def parse_TGS_REP(sock, subkey, spn, samaccountname, kdc_addr):
    """Read one TGS-REP off *sock* and unwrap it with *subkey*.

    Returns the ``(tgs_rep, tgs_rep_enc)`` pair produced by
    ``decrypt_tgs_rep``, or ``(None, None)`` when the ticket that came
    back is not rc4-hmac encrypted (such accounts are skipped rather than
    parsed).

    Progress messages go through ``WRITE_STDOUT`` so a caller can silence
    them; *spn*, *samaccountname* and *kdc_addr* are only used in those
    messages.
    """
    WRITE_STDOUT(' [+] Receiving TGS-REP from %s...' % kdc_addr)
    raw_reply = recv_rep(sock)
    WRITE_STDOUT(' Done!\n')

    WRITE_STDOUT(' [+] Parsing TGS-REP from %s...' % kdc_addr)
    ticket_part, enc_part = decrypt_tgs_rep(raw_reply, subkey)

    # decrypt_tgs_rep appears to flag a non-RC4 ticket by handing back the
    # bare etype code (two characters) with an empty encrypted part, and
    # dico_etypes turns that code into a printable name.
    # NOTE(review): this convention is inferred from the check itself --
    # confirm against decrypt_tgs_rep before relying on it.
    unsupported_etype = len(ticket_part) == 2 and not enc_part
    if unsupported_etype:
        WRITE_STDOUT(" Only rc4-hmac supported and encryption type is '%s'."
                     " Skipping this account...\n\n" % dico_etypes[ticket_part])
        return None, None

    WRITE_STDOUT(" Done!\n[+] Got encrypted ticket for SPN '%s' and account '%s'\n"
                 % (spn, samaccountname))
    return ticket_part, enc_part
def get_TGT(self, need_pac=False):
    """Obtain a TGT for ``self.user_account`` from ``self.DC_addr``.

    Builds an AS-REQ carrying a fresh nonce and the current time, sends it
    to the DC, and decrypts the AS-REP with ``self.key``.  On success it
    populates ``self.as_data["as_rep"]``, ``self.as_data["as_rep_enc"]``,
    ``self.session_key`` (an ``(etype, keyvalue)`` tuple),
    ``self.logon_time`` and ``self.tgt``.  Nothing is returned.

    need_pac: forwarded to ``build_as_req`` as ``pac_request``.

    Progress is reported on ``WRITE_STDERR``.
    """
    dc = self.DC_addr
    log = WRITE_STDERR

    log(G + "\nAsking " + B + "'" + dc + "'" + G + " for a TGT\n" + W)

    log(' [+] Building AS-REQ for %s...' % dc)
    # The nonce lets the client match the AS-REP to this request.  31 bits
    # presumably keeps it a non-negative 32-bit INTEGER on the wire -- TODO
    # confirm against build_as_req.
    nonce = getrandbits(31)
    stamp = time()
    request = build_as_req(self.realm, self.user_account, self.key,
                           stamp, nonce, pac_request=need_pac)
    log(' Done!\n')

    log(' [+] Sending AS-REQ to %s...' % dc)
    sock = send_req(request, dc)
    log(' Done!\n')

    log(' [+] Receiving AS-REP from %s...' % dc)
    reply = recv_rep(sock)
    log(' Done!\n')
    # NOTE(review): sock is never closed in this method -- confirm that
    # recv_rep (or send_req's return type) takes care of it.

    log(' [+] Parsing AS-REP from %s...' % dc)
    as_rep, as_rep_enc = decrypt_as_rep(reply, self.key)
    self.as_data["as_rep"] = as_rep
    self.as_data["as_rep_enc"] = as_rep_enc
    # Session key is kept as (etype number, raw key bytes) for later use.
    key_block = as_rep_enc['key']
    self.session_key = (int(key_block['keytype']), str(key_block['keyvalue']))
    # gt2epoch presumably converts the KerberosTime string to epoch seconds.
    self.logon_time = gt2epoch(str(as_rep_enc['authtime']))
    self.tgt = as_rep['ticket']
    log(' Done!\n')

    log(G + "TGT retrieved for user " + B + "'" + self.user_account + "'\n" + W)
def get_TGT(self, need_pac = False):
    """Ask the DC at ``self.DC_addr`` for a TGT and store the result.

