    def forge_custom_TGS_REQ(self, target_service, target_host, subkey, nonce,
                             current_time, spn, samaccountname):
        """Build a TGS-REQ for *target_service*/*target_host* and send it to the DC.

        The request is assembled by ``build_tgs_req`` from this object's
        realm, account, TGT and AS-REP session key; ``subkey``, ``nonce``
        and ``current_time`` are handed through unchanged. ``spn`` and
        ``samaccountname`` are only used in the progress line written to
        stderr -- the service actually requested is ``target_service`` on
        ``target_host``. Returns whatever ``send_req`` returns (the same kind
        of value ``get_TGT`` hands to ``recv_rep``); the caller is
        responsible for reading the reply and closing it.
        """
        progress = ('  [+] Building TGS-REQ for SPN %s\'%s\'%s and account '
                    '%s\'%s\'%s...' % (B, spn, W, B, samaccountname, W))
        WRITE_STDERR(progress)

        # self.realm is passed twice (presumably client realm and server
        # realm) -- confirm against build_tgs_req's parameter list.
        request = build_tgs_req(
            self.realm, target_service, target_host, self.realm,
            self.user_account, self.tgt, self.session_key,
            subkey, nonce, current_time,
        )

        WRITE_STDERR(' Done!\n  [+] Sending TGS-REQ to %s...' % self.DC_addr)
        return send_req(request, self.DC_addr)
    def forge_custom_TGS_REQ(self, target_service, target_host,
                             subkey, nonce, current_time, spn,
                             samaccountname):
        """Build a TGS-REQ for *target_service*/*target_host* and send it to the DC.

        ``build_tgs_req`` is given this object's realm (twice -- presumably
        client and server realm; confirm against its signature), account,
        TGT and session key, plus ``subkey``, ``nonce`` and ``current_time``
        unchanged. ``spn`` and ``samaccountname`` appear only in the status
        message written to stdout; they do not influence the request.
        Returns the value ``send_req`` returns, which the caller must read
        the TGS-REP from and close.
        """
        WRITE_STDOUT("  [+] Building TGS-REQ for SPN '%s' and account '%s'...\n"
                     % (spn, samaccountname))

        args = (
            self.realm, target_service, target_host, self.realm,
            self.user_account, self.tgt, self.session_key,
            subkey, nonce, current_time,
        )
        request = build_tgs_req(*args)

        WRITE_STDOUT(' Done!\n  [+] Sending TGS-REQ to %s...' % self.DC_addr)
        return send_req(request, self.DC_addr)
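    def get_TGT(self, need_pac=False):
        """Obtain a TGT for ``self.user_account`` from ``self.DC_addr``.

        Builds an AS-REQ with the account's long-term key (``self.key``),
        sends it, reads the AS-REP, decrypts its enc-part with the same key
        and stores the result on the instance:

        * ``self.as_data["as_rep"]`` / ``["as_rep_enc"]`` -- the parsed reply
          and its decrypted enc-part;
        * ``self.session_key`` -- ``(keytype, keyvalue)`` from the enc-part,
          later used by ``forge_custom_TGS_REQ``;
        * ``self.logon_time`` -- the enc-part's ``authtime`` as an epoch value;
        * ``self.tgt`` -- the ticket from the AS-REP.

        ``need_pac`` is forwarded as ``pac_request`` to ``build_as_req``.
        The socket returned by ``send_req`` is closed as soon as the reply
        has been read, even if ``recv_rep`` raises; the original left it to
        the garbage collector. Progress is written to stderr; errors from
        the helpers propagate to the caller.
        """
        DC_addr = self.DC_addr
        WRITE_STDERR(G + "\nAsking " + B + '\'' + DC_addr
                     + '\'' + G + " for a TGT\n" + W)

        WRITE_STDERR('  [+] Building AS-REQ for %s...' % DC_addr)

        # The nonce is echoed back by the KDC so the reply can be matched to
        # this request; 31 bits presumably keeps it a positive signed int32.
        nonce = getrandbits(31)
        current_time = time()

        as_req = build_as_req(self.realm,
                              self.user_account,
                              self.key,
                              current_time,
                              nonce,
                              pac_request=need_pac)

        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Sending AS-REQ to %s...' % DC_addr)
        sock = send_req(as_req, DC_addr)
        WRITE_STDERR(' Done!\n')

        try:
            WRITE_STDERR('  [+] Receiving AS-REP from %s...' % DC_addr)
            data = recv_rep(sock)
            WRITE_STDERR(' Done!\n')
        finally:
            # Nothing below touches the socket; release it deterministically.
            sock.close()

        WRITE_STDERR('  [+] Parsing AS-REP from %s...' % DC_addr)
        as_rep, as_rep_enc = decrypt_as_rep(data, self.key)

        self.as_data["as_rep"] = as_rep
        self.as_data["as_rep_enc"] = as_rep_enc

        # Session key is kept as (etype, raw key bytes) -- credential
        # material; it is what the TGS-REQ path signs with.
        self.session_key = (int(as_rep_enc['key']['keytype']),
                            str(as_rep_enc['key']['keyvalue']))

        self.logon_time = gt2epoch(str(as_rep_enc['authtime']))
        self.tgt = as_rep['ticket']
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR(G + "TGT retrieved for user " + B + '\''
                     + self.user_account + '\'\n' + W)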
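    def get_TGT(self, need_pac=False):
        """Request a TGT for ``self.user_account`` from ``self.DC_addr``.

        Steps: build an AS-REQ with ``self.key`` (``need_pac`` becomes the
        ``pac_request`` flag), send it, read the AS-REP, decrypt the enc-part
        with ``self.key`` and record on the instance ``as_data["as_rep"]``,
        ``as_data["as_rep_enc"]``, ``session_key`` (``(keytype, keyvalue)``
        tuple), ``logon_time`` (``authtime`` converted via ``gt2epoch``) and
        ``tgt`` (the reply's ticket). The socket from ``send_req`` is closed
        right after the reply is read, also on error -- the original relied
        on garbage collection. Status lines go to stderr; helper exceptions
        are not caught.
        """
        DC_addr = self.DC_addr
        WRITE_STDERR(G + "\nAsking " + B + '\'' + DC_addr
                     + '\'' + G + " for a TGT\n" + W)

        WRITE_STDERR('  [+] Building AS-REQ for %s...' % DC_addr)

        # Request/reply matching value echoed by the KDC, not key material;
        # 31 bits presumably to stay within a positive signed 32-bit integer.
        nonce = getrandbits(31)
        current_time = time()

        as_req = build_as_req(self.realm, self.user_account,
                              self.key, current_time,
                              nonce, pac_request=need_pac)

        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Sending AS-REQ to %s...' % DC_addr)
        sock = send_req(as_req, DC_addr)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Receiving AS-REP from %s...' % DC_addr)
        try:
            data = recv_rep(sock)
        finally:
            # The socket is not used past this point; close it explicitly.
            sock.close()
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Parsing AS-REP from %s...' % DC_addr)
        as_rep, as_rep_enc = decrypt_as_rep(data, self.key)

        self.as_data["as_rep"] = as_rep
        self.as_data["as_rep_enc"] = as_rep_enc

        # (etype, raw key bytes) -- credential material used by the
        # TGS-REQ path; keep it off any log output.
        self.session_key = (int(as_rep_enc['key']['keytype']),
                            str(as_rep_enc['key']['keyvalue']))

        self.logon_time = gt2epoch(str(as_rep_enc['authtime']))
        self.tgt = as_rep['ticket']
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR(G + "TGT retrieved for user " + B + '\''
                     + self.user_account + '\'\n' + W)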