def forge_custom_TGS_REQ(self, target_service, target_host, subkey, nonce, current_time, spn, samaccountname):
    """Build a TGS-REQ from the cached TGT/session key and send it to the DC.

    Progress messages go to stderr via WRITE_STDERR; the colour prefixes
    B/W are module-level names (presumably ANSI escape strings -- confirm).

    Args:
        target_service, target_host: forwarded to build_tgs_req as the
            requested service principal components.
        subkey, nonce, current_time: forwarded to build_tgs_req as the
            authenticator subkey, request nonce and timestamp; the caller
            is responsible for generating them.
        spn, samaccountname: used only for the status message shown to
            the operator; they are not passed to build_tgs_req.

    Returns:
        Whatever send_req returns (a socket in get_TGT's usage -- the
        caller is expected to read the reply from it and close it).

    Raises:
        Whatever build_tgs_req / send_req raise; nothing is caught here.

    Note: self.realm is passed twice to build_tgs_req -- presumably as the
    server realm and the client realm; verify against build_tgs_req.
    """
    WRITE_STDERR(' [+] Building TGS-REQ for SPN ' + B + '\'' + spn
                 + '\'' + W + ' and account ' + B + '\'' + samaccountname
                 + '\'' + W + '...')
    # self.tgt and self.session_key are populated by get_TGT; calling this
    # before get_TGT passes None (or unset attributes) into build_tgs_req.
    tgs_req = build_tgs_req(self.realm, target_service, target_host,
                            self.realm, self.user_account, self.tgt,
                            self.session_key, subkey, nonce, current_time)
    WRITE_STDERR(' Done!\n [+] Sending TGS-REQ to %s...' % self.DC_addr)
    return send_req(tgs_req, self.DC_addr)
def forge_custom_TGS_REQ(self, target_service, target_host, subkey, nonce, current_time, spn, samaccountname):
    """Build a TGS-REQ from the cached TGT/session key and send it to the DC.

    Variant that writes its progress messages to stdout (WRITE_STDOUT)
    without colour codes; otherwise identical in behaviour to the
    stderr-based variant of this method.

    Args:
        target_service, target_host: forwarded to build_tgs_req as the
            requested service principal components.
        subkey, nonce, current_time: forwarded to build_tgs_req as the
            authenticator subkey, request nonce and timestamp; generated
            by the caller.
        spn, samaccountname: used only for the operator status message.

    Returns:
        Whatever send_req returns (presumably an open socket holding the
        pending TGS-REP; the caller must read from and close it).

    Raises:
        Whatever build_tgs_req / send_req raise; nothing is caught here.
    """
    # Note: this message ends with a newline, unlike the second message
    # below which expects to be continued by ' Done!' from the caller's
    # next write -- output layout differs slightly from the stderr variant.
    WRITE_STDOUT(" [+] Building TGS-REQ for SPN '" + spn
                 + "' and account '" + samaccountname
                 + "'...\n")
    # self.realm is passed twice -- presumably server realm and client
    # realm; verify against build_tgs_req's signature.
    tgs_req = build_tgs_req(self.realm, target_service, target_host,
                            self.realm, self.user_account, self.tgt,
                            self.session_key, subkey, nonce, current_time)
    WRITE_STDOUT(' Done!\n [+] Sending TGS-REQ to %s...' % self.DC_addr)
    return send_req(tgs_req, self.DC_addr)
def get_TGT(self, need_pac=False):
    """Perform an AS exchange with the DC and cache the resulting TGT.

    Builds an AS-REQ for self.user_account with self.key, sends it to
    self.DC_addr, receives and decrypts the AS-REP, and stores:
      - self.as_data["as_rep"] / ["as_rep_enc"]: raw and decrypted reply
      - self.session_key: (keytype as int, keyvalue as str) tuple
      - self.logon_time: authtime converted to epoch via gt2epoch
      - self.tgt: the ticket from the AS-REP

    Args:
        need_pac: passed through as build_as_req's pac_request flag.

    Returns:
        None; results are kept on the instance.

    Raises:
        Whatever build_as_req / send_req / recv_rep / decrypt_as_rep raise
        (including a decrypt failure when self.key does not match the
        account's long-term key); nothing is caught here.

