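# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author: Alberto Solino (@agsolino)
#
# Description:
#   Constants for krb5.asn1 package. I took them out from the RFC plus
#   some data from [MS-KILE] as well.
#
#   Unless noted otherwise the numeric values come from RFC 4120
#   (Kerberos V5) and RFC 3961 (encryption/checksum types). Values that
#   Microsoft added are tagged [MS-KILE] / [MS-SFU]. None of these tables
#   is meant to be exhaustive: unknown values coming off the wire are a
#   normal event and must be handled by the caller, not assumed invalid.
#

import operator

try:
    # impacket ships a Python 2 compatible backport of the stdlib enum module.
    from impacket.dcerpc.v5.enum import Enum
except ImportError:  # pragma: no cover - stand-alone use on a plain Python 3
    from enum import Enum


def encodeFlags(flags, size=32):
    """Turn a collection of flag bit positions into a KerberosFlags bit list.

    KDCOptions, TicketFlags and APOptions are ASN.1 BIT STRINGs; RFC 4120
    section 5.2.8 fixes their minimum length at 32 bits, hence the default
    *size*. The returned list has one 0/1 entry per bit: element ``i`` is 1
    exactly when ``i`` is in *flags*. Index 0 is the first bit of the string,
    which is presumably the order the pyasn1 BitString built by the callers
    expects -- TODO confirm against krb5/asn1.py.

    :param flags: iterable of bit positions, either plain integers or Enum
        members such as ``KDCOptions.forwardable`` (their ``.value`` is used)
    :param size: number of bits in the resulting list (32 by default)
    :return: list of ``size`` ints, each 0 or 1
    :raises ValueError: if a flag is not an integer, or is outside
        ``0 <= flag < size``
    """
    bits = [0] * size
    for flag in flags:
        position = flag.value if isinstance(flag, Enum) else flag
        try:
            position = operator.index(position)
        except TypeError:
            raise ValueError('flag %r is not an integer bit position' % (flag,))
        # Check the range explicitly: a negative position would otherwise wrap
        # around and silently set a bit at the end of the list.
        if not 0 <= position < size:
            raise ValueError('flag %r is outside 0..%d' % (flag, size - 1))
        bits[position] = 1
    return bits


# RFC 4120 section 5.10: ASN.1 application tag numbers of the Kerberos
# messages (Ticket is [APPLICATION 1], AS-REQ is [APPLICATION 10], ...).
class ApplicationTagNumbers(Enum):
    Ticket = 1
    Authenticator = 2
    EncTicketPart = 3
    AS_REQ = 10
    AS_REP = 11
    TGS_REQ = 12
    TGS_REP = 13
    AP_REQ = 14
    AP_REP = 15
    RESERVED16 = 16
    RESERVED17 = 17
    KRB_SAFE = 20
    KRB_PRIV = 21
    KRB_CRED = 22
    EncASRepPart = 25
    EncTGSRepPart = 26
    EncApRepPart = 27
    EncKrbPrivPart = 28
    EncKrbCredPart = 29
    KRB_ERROR = 30


# RFC 4120 section 6.2: PrincipalName name-type values. The same numbers are
# also exposed below as NameTypes (with the KRB_ prefix); both spellings are
# kept because existing code imports either of them.
class PrincipalNameType(Enum):
    NT_UNKNOWN = 0
    NT_PRINCIPAL = 1
    NT_SRV_INST = 2
    NT_SRV_HST = 3
    NT_SRV_XHST = 4
    NT_UID = 5
    NT_X500_PRINCIPAL = 6
    NT_SMTP_NAME = 7
    NT_ENTERPRISE = 10


# RFC 4120 section 7.5.2 pre-authentication and typed-data types, extended
# with the PKINIT (RFC 4556), FAST (RFC 6113) and Microsoft-specific values.
class PreAuthenticationDataTypes(Enum):
    PA_TGS_REQ = 1
    PA_ENC_TIMESTAMP = 2
    PA_PW_SALT = 3
    PA_ENC_UNIX_TIME = 5
    PA_SANDIA_SECUREID = 6
    PA_SESAME = 7
    PA_OSF_DCE = 8
    PA_CYBERSAFE_SECUREID = 9
    PA_AFS3_SALT = 10
    PA_ETYPE_INFO = 11
    PA_SAM_CHALLENGE = 12
    PA_SAM_RESPONSE = 13
    PA_PK_AS_REQ_OLD = 14
    PA_PK_AS_REP_OLD = 15
    PA_PK_AS_REQ = 16
    PA_PK_AS_REP = 17
    PA_ETYPE_INFO2 = 19
    PA_USE_SPECIFIED_KVNO = 20
    PA_SAM_REDIRECT = 21
    PA_GET_FROM_TYPED_DATA = 22
    # RFC 4120 assigns 22 to both names, so TD_PADATA is an Enum alias of
    # PA_GET_FROM_TYPED_DATA (same member object, not a separate entry).
    TD_PADATA = 22
    PA_SAM_ETYPE_INFO = 23
    PA_ALT_PRINC = 24
    PA_SAM_CHALLENGE2 = 30
    PA_SAM_RESPONSE2 = 31
    PA_EXTRA_TGT = 41
    TD_PKINIT_CMS_CERTIFICATES = 101
    TD_KRB_PRINCIPAL = 102
    TD_KRB_REALM = 103
    TD_TRUSTED_CERTIFIERS = 104
    TD_CERTIFICATE_INDEX = 105
    TD_APP_DEFINED_ERROR = 106
    TD_REQ_NONCE = 107
    TD_REQ_SEQ = 108
    PA_PAC_REQUEST = 128          # [MS-KILE] ask the KDC to include/omit the PAC
    PA_FOR_USER = 129             # [MS-SFU] S4U2self: request a ticket on behalf of a user
    PA_FX_COOKIE = 133            # RFC 6113 (FAST)
    PA_FX_FAST = 136              # RFC 6113 (FAST)
    PA_FX_ERROR = 137             # RFC 6113 (FAST)
    PA_ENCRYPTED_CHALLENGE = 138  # RFC 6113 (FAST)
    PA_SUPPORTED_ENCTYPES = 165   # [MS-KILE]
    PA_PAC_OPTIONS = 167          # [MS-KILE] e.g. resource-based constrained delegation


# RFC 4120 section 7.5.3: HostAddress addr-type values.
class AddressType(Enum):
    IPv4 = 2
    Directional = 3
    ChaosNet = 5
    XNS = 6
    ISO = 7
    DECNET_Phase_IV = 12
    AppleTalk_DDP = 16
    NetBios = 20
    IPv6 = 24


# [MS-KILE] 3.1.5.9 Key Usage Numbers (Microsoft additions to the RFC 4120
# section 7.5.1 key usage table).
KERB_NON_KERB_SALT = 16
KERB_NON_KERB_CKSUM_SALT = 17


# RFC 4120 section 7.5.4: AuthorizationData ad-type values.
class AuthorizationDataType(Enum):
    AD_IF_RELEVANT = 1
    AD_INTENDED_FOR_SERVER = 2
    AD_INTENDED_FOR_APPLICATION_CLASS = 3
    AD_KDC_ISSUED = 4
    AD_AND_OR = 5
    AD_MANDATORY_TICKET_EXTENSIONS = 6
    AD_IN_TICKET_EXTENSIONS = 7
    AD_MANDATORY_FOR_KDC = 8
    # Reserved values = 9-63
    OSF_DCE = 64
    SESAME = 65
    AD_OSF_DCE_PKI_CERTID = 66
    AD_WIN2K_PAC = 128           # the Windows PAC ([MS-PAC]), wrapped in AD_IF_RELEVANT
    AD_ETYPE_NEGOTIATION = 129


# RFC 4120 section 7.5.5: TransitedEncoding tr-type values.
class TransitedEncodingTypes(Enum):
    DOMAIN_X500_COMPRESS = 1


# RFC 4120 section 7.5.6: the only protocol version number in use.
class ProtocolVersionNumber(Enum):
    pvno = 5


# RFC 4120 section 7.5.7: msg-type values of the Kerberos messages. They
# coincide with the application tag numbers above.
class KerberosMessageTypes(Enum):
    KRB_AS_REQ = 10      # Request for initial authentication
    KRB_AS_REP = 11      # Response to KRB_AS_REQ request
    KRB_TGS_REQ = 12     # Request for authentication based on TGT
    KRB_TGS_REP = 13     # Response to KRB_TGS_REQ request
    KRB_AP_REQ = 14      # Application request to server
    KRB_AP_REP = 15      # Response to KRB_AP_REQ_MUTUAL
    KRB_RESERVED16 = 16  # Reserved for user-to-user krb_tgt_request
    KRB_RESERVED17 = 17  # Reserved for user-to-user krb_tgt_reply
    KRB_SAFE = 20        # Safe (checksummed) application message
    KRB_PRIV = 21        # Private (encrypted) application message
    KRB_CRED = 22        # Private (encrypted) message to forward credentials
    KRB_ERROR = 30       # Error response


# RFC 4120 section 7.5.8: name types (same numbers as PrincipalNameType).
class NameTypes(Enum):
    KRB_NT_UNKNOWN = 0          # Name type not known
    KRB_NT_PRINCIPAL = 1        # Just the name of the principal as in DCE, or for users
    KRB_NT_SRV_INST = 2         # Service and other unique instance (krbtgt)
    KRB_NT_SRV_HST = 3          # Service with host name as instance (telnet, rcommands)
    KRB_NT_SRV_XHST = 4         # Service with host as remaining components
    KRB_NT_UID = 5              # Unique ID
    KRB_NT_X500_PRINCIPAL = 6   # Encoded X.509 Distinguished name [RFC2253]
    KRB_NT_SMTP_NAME = 7        # Name in form of SMTP email name (e.g., user@example.com)
    KRB_NT_ENTERPRISE = 10      # Enterprise name; may be mapped to principal name


# RFC 4120 section 7.5.9: KRB-ERROR error-code values.
#
# NOTE(review): a KDC answers differently for an unknown principal (6), a
# disabled/revoked one (18) and a wrong password (24), which is exactly what
# user-enumeration tooling keys on. Code that surfaces these to an operator
# should keep the distinction; code that proxies them to an untrusted peer
# may want to collapse them.
class ErrorCodes(Enum):
    KDC_ERR_NONE = 0                            # No error
    KDC_ERR_NAME_EXP = 1                        # Client's entry in database has expired
    KDC_ERR_SERVICE_EXP = 2                     # Server's entry in database has expired
    KDC_ERR_BAD_PVNO = 3                        # Requested protocol version number not supported
    KDC_ERR_C_OLD_MAST_KVNO = 4                 # Client's key encrypted in old master key
    KDC_ERR_S_OLD_MAST_KVNO = 5                 # Server's key encrypted in old master key
    KDC_ERR_C_PRINCIPAL_UNKNOWN = 6             # Client not found in Kerberos database
    KDC_ERR_S_PRINCIPAL_UNKNOWN = 7             # Server not found in Kerberos database
    KDC_ERR_PRINCIPAL_NOT_UNIQUE = 8            # Multiple principal entries in database
    KDC_ERR_NULL_KEY = 9                        # The client or server has a null key
    KDC_ERR_CANNOT_POSTDATE = 10                # Ticket not eligible for postdating
    KDC_ERR_NEVER_VALID = 11                    # Requested starttime is later than end time
    KDC_ERR_POLICY = 12                         # KDC policy rejects request
    KDC_ERR_BADOPTION = 13                      # KDC cannot accommodate requested option
    KDC_ERR_ETYPE_NOSUPP = 14                   # KDC has no support for encryption type
    KDC_ERR_SUMTYPE_NOSUPP = 15                 # KDC has no support for checksum type
    KDC_ERR_PADATA_TYPE_NOSUPP = 16             # KDC has no support for padata type
    KDC_ERR_TRTYPE_NOSUPP = 17                  # KDC has no support for transited type
    KDC_ERR_CLIENT_REVOKED = 18                 # Clients credentials have been revoked
    KDC_ERR_SERVICE_REVOKED = 19                # Credentials for server have been revoked
    KDC_ERR_TGT_REVOKED = 20                    # TGT has been revoked
    KDC_ERR_CLIENT_NOTYET = 21                  # Client not yet valid; try again later
    KDC_ERR_SERVICE_NOTYET = 22                 # Server not yet valid; try again later
    KDC_ERR_KEY_EXPIRED = 23                    # Password has expired; change password to reset
    KDC_ERR_PREAUTH_FAILED = 24                 # Pre-authentication information was invalid
    KDC_ERR_PREAUTH_REQUIRED = 25               # Additional pre-authentication required
    KDC_ERR_SERVER_NOMATCH = 26                 # Requested server and ticket don't match
    KDC_ERR_MUST_USE_USER2USER = 27             # Server principal valid for user2user only
    KDC_ERR_PATH_NOT_ACCEPTED = 28              # KDC Policy rejects transited path
    KDC_ERR_SVC_UNAVAILABLE = 29                # A service is not available
    KRB_AP_ERR_BAD_INTEGRITY = 31               # Integrity check on decrypted field failed
    KRB_AP_ERR_TKT_EXPIRED = 32                 # Ticket expired
    KRB_AP_ERR_TKT_NYV = 33                     # Ticket not yet valid
    KRB_AP_ERR_REPEAT = 34                      # Request is a replay
    KRB_AP_ERR_NOT_US = 35                      # The ticket isn't for us
    KRB_AP_ERR_BADMATCH = 36                    # Ticket and authenticator don't match
    KRB_AP_ERR_SKEW = 37                        # Clock skew too great
    KRB_AP_ERR_BADADDR = 38                     # Incorrect net address
    KRB_AP_ERR_BADVERSION = 39                  # Protocol version mismatch
    KRB_AP_ERR_MSG_TYPE = 40                    # Invalid msg type
    KRB_AP_ERR_MODIFIED = 41                    # Message stream modified
    KRB_AP_ERR_BADORDER = 42                    # Message out of order
    # 43 is not assigned by RFC 4120
    KRB_AP_ERR_BADKEYVER = 44                   # Specified version of key is not available
    KRB_AP_ERR_NOKEY = 45                       # Service key not available
    KRB_AP_ERR_MUT_FAIL = 46                    # Mutual authentication failed
    KRB_AP_ERR_BADDIRECTION = 47                # Incorrect message direction
    KRB_AP_ERR_METHOD = 48                      # Alternative authentication method required
    KRB_AP_ERR_BADSEQ = 49                      # Incorrect sequence number in message
    KRB_AP_ERR_INAPP_CKSUM = 50                 # Inappropriate type of checksum in message
    KRB_AP_PATH_NOT_ACCEPTED = 51               # Policy rejects transited path
    KRB_ERR_RESPONSE_TOO_BIG = 52               # Response too big for UDP; retry with TCP
    KRB_ERR_GENERIC = 60                        # Generic error (description in e-text)
    KRB_ERR_FIELD_TOOLONG = 61                  # Field is too long for this implementation
    KDC_ERROR_CLIENT_NOT_TRUSTED = 62           # Reserved for PKINIT
    KDC_ERROR_KDC_NOT_TRUSTED = 63              # Reserved for PKINIT
    KDC_ERROR_INVALID_SIG = 64                  # Reserved for PKINIT
    KDC_ERR_KEY_TOO_WEAK = 65                   # Reserved for PKINIT
    KDC_ERR_CERTIFICATE_MISMATCH = 66           # Reserved for PKINIT
    KRB_AP_ERR_NO_TGT = 67                      # No TGT available to validate USER-TO-USER
    KDC_ERR_WRONG_REALM = 68                    # Reserved for future use in RFC 4120; RFC 6806
                                                # (referrals) uses it to redirect the client
    KRB_AP_ERR_USER_TO_USER_REQUIRED = 69       # Ticket must be for USER-TO-USER
    KDC_ERR_CANT_VERIFY_CERTIFICATE = 70        # Reserved for PKINIT
    KDC_ERR_INVALID_CERTIFICATE = 71            # Reserved for PKINIT
    KDC_ERR_REVOKED_CERTIFICATE = 72            # Reserved for PKINIT
    KDC_ERR_REVOCATION_STATUS_UNKNOWN = 73      # Reserved for PKINIT
    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE = 74  # Reserved for PKINIT
    KDC_ERR_CLIENT_NAME_MISMATCH = 75           # Reserved for PKINIT
    KDC_ERR_KDC_NAME_MISMATCH = 76              # Reserved for PKINIT


# error-code -> (symbolic name, human readable text), one entry per ErrorCodes
# member. Kept as a plain dict (rather than derived from the Enum) because the
# texts are the ones shown to the user and callers index it with the raw
# integer from a KRB-ERROR; look values up with .get() since a KDC may send
# codes that are not in this table.
ERROR_MESSAGES = {
    0 : ('KDC_ERR_NONE', 'No error'),
    1 : ('KDC_ERR_NAME_EXP', 'Client\'s entry in database has expired'),
    2 : ('KDC_ERR_SERVICE_EXP', 'Server\'s entry in database has expired'),
    3 : ('KDC_ERR_BAD_PVNO', 'Requested protocol version number not supported'),
    4 : ('KDC_ERR_C_OLD_MAST_KVNO', 'Client\'s key encrypted in old master key'),
    5 : ('KDC_ERR_S_OLD_MAST_KVNO', 'Server\'s key encrypted in old master key'),
    6 : ('KDC_ERR_C_PRINCIPAL_UNKNOWN', 'Client not found in Kerberos database'),
    7 : ('KDC_ERR_S_PRINCIPAL_UNKNOWN', 'Server not found in Kerberos database'),
    8 : ('KDC_ERR_PRINCIPAL_NOT_UNIQUE', 'Multiple principal entries in database'),
    9 : ('KDC_ERR_NULL_KEY', 'The client or server has a null key'),
    10 : ('KDC_ERR_CANNOT_POSTDATE', 'Ticket not eligible for postdating'),
    11 : ('KDC_ERR_NEVER_VALID', 'Requested starttime is later than end time'),
    12 : ('KDC_ERR_POLICY', 'KDC policy rejects request'),
    13 : ('KDC_ERR_BADOPTION', 'KDC cannot accommodate requested option'),
    14 : ('KDC_ERR_ETYPE_NOSUPP', 'KDC has no support for encryption type'),
    15 : ('KDC_ERR_SUMTYPE_NOSUPP', 'KDC has no support for checksum type'),
    16 : ('KDC_ERR_PADATA_TYPE_NOSUPP', 'KDC has no support for padata type'),
    17 : ('KDC_ERR_TRTYPE_NOSUPP', 'KDC has no support for transited type'),
    18 : ('KDC_ERR_CLIENT_REVOKED', 'Clients credentials have been revoked'),
    19 : ('KDC_ERR_SERVICE_REVOKED', 'Credentials for server have been revoked'),
    20 : ('KDC_ERR_TGT_REVOKED', 'TGT has been revoked'),
    21 : ('KDC_ERR_CLIENT_NOTYET', 'Client not yet valid; try again later'),
    22 : ('KDC_ERR_SERVICE_NOTYET', 'Server not yet valid; try again later'),
    23 : ('KDC_ERR_KEY_EXPIRED', 'Password has expired; change password to reset'),
    24 : ('KDC_ERR_PREAUTH_FAILED', 'Pre-authentication information was invalid'),
    25 : ('KDC_ERR_PREAUTH_REQUIRED', 'Additional pre-authentication required'),
    26 : ('KDC_ERR_SERVER_NOMATCH', 'Requested server and ticket don\'t match'),
    27 : ('KDC_ERR_MUST_USE_USER2USER', 'Server principal valid for user2user only'),
    28 : ('KDC_ERR_PATH_NOT_ACCEPTED', 'KDC Policy rejects transited path'),
    29 : ('KDC_ERR_SVC_UNAVAILABLE', 'A service is not available'),
    31 : ('KRB_AP_ERR_BAD_INTEGRITY', 'Integrity check on decrypted field failed'),
    32 : ('KRB_AP_ERR_TKT_EXPIRED', 'Ticket expired'),
    33 : ('KRB_AP_ERR_TKT_NYV', 'Ticket not yet valid'),
    34 : ('KRB_AP_ERR_REPEAT', 'Request is a replay'),
    35 : ('KRB_AP_ERR_NOT_US', 'The ticket isn\'t for us'),
    36 : ('KRB_AP_ERR_BADMATCH', 'Ticket and authenticator don\'t match'),
    37 : ('KRB_AP_ERR_SKEW', 'Clock skew too great'),
    38 : ('KRB_AP_ERR_BADADDR', 'Incorrect net address'),
    39 : ('KRB_AP_ERR_BADVERSION', 'Protocol version mismatch'),
    40 : ('KRB_AP_ERR_MSG_TYPE', 'Invalid msg type'),
    41 : ('KRB_AP_ERR_MODIFIED', 'Message stream modified'),
    42 : ('KRB_AP_ERR_BADORDER', 'Message out of order'),
    44 : ('KRB_AP_ERR_BADKEYVER', 'Specified version of key is not available'),
    45 : ('KRB_AP_ERR_NOKEY', 'Service key not available'),
    46 : ('KRB_AP_ERR_MUT_FAIL', 'Mutual authentication failed'),
    47 : ('KRB_AP_ERR_BADDIRECTION', 'Incorrect message direction'),
    48 : ('KRB_AP_ERR_METHOD', 'Alternative authentication method required'),
    49 : ('KRB_AP_ERR_BADSEQ', 'Incorrect sequence number in message'),
    50 : ('KRB_AP_ERR_INAPP_CKSUM', 'Inappropriate type of checksum in message'),
    51 : ('KRB_AP_PATH_NOT_ACCEPTED', 'Policy rejects transited path'),
    52 : ('KRB_ERR_RESPONSE_TOO_BIG', 'Response too big for UDP; retry with TCP'),
    60 : ('KRB_ERR_GENERIC', 'Generic error (description in e-text)'),
    61 : ('KRB_ERR_FIELD_TOOLONG', 'Field is too long for this implementation'),
    62 : ('KDC_ERROR_CLIENT_NOT_TRUSTED', 'Reserved for PKINIT'),
    63 : ('KDC_ERROR_KDC_NOT_TRUSTED', 'Reserved for PKINIT'),
    64 : ('KDC_ERROR_INVALID_SIG', 'Reserved for PKINIT'),
    65 : ('KDC_ERR_KEY_TOO_WEAK', 'Reserved for PKINIT'),
    66 : ('KDC_ERR_CERTIFICATE_MISMATCH', 'Reserved for PKINIT'),
    67 : ('KRB_AP_ERR_NO_TGT', 'No TGT available to validate USER-TO-USER'),
    68 : ('KDC_ERR_WRONG_REALM', 'Reserved for future use'),
    69 : ('KRB_AP_ERR_USER_TO_USER_REQUIRED', 'Ticket must be for USER-TO-USER'),
    70 : ('KDC_ERR_CANT_VERIFY_CERTIFICATE', 'Reserved for PKINIT'),
    71 : ('KDC_ERR_INVALID_CERTIFICATE', 'Reserved for PKINIT'),
    72 : ('KDC_ERR_REVOKED_CERTIFICATE', 'Reserved for PKINIT'),
    73 : ('KDC_ERR_REVOCATION_STATUS_UNKNOWN', 'Reserved for PKINIT'),
    74 : ('KDC_ERR_REVOCATION_STATUS_UNAVAILABLE', 'Reserved for PKINIT'),
    75 : ('KDC_ERR_CLIENT_NAME_MISMATCH', 'Reserved for PKINIT'),
    76 : ('KDC_ERR_KDC_NAME_MISMATCH', 'Reserved for PKINIT'),
}


# RFC 4120 section 5.3: bit positions of the TicketFlags BIT STRING (feed the
# members to encodeFlags()). Bit 14 is unused; 15 comes from RFC 6806 and 16
# from RFC 8062 (anonymous tickets).
class TicketFlags(Enum):
    reserved = 0
    forwardable = 1
    forwarded = 2
    proxiable = 3
    proxy = 4
    may_postdate = 5
    postdated = 6
    invalid = 7
    renewable = 8
    initial = 9
    pre_authent = 10
    hw_authent = 11
    transited_policy_checked = 12
    ok_as_delegate = 13
    enc_pa_rep = 15
    anonymous = 16


# RFC 4120 section 5.4.1: bit positions of the KDCOptions BIT STRING.
# cname_in_addl_tkt (14) is the [MS-SFU] S4U2proxy bit, canonicalize (15) is
# RFC 6806.
class KDCOptions(Enum):
    reserved = 0
    forwardable = 1
    forwarded = 2
    proxiable = 3
    proxy = 4
    allow_postdate = 5
    postdated = 6
    unused7 = 7
    renewable = 8
    unused9 = 9
    unused10 = 10
    opt_hardware_auth = 11
    unused12 = 12
    unused13 = 13
    cname_in_addl_tkt = 14
    canonicalize = 15
    disable_transited_check = 26
    renewable_ok = 27
    enc_tkt_in_skey = 28
    renew = 30
    validate = 31


# RFC 4120 section 5.5.1: bit positions of the APOptions BIT STRING.
class APOptions(Enum):
    reserved = 0
    use_session_key = 1
    mutual_required = 2


# RFC 3961 section 8 encryption type numbers plus RC4 (RFC 4757).
#
# The DES family (1-3, 5, 7, 16 with DES keys) is deprecated by RFC 6649 and
# rc4_hmac / rc4_hmac_exp / des3_cbc_sha1 by RFC 8429; they are listed so
# that tickets and KDC replies using them can still be parsed, not as a
# recommendation to request them. 9-15 are PKINIT placeholders that name CMS
# algorithm OIDs rather than real Kerberos encryption types.
class EncryptionTypes(Enum):
    des_cbc_crc = 1
    des_cbc_md4 = 2
    des_cbc_md5 = 3
    _reserved_4 = 4
    des3_cbc_md5 = 5
    _reserved_6 = 6
    des3_cbc_sha1 = 7
    dsaWithSHA1_CmsOID = 9
    md5WithRSAEncryption_CmsOID = 10
    sha1WithRSAEncryption_CmsOID = 11
    rc2CBC_EnvOID = 12
    rsaEncryption_EnvOID = 13
    rsaES_OAEP_ENV_OID = 14
    des_ede3_cbc_Env_OID = 15
    des3_cbc_sha1_kd = 16
    aes128_cts_hmac_sha1_96 = 17
    aes256_cts_hmac_sha1_96 = 18
    rc4_hmac = 23
    rc4_hmac_exp = 24
    subkey_keymaterial = 65


# RFC 3961 section 8 checksum type numbers. hmac_md5 is the RC4-HMAC checksum
# from RFC 4757, whose number is the signed 32-bit reading of 0xffffff76.
class ChecksumTypes(Enum):
    rsa_md5_des = 8
    rsa_md4_des = 4
    hmac_md5 = -138
    hmac_sha1_des3_kd = 12
    hmac_sha1_96_aes128 = 15
    hmac_sha1_96_aes256 = 16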