def main():
    import argparse

    parser = argparse.ArgumentParser(
        description='Convert kirbi file(s) to a single ccache file')
    parser.add_argument('kirbi',
                        help='path to the kirbi file or a of kirbi files')
    parser.add_argument('ccache', help='ccache file name to be created')

    parser.add_argument('-v', '--verbose', action='count', default=0)

    args = parser.parse_args()
    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
    elif args.verbose == 1:
        logging.basicConfig(level=logging.DEBUG)
    else:
        logging.basicConfig(level=1)

    abs_path = os.path.abspath(args.kirbi)
    if os.path.isdir(abs_path):
        logging.info('Parsing kirbi files in directory %s' % abs_path)
        cc = CCACHE.from_kirbidir(abs_path)
        cc.to_file(args.ccache)

    else:
        logging.info('Parsing kirbi file %s' % abs_path)
        cc = CCACHE.from_kirbifile(abs_path)
        cc.to_file(args.ccache)

    logging.info('Done!')
Пример #2
0
    def __init__(self, reader, sysinfo):
        self.reader = reader
        self.sysinfo = sysinfo
        self.credentials = []
        self.architecture = None
        self.operating_system = None
        self.buildnumber = None
        self.lsa_decryptor = None

        self.logon_sessions = {}
        self.orphaned_creds = []
        self.kerberos_ccache = CCACHE()
Пример #3
0
def main():
    import argparse

    parser = argparse.ArgumentParser(description='Prints CCACHE file info')
    parser.add_argument('ccachefile', help='input CCACHE file')
    parser.add_argument('-v', '--verbose', action='count', default=0)
    args = parser.parse_args()

    ###### VERBOSITY
    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
    else:
        logging.basicConfig(level=logging.DEBUG)

    logging.basicConfig(level=logging.INFO)
    logging.debug('Opening file %s' % args.ccachefile)
    cc = CCACHE.from_file(args.ccachefile)

    table = []
    table.append(['id'] + Credential.summary_header())
    i = 0
    for cred in cc.credentials:
        table.append([str(i)] + cred.summary())
        i += 1
    print()  #this line intentionally left blank
    print_table(table)
Пример #4
0
	def get_kerberos(self):
		if CCACHE is None:
			return

		self.kerberos_ccache = CCACHE()
		dec_template = KerberosTemplate.get_template(self.sysinfo)
		dec = KerberosDecryptor(
			self.reader, dec_template, self.lsa_decryptor, self.sysinfo
		)

		dec.start()	

		for cred in dec.credentials:
			for ticket in cred.tickets:
				for fn in ticket.kirbi_data:
					self.kerberos_ccache.add_kirbi(ticket.kirbi_data[fn].native)
			
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].kerberos_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
Пример #5
0
    def get_kerberos(self):
        try:
            from minikerberos.ccache import CCACHE
        except ImportError:
            raise ImportError('You need to install minikerberos dependency')

        self.kerberos_ccache = CCACHE()
        dec_template = KerberosTemplate.get_template(self.sysinfo)
        dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
                                self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            for ticket in cred.tickets:
                for fn in ticket.kirbi_data:
                    self.kerberos_ccache.add_kirbi(
                        ticket.kirbi_data[fn].native)

            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].kerberos_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)
def main():
    import argparse
    parser = argparse.ArgumentParser(
        description=
        'Parses CCACHE file and outputs all TGS tickets in a hashcat-crackable format'
    )
    parser.add_argument('ccache', help='CCACHE file to roast')

    args = parser.parse_args()

    ccache = CCACHE.from_file(args.ccache)
    for hash in ccache.get_hashes(all_hashes=True):
        print(hash)
Пример #7
0
 def add_secret(self, st: KerberosSecretType, secret: str):
     if st == KerberosSecretType.PASSWORD or st == KerberosSecretType.PW or st == KerberosSecretType.PASS:
         if secret == '' or secret is None:
             self.password = getpass.getpass(
                 'Enter Kerberos credential password:')
         else:
             self.password = secret
     elif st == KerberosSecretType.NT or st == KerberosSecretType.RC4:
         self.nt_hash = secret
         self.kerberos_key_rc4 = secret
     elif st == KerberosSecretType.AES128:
         self.kerberos_key_aes_128 = secret
     elif st == KerberosSecretType.AES256:
         self.kerberos_key_aes_256 = secret
     elif st == KerberosSecretType.DES:
         self.kerberos_key_des = secret
     elif st == KerberosSecretType.DES3 or st == KerberosSecretType.TDES:
         self.kerberos_key_des3 = secret
     elif st == KerberosSecretType.CCACHE:
         self.ccache = CCACHE.from_file(secret)
Пример #8
0
    def from_connection_string(s):
        """
        Credential input format:
        <domain>/<username>/<secret_type>:<secret>@<dc_ip_or_hostname>
        """
        cred = KerberosCredential()

