diff options
| -rwxr-xr-x | 2.1/charon.rb | 38 | ||||
| -rwxr-xr-x | 2.1/get_mail.rb | 24 | ||||
| -rwxr-xr-x | 2.1/get_ticket.rb | 27 | ||||
| -rwxr-xr-x | 2.1/mail.rb | 28 | ||||
| -rwxr-xr-x | 2.2/charon.rb | 41 | ||||
| -rwxr-xr-x | 2.2/get_mail.rb | 24 | ||||
| -rwxr-xr-x | 2.2/get_ticket.rb | 27 | ||||
| -rwxr-xr-x | 2.2/mail.rb | 29 | ||||
| -rwxr-xr-x | 3.1/charon.rb | 61 | ||||
| -rwxr-xr-x | 3.1/get_mail.rb | 24 | ||||
| -rwxr-xr-x | 3.1/get_ticket.rb | 26 | ||||
| -rwxr-xr-x | 3.1/kinit.rb | 34 | ||||
| -rwxr-xr-x | 3.1/mail.rb | 29 | ||||
| -rw-r--r-- | 3.11/.gitignore | 1 | ||||
| -rwxr-xr-x | 3.11/charon.rb | 61 | ||||
| -rwxr-xr-x | 3.11/get_mail.rb | 60 | ||||
| -rwxr-xr-x | 3.11/kinit.rb | 36 | ||||
| -rwxr-xr-x | 3.11/mail.rb | 29 | ||||
| -rw-r--r-- | 3.2/.gitignore | 1 | ||||
| -rwxr-xr-x | 3.2/charon.rb | 67 | ||||
| -rwxr-xr-x | 3.2/get_mail.rb | 85 | ||||
| -rwxr-xr-x | 3.2/kinit.rb | 36 | ||||
| -rwxr-xr-x | 3.2/mail.rb | 32 | ||||
| -rw-r--r-- | Readme.textile | 3 |
24 files changed, 823 insertions, 0 deletions
diff --git a/2.1/charon.rb b/2.1/charon.rb new file mode 100755 index 0000000..f41bfa5 --- /dev/null +++ b/2.1/charon.rb @@ -0,0 +1,38 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +Users = { + "Athena" => "Passw0rd!" +} + +Services = { + "Mail" => "{FvM<kgG}VpHxKJO;6Zo" +} + +def ticket(username, service, password) + cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt + cipher.key = Digest::SHA2.digest(password) + s = cipher.update("#{username}:#{service}") + cipher.final + + s.unpack('H*')[0].upcase + ?\n +end + +def noleak(msg, ul, sl) + puts "Error: #{msg}, returning nonsense to avoid leakage." + ticket(SecureRandom.alphanumeric(ul), SecureRandom.alphanumeric(sl), SecureRandom.alphanumeric(16)) +end + +post '/ticket' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(password service username) + ul = data["username"].length + sl = data["service"].length + next noleak("Invalid service", ul, sl) unless Services.keys.include?(data["service"]) + next noleak("Invalid username", ul, sl) unless Users.keys.include?(data["username"]) + next noleak("Invalid password", ul, sl) unless Users[data["username"]] == data["password"] + next ticket(data["username"], data["service"], Services[data["service"]]) +end diff --git a/2.1/get_mail.rb b/2.1/get_mail.rb new file mode 100755 index 0000000..b212aed --- /dev/null +++ b/2.1/get_mail.rb @@ -0,0 +1,24 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' + +uri = URI.parse("http://localhost:4568/login") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Ticket: "; t = gets.strip + +login = { + "username": un, + "ticket": t +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/2.1/get_ticket.rb b/2.1/get_ticket.rb new file mode 100755 index 0000000..932bac1 --- /dev/null +++ b/2.1/get_ticket.rb @@ -0,0 +1,27 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' +require 'io/console' + +uri = URI.parse("http://localhost:4567/ticket") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Password: "; pw = STDIN.noecho(&:gets).strip; puts +print "Service: "; s = gets.strip + +login = { + "username": un, + "password": pw, + "service": s +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/2.1/mail.rb b/2.1/mail.rb new file mode 100755 index 0000000..7a71ffd --- /dev/null +++ b/2.1/mail.rb @@ -0,0 +1,28 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +set :port, 4568 + +Service = "Mail" +ServicePassword = "{FvM<kgG}VpHxKJO;6Zo" + +def decrypt(ticket) + ticket = [ticket].