Skip to content

Commit 616eaaa

Browse files
rtpt-erikgeiserrtpt-erikgeiser
committed
Initial commit
0 parents  commit 616eaaa

36 files changed

+5607
-0
lines changed

.github/workflows/check.yml

+74
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
name: Check
2+
on:
3+
# run tests on push to main, but not when other branches are pushed to
4+
push:
5+
branches:
6+
- main
7+
8+
# run tests for all pull requests
9+
pull_request:
10+
11+
jobs:
12+
lint:
13+
name: Lint
14+
runs-on: ubuntu-latest
15+
steps:
16+
- name: Set up Go
17+
uses: actions/setup-go@v3
18+
with:
19+
go-version: 1.24.x
20+
id: go
21+
22+
- name: Checkout code
23+
uses: actions/checkout@v3
24+
25+
- name: golangci-lint
26+
uses: golangci/golangci-lint-action@v3
27+
with:
28+
version: v1.64
29+
args: --verbose --timeout 5m
30+
31+
- name: Check go.mod
32+
run: |
33+
echo "check if go.mod is up to date"
34+
go mod tidy
35+
git diff --exit-code go.mod
36+
37+
test:
38+
name: Test
39+
runs-on: ubuntu-latest
40+
steps:
41+
- name: Set up Go
42+
uses: actions/setup-go@v3
43+
with:
44+
go-version: 1.24.x
45+
id: go
46+
47+
- name: Checkout code
48+
uses: actions/checkout@v3
49+
50+
- name: Run tests
51+
run: |
52+
go test ./...
53+
54+
build:
55+
strategy:
56+
matrix:
57+
go-version:
58+
- 1.24.x
59+
runs-on: ubuntu-latest
60+
name: Build with Go ${{ matrix.go-version }}
61+
env:
62+
GOPROXY: https://proxy.golang.org
63+
steps:
64+
- name: Set up Go ${{ matrix.go-version }}
65+
uses: actions/setup-go@v3
66+
with:
67+
go-version: ${{ matrix.go-version }}
68+
id: go
69+
70+
- name: Checkout code
71+
uses: actions/checkout@v3
72+
73+
- name: Build
74+
run: go build ./...

.gitignore

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
/adauth
2+
*.exe

.golangci.yml

+102
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,102 @@
1+
linters:
2+
disable-all: true
3+
enable:
4+
- asasalint
5+
- asciicheck
6+
- bidichk
7+
- bodyclose
8+
- canonicalheader
9+
- containedctx
10+
- decorder
11+
- dupl
12+
- dupword
13+
- durationcheck
14+
- errchkjson
15+
- errname
16+
- errorlint
17+
- fatcontext
18+
- forcetypeassert
19+
- ginkgolinter
20+
- gocheckcompilerdirectives
21+
- gochecksumtype
22+
- goconst
23+
- gocritic
24+
- gocyclo
25+
- godot
26+
- godox
27+
- gofmt
28+
- goheader
29+
- goimports
30+
- gosec
31+
- gomodguard
32+
- goprintffuncname
33+
- gosimple
34+
- gosmopolitan
35+
- govet
36+
- grouper
37+
- importas
38+
- inamedparam
39+
- ineffassign
40+
- interfacebloat
41+
- lll
42+
- loggercheck
43+
- maintidx
44+
- makezero
45+
- mirror
46+
- misspell
47+
- nakedret
48+
- nestif
49+
- nilerr
50+
- nilnil
51+
- nlreturn
52+
- noctx
53+
- nolintlint
54+
- nosprintfhostport
55+
- prealloc
56+
- predeclared
57+
- promlinter
58+
- protogetter
59+
- reassign
60+
- sloglint
61+
- spancheck
62+
- sqlclosecheck
63+
- staticcheck
64+
- tagalign
65+
- tagliatelle
66+
- usetesting
67+
- testableexamples
68+
- testifylint
69+
- thelper
70+
- tparallel
71+
- unconvert
72+
- unparam
73+
- unused
74+
- usestdlibvars
75+
- wastedassign
76+
- whitespace
77+
- wsl
78+
- zerologlint
79+
linters-settings:
80+
godox:
81+
keywords:
82+
- FIXME # FIXME generates a linter warning
83+
goconst:
84+
min-occurrences: 5
85+
tagliatelle:
86+
# check the struck tag name case
87+
case:
88+
rules:
89+
json: snake
90+
yaml: snake
91+
gosec:
92+
excludes:
93+
- G304 # command execution
94+
- G204 # file inclusion
95+
- G115 # integer overflow
96+
- G401 # weak cryptographic primitive (tell Microsoft, not me)
97+
- G501 # weak cryptographic primitive (tell Microsoft, not me)
98+
- G505 # weak cryptographic primitive (tell Microsoft, not me)
99+
- G402 # InsecureSkipVerify may be true
100+
101+
issues:
102+
exclude-use-default: false

LICENSE

+8
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
Copyright 2024 RedTeam Pentesting GmbH
2+
3+
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
4+
5+
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
6+
7+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
8+

