Example #1
 def test_plaintext(self):
     """Request a TGT using the plaintext password held on the test case.

     There is no explicit assertion: the test passes when ``get_TGT``
     returns without raising.
     """
     credential = KerberosCredential()
     credential.username = self.username
     credential.password = self.password
     credential.domain = self.domain

     # The communicator is only needed for this one AS exchange.
     KerbrosComm(credential, self.kerberos_socet).get_TGT()
Example #2
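 def test_rc4(self):
     """Request a TGT using an RC4-HMAC key derived from the password.

     The key is MD4 over the UTF-16LE password, hex encoded. No salt is
     involved in this derivation, so the unused ``salt`` local that the
     original computed has been dropped.

     There is no explicit assertion: the test passes when ``get_TGT``
     returns without raising.
     """
     cred = KerberosCredential()
     cred.username = self.username
     # The RC4-HMAC key is the unsalted NT hash, so it is password-equivalent
     # and identical for every account sharing this password; handle it with
     # the same care as the plaintext.
     # NOTE(review): hashlib.new('md4') raises ValueError on Python builds
     # whose OpenSSL does not expose legacy digests.
     cred.kerberos_key_rc4 = hashlib.new(
         'md4', self.password.encode('utf-16-le')).hexdigest()
     cred.domain = self.domain
     kcomm = KerbrosComm(cred, self.kerberos_socet)
     kcomm.get_TGT()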
Example #3
 def test_des(self):
     """Request a TGT using a DES key derived from the password.

     The key comes from ``string_to_key(Enctype.DES_MD5, ...)`` with a salt
     built from the upper-cased domain followed by the username, and is
     stored on the credential as a hex string.

     There is no explicit assertion: the test passes when ``get_TGT``
     returns without raising.
     """
     credential = KerberosCredential()
     credential.username = self.username

     # NOTE(review): assumes the account uses the realm+name salt; a salt
     # advertised by the KDC would be authoritative - confirm.
     principal_salt = (self.domain.upper() + self.username).encode()
     des_key = string_to_key(
         Enctype.DES_MD5, self.password.encode(), principal_salt)
     # Single DES is deprecated for Kerberos (RFC 6649); presumably this
     # only succeeds against a KDC that still has DES enabled.
     credential.kerberos_key_des = des_key.contents.hex()
     credential.domain = self.domain

     KerbrosComm(credential, self.kerberos_socet).get_TGT()
Example #4
 def test_aes256_override(self):
     """Get a TGT with an AES256 key, then a service ticket with an explicit etype list.

     The AES256 key is derived with ``string_to_key`` from the password and
     a salt of upper-cased domain + username, and stored as a hex string.
     ``get_TGS`` is then called for ``self.target`` with ``override_etype``.

     There is no explicit assertion: the test passes when both calls return
     without raising.
     """
     credential = KerberosCredential()
     credential.username = self.username

     principal_salt = (self.domain.upper() + self.username).encode()
     aes256_key = string_to_key(
         Enctype.AES256, self.password.encode(), principal_salt)
     credential.kerberos_key_aes_256 = aes256_key.contents.hex()
     credential.domain = self.domain

     session = KerbrosComm(credential, self.kerberos_socet)
     session.get_TGT()

     # IANA Kerberos etype numbers: 2/3 = DES-CBC-MD4/MD5, 16 = DES3-CBC-SHA1,
     # 23 = RC4-HMAC, 17/18 = AES128/AES256-CTS-HMAC-SHA1-96. The legacy
     # types are listed before AES here.
     # NOTE(review): how get_TGS applies override_etype is not visible in
     # this snippet; presumably it replaces the etype list in the TGS-REQ.
     # Where AES-only is policy, a service-ticket request offering DES/RC4
     # is worth alerting on at the KDC.
     requested_etypes = [2, 3, 16, 23, 17, 18]
     session.get_TGS(self.target, override_etype=requested_etypes)
Example #5
 def test_aes128(self):
     """Get a TGT and then a service ticket using an AES128 key.

     The key is derived with ``string_to_key(Enctype.AES128, ...)`` from the
     password and a salt of upper-cased domain + username, and stored on
     the credential as a hex string.

     There is no explicit assertion: the test passes when ``get_TGT`` and
     ``get_TGS`` return without raising.
     """
     credential = KerberosCredential()
     credential.username = self.username

     # NOTE(review): assumes the account uses the realm+name salt; a salt
     # advertised by the KDC would be authoritative - confirm.
     principal_salt = (self.domain.upper() + self.username).encode()
     aes128_key = string_to_key(
         Enctype.AES128, self.password.encode(), principal_salt)
     credential.kerberos_key_aes_128 = aes128_key.contents.hex()
     credential.domain = self.domain

     session = KerbrosComm(credential, self.kerberos_socet)
     session.get_TGT()
     session.get_TGS(self.target)
Example #6
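	def to_spnego_cred(creds, target = None):
		"""
		Build a SPNEGO object holding one auth context selected by
		``creds.authentication_type``.

		Handled types: NTLM, KERBEROS, SSPI_KERBEROS, SSPI_NTLM and the
		MULTIPLEXOR_* family (matched on the enum value's 'MULTIPLEXOR' prefix).

		:param creds: credential object; this function reads ``authentication_type``,
			``username``, ``domain``, ``secret``, ``secret_type`` and, for the
			multiplexor types, ``settings`` and ``target``.
		:param target: connection target; required for KERBEROS (``hostname`` and
			``dc_ip`` must be set) and for SSPI_KERBEROS.
		:return: a SPNEGO instance with one auth context registered. Falls through
			and returns None implicitly when no branch matches.
		:raises Exception: when a required secret or target field is missing, when
			the secret type cannot be used for Kerberos, or when an AES key has an
			unexpected length.

		Changes against the original:
		  * the multiplexor Kerberos branch compared against MULTIPLEXOR_SSL_NTLM
		    when setting ``is_ssl``, so SSL was never enabled for
		    MULTIPLEXOR_SSL_KERBEROS; it now compares against
		    MULTIPLEXOR_SSL_KERBEROS.
		  * an AES secret whose length is neither 32 nor 64 used to leave the
		    Kerberos credential without any key and carry on; it now raises.
		"""
		if creds.authentication_type == SMBAuthProtocol.NTLM:
			ntlmcred = SMBNTLMCredential()
			ntlmcred.username = creds.username
			ntlmcred.domain = creds.domain if creds.domain is not None else ''
			ntlmcred.workstation = None
			ntlmcred.is_guest = False

			if creds.secret is None:
				raise Exception('NTLM authentication requres password!')
			# The NT hash is accepted in place of the password, i.e. it is
			# password-equivalent here; treat creds.secret as sensitive
			# whichever type it carries.
			if creds.secret_type == SMBCredentialsSecretType.NT:
				ntlmcred.nt_hash = creds.secret
			elif creds.secret_type == SMBCredentialsSecretType.PASSWORD:
				ntlmcred.password = creds.secret
			# NOTE(review): any other secret_type leaves ntlmcred without a
			# secret and no error is raised at this point - confirm intended.

			settings = NTLMHandlerSettings(ntlmcred)
			handler = NTLMAUTHHandler(settings)

			#setting up SPNEGO
			spneg = SPNEGO()
			spneg.add_auth_context('NTLMSSP - Microsoft NTLM Security Support Provider', handler)

			return spneg

		elif creds.authentication_type == SMBAuthProtocol.KERBEROS:
			if target is None:
				raise Exception('Target must be specified with Kerberos!')

			if target.hostname is None:
				raise Exception('target must have a domain name or hostname for kerberos!')

			if target.dc_ip is None:
				raise Exception('target must have a dc_ip for kerberos!')

			kc = KerberosCredential()
			kc.username = creds.username
			kc.domain = creds.domain
			if creds.secret_type == SMBCredentialsSecretType.PASSWORD:
				kc.password = creds.secret
			elif creds.secret_type == SMBCredentialsSecretType.NT:
				kc.nt_hash = creds.secret

			elif creds.secret_type == SMBCredentialsSecretType.AES:
				# Key size is inferred from the string length; presumably the
				# key is hex encoded (32 chars = 16 bytes, 64 chars = 32 bytes).
				if len(creds.secret) == 32:
					kc.kerberos_key_aes_128 = creds.secret
				elif len(creds.secret) == 64:
					kc.kerberos_key_aes_256 = creds.secret
				else:
					# Fail here instead of handing on a credential with no key.
					raise Exception('AES key must be 32 (AES128) or 64 (AES256) characters long!')

			elif creds.secret_type == SMBCredentialsSecretType.RC4:
				kc.kerberos_key_rc4 = creds.secret

			# NOTE(review): this condition repeats the RC4 test above, so the
			# branch is unreachable and kc.ccache is never set. Presumably a
			# ccache secret type was intended - confirm the enum member name
			# before changing it.
			elif creds.secret_type == SMBCredentialsSecretType.RC4:
				kc.ccache = creds.secret
			else:
				raise Exception('No suitable secret type found to set up kerberos!')

			kcred = SMBKerberosCredential()
			kcred.ccred = kc #KerberosCredential
			kcred.ksoc = KerberosSocketAIO(target.dc_ip) #KerberosSocketAIO
			kcred.target = KerberosTarget.from_target_string(target.to_target_string()) #KerberosTarget

			handler = SMBKerberos(kcred)

			#setting up SPNEGO
			spneg = SPNEGO()
			spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
			return spneg

		elif creds.authentication_type == SMBAuthProtocol.SSPI_KERBEROS:
			if target is None:
				raise Exception('Target must be specified with Kerberos SSPI!')

			kerbcred = SMBKerberosSSPICredential()
			kerbcred.client = None #creds.username #here we could submit the domain as well for impersonation? TODO!
			kerbcred.password = creds.secret
			kerbcred.target = target.to_target_string()

			handler = SMBKerberosSSPI(kerbcred)
			#setting up SPNEGO
			spneg = SPNEGO()
			spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
			return spneg

		elif creds.authentication_type == SMBAuthProtocol.SSPI_NTLM:
			ntlmcred = SMBNTLMSSPICredential()
			ntlmcred.client = creds.username #here we could submit the domain as well for impersonation? TODO!
			ntlmcred.password = creds.secret

			handler = SMBNTLMSSPI(ntlmcred)
			#setting up SPNEGO
			spneg = SPNEGO()
			spneg.add_auth_context('NTLMSSP - Microsoft NTLM Security Support Provider', handler)
			return spneg

		elif creds.authentication_type.value.startswith('MULTIPLEXOR'):
			if creds.authentication_type in [SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM, SMBAuthProtocol.MULTIPLEXOR_NTLM]:
				from aiosmb.ntlm.multiplexor import SMBNTLMMultiplexor

				ntlmcred = SMBMultiplexorCredential()
				ntlmcred.type = 'NTLM'
				# NOTE(review): fixed placeholder strings are stored here, not
				# the caller's username/secret; presumably the remote agent
				# authenticates as its own logged-on user (compare the
				# '<CURRENT>' domain marker) - confirm.
				if creds.username is not None:
					ntlmcred.username = '******'
				if creds.domain is not None:
					ntlmcred.domain = '<CURRENT>'
				if creds.secret is not None:
					ntlmcred.password = '******'
				ntlmcred.is_guest = False
				ntlmcred.is_ssl = creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM
				ntlmcred.parse_settings(creds.settings)

				handler = SMBNTLMMultiplexor(ntlmcred)
				#setting up SPNEGO
				spneg = SPNEGO()
				spneg.add_auth_context('NTLMSSP - Microsoft NTLM Security Support Provider', handler)
				return spneg

			elif creds.authentication_type in [SMBAuthProtocol.MULTIPLEXOR_SSL_KERBEROS, SMBAuthProtocol.MULTIPLEXOR_KERBEROS]:
				from aiosmb.kerberos.multiplexor import SMBKerberosMultiplexor

				# The variable keeps the name used by the NTLM branch, but this
				# is the multiplexor credential for Kerberos.
				ntlmcred = SMBMultiplexorCredential()
				ntlmcred.type = 'KERBEROS'
				ntlmcred.target = creds.target
				if creds.username is not None:
					ntlmcred.username = '******'
				if creds.domain is not None:
					ntlmcred.domain = '<CURRENT>'
				if creds.secret is not None:
					ntlmcred.password = '******'
				ntlmcred.is_guest = False
				# Must test the Kerberos SSL variant: the NTLM one can never
				# match inside this branch, which left is_ssl False even when
				# the SSL transport was requested.
				ntlmcred.is_ssl = creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_KERBEROS
				ntlmcred.parse_settings(creds.settings)

				handler = SMBKerberosMultiplexor(ntlmcred)
				#setting up SPNEGO
				spneg = SPNEGO()
				spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
				return spneg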
Example #7
import hashlib

from minikerberos.common import KerberosCredential
from minikerberos.communication import KerberosSocket
from minikerberos.security import APREPRoast
from minikerberos.encryption import _enctype_table, Key
from minikerberos.asn1_structs import EncASRepPart

ccred = KerberosCredential()
ccred.username = '******'
ccred.domain = 'TEST.corp'

ccred2 = KerberosCredential()
ccred2.username = '******'
ccred2.domain = 'TEST.corp'

creds = [ccred, ccred2]

ks = KerberosSocket('192.168.9.1')

ar = APREPRoast(ks)
res = ar.run(creds)

rep = res[0]
print(res)

x, a, enctype, checksum, data = rep.split('$')

password = '******'
cipher = _enctype_table[int(enctype)]
key = Key(int(enctype),