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(ServicePassword) + p = cipher.update(ticket) + cipher.final + p.split(?:) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(ticket username) + un, sn = decrypt(data["ticket"]) + next "Invalid ticket\n" unless sn == Service + next "Invalid ticket\n" unless un == data["username"] + "Login okay! You have no mail.\n" +end diff --git a/2.2/charon.rb b/2.2/charon.rb new file mode 100755 index 0000000..2210b6e --- /dev/null +++ b/2.2/charon.rb @@ -0,0 +1,41 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +Users = { + "Athena" => "Passw0rd!" +} + +Services = { + "Mail" => "{FvM<kgG}VpHxKJO;6Zo" +} + +def ticket(username, service, password, ws_address) + cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt + cipher.key = Digest::SHA2.digest(password) + + p = [username, ws_address, service].join(?\0) + s = cipher.update(p) + cipher.final + + s.unpack('H*')[0].upcase + ?\n +end + +def noleak(msg, ul, sl, ws) + puts "Error: #{msg}, returning nonsense to avoid leakage." + ticket(SecureRandom.alphanumeric(ul), SecureRandom.alphanumeric(sl), SecureRandom.alphanumeric(16), ws) +end + +post '/ticket' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(password service username) + ul = data["username"].length + sl = data["service"].length + ws = request.ip + next noleak("Invalid service", ul, sl, ws) unless Services.keys.include?(data["service"]) + next noleak("Invalid username", ul, sl, ws) unless Users.keys.include?(data["username"]) + next noleak("Invalid password", ul, sl, ws) unless Users[data["username"]] == data["password"] + next ticket(data["username"], data["service"], Services[data["service"]], ws) +end diff --git a/2.2/get_mail.rb b/2.2/get_mail.rb new file mode 100755 index 0000000..b212aed --- /dev/null +++ b/2.2/get_mail.rb @@ -0,0 +1,24 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' + +uri = URI.parse("http://localhost:4568/login") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Ticket: "; t = gets.strip + +login = { + "username": un, + "ticket": t +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/2.2/get_ticket.rb b/2.2/get_ticket.rb new file mode 100755 index 0000000..932bac1 --- /dev/null +++ b/2.2/get_ticket.rb @@ -0,0 +1,27 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' +require 'io/console' + +uri = URI.parse("http://localhost:4567/ticket") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Password: "; pw = STDIN.noecho(&:gets).strip; puts +print "Service: "; s = gets.strip + +login = { + "username": un, + "password": pw, + "service": s +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/2.2/mail.rb b/2.2/mail.rb new file mode 100755 index 0000000..e7fa6ff --- /dev/null +++ b/2.2/mail.rb @@ -0,0 +1,29 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +set :port, 4568 + +Service = "Mail" +ServicePassword = "{FvM<kgG}VpHxKJO;6Zo" + +def decrypt(ticket) + ticket = [ticket].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(ServicePassword) + p = cipher.update(ticket) + cipher.final + p.split(?\0) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(ticket username) + un, ws, sn = decrypt(data["ticket"]) + next "Invalid ticket\n" unless sn == Service + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + "Login okay! You have no mail.