        cred.domain, t = s.split('/', 1)
        cred.username, t = t.split('/', 1)
        secret_type, t = t.split(':', 1)
        secret, target = t.rsplit('@', 1)

        st = KerberosSecretType(secret_type.upper())
        if st == KerberosSecretType.PASSWORD or st == KerberosSecretType.PW or st == KerberosSecretType.PASS:
            if secret == '' or secret is None:
                cred.password = getpass.getpass(
                    'Enter Kerberos credential password:')
            else:
                cred.password = secret

        elif st == KerberosSecretType.NT or st == KerberosSecretType.RC4:
            cred.nt_hash = secret
            cred.kerberos_key_rc4 = secret

        elif st == KerberosSecretType.AES:
            cred.kerberos_key_aes_256 = secret
            cred.kerberos_key_aes_128 = secret

        elif st == KerberosSecretType.DES:
            cred.kerberos_key_des = secret

        elif st == KerberosSecretType.DES3 or st == KerberosSecretType.TDES:
            cred.kerberos_key_des3 = secret

        elif st == KerberosSecretType.CCACHE:
            cred.ccache = CCACHE.from_file(secret)

        cred.target = target
        return cred
def main():
    import argparse

    parser = argparse.ArgumentParser(
        description='Convert ccache file to kirbi file(s)')
    parser.add_argument('ccache', help='path to the ccache file')
    parser.add_argument(
        'kirbidir', help='output directory fir the extracted kirbi file(s)')
    parser.add_argument('-v', '--verbose', action='count', default=0)

    args = parser.parse_args()
    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
    elif args.verbose == 1:
        logging.basicConfig(level=logging.DEBUG)
    else:
        logging.basicConfig(level=1)

    logging.info('Parsing CCACHE file')
    cc = CCACHE.from_file(args.ccache)
    logging.info('Extracting kirbi file(s)')
    cc.to_kirbidir(args.kirbidir)
    logging.info('Done!')
Пример #10
0
class pypykatz:
    def __init__(self, reader, sysinfo):
        self.reader = reader
        self.sysinfo = sysinfo
        self.credentials = []
        self.architecture = None
        self.operating_system = None
        self.buildnumber = None
        self.lsa_decryptor = None

        self.logon_sessions = {}
        self.orphaned_creds = []
        self.kerberos_ccache = CCACHE()

    def to_dict(self):
        t = {}
        t['logon_sessions'] = {}
        for ls in self.logon_sessions:
            # print(ls)
            t['logon_sessions'][ls] = (self.logon_sessions[ls].to_dict())
        t['orphaned_creds'] = []
        for oc in self.orphaned_creds:
            t['orphaned_creds'].append(oc.to_dict())
        return t

    def to_json(self):
        return json.dumps(self.to_dict(), cls=UniversalEncoder)

    @staticmethod
    def go_live():
        if platform.system() != 'Windows':
            raise Exception('Live parsing will only work on Windows')
        from pypykatz.commons.readers.local.live_reader import LiveReader
        reader = LiveReader()
        sysinfo = KatzSystemInfo.from_live_reader(reader)
        mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_minidump_file(filename):
        try:
            minidump = MinidumpFile.parse(filename)
            reader = minidump.get_reader().get_buffered_reader()
            sysinfo = KatzSystemInfo.from_minidump(minidump)
        except Exception as e:
            logger.exception('Minidump parsing error!')
            raise e
        try:
            mimi = pypykatz(reader, sysinfo)
            mimi.start()
        except Exception as e:
            #logger.info('Credentials parsing error!')
            mimi.log_basic_info()
            raise e
        return mimi

    @staticmethod
    def parse_minidump_bytes(data):
        """
		Parses LSASS minidump file bytes.
		data needs to be bytearray
		"""
        minidump = MinidumpFile.parse_bytes(data)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_minidump_external(handle):
        """
		Parses LSASS minidump file based on the file object.
		File object can really be any object as longs as 
		it implements read, seek, tell functions with the 
		same parameters as a file object would.

