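def parse_TGS_REP(sock, subkey, spn, samaccountname, kdc_addr):
    """Receive and decrypt the TGS-REP for *spn* from the KDC at *kdc_addr*.

    Args:
        sock: socket the TGS-REQ went out on; handed to recv_rep.
        subkey: key passed to decrypt_tgs_rep to decrypt the reply's enc-part.
        spn: service principal name the ticket was requested for (messages only).
        samaccountname: account owning the SPN (messages only).
        kdc_addr: KDC address, used in progress messages only.

    Returns:
        ``(tgs_rep, tgs_rep_enc)`` exactly as decrypt_tgs_rep returned them when
        the ticket is usable, or ``(None, None)`` when it is not.  Only
        rc4-hmac is supported: a ticket encrypted with any other encryption
        type is reported (its name looked up in dico_etypes) and skipped, so
        accounts whose tickets are not RC4-HMAC encrypted never reach the
        caller.
    """
    WRITE_STDOUT('  [+] Receiving TGS-REP from %s...' % kdc_addr)
    data = recv_rep(sock)
    WRITE_STDOUT(' Done!\n')

    WRITE_STDOUT('  [+] Parsing TGS-REP from %s...' % kdc_addr)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)

    # decrypt_tgs_rep appears to signal an unsupported encryption type by
    # returning a two-character etype key with an empty enc-part; confirm
    # against decrypt_tgs_rep before relying on this sentinel elsewhere.
    if len(tgs_rep) == 2 and not tgs_rep_enc:
        # Adjacent literals are joined at compile time; a backslash
        # continuation *inside* the literal would embed the next line's
        # indentation in the printed message.
        WRITE_STDOUT(' Only rc4-hmac supported and encryption type '
                     'is \'%s\'. Skipping this account...\n\n'
                     % dico_etypes[tgs_rep])
        return None, None

    WRITE_STDOUT(" Done!\n[+] Got encrypted ticket for SPN '"
                 + spn + "' and account '" + samaccountname + "'\n")
    return tgs_rep, tgs_rep_enc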
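def parse_TGS_REP(sock, subkey, spn, samaccountname, kdc_addr):
    """Receive and decrypt the TGS-REP for *spn* from the KDC at *kdc_addr*.

    Args:
        sock: socket the TGS-REQ went out on; handed to recv_rep.
        subkey: key passed to decrypt_tgs_rep to decrypt the reply's enc-part.
        spn: service principal name the ticket was requested for (messages only).
        samaccountname: account owning the SPN (messages only).
        kdc_addr: KDC address, used in progress messages only.

    Returns:
        ``(tgs_rep, tgs_rep_enc)`` exactly as decrypt_tgs_rep returned them when
        the ticket is usable, or ``(None, None)`` when it is not.  Only
        rc4-hmac is supported: a ticket encrypted with any other encryption
        type is reported (its name looked up in dico_etypes) and skipped, so
        accounts whose tickets are not RC4-HMAC encrypted never reach the
        caller.
    """
    WRITE_STDOUT('  [+] Receiving TGS-REP from %s...' % kdc_addr)
    data = recv_rep(sock)
    WRITE_STDOUT(' Done!\n')

    WRITE_STDOUT('  [+] Parsing TGS-REP from %s...' % kdc_addr)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)

    # decrypt_tgs_rep appears to signal an unsupported encryption type by
    # returning a two-character etype key with an empty enc-part; confirm
    # against decrypt_tgs_rep before relying on this sentinel elsewhere.
    if len(tgs_rep) == 2 and not tgs_rep_enc:
        # Adjacent literals are joined at compile time; a backslash
        # continuation *inside* the literal would embed the next line's
        # indentation in the printed message.
        WRITE_STDOUT(' Only rc4-hmac supported and encryption type '
                     'is \'%s\'. Skipping this account...\n\n'
                     % dico_etypes[tgs_rep])
        return None, None

    WRITE_STDOUT(" Done!\n[+] Got encrypted ticket for SPN '"
                 + spn + "' and account '" + samaccountname + "'\n")
    return tgs_rep, tgs_rep_enc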
    def get_TGT(self, need_pac=False):
        """Request a TGT for ``self.user_account`` from the DC at ``self.DC_addr``.

        Flow: build_as_req -> send_req -> recv_rep -> decrypt_as_rep, with
        progress written to stderr through WRITE_STDERR.  Nothing is returned;
        the outcome is stored on ``self``:

        * ``as_data["as_rep"]`` / ``as_data["as_rep_enc"]``: the reply and its
          decrypted enc-part, exactly as decrypt_as_rep returned them.
        * ``session_key``: ``(int(keytype), str(keyvalue))`` from the enc-part.
        * ``logon_time``: ``gt2epoch`` of the enc-part's ``authtime``.
        * ``tgt``: the reply's ``ticket``.

        ``session_key`` and ``tgt`` are live credential material for this
        session and stay on the instance for its lifetime.

        Args:
            need_pac: forwarded to build_as_req as ``pac_request``.
        """
        dc = self.DC_addr
        account = self.user_account

        WRITE_STDERR(G + "\nAsking " + B + "'" + dc + "'" + G
                     + " for a TGT\n" + W)
        WRITE_STDERR('  [+] Building AS-REQ for %s...' % dc)

        # NOTE(review): getrandbits() comes from the non-cryptographic
        # `random` module; acceptable only if the nonce is a request/reply
        # correlator rather than key material -- confirm in build_as_req.
        nonce_bits = getrandbits(31)
        now = time()
        request = build_as_req(self.realm, account, self.key, now,
                               nonce_bits, pac_request=need_pac)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Sending AS-REQ to %s...' % dc)
        conn = send_req(request, dc)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Receiving AS-REP from %s...' % dc)
        raw_reply = recv_rep(conn)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Parsing AS-REP from %s...' % dc)
        reply, enc_part = decrypt_as_rep(raw_reply, self.key)

        self.as_data["as_rep"] = reply
        self.as_data["as_rep_enc"] = enc_part

        key_info = enc_part['key']
        self.session_key = (int(key_info['keytype']), str(key_info['keyvalue']))
        self.logon_time = gt2epoch(str(enc_part['authtime']))
        self.tgt = reply['ticket']
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR(G + "TGT retrieved for user " + B + "'" + account
                     + "'\n" + W)
    def get_TGT(self, need_pac=False):
        """Request a TGT for ``self.user_account`` from the DC at ``self.DC_addr``.

        Flow: build_as_req -> send_req -> recv_rep -> decrypt_as_rep, with
        progress written to stderr through WRITE_STDERR.  Nothing is returned;
        the outcome is stored on ``self``:

        * ``as_data["as_rep"]`` / ``as_data["as_rep_enc"]``: the reply and its
          decrypted enc-part, exactly as decrypt_as_rep returned them.
        * ``session_key``: ``(int(keytype), str(keyvalue))`` from the enc-part.
        * ``logon_time``: ``gt2epoch`` of the enc-part's ``authtime``.
        * ``tgt``: the reply's ``ticket``.

        ``session_key`` and ``tgt`` are live credential material for this
        session and stay on the instance for its lifetime.

        Args:
            need_pac: forwarded to build_as_req as ``pac_request``.
        """
        dc = self.DC_addr
        account = self.user_account

        WRITE_STDERR(G + "\nAsking " + B + "'" + dc + "'" + G
                     + " for a TGT\n" + W)
        WRITE_STDERR('  [+] Building AS-REQ for %s...' % dc)

        # NOTE(review): getrandbits() comes from the non-cryptographic
        # `random` module; acceptable only if the nonce is a request/reply
        # correlator rather than key material -- confirm in build_as_req.
        nonce_bits = getrandbits(31)
        now = time()
        request = build_as_req(self.realm, account, self.key, now,
                               nonce_bits, pac_request=need_pac)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Sending AS-REQ to %s...' % dc)
        conn = send_req(request, dc)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Receiving AS-REP from %s...' % dc)
        raw_reply = recv_rep(conn)
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR('  [+] Parsing AS-REP from %s...' % dc)
        reply, enc_part = decrypt_as_rep(raw_reply, self.key)

        self.as_data["as_rep"] = reply
        self.as_data["as_rep_enc"] = enc_part

        key_info = enc_part['key']
        self.session_key = (int(key_info['keytype']), str(key_info['keyvalue']))
        self.logon_time = gt2epoch(str(enc_part['authtime']))
        self.tgt = reply['ticket']
        WRITE_STDERR(' Done!\n')

        WRITE_STDERR(G + "TGT retrieved for user " + B + "'" + account
                     + "'\n" + W)
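def parse_TGS_REP(sock, subkey, spn, samaccountname, kdc_addr):
    """Receive and decrypt the TGS-REP for *spn* from the KDC at *kdc_addr*.

    Args:
        sock: socket the TGS-REQ went out on; handed to recv_rep.
        subkey: key passed to decrypt_tgs_rep to decrypt the reply's enc-part.
        spn: service principal name the ticket was requested for (messages only).
        samaccountname: account owning the SPN (messages only).
        kdc_addr: KDC address, used in progress messages only.

    Returns:
        ``(tgs_rep, tgs_rep_enc)`` exactly as decrypt_tgs_rep returned them when
        the ticket is usable, or ``(None, None)`` in two cases:

        * decrypt_tgs_rep returned the string ``"error"`` as ``tgs_rep`` (the
          reply was not valid, e.g. wrong or duplicate SPN); the description
          it returned as ``tgs_rep_enc`` is printed unconditionally.
        * the ticket is not rc4-hmac encrypted; the encryption type's name is
          looked up in dico_etypes and reported, and the account is skipped.
          Only rc4-hmac is supported, so accounts whose tickets use any other
          encryption type never reach the caller.
    """
    WRITE_STDOUT('  [+] Receiving TGS-REP from %s...' % kdc_addr)
    data = recv_rep(sock)
    WRITE_STDOUT(' Done!\n')

    WRITE_STDOUT('  [+] Parsing TGS-REP from %s...' % kdc_addr)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)

    # Invalid TGS-REP (wrong SPN, duplicate SPN, ...): decrypt_tgs_rep reports
    # it as the string "error" with the description in tgs_rep_enc.
    if tgs_rep == "error":
        # print() rather than WRITE_STDOUT so the error is always shown.
        print('[-] %s for SPN %s' % (tgs_rep_enc, spn))
        return None, None

    # decrypt_tgs_rep appears to signal an unsupported encryption type by
    # returning a two-character etype key with an empty enc-part; confirm
    # against decrypt_tgs_rep before relying on this sentinel elsewhere.
    if len(tgs_rep) == 2 and not tgs_rep_enc:
        # Adjacent literals are joined at compile time; a backslash
        # continuation *inside* the literal would embed the next line's
        # indentation in the printed message.
        WRITE_STDOUT(' Only rc4-hmac supported and encryption type '
                     'is \'%s\'. Skipping this account...\n\n'
                     % dico_etypes[tgs_rep])
        return None, None

    WRITE_STDOUT(" Done!\n[+] Got encrypted ticket for SPN '"
                 + spn + "' and account '" + samaccountname + "'\n")
    return tgs_rep, tgs_rep_enc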