README.md

+101
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,101 @@
1+
<p align="center">
2+
<h1 align="center"><b>adauth</b></h1>
3+
<p align="center"><i>Active Directory Authentication Library</i></p>
4+
<p align="center">
5+
<a href="https://github.com/RedTeamPentesting/adauth/releases/latest"><img alt="Release" src="https://img.shields.io/github/release/RedTeamPentesting/adauth.svg?style=for-the-badge"></a>
6+
<a href="https://pkg.go.dev/github.com/RedTeamPentesting/adauth"><img alt="Go Doc" src="https://img.shields.io/badge/godoc-reference-blue.svg?style=for-the-badge"></a>
7+
<a href="https://github.com/RedTeamPentesting/adauth/actions?workflow=Check"><img alt="GitHub Action: Check" src="https://img.shields.io/github/actions/workflow/status/RedTeamPentesting/adauth/check.yml?branch=main&style=for-the-badge"></a>
8+
<a href="/LICENSE"><img alt="Software License" src="https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge"></a>
9+
<a href="https://goreportcard.com/report/github.com/RedTeamPentesting/adauth"><img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/RedTeamPentesting/adauth?style=for-the-badge"></a>
10+
</p>
11+
</p>
12+
13+
14+
**Warning: The API of this library is not yet stable. Expect breaking changes.**
15+
16+
`adauth` is a Go library for active directory authentication. It can be used to
17+
quickly set up authentication options:
18+
19+
```go
20+
var (
21+
ctx = context.Background()
22+
authOpts = &adauth.Options{}
23+
)
24+
25+
authOpts.RegisterFlags(pflag.CommandLine)
26+
pflag.Parse()
27+
// --aes-key string Kerberos AES key
28+
// --ccache string Kerberos CCache file name (defaults to $KRB5CCNAME, currently unset)
29+
// --dc string Domain controller
30+
// --debug Enable debug output
31+
// -k, --kerberos Use Kerberos authentication
32+
// -H, --nt-hash string NT hash
33+
// -p, --password string Password
34+
// --pfx string Client certificate and private key in PFX format
35+
// --pfx-password string Password for PFX file
36+
// -u, --user string Username ('user@domain', 'domain\user', 'domain/user' or 'user')
37+
38+
// Credentials for an arbitrary target:
39+
creds, target, err := authOpts.WithTarget(ctx, "smb", pflag.Arg(0))
40+
if err != nil { /* error handling */ }
41+
42+
43+
// Only credentials are need, no specific target:
44+
creds, err := authOpts.NoTarget()
45+
if err != nil { /* error handling */ }
46+
47+
// Credentials to authenticate to the corresponding DC:
48+
creds, dc, err := authOpts.WithDCTarget(ctx, "ldap")
49+
if err != nil { /* error handling */ }
50+
```
51+
52+
It deduces as much information from the parameters as possible. For example,
53+
Kerberos authentication is possible even when specifying the target via IP
54+
address if reverse lookups are possible. Similarly, the domain can be omitted
55+
when the target hostname contains the domain.
56+
57+
The library also contains helper packages for LDAP and DCERPC, a Kerebros PKINIT
58+
implementation as well as helpers for creating and writing CCache files (see
59+
examples).
60+
61+
## Features
62+
63+
* Kerberos
64+
* PKINIT
65+
* UnPAC-the-Hash
66+
* Pass-the-Hash (RC4/NT or AES key)
67+
* CCache (containing TGT or ST)
68+
* NTLM
69+
* Pass-the-Hash
70+
* LDAP
71+
* Kerberos, NTLM, Simple Bind
72+
* mTLS Authentication / Pass-the-Certificate (LDAPS or LDAP+StartTLS)
73+
* Channel Binding (Kerberos and NTLM)
74+
* DCERPC:
75+
* Kerberos, NTLM
76+
* Raw endpoits (with port mapping)
77+
* Named pipes (SMB)
78+
* Signing
79+
* Sealing
80+
81+
## Caveats
82+
83+
**LDAP:**
84+
85+
The LDAP helper package does not support authentication using RC4 service
86+
tickets from `ccache`, since Windows returns unsupported GSSAPI wrap tokens
87+
during the SASL handshake when presented with an RC4 service ticket (see
88+
[github.com/jcmturner/gokrb5/pull/498](https://github.com/jcmturner/gokrb5/pull/498)).
89+
90+
However, it should still be possible to request an AES256 service ticket
91+
instead, even when an NT hash was used for pre-authentication . Unfortunately,
92+
[impacket](https://github.com/fortra/impacket) always requests RC4 tickets. This
93+
behavior can be changed by adding
94+
`int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),` as the first
95+
element of [this
96+
list](https://github.com/fortra/impacket/blob/af91d617c382e1eb132506159debcbc10da7a567/impacket/krb5/kerberosv5.py#L447-L450).
97+
98+
The LDAP library does not (yet) support LDAP signing, but it supports channel
99+
binding for LDAPS and LDAP+StartTLS which is typically sufficient as a
100+
workaround unless the server lacks a TLS certificate.
101+

0 commit comments

Comments
 (0)