		handle: file like object
		"""
        minidump = MinidumpFile.parse_external(handle)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_minidump_buffer(buff):
        """
		Parses LSASS minidump file which contents are in a bytes buffer
		buff: io.BytesIO object
		"""
        minidump = MinidumpFile.parse_buff(buff)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_memory_dump_rekall(filename, override_timestamp=None):
        from pypykatz.commons.readers.rekall.rekallreader import RekallReader
        reader = RekallReader.from_memory_file(filename, override_timestamp)
        sysinfo = KatzSystemInfo.from_rekallreader(reader)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def go_rekall(session, override_timestamp=None, buildnumber=None):
        from pypykatz.commons.readers.rekall.rekallreader import RekallReader
        reader = RekallReader.from_session(session, override_timestamp,
                                           buildnumber)
        sysinfo = KatzSystemInfo.from_rekallreader(reader)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def go_volatility3(vol3_obj):
        from pypykatz.commons.readers.volatility3.volreader import Vol3Reader, vol3_treegrid
        reader = Vol3Reader(vol3_obj)
        sysinfo = reader.get_sysinfo()
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return vol3_treegrid(mimi)

    def log_basic_info(self):
        """
		In case of error, please attach this to the issues page
		"""
        logger.info('===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
        logger.info('pypyKatz version: %s' % __version__)
        logger.info('CPU arch: %s' % self.sysinfo.architecture.name)
        logger.info('OS: %s' % self.sysinfo.operating_system)
        logger.info('BuildNumber: %s' % self.sysinfo.buildnumber)
        logger.info('MajorVersion: %s ' % self.sysinfo.major_version)
        logger.info('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
        logger.info('===== BASIC INFO END =====')

    def get_logoncreds(self):
        credman_template = CredmanTemplate.get_template(self.sysinfo)
        msv_template = MsvTemplate.get_template(self.sysinfo)
        logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
                                           self.lsa_decryptor,
                                           credman_template, self.sysinfo)
        logoncred_decryptor.start()
        self.logon_sessions = logoncred_decryptor.logon_sessions

    def get_lsa_bruteforce(self):
        #good luck!
        logger.info('Testing all available templates! Expect warnings!')
        for lsa_dec_template in LsaTemplate.get_template_brute(self.sysinfo):
            try:
                lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template,
                                              self.sysinfo)
                logger.debug(lsa_dec.dump())
            except:
                pass
            else:
                logger.info(
                    'Lucky you! Brutefoce method found a -probably- working template!'
                )
                return lsa_dec

    def get_lsa(self):
        #trying with automatic template detection
        try:
            lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
            lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template,
                                          self.sysinfo)
            logger.debug(lsa_dec.dump())
        except:
            logger.exception(
                'Failed to automatically detect correct LSA template!')
            lsa_dec = self.get_lsa_bruteforce()
            if lsa_dec is None:
                raise Exception('All detection methods failed.')
            return lsa_dec
        else:
            return lsa_dec

    def get_wdigest(self):
        decryptor_template = WdigestTemplate.get_template(self.sysinfo)
        decryptor = WdigestDecryptor(self.reader, decryptor_template,
                                     self.lsa_decryptor, self.sysinfo)
        decryptor.start()
        for cred in decryptor.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].wdigest_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_tspkg(self):
        tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
        tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
                                   self.lsa_decryptor, self.sysinfo)
        tspkg_dec.start()
        for cred in tspkg_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].tspkg_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_ssp(self):
        dec_template = SspTemplate.get_template(self.sysinfo)
        dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
                           self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].ssp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_livessp(self):
        livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
        livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
                                       self.lsa_decryptor, self.sysinfo)
        livessp_dec.start()
        for cred in livessp_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].livessp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_dpapi(self):
        dec_template = DpapiTemplate.get_template(self.sysinfo)
        dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
                             self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].dpapi_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_kerberos(self):
        dec_template = KerberosTemplate.get_template(self.sysinfo)
        dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
                                self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            for ticket in cred.tickets:
                for fn in ticket.kirbi_data:
                    self.kerberos_ccache.add_kirbi(
                        ticket.kirbi_data[fn].native)

            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].kerberos_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def start(self):
        #self.log_basic_info()
        #input()
        self.lsa_decryptor = self.get_lsa()
        self.get_logoncreds()
        self.get_wdigest()
        self.get_kerberos()
        self.get_tspkg()
        self.get_ssp()
        self.get_livessp()
        self.get_dpapi()
Пример #11
0
class pypykatz:
    def __init__(self, reader, sysinfo):
        self.reader = reader
        self.sysinfo = sysinfo
        self.credentials = []
        self.architecture = None
        self.operating_system = None
        self.buildnumber = None
        self.lsa_decryptor = None

        self.logon_sessions = []
        self.orphaned_creds = []
        self.kerberos_ccache = CCACHE()

