
Overview

    Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing.


    Constants

    // NTLMSupCred* values identify the members of NTLMSupplementalCred.Flags:
    // NTLMSupCredLMOWF corresponds to the "L flag" and NTLMSupCredNTOWF to the
    // "N flag" referenced in the NTLMSupplementalCred field comments.
    // NOTE(review): the values (31, 30) look like bit positions within the
    // 32-bit Flags member rather than bit masks — confirm against the helper
    // that tests them before using them as masks.
    const (
    	// NTLMSupCredLMOWF indicates that the LM OWF member is present and valid.
    	NTLMSupCredLMOWF = 31
    	// NTLMSupCredNTOWF indicates that the NT OWF member is present and valid.
    	NTLMSupCredNTOWF = 30
    )
    // USERFLAG_* are the KERB_VALIDATION_INFO flags carried in
    // KerbValidationInfo.UserFlags. The values are not contiguous (27 and 29
    // are not defined here).
    // NOTE(review): the values look like bit positions within the 32-bit
    // UserFlags member rather than bit masks — confirm against the code that
    // tests them before using them as masks.
    const (
    	USERFLAG_GUEST                                    = 31 // Authentication was done via the GUEST account; no password was used.
    	USERFLAG_NO_ENCRYPTION_AVAILABLE                  = 30 // No encryption is available.
    	USERFLAG_LAN_MANAGER_KEY                          = 28 // LAN Manager key was used for authentication.
    	USERFLAG_SUB_AUTH                                 = 25 // Sub-authentication used; session key came from the sub-authentication package.
    	USERFLAG_EXTRA_SIDS                               = 26 // Indicates that the ExtraSids field is populated and contains additional SIDs.
    	USERFLAG_MACHINE_ACCOUNT                          = 24 // Indicates that the account is a machine account.
    	USERFLAG_DC_NTLM2                                 = 23 // Indicates that the domain controller understands NTLMv2.
    	USERFLAG_RESOURCE_GROUPIDS                        = 22 // Indicates that the ResourceGroupIds field is populated.
    	USERFLAG_PROFILEPATH                              = 21 // Indicates that ProfilePath is populated.
    	USERFLAG_NTLM2_NTCHALLENGERESP                    = 20 // The NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and session key generation.
    	USERFLAG_LM2_LMCHALLENGERESP                      = 19 // The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and session key generation.
    	USERFLAG_AUTH_LMCHALLENGERESP_KEY_NTCHALLENGERESP = 18 // The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for authentication and the NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used for session key generation.
    )

      KERB_VALIDATION_INFO flags.

      Variables

      This section is empty.

      Functions

      This section is empty.

      Types

      type ClientClaimsInfo

      // ClientClaimsInfo implements https://msdn.microsoft.com/en-us/library/hh536365.aspx
      // and carries the claims set metadata for the client. Unmarshal populates it
      // from a PAC buffer.
      type ClientClaimsInfo struct {
      	Claims mstypes.ClaimsSetMetadata // Claims set metadata decoded by Unmarshal.
      }

        ClientClaimsInfo implements https://msdn.microsoft.com/en-us/library/hh536365.aspx

        func (*ClientClaimsInfo) Unmarshal

        func (k *ClientClaimsInfo) Unmarshal(b []byte) error

          Unmarshal bytes into the ClientClaimsInfo struct

          type ClientInfo

          // ClientInfo implements https://msdn.microsoft.com/en-us/library/cc237951.aspx
          // and names the client account the PAC was issued for. Unmarshal populates it
          // from a PAC buffer.
          type ClientInfo struct {
          	ClientID   mstypes.FileTime // A FILETIME structure in little-endian format that contains the Kerberos initial ticket-granting ticket TGT authentication time.
          	NameLength uint16           // An unsigned 16-bit integer in little-endian format that specifies the length, in bytes, of the Name field. NOTE(review): this is the on-wire UTF-16 byte length, presumably not len(Name) once decoded — confirm before comparing the two.
          	Name       string           // An array of 16-bit Unicode characters in little-endian format that contains the client's account name, decoded into a Go string.
          }