\n" +end diff --git a/3.1/charon.rb b/3.1/charon.rb new file mode 100755 index 0000000..75619b8 --- /dev/null +++ b/3.1/charon.rb @@ -0,0 +1,61 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +Users = { + "Athena" => "Passw0rd!" +} + +Services = { + "_TGS" => "eiqu@a5ahs8mooqu9Eng", + "Mail" => "{FvM<kgG}VpHxKJO;6Zo" +} + +def encrypt(obj, key) + cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt + cipher.key = Digest::SHA2.digest(key) + s = cipher.update(obj) + cipher.final + s.unpack('H*')[0].upcase +end + +def decrypt(obj, key) + ticket = [obj].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(key) + p = cipher.update(ticket) + cipher.final + p.split(?\0) +end + +def ticket(username, ws_address, service) + encrypt([username, ws_address, service].join(?\0), Services[service]) +end + +def noleak(msg, ul, ws) + puts "Error: #{msg}, returning nonsense to avoid leakage." + ticket(SecureRandom.alphanumeric(ul), ws, SecureRandom.alphanumeric(rand(24) + 8)) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys == %w(username) + un = data["username"] + ul = un.length + ws = request.ip + next noleak("Invalid username", ul, ws) unless Users.keys.include?(un) + tgt = ticket(un, ws, "_TGS") + encrypt(tgt, Users[un]) +end + +post '/ticket' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(service ticket username) + un, ws, sn = decrypt(data["ticket"], Services["_TGS"]) + next "Invalid ticket\n" unless sn == "_TGS" + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + ticket(un, ws, data["service"]) +end diff --git a/3.1/get_mail.rb b/3.1/get_mail.rb new file mode 100755 index 0000000..b212aed --- /dev/null +++ b/3.1/get_mail.rb @@ -0,0 +1,24 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' + +uri = URI.parse("http://localhost:4568/login") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Ticket: "; t = gets.strip + +login = { + "username": un, + "ticket": t +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/3.1/get_ticket.rb b/3.1/get_ticket.rb new file mode 100755 index 0000000..d22d843 --- /dev/null +++ b/3.1/get_ticket.rb @@ -0,0 +1,26 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' + +uri = URI.parse("http://localhost:4567/ticket") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Ticket: "; t = gets.strip +print "Service: "; s = gets.strip + +login = { + "username": un, + "ticket": t, + "service": s +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/3.1/kinit.rb b/3.1/kinit.rb new file mode 100755 index 0000000..0cfa220 --- /dev/null +++ b/3.1/kinit.rb @@ -0,0 +1,34 @@ +#!/usr/bin/env ruby + +require 'io/console' +require 'json' +require 'net/http' +require 'openssl' +require 'uri' + +uri = URI.parse("http://localhost:4567/login") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Password: "; pw = STDIN.noecho(&:gets).strip; puts + +login = { + "username": un +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +eticket = [response.body].pack("H*").unpack("C*").pack("c*") + +cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt +cipher.key = Digest::SHA2.digest(pw) +begin + ticket = cipher.update(eticket) + cipher.final + puts ticket + ?\n +rescue OpenSSL::Cipher::CipherError + puts "Invalid password?" +end diff --git a/3.1/mail.rb b/3.1/mail.rb new file mode 100755 index 0000000..e7fa6ff --- /dev/null +++ b/3.1/mail.rb @@ -0,0 +1,29 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +set :port, 4568 + +Service = "Mail" +ServicePassword = "{FvM<kgG}VpHxKJO;6Zo" + +def decrypt(ticket) + ticket = [ticket].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(ServicePassword) + p = cipher.update(ticket) + cipher.final + p.split(?\0) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(ticket username) + un, ws, sn = decrypt(data["ticket"]) + next "Invalid ticket\n" unless sn == Service + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + "Login okay! You have no mail.