        #self.logger = logging.getLogger('pypykatz')

    def to_dict(self):
        t = {}
        t['logon_sessions'] = self.logon_sessions
        t['orphaned_creds'] = self.orphaned_creds
        return t

    def to_json(self):
        return json.dumps(self.to_dict())

    @staticmethod
    def go_live():
        reader = LiveReader()
        sysinfo = KatzSystemInfo.from_live_reader(reader)
        mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_minidump_file(filename):
        try:
            minidump = MinidumpFile.parse(filename)
            reader = minidump.get_reader().get_buffered_reader()
            sysinfo = KatzSystemInfo.from_minidump(minidump)
        except Exception as e:
            logger.exception('Minidump parsing error!')
            raise e
        try:
            mimi = pypykatz(reader, sysinfo)
            mimi.start()
        except Exception as e:
            #logger.info('Credentials parsing error!')
            mimi.log_basic_info()
            raise e
        return mimi

    @staticmethod
    def parse_minidump_bytes(data):
        minidump = MinidumpFile.parse_bytes(data)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_minidump_buffer(buff):
        minidump = MinidumpFile.parse_buff(buff)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_memory_dump_rekall(filename, override_timestamp=None):
        from pypykatz.commons.readers.rekall.rekallreader import RekallReader
        reader = RekallReader.from_memory_file(filename, override_timestamp)
        sysinfo = KatzSystemInfo.from_rekallreader(reader)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def go_rekall(session, override_timestamp=None, buildnumber=None):
        from pypykatz.commons.readers.rekall.rekallreader import RekallReader
        reader = RekallReader.from_session(session, override_timestamp,
                                           buildnumber)
        sysinfo = KatzSystemInfo.from_rekallreader(reader)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    def log_basic_info(self):
        """
		In case of error, please attach this to the issues page
		"""
        logger.info('===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
        logger.info('CPU arch: %s' % self.sysinfo.architecture.name)
        logger.info('OS: %s' % self.sysinfo.operating_system)
        logger.info('BuildNumber: %s' % self.sysinfo.buildnumber)
        logger.info('MajorVersion: %s ' % self.sysinfo.major_version)
        logger.info('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
        logger.info('===== BASIC INFO END =====')

    def get_logoncreds(self):
        credman_template = CredmanTemplate.get_template(self.sysinfo)
        msv_template = MsvTemplate.get_template(self.sysinfo)
        logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
                                           self.lsa_decryptor,
                                           credman_template, self.sysinfo)
        logoncred_decryptor.start()
        self.logon_sessions = logoncred_decryptor.logon_sessions

    def get_lsa(self):
        lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
        lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
        logger.debug(lsa_dec.dump())
        return lsa_dec

    def get_wdigest(self):
        decryptor_template = WdigestTemplate.get_template(self.sysinfo)
        decryptor = WdigestDecryptor(self.reader, decryptor_template,
                                     self.lsa_decryptor, self.sysinfo)
        decryptor.start()
        for cred in decryptor.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].wdigest_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_tspkg(self):
        tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
        tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
                                   self.lsa_decryptor, self.sysinfo)
        tspkg_dec.start()
        for cred in tspkg_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].tspkg_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_ssp(self):
        dec_template = SspTemplate.get_template(self.sysinfo)
        dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
                           self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].ssp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_livessp(self):
        livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
        livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
                                       self.lsa_decryptor, self.sysinfo)
        livessp_dec.start()
        for cred in livessp_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].livessp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_dpapi(self):
        dec_template = DpapiTemplate.get_template(self.sysinfo)
        dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
                             self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].dpapi_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_kerberos(self):
        dec_template = KerberosTemplate.get_template(self.sysinfo)
        dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
                                self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            for ticket in cred.tickets:
                for fn in ticket.kirbi_data:
                    self.kerberos_ccache.add_kirbi(
                        ticket.kirbi_data[fn].native)