            ClientInfo implements https://msdn.microsoft.com/en-us/library/cc237951.aspx

            func (*ClientInfo) Unmarshal

            func (k *ClientInfo) Unmarshal(b []byte) error

              Unmarshal bytes into the ClientInfo struct

              type CredentialData

              // CredentialData implements https://msdn.microsoft.com/en-us/library/cc237952.aspx.
              // It is carried encrypted inside CredentialsInfo (NDR-encoded, then encrypted
              // with the key selected through the AS exchange) and is read from the
              // decrypted bytes with ReadPACCredentialData.
              type CredentialData struct {
              	CredentialCount uint32                   // Number of entries in Credentials.
              	Credentials     []SECPKGSupplementalCred // Size is the value of CredentialCount
              }

                CredentialData implements https://msdn.microsoft.com/en-us/library/cc237952.aspx This structure is encrypted prior to being encoded in any other structures. Encryption is performed by first serializing the data structure via Network Data Representation (NDR) encoding, as specified in [MS-RPCE]. Once serialized, the data is encrypted using the key and cryptographic system selected through the AS protocol and the KRB_AS_REP message. Fields (for capturing this information) and cryptographic parameters are specified in PAC_CREDENTIAL_INFO (section 2.6.1).

                func ReadPACCredentialData

                func ReadPACCredentialData(b *[]byte, p *int, e *binary.ByteOrder) CredentialData

                  ReadPACCredentialData reads a CredentialData from the byte slice.

                  type CredentialsInfo

                  // CredentialsInfo implements https://msdn.microsoft.com/en-us/library/cc237953.aspx.
                  // Unmarshal parses the structure from a PAC buffer and takes the key needed
                  // for the encrypted part; DecryptEncPart decrypts the encrypted part.
                  type CredentialsInfo struct {
                  	Version                    uint32 // A 32-bit unsigned integer in little-endian format that defines the version. MUST be 0x00000000. NOTE(review): confirm Unmarshal rejects other values rather than ignoring the field.
                  	EType                      uint32 // Presumably the Kerberos encryption type applied to PACCredentialDataEncrypted — confirm against DecryptEncPart.
                  	PACCredentialDataEncrypted []byte // Key usage number for encryption: KERB_NON_KERB_SALT (16)
                  	PACCredentialData          CredentialData // Decrypted form of PACCredentialDataEncrypted; presumably only populated once DecryptEncPart succeeds — confirm.
                  }

                    CredentialsInfo implements https://msdn.microsoft.com/en-us/library/cc237953.aspx

                    func (*CredentialsInfo) DecryptEncPart

                    func (c *CredentialsInfo) DecryptEncPart(k types.EncryptionKey, e *binary.ByteOrder) error

                      DecryptEncPart decrypts the encrypted part of the CredentialsInfo.

                      func (*CredentialsInfo) Unmarshal

                      func (c *CredentialsInfo) Unmarshal(b []byte, k types.EncryptionKey) error

                        Unmarshal bytes into the CredentialsInfo struct

                        type DeviceClaimsInfo

                        // DeviceClaimsInfo implements https://msdn.microsoft.com/en-us/library/hh554226.aspx
                        // and carries the claims set metadata for the device. Unmarshal populates it
                        // from a PAC buffer.
                        type DeviceClaimsInfo struct {
                        	Claims mstypes.ClaimsSetMetadata // Claims set metadata decoded by Unmarshal.
                        }

                          DeviceClaimsInfo implements https://msdn.microsoft.com/en-us/library/hh554226.aspx