\n" +end diff --git a/3.11/.gitignore b/3.11/.gitignore new file mode 100644 index 0000000..bfa3c3c --- /dev/null +++ b/3.11/.gitignore @@ -0,0 +1 @@ +.keytab diff --git a/3.11/charon.rb b/3.11/charon.rb new file mode 100755 index 0000000..75619b8 --- /dev/null +++ b/3.11/charon.rb @@ -0,0 +1,61 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +Users = { + "Athena" => "Passw0rd!" +} + +Services = { + "_TGS" => "eiqu@a5ahs8mooqu9Eng", + "Mail" => "{FvM<kgG}VpHxKJO;6Zo" +} + +def encrypt(obj, key) + cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt + cipher.key = Digest::SHA2.digest(key) + s = cipher.update(obj) + cipher.final + s.unpack('H*')[0].upcase +end + +def decrypt(obj, key) + ticket = [obj].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(key) + p = cipher.update(ticket) + cipher.final + p.split(?\0) +end + +def ticket(username, ws_address, service) + encrypt([username, ws_address, service].join(?\0), Services[service]) +end + +def noleak(msg, ul, ws) + puts "Error: #{msg}, returning nonsense to avoid leakage." + ticket(SecureRandom.alphanumeric(ul), ws, SecureRandom.alphanumeric(rand(24) + 8)) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys == %w(username) + un = data["username"] + ul = un.length + ws = request.ip + next noleak("Invalid username", ul, ws) unless Users.keys.include?(un) + tgt = ticket(un, ws, "_TGS") + encrypt(tgt, Users[un]) +end + +post '/ticket' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(service ticket username) + un, ws, sn = decrypt(data["ticket"], Services["_TGS"]) + next "Invalid ticket\n" unless sn == "_TGS" + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + ticket(un, ws, data["service"]) +end diff --git a/3.11/get_mail.rb b/3.11/get_mail.rb new file mode 100755 index 0000000..679309e --- /dev/null +++ b/3.11/get_mail.rb @@ -0,0 +1,60 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' + +def get_ticket(un, tgt, sv) + uri = URI.parse("http://localhost:4567/ticket") + header = {'Content-Type': 'text/json'} + + login = { + "username": un, + "ticket": tgt, + "service": sv + } + + http = Net::HTTP.new(uri.host, uri.port) + request = Net::HTTP::Post.new(uri.request_uri, header) + request.body = login.to_json + + response = http.request(request) + response.body +end + +print "Username: "; un = gets.strip +print "Mailserver: "; ms = gets.strip + +unless File.exist?(".keytab") + puts "No keytab, please kinit" + exit 1 +end + +Keys = File.readlines(".keytab").map{ |l| l.strip.split(?:) }.to_h + +if Keys.keys.include?(ms) + ticket = Keys[ms] +elsif Keys.keys.include?("_TGS") + ticket = get_ticket(un, Keys["_TGS"], ms) + File.open(".keytab", ?a) do |f| + f.puts "#{ms}:#{ticket}" + end +else + puts "No Ticket Granting Ticket, please kinit" + exit 1 +end + +uri = URI.parse("http://localhost:4568/login") +header = {'Content-Type': 'text/json'} + +login = { + "username": un, + "ticket": ticket +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/3.11/kinit.rb b/3.11/kinit.rb new file mode 100755 index 0000000..5174839 --- /dev/null +++ b/3.11/kinit.rb @@ -0,0 +1,36 @@ +#!