            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].kerberos_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def start(self):
        #self.log_basic_info()
        #input()
        self.lsa_decryptor = self.get_lsa()
        self.get_logoncreds()
        self.get_wdigest()
        self.get_kerberos()
        self.get_tspkg()
        self.get_ssp()
        self.get_livessp()
        self.get_dpapi()
Пример #12
0
#
# Author:
#  Tamas Jos (@skelsec)
#
import os
import logging
from minikerberos.ccache import CCACHE

if __name__ == '__main__':
    import argparse

    parser = argparse.ArgumentParser(
        description='Convert ccache file to kirbi file(s)')
    parser.add_argument('ccache', help='path to the ccache file')
    parser.add_argument(
        'kirbidir', help='output directory fir the extracted kirbi file(s)')
    parser.add_argument('-v', '--verbose', action='count', default=0)

    args = parser.parse_args()
    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
    elif args.verbose == 1:
        logging.basicConfig(level=logging.DEBUG)
    else:
        logging.basicConfig(level=1)

    logging.info('Parsing CCACHE file')
    cc = CCACHE.from_file(args.ccache)
    logging.info('Extracting kirbi file(s)')
    cc.to_kirbidir(args.kirbidir)
    logging.info('Done!')
Пример #13
0
from minikerberos.ccache import CCACHE

if __name__ == '__main__':
	import argparse
	
	parser = argparse.ArgumentParser(description='Convert kirbi file(s) to a single ccache file')
	parser.add_argument('kirbi', help='path to the kirbi file or a of kirbi files')
	parser.add_argument('ccache', help='ccache file name to be created')
	
	parser.add_argument('-v', '--verbose', action='count', default=0)
	
	args = parser.parse_args()
	if args.verbose == 0:
		logging.basicConfig(level=logging.INFO)
	elif args.verbose == 1:
		logging.basicConfig(level=logging.DEBUG)
	else:
		logging.basicConfig(level=1)
	
	abs_path = os.path.abspath(args.kirbi)
	if os.path.isdir(abs_path):	
		logging.info('Parsing kirbi files in directory %s' % abs_path)
		cc = CCACHE.from_kirbidir(abs_path)
		cc.to_file(args.ccache)
		
	else:
		logging.info('Parsing kirbi file %s' % abs_path)
		cc = CCACHE.from_kirbifile(abs_path)
		cc.to_file(args.ccache)
		
	logging.info('Done!')
Пример #14
0
def main():
    import argparse

    parser = argparse.ArgumentParser(
        description='Tool to manipulate CCACHE files')
    subparsers = parser.add_subparsers(help='commands')
    subparsers.required = True
    subparsers.dest = 'command'

    roast_group = subparsers.add_parser(
        'roast', help='Lists all tickets in hashcat-friendly format')
    roast_group.add_argument('-a',
                             '--allhash',
                             action='store_true',
                             help='Process all tickets, regardless of enctype')
    roast_group.add_argument('-o', '--outfile', help='Output hash file name')

    list_group = subparsers.add_parser('list',
                                       help='List all tickets in the file')

    delete_group = subparsers.add_parser(
        'del',
        help=
        'Delete ticket(s) from file, store the new ccache file in a specified filename, or an automatically generated one'
    )
    delete_group.add_argument('-o',
                              '--outfile',
                              help='Output ccache file name')
    delete_group.add_argument('-i',
                              '--id',
                              type=int,
                              action='append',
                              help='Ticket ID to delete',
                              required=True)
    parser.add_argument('ccachefile', help='input CCACHE file')
    args = parser.parse_args()

    logging.basicConfig(level=logging.INFO)
    logging.debug('Opening file %s' % args.ccachefile)
    cc = CCACHE.from_file(args.ccachefile)

    if args.command == 'list':
        table = []
        table.append(['id'] + Credential.summary_header())
        i = 0
        for cred in cc.credentials:
            table.append([str(i)] + cred.summary())
            i += 1
        print()  #this line intentionally left blank
        print_table(table)

    elif args.command == 'roast':
        if args.outfile:
            with open(args.outfile, 'wb') as f:
                for h in cc.get_hashes(all_hashes=args.allhash):
                    f.write(h.encode() + b'\r\n')
        else:
            for h in cc.get_hashes(all_hashes=args.allhash):
                print(h)

    elif args.command == 'del':
        #delete
        output_filename = os.path.join(
            os.path.dirname(os.path.abspath(args.ccachefile)),
            '%s.edited.ccache' %
            ntpath.basename(args.ccachefile))  #sorry for this, im tired now :(
        id = args.id
        temp_cc = CCACHE()
        temp_cc.file_format_version = cc.file_format_version
        temp_cc.headerlen = cc.headerlen
        temp_cc.headers = cc.headers
        temp_cc.primary_principal = cc.primary_principal
        i = 0
        for cred in cc.credentials:
            if i in id:
                i += 1
                continue

