scapy.libs.rfc3961

Implementation of cryptographic functions for Kerberos 5

  • RFC 3961: Encryption and Checksum Specifications for Kerberos 5

  • RFC 3962: Advanced Encryption Standard (AES) Encryption for Kerberos 5

  • RFC 4757: The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows

  • RFC 6113: A Generalized Framework for Kerberos Pre-Authentication

  • RFC 8009: AES Encryption with HMAC-SHA2 for Kerberos 5

Note

You will find more complete documentation for Kerberos over at SMB

class scapy.libs.rfc3961.ChecksumType(*values)

Bases: IntEnum

CRC32 = 1
HMAC_MD5 = -138
HMAC_SHA1_96_AES128 = 15
HMAC_SHA1_96_AES256 = 16
HMAC_SHA1_DES3_KD = 12
HMAC_SHA256_128_AES128 = 19
HMAC_SHA384_192_AES256 = 20
RSA_MD4 = 2
RSA_MD4_DES = 3
RSA_MD5_DES = 8

class scapy.libs.rfc3961.EncryptionType(*values)

Bases: IntEnum

AES128_CTS_HMAC_SHA1_96 = 17
AES128_CTS_HMAC_SHA256_128 = 19
AES256_CTS_HMAC_SHA1_96 = 18
AES256_CTS_HMAC_SHA384_192 = 20
DES3_CBC_SHA1_KD = 16
DES_CBC_CRC = 1
DES_CBC_MD4 = 2
DES_CBC_MD5 = 3
RC4_HMAC = 23
RC4_HMAC_EXP = 24

exception scapy.libs.rfc3961.InvalidChecksum

Bases: ValueError

scapy.libs.rfc3961.KRB_FX_CF2(key1: Key, key2: Key, pepper1: bytes, pepper2: bytes) → Key

KRB-FX-CF2, as defined in RFC 6113.

class scapy.libs.rfc3961.Key(etype: EncryptionType | int | None = None, key: bytes = b'', cksumtype: ChecksumType | int | None = None)

Bases: object

decrypt(keyusage: int, ciphertext: bytes, **kwargs: Any) → bytes

Decrypt data using the current Key.

Parameters:
  • keyusage – the key usage

  • ciphertext – the encrypted text to decrypt

encrypt(keyusage: int, plaintext: bytes, confounder: bytes | None = None, **kwargs: Any) → bytes

Encrypt data using the current Key.

Parameters:
  • keyusage – the key usage

  • plaintext – the plain text to encrypt

  • confounder – (optional) choose the confounder. Otherwise random.

make_checksum(keyusage: int, text: bytes, cksumtype: int | None = None, **kwargs: Any) → bytes

Create a checksum using the current Key.

Parameters:
  • keyusage – the key usage

  • text – the text to create a checksum from

  • cksumtype – (optional) override the checksum type

classmethod new_random_key(etype: EncryptionType) → Key

Generates a seed then calls random-to-key

prf(string: bytes) → bytes

classmethod random_to_key(etype: EncryptionType, seed: bytes) → Key

random-to-key per RFC3961

This is used to create a random Key from a seed.

classmethod string_to_key(etype: EncryptionType, string: bytes, salt: bytes, params: bytes | None = None) → Key

string-to-key per RFC3961

This is typically used to create a Key object from a password and a salt.

verify_checksum(keyusage: int, text: bytes, cksum: bytes, cksumtype: int | None = None) → None

Verify a checksum using the current Key.

Parameters:
  • keyusage – the key usage

  • text – the text to verify

  • cksum – the expected checksum

  • cksumtype – (optional) override the checksum type

scapy.libs.rfc3961.SP800108_KDFCTR(K_I: bytes, Label: bytes, Context: bytes, L: int, hashmod: _GenericHash = <class 'scapy.layers.tls.crypto.hash.Hash_SHA256'>) → bytes

KDF in Counter Mode, as specified in section 5.1 of [SP800-108].

This assumes r=32, and defaults to SHA256 ([MS-SMB2] default).
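The counter-mode construction described above, written with only the Python standard library as an added example (this is not Scapy's code). The names kdf_ctr and derive_demo_keys, the labels, the context and the base key are assumptions made for illustration, and L is taken in bits as in the standard.

```python
import hashlib
import hmac
import struct


def kdf_ctr(k_i: bytes, label: bytes, context: bytes, l_bits: int,
            hashname: str = "sha256") -> bytes:
    """SP 800-108 section 5.1 KDF in counter mode with HMAC as PRF and r = 32.

    l_bits is the requested output length in bits (L in the standard).
    """
    if l_bits <= 0 or l_bits % 8:
        raise ValueError("L must be a positive multiple of 8 bits")
    if l_bits > 0xFFFFFFFF:
        # [L]_2 is encoded on 32 bits here; this bound also keeps the
        # block count n far below the 2^r - 1 limit of the 32-bit counter.
        raise ValueError("L does not fit in 32 bits")
    h_bits = hashlib.new(hashname).digest_size * 8
    n = -(-l_bits // h_bits)  # ceil(L / h) PRF invocations
    # Fixed input data: Label || 0x00 || Context || [L]_2 (big-endian)
    fixed = label + b"\x00" + context + struct.pack(">I", l_bits)
    out = b""
    for i in range(1, n + 1):
        # K(i) = PRF(K_I, [i]_2 || fixed input data), counter starts at 1
        out += hmac.new(k_i, struct.pack(">I", i) + fixed, hashname).digest()
    return out[: l_bits // 8]  # keep the leftmost L bits


def derive_demo_keys():
    """Derive two purpose-bound keys from one constructed base key."""
    base = bytes(range(16))      # constructed sample key, not a real secret
    ctx = b"session-1234"        # constructed context value
    signing = kdf_ctr(base, b"demo signing", ctx, 128)
    sealing = kdf_ctr(base, b"demo sealing", ctx, 128)
    return signing, sealing


if __name__ == "__main__":
    s, e = derive_demo_keys()
    print("signing:", s.hex())
    print("sealing:", e.hex())
```

Because L is part of the PRF input, a 128-bit output is not a prefix of the 256-bit output for the same key, label and context, so truncating a longer derived key does not yield the shorter one.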