                          func (*DeviceClaimsInfo) Unmarshal

                          func (k *DeviceClaimsInfo) Unmarshal(b []byte) error

                            Unmarshal bytes into the DeviceClaimsInfo struct

                            type DeviceInfo

                            // DeviceInfo implements https://msdn.microsoft.com/en-us/library/hh536402.aspx
                            // and describes the device account and its group memberships. Unmarshal
                            // populates it from a PAC buffer.
                            type DeviceInfo struct {
                            	UserID            uint32                          // A 32-bit unsigned integer that contains the RID of the account. If the UserId member equals 0x00000000, the first group SID in this member is the SID for this account.
                            	PrimaryGroupID    uint32                          // A 32-bit unsigned integer that contains the RID for the primary group to which this account belongs.
                            	AccountDomainID   mstypes.RPCSID                  // A SID structure that contains the SID for the domain of the account. This member is used in conjunction with the UserId, and GroupIds members to create the user and group SIDs for the client.
                            	AccountGroupCount uint32                          // A 32-bit unsigned integer that contains the number of groups within the account domain to which the account belongs.
                            	AccountGroupIDs   []mstypes.GroupMembership       // A pointer to a list of GROUP_MEMBERSHIP (section 2.2.2) structures that contains the groups to which the account belongs in the account domain. The number of groups in this list MUST be equal to AccountGroupCount (GroupCount in the specification).
                            	SIDCount          uint32                          // A 32-bit unsigned integer that contains the total number of SIDs present in the ExtraSids member.
                            	ExtraSIDs         []mstypes.KerbSidAndAttributes  // A pointer to a list of KERB_SID_AND_ATTRIBUTES structures that contain a list of SIDs corresponding to groups not in domains. If the UserId member equals 0x00000000, the first group SID in this member is the SID for this account.
                            	DomainGroupCount  uint32                          // A 32-bit unsigned integer that contains the number of domains with groups to which the account belongs.
                            	DomainGroup       []mstypes.DomainGroupMembership // A pointer to a list of DOMAIN_GROUP_MEMBERSHIP structures (section 2.2.3) that contains the domains to which the account belongs to a group. The number of sets in this list MUST be equal to DomainGroupCount (DomainCount in the specification).
                            }

                              DeviceInfo implements https://msdn.microsoft.com/en-us/library/hh536402.aspx

                              func (*DeviceInfo) Unmarshal

                              func (k *DeviceInfo) Unmarshal(b []byte) error

                                Unmarshal bytes into the DeviceInfo struct

                                type InfoBuffer

                                // InfoBuffer implements the PAC Info Buffer: https://msdn.microsoft.com/en-us/library/cc237954.aspx
                                // It is the PACType.Buffers entry that locates one typed buffer inside the PAC;
                                // ReadPACInfoBuffer reads it from the byte slice. Offset and CBBufferSize are
                                // taken from the PAC itself, so a consumer must bounds-check Offset+CBBufferSize
                                // against the PAC length before slicing into the data.
                                // NOTE(review): confirm ProcessPACInfoBuffers performs that check for every
                                // buffer type it handles.
                                type InfoBuffer struct {
                                	ULType       uint32 // A 32-bit unsigned integer in little-endian format that describes the type of data present in the buffer contained at Offset.
                                	CBBufferSize uint32 // A 32-bit unsigned integer in little-endian format that contains the size, in bytes, of the buffer in the PAC located at Offset.
                                	Offset       uint64 // A 64-bit unsigned integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the PACTYPE structure. The data offset MUST be a multiple of eight. The following sections specify the format of each type of element.
                                }

                                  InfoBuffer implements the PAC Info Buffer: https://msdn.microsoft.com/en-us/library/cc237954.aspx

                                  func ReadPACInfoBuffer

                                  func ReadPACInfoBuffer(b *[]byte, p *int, e *binary.ByteOrder) InfoBuffer

                                    ReadPACInfoBuffer reads an InfoBuffer from the byte slice.