            temp_cc.credentials.append(cred)
            i += 1
        logging.info('Writing edited file to %s' % output_filename)
        temp_cc.to_file(output_filename)
Пример #15
0
class katz:
    def __init__(self, reader, sysinfo):
        self.reader = reader
        self.sysinfo = sysinfo
        self.credentials = []
        self.architecture = None
        self.operating_system = None
        self.buildnumber = None
        self.lsa_decryptor = None

        self.logon_sessions = []
        self.orphaned_creds = []
        self.kerberos_ccache = CCACHE()

        self.logger = logging.getLogger('pypykatz')

    @staticmethod
    def parse_minidump_file(filename):
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = katz(reader, sysinfo)
        mimi.start()
        return mimi

    def start(self):
        self.log_basic_info()
        self.lsa_decryptor = self.get_lsa()
        self.get_logoncreds()
        self.get_wdigest()
        self.get_kerberos()
        self.get_tspkg()
        self.get_ssp()
        self.get_livessp()
        self.get_dpapi()

    def log_basic_info(self):
        """
        In case of error, please attach this to the issues page
        """
        self.logger.debug(
            '===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
        self.logger.debug('CPU arch: %s' % self.sysinfo.architecture.name)
        self.logger.debug('OS: %s' % self.sysinfo.operating_system)
        self.logger.debug('BuildNumber: %s' % self.sysinfo.buildnumber)
        self.logger.debug('MajorVersion: %s ' % self.sysinfo.major_version)
        self.logger.debug('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
        self.logger.debug('===== BASIC INFO END =====')

    def get_logoncreds(self):
        credman_template = CredmanTemplate.get_template(self.sysinfo)
        msv_template = MsvTemplate.get_template(self.sysinfo)
        logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
                                           self.lsa_decryptor,
                                           credman_template, self.sysinfo)
        logoncred_decryptor.start()
        self.logon_sessions = logoncred_decryptor.logon_sessions

    def get_lsa(self):
        lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
        lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
        self.logger.debug(lsa_dec.dump())
        return lsa_dec

    def get_wdigest(self):
        decryptor_template = WdigestTemplate.get_template(self.sysinfo)
        decryptor = WdigestDecryptor(self.reader, decryptor_template,
                                     self.lsa_decryptor, self.sysinfo)
        decryptor.start()
        for cred in decryptor.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].wdigest_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_tspkg(self):
        tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
        tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
                                   self.lsa_decryptor, self.sysinfo)
        tspkg_dec.start()
        for cred in tspkg_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].tspkg_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_ssp(self):
        dec_template = SspTemplate.get_template(self.sysinfo)
        dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
                           self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].ssp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_livessp(self):
        livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
        livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
                                       self.lsa_decryptor, self.sysinfo)
        livessp_dec.start()
        for cred in livessp_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].livessp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_dpapi(self):
        dec_template = DpapiTemplate.get_template(self.sysinfo)
        dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
                             self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].dpapi_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_kerberos(self):
        dec_template = KerberosTemplate.get_template(self.sysinfo)
        dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
                                self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            for ticket in cred.tickets:
                for fn in ticket.kirbi_data:
                    self.kerberos_ccache.add_kirbi(
                        ticket.kirbi_data[fn].native)

            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].kerberos_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)
Пример #16
0
class pypykatz:
	def __init__(self, reader, sysinfo, logger=None):
		self.reader = reader
		self.sysinfo = sysinfo
		self.credentials = []
		self.architecture = None
		self.operating_system = None
		self.buildnumber = None
		self.lsa_decryptor = None
		
		self.logon_sessions = []
		self.orphaned_creds = []
		self.kerberos_ccache = None
		
		self.logger = logger if logger else logging.getLogger('pypykatz')
		
	def to_dict(self):
		t = {}
		t['logon_sessions'] = {}
		for ls in self.logon_sessions:
			# print(ls)
			t['logon_sessions'][ls] = (self.logon_sessions[ls].to_dict())
		t['orphaned_creds'] = []
		for oc in self.orphaned_creds:
			t['orphaned_creds'].append(oc.to_dict())
		return t
		
	def to_json(self):
		return json.dumps(self.to_dict())
		