    The AS-REQ is built from ``self.realm``, ``self.user_account`` and
    ``self.key`` together with a random nonce and the current time; the
    AS-REP is decrypted with the same key.  Side effects on success:
    ``as_data["as_rep"]`` / ``as_data["as_rep_enc"]`` are filled in,
    ``session_key`` becomes ``(etype, keyvalue)``, ``logon_time`` is set
    from the reply's ``authtime`` and ``tgt`` holds the ticket.

    need_pac: passed through as ``pac_request`` to ``build_as_req``.

    All progress output goes to ``WRITE_STDERR``; returns ``None``.
    """
    dc_addr = self.DC_addr
    WRITE_STDERR("%s\nAsking %s'%s'%s for a TGT\n%s" % (G, B, dc_addr, G, W))

    # -- build ------------------------------------------------------------
    WRITE_STDERR(' [+] Building AS-REQ for %s...' % dc_addr)
    # nonce: request/reply correlation value; 31 bits -- presumably so it
    # fits a non-negative 32-bit INTEGER (TODO confirm in build_as_req).
    nonce = getrandbits(31)
    now = time()
    as_req = build_as_req(
        self.realm,
        self.user_account,
        self.key,
        now,
        nonce,
        pac_request=need_pac,
    )
    WRITE_STDERR(' Done!\n')

    # -- send / receive -----------------------------------------------------
    WRITE_STDERR(' [+] Sending AS-REQ to %s...' % dc_addr)
    sock = send_req(as_req, dc_addr)
    WRITE_STDERR(' Done!\n')

    WRITE_STDERR(' [+] Receiving AS-REP from %s...' % dc_addr)
    # NOTE(review): the socket is not closed here; verify recv_rep does so.
    raw = recv_rep(sock)
    WRITE_STDERR(' Done!\n')

    # -- parse --------------------------------------------------------------
    WRITE_STDERR(' [+] Parsing AS-REP from %s...' % dc_addr)
    as_rep, as_rep_enc = decrypt_as_rep(raw, self.key)
    self.as_data["as_rep"] = as_rep
    self.as_data["as_rep_enc"] = as_rep_enc
    etype = int(as_rep_enc['key']['keytype'])
    keyvalue = str(as_rep_enc['key']['keyvalue'])
    self.session_key = (etype, keyvalue)
    # gt2epoch presumably parses the GeneralizedTime string into epoch seconds.
    self.logon_time = gt2epoch(str(as_rep_enc['authtime']))
    self.tgt = as_rep['ticket']
    WRITE_STDERR(' Done!\n')

    WRITE_STDERR("%sTGT retrieved for user %s'%s'\n%s" % (G, B, self.user_account, W))
def parse_TGS_REP(sock, subkey, spn, samaccountname, kdc_addr):
    """Receive and decrypt the TGS-REP waiting on *sock*.

    Returns ``(tgs_rep, tgs_rep_enc)`` from ``decrypt_tgs_rep`` on
    success.  Returns ``(None, None)`` in two cases: the reply was not a
    valid TGS-REP (for instance a wrong or duplicate SPN), in which case
    the KDC's message is printed to stdout regardless of verbosity; or
    the returned ticket is not rc4-hmac encrypted, in which case the
    account is skipped.

    *spn*, *samaccountname* and *kdc_addr* only appear in the progress
    and error messages.
    """
    WRITE_STDOUT(' [+] Receiving TGS-REP from %s...' % kdc_addr)
    payload = recv_rep(sock)
    WRITE_STDOUT(' Done!\n')

    WRITE_STDOUT(' [+] Parsing TGS-REP from %s...' % kdc_addr)
    ticket, enc_ticket = decrypt_tgs_rep(payload, subkey)

    # decrypt_tgs_rep reports an invalid TGS-REP as the literal "error"
    # with a description in the second slot.  That description is printed
    # with print() rather than WRITE_STDOUT so it is never silenced.
    if ticket == "error":
        print('[-] %s for SPN %s' % (enc_ticket, spn))
        return None, None

    # A non-RC4 ticket appears to come back as a two-character etype code
    # and an empty encrypted part; dico_etypes names the etype.
    # NOTE(review): inferred from this check -- confirm in decrypt_tgs_rep.
    if len(ticket) == 2 and not enc_ticket:
        WRITE_STDOUT(" Only rc4-hmac supported and encryption type is '%s'."
                     " Skipping this account...\n\n" % dico_etypes[ticket])
        return None, None

    WRITE_STDOUT(" Done!\n[+] Got encrypted ticket for SPN '%s' and account '%s'\n"
                 % (spn, samaccountname))
    return ticket, enc_ticket