/usr/bin/env ruby + +require 'io/console' +require 'json' +require 'net/http' +require 'openssl' +require 'uri' + +uri = URI.parse("http://localhost:4567/login") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Password: "; pw = STDIN.noecho(&:gets).strip; puts + +login = { + "username": un +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +eticket = [response.body].pack("H*").unpack("C*").pack("c*") + +cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt +cipher.key = Digest::SHA2.digest(pw) +begin + ticket = cipher.update(eticket) + cipher.final + File.open(".keytab", ?w) do |f| + f.puts "_TGS:#{ticket}" + end +rescue OpenSSL::Cipher::CipherError + puts "Invalid password?" +end diff --git a/3.11/mail.rb b/3.11/mail.rb new file mode 100755 index 0000000..e7fa6ff --- /dev/null +++ b/3.11/mail.rb @@ -0,0 +1,29 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +set :port, 4568 + +Service = "Mail" +ServicePassword = "{FvM<kgG}VpHxKJO;6Zo" + +def decrypt(ticket) + ticket = [ticket].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(ServicePassword) + p = cipher.update(ticket) + cipher.final + p.split(?\0) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(ticket username) + un, ws, sn = decrypt(data["ticket"]) + next "Invalid ticket\n" unless sn == Service + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + "Login okay! You have no mail.\n" +end diff --git a/3.2/.gitignore b/3.2/.gitignore new file mode 100644 index 0000000..bfa3c3c --- /dev/null +++ b/3.2/.gitignore @@ -0,0 +1 @@ +.keytab diff --git a/3.2/charon.rb b/3.2/charon.rb new file mode 100755 index 0000000..51034b1 --- /dev/null +++ b/3.2/charon.rb @@ -0,0 +1,67 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +Users = { + "Athena" => "Passw0rd!" +} + +Services = { + "_TGS" => "eiqu@a5ahs8mooqu9Eng", + "Mail" => "{FvM<kgG}VpHxKJO;6Zo" +} + +def encrypt(obj, key) + cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt + cipher.key = Digest::SHA2.digest(key) + s = cipher.update(obj) + cipher.final + s.unpack('H*')[0].upcase +end + +def decrypt(obj, key) + ticket = [obj].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(key) + cipher.update(ticket) + cipher.final +end + +def ticket(username, ws_address, service) + ts = Time.now.to_i + p = [username, ws_address, service, 28800, ts].join(?\0) + s = encrypt(p, Services[service]) + "28800:#{ts}:#{s}" +end + +def noleak(msg, ul, ws) + puts "Error: #{msg}, returning nonsense to avoid leakage." + ticket(SecureRandom.alphanumeric(ul), ws, SecureRandom.alphanumeric(rand(24) + 8)) +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys == %w(username) + un = data["username"] + ul = un.length + ws = request.ip + next noleak("Invalid username", ul, ws) unless Users.keys.include?(un) + tgt = ticket(un, ws, "_TGS") + encrypt(tgt, Users[un]) +end + +post '/ticket' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(service ticket username) + un, ws, sn, ls, ts = decrypt(data["ticket"], Services["_TGS"]).split(?\0) + ls = ls.to_i + ts = ts.to_i + next "Invalid ticket\n" unless sn == "_TGS" + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + next "Invalid ticket\n" unless Time.now.to_i >= ts + next "Ticket expired\n" unless Time.now.to_i < (ts + ls) + ticket(un, ws, data["service"]) +end diff --git a/3.2/get_mail.rb b/3.2/get_mail.rb new file mode 100755 index 0000000..8cbbb1f --- /dev/null +++ b/3.2/get_mail.rb @@ -0,0 +1,85 @@ +#!/usr/bin/env ruby + +require 'net/http' +require 'uri' +require 'json' + +def get_ticket(un, tgt, sv) + uri = URI.parse("http://localhost:4567/ticket") + header = {'Content-Type': 'text/json'} + + login = { + "username": un, + "ticket": tgt, + "service": sv + } + + http = Net::HTTP.new(uri.host, uri.port) + request = Net::HTTP::Post.new(uri.request_uri, header) + request.body = login.to_json + + response = http.request(request) + response.body +end + +def ticket_valid?