_NTCHALLENGERESP = 20
	// The LMv2 response from the LmChallengeResponseFields
	// ([MS-NLMP] section 2.2.1.3) was used for authentication and session
	// key generation.
	USERFLAG_LM2_LMCHALLENGERESP = 19
	// The LMv2 response from the LmChallengeResponseFields
	// ([MS-NLMP] section 2.2.1.3) was used for authentication, and the NTLMv2
	// response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3)
	// was used for session key generation.
	USERFLAG_AUTH_LMCHALLENGERESP_KEY_NTCHALLENGERESP = 18
)
// KerbValidationInfo implements https://msdn.microsoft.com/en-us/library/cc237948.aspx
// The KERB_VALIDATION_INFO structure defines the user's logon and authorization information
// provided by the DC. The KERB_VALIDATION_INFO structure is a subset of the
// NETLOGON_VALIDATION_SAM_INFO4 structure ([MS-NRPC] section 2.2.1.4.13).
// It is a subset due to historical reasons and to the use of the common Active Directory to generate this information.
// The KERB_VALIDATION_INFO structure is marshaled by RPC [MS-RPCE].
//
// The struct is filled by Unmarshal through an NDR decoder; the `ndr` tags mark
// the pointer / conformant-array members.
// NOTE(review): the field order presumably mirrors the wire layout the decoder
// walks — do not reorder fields without confirming.
// NOTE(review): the group and SID fields here feed authorization decisions.
// Nothing in this type or its methods checks PAC integrity, so callers should
// confirm the PAC signatures were verified before trusting these values.
type KerbValidationInfo struct {
	LogOnTime mstypes.FileTime
	LogOffTime mstypes.FileTime
	KickOffTime mstypes.FileTime
	PasswordLastSet mstypes.FileTime
	PasswordCanChange mstypes.FileTime
	PasswordMustChange mstypes.FileTime
	EffectiveName mstypes.RPCUnicodeString
	FullName mstypes.RPCUnicodeString
	LogonScript mstypes.RPCUnicodeString
	ProfilePath mstypes.RPCUnicodeString
	HomeDirectory mstypes.RPCUnicodeString
	HomeDirectoryDrive mstypes.RPCUnicodeString
	LogonCount uint16
	BadPasswordCount uint16
	UserID uint32
	PrimaryGroupID uint32
	// GroupCount is decoded as its own field; nothing in this file compares it
	// with len(GroupIDs).
	GroupCount uint32
	// GroupIDs holds relative IDs; GetGroupMembershipSIDs combines each with LogonDomainID.
	GroupIDs []mstypes.GroupMembership `ndr:"pointer,conformant"`
	// UserFlags is the flag word described by the USERFLAG_* constants.
	UserFlags uint32
	UserSessionKey mstypes.UserSessionKey
	LogonServer mstypes.RPCUnicodeString
	LogonDomainName mstypes.RPCUnicodeString
	LogonDomainID mstypes.RPCSID `ndr:"pointer"`
	Reserved1 [2]uint32 // Has 2 elements
	UserAccountControl uint32
	SubAuthStatus uint32
	LastSuccessfulILogon mstypes.FileTime
	LastFailedILogon mstypes.FileTime
	FailedILogonCount uint32
	Reserved3 uint32
	// SIDCount is decoded as its own field; nothing in this file compares it
	// with len(ExtraSIDs).
	SIDCount uint32
	// ExtraSIDs carries complete SIDs; GetGroupMembershipSIDs appends them as-is.
	ExtraSIDs []mstypes.KerbSidAndAttributes `ndr:"pointer,conformant"`
	ResourceGroupDomainSID mstypes.RPCSID `ndr:"pointer"`
	// ResourceGroupCount is decoded as its own field; nothing in this file
	// compares it with len(ResourceGroupIDs).
	ResourceGroupCount uint32
	// ResourceGroupIDs holds relative IDs; GetGroupMembershipSIDs combines each
	// with ResourceGroupDomainSID.
	ResourceGroupIDs []mstypes.GroupMembership `ndr:"pointer,conformant"`
}
// Unmarshal decodes the NDR-encoded bytes in b into the KerbValidationInfo
// struct. A decoder failure is returned wrapped in a message that names this
// type; nil is returned on success.
//
// NOTE(review): b is parsed here without any integrity check visible in this
// file. Confirm that callers verify the PAC signatures before acting on the
// decoded fields, and treat k as invalid when an error is returned (the decoder
// may presumably have written some fields before failing).
func (k *KerbValidationInfo) Unmarshal(b []byte) (err error) {
	if decErr := ndr.NewDecoder(bytes.NewReader(b)).Decode(k); decErr != nil {
		return fmt.Errorf("error unmarshaling KerbValidationInfo: %v", decErr)
	}
	return nil
}
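// GetGroupMembershipSIDs returns a slice of strings containing the group membership SIDs found in the PAC.
//
// The result is built in three passes, in this order:
//  1. every GroupIDs entry, as "<LogonDomainID>-<RelativeID>" (appended unconditionally);
//  2. every ExtraSIDs entry not already in the result;
//  3. every ResourceGroupIDs entry, as "<ResourceGroupDomainSID>-<RelativeID>",
//     not already in the result.
//
// A nil slice is returned when the PAC carries no groups.
//
// NOTE(review): this method reads the three slices directly. It does not
// consult UserFlags (USERFLAG_EXTRA_SIDS / USERFLAG_RESOURCE_GROUPIDS) and does
// not read any per-entry attribute fields. Confirm whether callers that make
// authorization decisions need those checks. The returned SIDs are only as
// trustworthy as the PAC signature verification done elsewhere.
func (k *KerbValidationInfo) GetGroupMembershipSIDs() []string {
	var g []string
	// seen mirrors the contents of g so that duplicate checks are a map lookup
	// instead of a rescan of g with a fresh SID.String() call per comparison.
	seen := make(map[string]struct{}, len(k.GroupIDs)+len(k.ExtraSIDs)+len(k.ResourceGroupIDs))

	lSID := k.LogonDomainID.String()
	for i := range k.GroupIDs {
		sid := fmt.Sprintf("%s-%d", lSID, k.GroupIDs[i].RelativeID)
		// Primary-domain groups are never de-duplicated against each other.
		g = append(g, sid)
		seen[sid] = struct{}{}
	}

	for _, s := range k.ExtraSIDs {
		sid := s.SID.String()
		if _, dup := seen[sid]; dup {
			continue
		}
		seen[sid] = struct{}{}
		g = append(g, sid)
	}

	// Format the resource-group domain SID only when there is something to
	// prefix, as the per-entry formatting it replaces did.
	if len(k.ResourceGroupIDs) > 0 {
		rSID := k.ResourceGroupDomainSID.String()
		for _, r := range k.ResourceGroupIDs {
			sid := fmt.Sprintf("%s-%d", rSID, r.RelativeID)
			if _, dup := seen[sid]; dup {
				continue
			}
			seen[sid] = struct{}{}
			g = append(g, sid)
		}
	}
	return g
}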