	@staticmethod
	def go_live():
		reader = LiveReader()
		sysinfo = KatzSystemInfo.from_live_reader(reader)
		mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
		mimi.start()
		return mimi
	
	def log_basic_info(self):
		"""
		In case of error, please attach this to the issues page
		"""
		self.logger.debug('===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====')
		self.logger.debug('CPU arch: %s' % self.sysinfo.architecture.name)
		self.logger.debug('OS: %s' % self.sysinfo.operating_system)
		self.logger.debug('BuildNumber: %s' % self.sysinfo.buildnumber)
		self.logger.debug('MajorVersion: %s ' % self.sysinfo.major_version)
		self.logger.debug('MSV timestamp: %s' % self.sysinfo.msv_dll_timestamp)
		self.logger.debug('===== BASIC INFO END =====')
		
	def get_logoncreds(self):
		credman_template = CredmanTemplate.get_template(self.sysinfo)
		msv_template = MsvTemplate.get_template(self.sysinfo)
		logoncred_decryptor = MsvDecryptor(self.reader, msv_template, self.lsa_decryptor, credman_template, self.sysinfo)
		logoncred_decryptor.start()
		self.logon_sessions = logoncred_decryptor.logon_sessions
	
	def get_lsa(self):
		lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
		lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
		# self.logger.debug(lsa_dec.dump())
		return lsa_dec
	
	def get_wdigest(self):
		decryptor_template = WdigestTemplate.get_template(self.sysinfo)
		decryptor = WdigestDecryptor(self.reader, decryptor_template, self.lsa_decryptor, self.sysinfo)
		decryptor.start()
		for cred in decryptor.credentials:
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].wdigest_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
	
	def get_tspkg(self):
		tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
		tspkg_dec = TspkgDecryptor(self.reader,tspkg_dec_template, self.lsa_decryptor, self.sysinfo)
		tspkg_dec.start()
		for cred in tspkg_dec.credentials:
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].tspkg_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
				
	def get_ssp(self):
		dec_template = SspTemplate.get_template(self.sysinfo)
		dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor, self.sysinfo)
		dec.start()
		for cred in dec.credentials:
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].ssp_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
				
	def get_livessp(self):
		livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
		livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template, self.lsa_decryptor, self.sysinfo)
		livessp_dec.start()
		for cred in livessp_dec.credentials:
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].livessp_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
				
	def get_dpapi(self):
		dec_template = DpapiTemplate.get_template(self.sysinfo)
		dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor, self.sysinfo)
		dec.start()
		for cred in dec.credentials:
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].dpapi_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
	
	def get_kerberos(self):
		if CCACHE is None:
			return

		self.kerberos_ccache = CCACHE()
		dec_template = KerberosTemplate.get_template(self.sysinfo)
		dec = KerberosDecryptor(
			self.reader, dec_template, self.lsa_decryptor, self.sysinfo
		)

		dec.start()	

		for cred in dec.credentials:
			for ticket in cred.tickets:
				for fn in ticket.kirbi_data:
					self.kerberos_ccache.add_kirbi(ticket.kirbi_data[fn].native)
			
			if cred.luid in self.logon_sessions:
				self.logon_sessions[cred.luid].kerberos_creds.append(cred)
			else:
				self.orphaned_creds.append(cred)
	
	def start(self):
		# self.log_basic_info()
		self.lsa_decryptor = self.get_lsa()
		for cb in (
			self.get_logoncreds, self.get_wdigest,
			self.get_kerberos, self.get_tspkg, self.get_ssp,
				self.get_livessp, self.get_dpapi):
			try:
				cb()
			except Exception as e:
				self.logger.exception(e)
Пример #17
0
    )
    delete_group.add_argument('-o',
                              '--outfile',
                              help='Output ccache file name')
    delete_group.add_argument('-i',
                              '--id',
                              type=int,
                              action='append',
                              help='Ticket ID to delete',
                              required=True)
    parser.add_argument('ccachefile', help='input CCACHE file')
    args = parser.parse_args()

    logging.basicConfig(level=logging.INFO)
    logging.debug('Opening file %s' % args.ccachefile)
    cc = CCACHE.from_file(args.ccachefile)

    if args.command == 'list':
        table = []
        table.append(['id'] + Credential.summary_header())
        i = 0
        for cred in cc.credentials:
            table.append([str(i)] + cred.summary())
            i += 1
        print()  #this line intentionally left blank
        print_table(table)

    elif args.command == 'del':
        #delete
        output_filename = os.path.join(
            os.path.dirname(os.path.abspath(args.ccachefile)),
Пример #18
0
from minikerberos.ccache import CCACHE