                                    type KerbValidationInfo

                                    // KerbValidationInfo implements https://msdn.microsoft.com/en-us/library/cc237948.aspx
                                    // The KERB_VALIDATION_INFO structure defines the user's logon and authorization
                                    // information provided by the DC. It is a subset of the NETLOGON_VALIDATION_SAM_INFO4
                                    // structure ([MS-NRPC] section 2.2.1.4.13) and is marshaled by RPC [MS-RPCE].
                                    // Unmarshal populates it from a PAC buffer; GetGroupMembershipSIDs returns the
                                    // group membership SIDs found in it as strings.
                                    type KerbValidationInfo struct {
                                    	LogOnTime          mstypes.FileTime
                                    	LogOffTime         mstypes.FileTime
                                    	KickOffTime        mstypes.FileTime
                                    	PasswordLastSet    mstypes.FileTime
                                    	PasswordCanChange  mstypes.FileTime
                                    	PasswordMustChange mstypes.FileTime
                                    	EffectiveName      mstypes.RPCUnicodeString
                                    	FullName           mstypes.RPCUnicodeString
                                    	LogonScript        mstypes.RPCUnicodeString
                                    	ProfilePath        mstypes.RPCUnicodeString // Populated when USERFLAG_PROFILEPATH is set (per that flag's description).
                                    	HomeDirectory      mstypes.RPCUnicodeString
                                    	HomeDirectoryDrive mstypes.RPCUnicodeString
                                    	LogonCount         uint16
                                    	BadPasswordCount   uint16
                                    	UserID             uint32
                                    	PrimaryGroupID     uint32
                                    	GroupCount         uint32 // Presumably the number of entries in GroupIDs — confirm.
                                    
                                    	GroupIDs        []mstypes.GroupMembership
                                    	UserFlags       uint32 // KERB_VALIDATION_INFO flags; see the USERFLAG_* constants.
                                    	UserSessionKey  mstypes.UserSessionKey
                                    	LogonServer     mstypes.RPCUnicodeString
                                    	LogonDomainName mstypes.RPCUnicodeString
                                    
                                    	LogonDomainID        mstypes.RPCSID
                                    	Reserved1            []uint32 // Has 2 elements
                                    	UserAccountControl   uint32
                                    	SubAuthStatus        uint32
                                    	LastSuccessfulILogon mstypes.FileTime
                                    	LastFailedILogon     mstypes.FileTime
                                    	FailedILogonCount    uint32
                                    	Reserved3            uint32
                                    	SIDCount             uint32 // Presumably the number of entries in ExtraSIDs — confirm.
                                    
                                    	ExtraSIDs []mstypes.KerbSidAndAttributes // Populated when USERFLAG_EXTRA_SIDS is set (per that flag's description).
                                    
                                    	ResourceGroupDomainSID mstypes.RPCSID
                                    	ResourceGroupCount     uint32 // Presumably the number of entries in ResourceGroupIDs — confirm.
                                    
                                    	ResourceGroupIDs []mstypes.GroupMembership // Populated when USERFLAG_RESOURCE_GROUPIDS is set (per that flag's description).
                                    	// contains filtered or unexported fields
                                    }

                                      KerbValidationInfo implements https://msdn.microsoft.com/en-us/library/cc237948.aspx The KERB_VALIDATION_INFO structure defines the user's logon and authorization information provided by the DC. The KERB_VALIDATION_INFO structure is a subset of the NETLOGON_VALIDATION_SAM_INFO4 structure ([MS-NRPC] section 2.2.1.4.13). It is a subset due to historical reasons and to the use of the common Active Directory to generate this information. The KERB_VALIDATION_INFO structure is marshaled by RPC [MS-RPCE].

                                      func (*KerbValidationInfo) GetGroupMembershipSIDs

                                      func (k *KerbValidationInfo) GetGroupMembershipSIDs() []string

                                        GetGroupMembershipSIDs returns a slice of strings containing the group membership SIDs found in the PAC.

                                        func (*KerbValidationInfo) Unmarshal

                                        func (k *KerbValidationInfo) Unmarshal(b []byte) (err error)

                                          Unmarshal bytes into the KerbValidationInfo struct

                                          type NTLMSupplementalCred

                                          // NTLMSupplementalCred implements https://msdn.microsoft.com/en-us/library/cc237949.aspx
                                          // and carries NTLM one-way-function (OWF) password hashes; ReadNTLMSupplementalCred
                                          // reads it from the byte slice. NOTE(review): the OWF values are password-derived
                                          // secrets — do not log or persist them.
                                          type NTLMSupplementalCred struct {
                                          	Version    uint32 // A 32-bit unsigned integer that defines the credential version. This field MUST be 0x00000000.
                                          	Flags      uint32 // Flags; NTLMSupCredLMOWF (the L flag) and NTLMSupCredNTOWF (the N flag) indicate which OWF members are present and valid.
                                          	LMPassword []byte // A 16-element array of unsigned 8-bit integers that define the LM OWF. The LmPassword member MUST be ignored if the L flag is not set in the Flags member.
                                          	NTPassword []byte // A 16-element array of unsigned 8-bit integers that define the NT OWF. The NtPassword member MUST be ignored if the N flag is not set in the Flags member.
                                          }

