def kerberosLogin(self,
user,
password,
domain='',
lmhash='',
nthash='',
aesKey='',
kdcHost=None,
TGT=None,
TGS=None,
useCache=True):
"""
logins into the target system explicitly using Kerberos. Hashes are used if RC4_HMAC is supported.
:param string user: username
:param string password: password for the user
:param string domain: domain where the account is valid for (required)
:param string lmhash: LMHASH used to authenticate using hashes (password is not used)
:param string nthash: NTHASH used to authenticate using hashes (password is not used)
:param string aesKey: aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96 used for Kerberos authentication
:param string kdcHost: hostname or IP Address for the KDC. If None, the domain will be used (it needs to resolve tho)
:param struct TGT: If there's a TGT available, send the structure here and it will be used
:param struct TGS: same for TGS. See smb3.py for the format
:param bool useCache: whether or not we should use the ccache for credentials lookup. If TGT or TGS are specified this is False
:return: True, raises a LDAPSessionError if error.
"""
if lmhash != '' or nthash != '':
if len(lmhash) % 2: lmhash = '0%s' % lmhash
if len(nthash) % 2: nthash = '0%s' % nthash
try: # just in case they were converted already
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
except:
pass
# Importing down here so pyasn1 is not required if kerberos is not used.
from impacket.krb5.ccache import CCache
from impacket.krb5.asn1 import AP_REQ, Authenticator, TGS_REP, seq_set
from impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS
from impacket.krb5 import constants
from impacket.krb5.types import Principal, KerberosTime, Ticket
from pyasn1.codec.der import decoder, encoder
import datetime
if TGT is not None or TGS is not None:
useCache = False
if useCache is True:
try:
ccache = CCache.loadFile(os.getenv('KRB5CCNAME'))
except:
# No cache present
pass
else:
# retrieve user and domain information from CCache file if needed
if user == '' and len(ccache.principal.components) > 0:
user = ccache.principal.components[0]['data']
if domain == '':
domain = ccache.principal.realm['data']
LOG.debug("Using Kerberos Cache: %s" % os.getenv('KRB5CCNAME'))
principal = 'ldap/%s@%s' % (self._dstHost.upper(),
domain.upper())
creds = ccache.getCredential(principal)
if creds is None:
# Let's try for the TGT and go from there
principal = 'krbtgt/%s@%s' % (domain.upper(),
domain.upper())
creds = ccache.getCredential(principal)
if creds is not None:
TGT = creds.toTGT()
LOG.debug('Using TGT from cache')
else:
LOG.debug("No valid credentials found in cache. ")
else:
TGS = creds.toTGS()
LOG.debug('Using TGS from cache')
# First of all, we need to get a TGT for the user
userName = Principal(
user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
if TGT is None:
if TGS is None:
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(
userName, password, domain, lmhash, nthash, aesKey,
kdcHost)
else:
tgt = TGT['KDC_REP']
cipher = TGT['cipher']
sessionKey = TGT['sessionKey']
if TGS is None:
serverName = Principal(
'ldap/%s' % self._dstHost,
type=constants.PrincipalNameType.NT_SRV_INST.value)
tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(
serverName, domain, kdcHost, tgt, cipher, sessionKey)
else:
tgs = TGS['KDC_REP']
cipher = TGS['cipher']
sessionKey = TGS['sessionKey']
# Let's build a NegTokenInit with a Kerberos REQ_AP
blob = SPNEGO_NegTokenInit()
# Kerberos
blob['MechTypes'] = [TypesMech['MS KRB5 - Microsoft Kerberos 5']]
# Let's extract the ticket from the TGS
tgs = decoder.decode(tgs, asn1Spec=TGS_REP())[0]
ticket = Ticket()
ticket.from_asn1(tgs['ticket'])
# Now let's build the AP_REQ
apReq = AP_REQ()
apReq['pvno'] = 5
apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
opts = list()
apReq['ap-options'] = constants.encodeFlags(opts)
seq_set(apReq, 'ticket', ticket.to_asn1)
authenticator = Authenticator()
authenticator['authenticator-vno'] = 5
authenticator['crealm'] = domain
seq_set(authenticator, 'cname', userName.components_to_asn1)
now = datetime.datetime.utcnow()
authenticator['cusec'] = now.microsecond
authenticator['ctime'] = KerberosTime.to_asn1(now)
encodedAuthenticator = encoder.encode(authenticator)
# Key Usage 11
# AP-REQ Authenticator (includes application authenticator
# subkey), encrypted with the application session key
# (Section 5.5.1)
encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 11,
encodedAuthenticator,
None)
apReq['authenticator'] = None
apReq['authenticator']['etype'] = cipher.enctype
apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
blob['MechToken'] = encoder.encode(apReq)
# Done with the Kerberos saga, now let's get into LDAP
bindRequest = BindRequest()
bindRequest['version'] = Integer7Bit(3)
bindRequest['name'] = LDAPDN(user)
credentials = SaslCredentials()
credentials['mechanism'] = LDAPString('GSS-SPNEGO')
credentials['credentials'] = Credentials(blob.getData())
bindRequest['authentication'] = AuthenticationChoice(
).setComponentByName('sasl', credentials)
resp = self.sendReceive('bindRequest', bindRequest)[0]['protocolOp']
if resp['bindResponse']['resultCode'] != 0:
raise LDAPSessionError(
errorString='Error in bindRequest -> %s:%s' %
(resp['bindResponse']['resultCode'].prettyPrint(),
resp['bindResponse']['diagnosticMessage']))
return True
def login(self,
user='',
password='',
domain='',
lmhash='',
nthash='',
authenticationChoice='sicilyNegotiate'):
"""
logins into the target system
:param string user: username
:param string password: password for the user
:param string domain: domain where the account is valid for
:param string lmhash: LMHASH used to authenticate using hashes (password is not used)
:param string nthash: NTHASH used to authenticate using hashes (password is not used)
:param string authenticationChoice: type of authentication protocol to use (default NTLM)
:return: True, raises a LDAPSessionError if error.