(ticket) + now = Time.now.to_i + timeStart = ticket["timestamp"] + timeEnd = ticket["timestamp"] + ticket["lifespan"] + now >= timeStart && now < timeEnd +end + +def update_keytab! + File.open(".keytab", "w") do |f| + f.puts Tickets.map { |s, p| [s, *p.values].join(?:) } + end +end + +print "Username: "; un = gets.strip +print "Mailserver: "; ms = gets.strip + +unless File.exist?(".keytab") + puts "No keytab, please kinit" + exit 1 +end + +Tickets = File.readlines(".keytab").map { |l| + a = l.strip.split(?:) + [a[0], { + "lifespan" => a[1].to_i, + "timestamp" => a[2].to_i, + "ticket" => a[3] + }] +}.to_h + +unless Tickets.keys.include?(ms) && ticket_valid?(Tickets[ms]) + if Tickets.keys.include?("_TGS") && ticket_valid?(Tickets["_TGS"]) + packet = get_ticket(un, Tickets["_TGS"]["ticket"], ms).split(?:) + Tickets[ms] = { + "lifespan" => packet[0].to_i, + "timestamp" => packet[1].to_i, + "ticket" => packet[2] + } + update_keytab! + else + puts "No Ticket Granting Ticket, please kinit" + exit 1 + end +end + +ticket = Tickets[ms]["ticket"] + +uri = URI.parse("http://localhost:4568/login") +header = {'Content-Type': 'text/json'} + +login = { + "username": un, + "ticket": ticket +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +puts response.body diff --git a/3.2/kinit.rb b/3.2/kinit.rb new file mode 100755 index 0000000..5174839 --- /dev/null +++ b/3.2/kinit.rb @@ -0,0 +1,36 @@ +#!/usr/bin/env ruby + +require 'io/console' +require 'json' +require 'net/http' +require 'openssl' +require 'uri' + +uri = URI.parse("http://localhost:4567/login") + +header = {'Content-Type': 'text/json'} + +print "Username: "; un = gets.strip +print "Password: "; pw = STDIN.noecho(&:gets).strip; puts + +login = { + "username": un +} + +http = Net::HTTP.new(uri.host, uri.port) +request = Net::HTTP::Post.new(uri.request_uri, header) +request.body = login.to_json + +response = http.request(request) +eticket = [response.body].pack("H*").unpack("C*").pack("c*") + +cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt +cipher.key = Digest::SHA2.digest(pw) +begin + ticket = cipher.update(eticket) + cipher.final + File.open(".keytab", ?w) do |f| + f.puts "_TGS:#{ticket}" + end +rescue OpenSSL::Cipher::CipherError + puts "Invalid password?" +end diff --git a/3.2/mail.rb b/3.2/mail.rb new file mode 100755 index 0000000..e8f9cdd --- /dev/null +++ b/3.2/mail.rb @@ -0,0 +1,32 @@ +#!/usr/bin/env ruby + +require 'openssl' +require 'securerandom' +require 'sinatra' + +set :port, 4568 + +Service = "Mail" +ServicePassword = "{FvM<kgG}VpHxKJO;6Zo" + +def decrypt(ticket) + ticket = [ticket].pack("H*").unpack("C*").pack("c*") + cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt + cipher.key = Digest::SHA2.digest(ServicePassword) + cipher.update(ticket) + cipher.final +end + +post '/login' do + request.body.rewind + data = JSON.parse(request.body.read) + next "Invalid request\n" unless data.keys.sort == %w(ticket username) + un, ws, sn, ls, ts = decrypt(data["ticket"]).split(?\0) + ls = ls.to_i + ts = ts.to_i + next "Invalid ticket\n" unless sn == Service + next "Invalid ticket\n" unless un == data["username"] + next "Invalid ticket\n" unless ws == request.ip + next "Invalid ticket\n" unless Time.now.to_i >= ts + next "Ticket expired\n" unless Time.now.to_i < (ts + ls) + "Login okay! You have no mail.\n" +end diff --git a/Readme.textile b/Readme.textile new file mode 100644 index 0000000..d0a0001 --- /dev/null +++ b/Readme.textile @@ -0,0 +1,3 @@ +h1. Charon + +p. I'm reimplementing Kerberos (badly) by following along with "the play":https://web.mit.edu/kerberos/www/dialogue.html. |