                                            NTLMSupplementalCred implements https://msdn.microsoft.com/en-us/library/cc237949.aspx

                                            func ReadNTLMSupplementalCred

                                            func ReadNTLMSupplementalCred(b *[]byte, p *int, e *binary.ByteOrder) NTLMSupplementalCred

                                              ReadNTLMSupplementalCred reads an NTLMSupplementalCred from the byte slice.

                                              type PACType

                                              // PACType implements: https://msdn.microsoft.com/en-us/library/cc237950.aspx
                                              // It is the top-level PAC structure. Unmarshal parses it from the raw bytes;
                                              // ProcessPACInfoBuffers then processes the PAC Info Buffers using the supplied
                                              // key, filling the typed fields below.
                                              // NOTE(review): the typed fields should not be trusted until ServerChecksum has
                                              // been verified with the service key — presumably ProcessPACInfoBuffers does
                                              // this; confirm.
                                              type PACType struct {
                                              	CBuffers           uint32 // Presumably the number of entries in Buffers — confirm.
                                              	Version            uint32
                                              	Buffers            []InfoBuffer // One InfoBuffer per buffer in the PAC, each locating its data by Offset/CBBufferSize.
                                              	Data               []byte       // Presumably the raw PAC bytes that the InfoBuffer offsets refer to — confirm.
                                              	// The typed buffers below are pointers; a buffer absent from the PAC is
                                              	// presumably left nil, so callers should check for nil before use — confirm.
                                              	KerbValidationInfo *KerbValidationInfo
                                              	CredentialsInfo    *CredentialsInfo
                                              	ServerChecksum     *SignatureData
                                              	KDCChecksum        *SignatureData
                                              	ClientInfo         *ClientInfo
                                              	S4UDelegationInfo  *S4UDelegationInfo
                                              	UPNDNSInfo         *UPNDNSInfo
                                              	ClientClaimsInfo   *ClientClaimsInfo
                                              	DeviceInfo         *DeviceInfo
                                              	DeviceClaimsInfo   *DeviceClaimsInfo
                                              	ZeroSigData        []byte // Presumably the PAC bytes with the signature fields zeroed, as needed to compute and verify ServerChecksum/KDCChecksum — confirm.
                                              }

                                                PACType implements: https://msdn.microsoft.com/en-us/library/cc237950.aspx

                                                func (*PACType) ProcessPACInfoBuffers

                                                func (pac *PACType) ProcessPACInfoBuffers(key types.EncryptionKey) error

                                                  ProcessPACInfoBuffers processes the PAC Info Buffers. https://msdn.microsoft.com/en-us/library/cc237954.aspx

                                                  func (*PACType) Unmarshal

                                                  func (pac *PACType) Unmarshal(b []byte) error

                                                    Unmarshal bytes into the PACType struct

                                                    type S4UDelegationInfo

                                                    // S4UDelegationInfo implements https://msdn.microsoft.com/en-us/library/cc237944.aspx
                                                    // and records the delegation chain for a service-for-user ticket. Unmarshal
                                                    // populates it from a PAC buffer.
                                                    type S4UDelegationInfo struct {
                                                    	S4U2proxyTarget      mstypes.RPCUnicodeString // The name of the principal to whom the application can forward the ticket.
                                                    	TransitedListSize    uint32 // Number of entries in S4UTransitedServices.
                                                    	S4UTransitedServices []mstypes.RPCUnicodeString // List of all services that have been delegated through by this client and subsequent services or servers. Size is value of TransitedListSize
                                                    }

                                                      S4UDelegationInfo implements https://msdn.microsoft.com/en-us/library/cc237944.aspx