"""
bindRequest = BindRequest()
bindRequest['version'] = 3
if authenticationChoice == 'simple':
if '.' in domain:
bindRequest['name'] = user + '@' + domain
elif domain:
bindRequest['name'] = domain + '\\' + user
else:
bindRequest['name'] = user
bindRequest['authentication']['simple'] = password
response = self.sendReceive(bindRequest)[0]['protocolOp']
elif authenticationChoice == 'sicilyPackageDiscovery':
bindRequest['name'] = user
bindRequest['authentication']['sicilyPackageDiscovery'] = ''
response = self.sendReceive(bindRequest)[0]['protocolOp']
elif authenticationChoice == 'sicilyNegotiate':
# Deal with NTLM Authentication
if lmhash != '' or nthash != '':
if len(lmhash) % 2:
lmhash = '0' + lmhash
if len(nthash) % 2:
nthash = '0' + nthash
try: # just in case they were converted already
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
except TypeError:
pass
bindRequest['name'] = user
# NTLM Negotiate
negotiate = getNTLMSSPType1('', domain)
bindRequest['authentication'][
'sicilyNegotiate'] = negotiate.getData()
response = self.sendReceive(bindRequest)[0]['protocolOp']
# NTLM Challenge
type2 = response['bindResponse']['matchedDN']
# NTLM Auth
type3, exportedSessionKey = getNTLMSSPType3(
negotiate, bytes(type2), user, password, domain, lmhash,
nthash)
bindRequest['authentication']['sicilyResponse'] = type3.getData()
response = self.sendReceive(bindRequest)[0]['protocolOp']
else:
raise LDAPSessionError(
errorString="Unknown authenticationChoice: '%s'" %
authenticationChoice)
if response['bindResponse']['resultCode'] != ResultCode('success'):
raise LDAPSessionError(
errorString='Error in bindRequest -> %s: %s' %
(response['bindResponse']['resultCode'].prettyPrint(),
response['bindResponse']['diagnosticMessage']))
return True
def login(self,
user='',
password='',
domain='',
lmhash='',
nthash='',
authenticationChoice='sicilyNegotiate'):
"""
logins into the target system
:param string user: username
:param string password: password for the user
:param string domain: domain where the account is valid for
:param string lmhash: LMHASH used to authenticate using hashes (password is not used)
:param string nthash: NTHASH used to authenticate using hashes (password is not used)
:param string authenticationChoice: type of authentication protocol to use (default NTLM)
:return: True, raises a LDAPSessionError if error.
"""
bindRequest = BindRequest()
bindRequest['version'] = Integer7Bit(3)
bindRequest['name'] = LDAPDN(user)
if authenticationChoice == 'simple':
bindRequest['authentication'] = AuthenticationChoice(
).setComponentByName(authenticationChoice, AuthSimple(password))
resp = self.sendReceive('bindRequest',
bindRequest)[0]['protocolOp']
elif authenticationChoice == 'sicilyPackageDiscovery':
bindRequest['authentication'] = AuthenticationChoice(
).setComponentByName(authenticationChoice, '')
resp = self.sendReceive('bindRequest',
bindRequest)[0]['protocolOp']
elif authenticationChoice == 'sicilyNegotiate':
# Deal with NTLM Authentication
if lmhash != '' or nthash != '':
if len(lmhash) % 2: lmhash = '0%s' % lmhash
if len(nthash) % 2: nthash = '0%s' % nthash
try: # just in case they were converted already
lmhash = unhexlify(lmhash)
nthash = unhexlify(nthash)
except:
pass
# NTLM Negotiate
negotiate = getNTLMSSPType1('', domain)
bindRequest['authentication'] = AuthenticationChoice(
).setComponentByName('sicilyNegotiate', negotiate)
resp = self.sendReceive('bindRequest',
bindRequest)[0]['protocolOp']
# NTLM Challenge
type2 = resp['bindResponse']['matchedDN']
# NTLM Auth
type3, exportedSessionKey = getNTLMSSPType3(
negotiate, str(type2), user, password, domain, lmhash, nthash)
bindRequest['authentication'] = AuthenticationChoice(
).setComponentByName('sicilyResponse', type3)
resp = self.sendReceive('bindRequest',
bindRequest)[0]['protocolOp']
else:
raise LDAPSessionError(
errorString='Unknown authenticationChoice %s' %
authenticationChoice)
if resp['bindResponse']['resultCode'] != 0:
raise LDAPSessionError(
errorString='Error in bindRequest -> %s:%s' %
(resp['bindResponse']['resultCode'].prettyPrint(),
resp['bindResponse']['diagnosticMessage']))
return True
def kerberosLogin(self, user, password, domain='', lmhash='', nthash='', aesKey='', kdcHost=None, TGT=None,
TGS=None, useCache=True):
"""
logins into the target system explicitly using Kerberos. Hashes are used if RC4_HMAC is supported.