if __name__ == '__main__':
    ccache = CCACHE.from_file(
        '../../ktest/victim_lsass_latest.dmp_229c8765.ccache')
    print(ccache.get_hashes(all_hashes=True))
Пример #19
0
class pypykatz:
    """mimikatz offline"""
    def __init__(self, reader, sysinfo):
        self.reader = reader
        self.sysinfo = sysinfo
        self.credentials = []
        self.architecture = None
        self.operating_system = None
        self.buildnumber = None
        self.lsa_decryptor = None

        self.logon_sessions = []
        self.orphaned_creds = []
        self.kerberos_ccache = CCACHE()

    def to_dict(self):
        t = {}
        t['logon_sessions'] = self.logon_sessions
        t['orphaned_creds'] = self.orphaned_creds
        return t

    def to_json(self):
        return json.dumps(self.to_dict())

    @staticmethod
    def go_live():
        reader = LiveReader()
        sysinfo = KatzSystemInfo.from_live_reader(reader)
        mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_minidump_file(filename):
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def parse_memory_dump_rekall(filename, override_timestamp=None):
        from pypykatz.commons.readers.rekall.rekallreader import RekallReader
        reader = RekallReader.from_memory_file(filename, override_timestamp)
        sysinfo = KatzSystemInfo.from_rekallreader(reader)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    @staticmethod
    def go_rekall(session, override_timestamp=None):
        from pypykatz.commons.readers.rekall.rekallreader import RekallReader
        reader = RekallReader.from_session(session, override_timestamp)
        sysinfo = KatzSystemInfo.from_rekallreader(reader)
        mimi = pypykatz(reader, sysinfo)
        mimi.start()
        return mimi

    def get_logoncreds(self):
        credman_template = CredmanTemplate.get_template(self.sysinfo)
        msv_template = MsvTemplate.get_template(self.sysinfo)
        logoncred_decryptor = MsvDecryptor(self.reader, msv_template,
                                           self.lsa_decryptor,
                                           credman_template, self.sysinfo)
        logoncred_decryptor.start()
        self.logon_sessions = logoncred_decryptor.logon_sessions

    def get_lsa(self):
        lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
        lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
        logging.debug(lsa_dec.dump())
        return lsa_dec

    def get_wdigest(self):
        decryptor_template = WdigestTemplate.get_template(self.sysinfo)
        decryptor = WdigestDecryptor(self.reader, decryptor_template,
                                     self.lsa_decryptor, self.sysinfo)
        decryptor.start()
        for cred in decryptor.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].wdigest_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_tspkg(self):
        tspkg_dec_template = TspkgTemplate.get_template(self.sysinfo)
        tspkg_dec = TspkgDecryptor(self.reader, tspkg_dec_template,
                                   self.lsa_decryptor, self.sysinfo)
        tspkg_dec.start()
        for cred in tspkg_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].tspkg_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_ssp(self):
        dec_template = SspTemplate.get_template(self.sysinfo)
        dec = SspDecryptor(self.reader, dec_template, self.lsa_decryptor,
                           self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].ssp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_livessp(self):
        livessp_dec_template = LiveSspTemplate.get_template(self.sysinfo)
        livessp_dec = LiveSspDecryptor(self.reader, livessp_dec_template,
                                       self.lsa_decryptor, self.sysinfo)
        livessp_dec.start()
        for cred in livessp_dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].livessp_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_dpapi(self):
        dec_template = DpapiTemplate.get_template(self.sysinfo)
        dec = DpapiDecryptor(self.reader, dec_template, self.lsa_decryptor,
                             self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].dpapi_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def get_kerberos(self):
        dec_template = KerberosTemplate.get_template(self.sysinfo)
        dec = KerberosDecryptor(self.reader, dec_template, self.lsa_decryptor,
                                self.sysinfo)
        dec.start()
        for cred in dec.credentials:
            for ticket in cred.tickets:
                for fn in ticket.kirbi_data:
                    self.kerberos_ccache.add_kirbi(
                        ticket.kirbi_data[fn].native)

            if cred.luid in self.logon_sessions:
                self.logon_sessions[cred.luid].kerberos_creds.append(cred)
            else:
                self.orphaned_creds.append(cred)

    def start(self):
        self.lsa_decryptor = self.get_lsa()
        self.get_logoncreds()
        self.get_wdigest()
        #CHICKEN BITS - UNTESTED!!! DO NOT UNCOMMENT
        self.get_kerberos()
        self.get_tspkg()
        self.get_ssp()
        self.get_livessp()
        self.get_dpapi()