                                                      func (*S4UDelegationInfo) Unmarshal

                                                      func (k *S4UDelegationInfo) Unmarshal(b []byte) error

                                                        Unmarshal bytes into the S4UDelegationInfo struct

                                                        type SECPKGSupplementalCred

                                                        // SECPKGSupplementalCred implements https://msdn.microsoft.com/en-us/library/cc237956.aspx
                                                        // and is one entry of CredentialData.Credentials; ReadSECPKGSupplementalCred
                                                        // reads it from the byte slice.
                                                        type SECPKGSupplementalCred struct {
                                                        	PackageName    mstypes.RPCUnicodeString // Presumably names the security package the Credentials payload belongs to — confirm.
                                                        	CredentialSize uint32 // Number of bytes in Credentials.
                                                        	Credentials    []uint8 // Is a ptr. Size is the value of CredentialSize. Presumably decoded with ReadNTLMSupplementalCred for the NTLM package — confirm.
                                                        }

                                                          SECPKGSupplementalCred implements https://msdn.microsoft.com/en-us/library/cc237956.aspx

                                                          func ReadSECPKGSupplementalCred

                                                          func ReadSECPKGSupplementalCred(b *[]byte, p *int, e *binary.ByteOrder) SECPKGSupplementalCred

                                                            ReadSECPKGSupplementalCred reads a SECPKGSupplementalCred from the byte slice.

                                                            type SignatureData

                                                            // SignatureData implements https://msdn.microsoft.com/en-us/library/cc237955.aspx
                                                            // and holds one PAC checksum (used for PACType.ServerChecksum and KDCChecksum).
                                                            // Unmarshal populates it from a PAC buffer and also returns a byte slice;
                                                            // NOTE(review): what that returned slice holds is not shown here — confirm.
                                                            type SignatureData struct {
                                                            	SignatureType  uint32 // A 32-bit unsigned integer value in little-endian format that defines the cryptographic system used to calculate the checksum. This MUST be one of the following checksum types: KERB_CHECKSUM_HMAC_MD5 (signature size = 16), HMAC_SHA1_96_AES128 (signature size = 12), HMAC_SHA1_96_AES256 (signature size = 12).
                                                            	Signature      []byte // Size depends on the type. See comment above.
                                                            	RODCIdentifier uint16 // A 16-bit unsigned integer value in little-endian format that contains the first 16 bits of the key version number ([MS-KILE] section 3.1.5.8) when the KDC is an RODC. When the KDC is not an RODC, this field does not exist.
                                                            }

                                                              SignatureData implements https://msdn.microsoft.com/en-us/library/cc237955.aspx

                                                              func (*SignatureData) Unmarshal

                                                              func (k *SignatureData) Unmarshal(b []byte) ([]byte, error)

                                                                Unmarshal bytes into the SignatureData struct

                                                                type UPNDNSInfo

                                                                // UPNDNSInfo implements https://msdn.microsoft.com/en-us/library/dd240468.aspx
                                                                // and carries the client's UPN and DNS domain name. Unmarshal populates it
                                                                // from a PAC buffer; the length/offset fields locate the two strings inside
                                                                // that buffer, so they must be bounds-checked against it before slicing.
                                                                type UPNDNSInfo struct {
                                                                	UPNLength           uint16 // An unsigned 16-bit integer in little-endian format that specifies the length, in bytes, of the UPN field.
                                                                	UPNOffset           uint16 // An unsigned 16-bit integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the UPN_DNS_INFO structure.
                                                                	DNSDomainNameLength uint16 // Presumably mirrors UPNLength for the DNSDomain field — confirm.
                                                                	DNSDomainNameOffset uint16 // Presumably mirrors UPNOffset for the DNSDomain field — confirm.
                                                                	Flags               uint32 // Flag bits; their meaning is not described here.
                                                                	UPN                 string // Decoded UPN string.
                                                                	DNSDomain           string // Decoded DNS domain name string.
                                                                }

                                                                  UPNDNSInfo implements https://msdn.microsoft.com/en-us/library/dd240468.aspx

                                                                  func (*UPNDNSInfo) Unmarshal

                                                                  func (k *UPNDNSInfo) Unmarshal(b []byte) error

                                                                    Unmarshal bytes into the UPNDNSInfo struct