    Security note: self.session_key and self.tgt are live credential
    material for this principal for the ticket's lifetime; anything that
    logs, pickles or otherwise persists this object persists them too.
    """
    DC_addr = self.DC_addr
    # G/B/W are module-level names, presumably ANSI colour prefixes -- confirm.
    WRITE_STDERR(G + "\nAsking " + B + '\'' + DC_addr
                 + '\'' + G + " for a TGT\n" + W)
    WRITE_STDERR(' [+] Building AS-REQ for %s...' % DC_addr)
    # 31-bit nonce to fit a Kerberos Int32; which getrandbits this is
    # (random vs. a CSPRNG) depends on the module's imports -- TODO confirm.
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(self.realm, self.user_account, self.key,
                          current_time, nonce, pac_request=need_pac)
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(' [+] Sending AS-REQ to %s...' % DC_addr)
    sock = send_req(as_req, DC_addr)
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(' [+] Receiving AS-REP from %s...' % DC_addr)
    # NOTE(review): sock is never explicitly closed here; unless recv_rep
    # closes it, the descriptor lives until garbage collection.
    data = recv_rep(sock)
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(' [+] Parsing AS-REP from %s...' % DC_addr)
    as_rep, as_rep_enc = decrypt_as_rep(data, self.key)
    self.as_data["as_rep"] = as_rep
    self.as_data["as_rep_enc"] = as_rep_enc
    # str() on the key value: the file appears to target Python 2 string
    # semantics (bytes == str) -- confirm before porting.
    self.session_key = (int(as_rep_enc['key']['keytype']),
                        str(as_rep_enc['key']['keyvalue']))
    self.logon_time = gt2epoch(str(as_rep_enc['authtime']))
    self.tgt = as_rep['ticket']
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(G + "TGT retrieved for user " + B + '\''
                 + self.user_account + '\'\n' + W)
def get_TGT(self, need_pac=False):
    """Perform an AS exchange with the DC and cache the resulting TGT.

    Behaviourally identical to the other get_TGT variant in this file
    (only whitespace differs): builds an AS-REQ, sends it, receives and
    decrypts the AS-REP, then stores as_rep / as_rep_enc in self.as_data
    and sets self.session_key, self.logon_time and self.tgt.

    Args:
        need_pac: passed through as build_as_req's pac_request flag.

    Returns:
        None; results are kept on the instance.

    Raises:
        Whatever the network / crypto helpers raise; nothing is caught
        here, so a wrong self.key surfaces from decrypt_as_rep.

    Security note: the cached session key and TGT are usable credentials
    for the duration of the ticket; treat the instance accordingly.
    """
    DC_addr = self.DC_addr
    # G/B/W: module-level names, presumably ANSI colour prefixes -- confirm.
    WRITE_STDERR(G + "\nAsking " + B + '\'' + DC_addr
                 + '\'' + G + " for a TGT\n" + W)
    WRITE_STDERR(' [+] Building AS-REQ for %s...' % DC_addr)
    # 31-bit nonce (fits a Kerberos Int32); randomness source depends on
    # which getrandbits the module imports -- TODO confirm.
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(self.realm, self.user_account, self.key,
                          current_time, nonce, pac_request=need_pac)
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(' [+] Sending AS-REQ to %s...' % DC_addr)
    sock = send_req(as_req, DC_addr)
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(' [+] Receiving AS-REP from %s...' % DC_addr)
    # NOTE(review): sock is not closed in this method; relies on recv_rep
    # or garbage collection to release it.
    data = recv_rep(sock)
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(' [+] Parsing AS-REP from %s...' % DC_addr)
    as_rep, as_rep_enc = decrypt_as_rep(data, self.key)
    self.as_data["as_rep"] = as_rep
    self.as_data["as_rep_enc"] = as_rep_enc
    # (keytype, keyvalue) tuple; str() on the key value suggests Python 2
    # bytes/str semantics -- confirm before porting.
    self.session_key = (int(as_rep_enc['key']['keytype']),
                        str(as_rep_enc['key']['keyvalue']))
    self.logon_time = gt2epoch(str(as_rep_enc['authtime']))
    self.tgt = as_rep['ticket']
    WRITE_STDERR(' Done!\n')
    WRITE_STDERR(G + "TGT retrieved for user " + B + '\''
                 + self.user_account + '\'\n' + W)