:param string user: username
:param string password: password for the user
:param string domain: domain where the account is valid for (required)
:param string lmhash: LMHASH used to authenticate using hashes (password is not used)
:param string nthash: NTHASH used to authenticate using hashes (password is not used)
:param string aesKey: aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96 used for Kerberos authentication
:param string kdcHost: hostname or IP Address for the KDC. If None, the domain will be used (it needs to resolve tho)
:param struct TGT: If there's a TGT available, send the structure here and it will be used
:param struct TGS: same for TGS. See smb3.py for the format
:param bool useCache: whether or not we should use the ccache for credentials lookup. If TGT or TGS are specified this is False
:return: True, raises a LDAPSessionError if error.
"""
if lmhash != '' or nthash != '':
if len(lmhash) % 2:
lmhash = '0' + lmhash
if len(nthash) % 2:
nthash = '0' + nthash
try: # just in case they were converted already
lmhash = bytes.fromhex(lmhash)
nthash = bytes.fromhex(nthash)
except TypeError:
pass
# Importing down here so pyasn1 is not required if kerberos is not used.
from impacket.krb5.ccache import CCache
from impacket.krb5.asn1 import AP_REQ, Authenticator, TGS_REP, seq_set
from impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS
from impacket.krb5 import constants
from impacket.krb5.types import Principal, KerberosTime, Ticket
import datetime
if TGT is not None or TGS is not None:
useCache = False
targetName = 'ldap/%s' % self._dstHost
if useCache:
domain, user, TGT, TGS = CCache.parseFile(domain, user, targetName)
# First of all, we need to get a TGT for the user
userName = Principal(user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
if TGT is None:
if TGS is None:
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, password, domain, lmhash, nthash,
aesKey, kdcHost)
else:
tgt = TGT['KDC_REP']
cipher = TGT['cipher']
sessionKey = TGT['sessionKey']
if TGS is None:
serverName = Principal(targetName, type=constants.PrincipalNameType.NT_SRV_INST.value)
tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, domain, kdcHost, tgt, cipher,
sessionKey)
else:
tgs = TGS['KDC_REP']
cipher = TGS['cipher']
sessionKey = TGS['sessionKey']
# Let's build a NegTokenInit with a Kerberos REQ_AP
blob = SPNEGO_NegTokenInit()
# Kerberos
blob['MechTypes'] = [TypesMech['MS KRB5 - Microsoft Kerberos 5']]
# Let's extract the ticket from the TGS
tgs = decoder.decode(tgs, asn1Spec=TGS_REP())[0]
ticket = Ticket()
ticket.from_asn1(tgs['ticket'])
# Now let's build the AP_REQ
apReq = AP_REQ()
apReq['pvno'] = 5
apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
opts = []
apReq['ap-options'] = constants.encodeFlags(opts)
seq_set(apReq, 'ticket', ticket.to_asn1)
authenticator = Authenticator()
authenticator['authenticator-vno'] = 5
authenticator['crealm'] = domain
seq_set(authenticator, 'cname', userName.components_to_asn1)
now = datetime.datetime.utcnow()
authenticator['cusec'] = now.microsecond
authenticator['ctime'] = KerberosTime.to_asn1(now)
encodedAuthenticator = encoder.encode(authenticator)
# Key Usage 11
# AP-REQ Authenticator (includes application authenticator
# subkey), encrypted with the application session key
# (Section 5.5.1)
encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 11, encodedAuthenticator, None)
apReq['authenticator'] = noValue
apReq['authenticator']['etype'] = cipher.enctype
apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
blob['MechToken'] = encoder.encode(apReq)
# Done with the Kerberos saga, now let's get into LDAP
bindRequest = BindRequest()
bindRequest['version'] = 3
bindRequest['name'] = user
bindRequest['authentication']['sasl']['mechanism'] = 'GSS-SPNEGO'
bindRequest['authentication']['sasl']['credentials'] = blob.getData()
response = self.sendReceive(bindRequest)[0]['protocolOp']
if response['bindResponse']['resultCode'] != ResultCode('success'):
raise LDAPSessionError(
errorString='Error in bindRequest -> %s: %s' % (response['bindResponse']['resultCode'].prettyPrint(),
response['bindResponse']['diagnosticMessage'])
)
return True