Skip to content

Instantly share code, notes, and snippets.

@dadevel
Last active August 30, 2024 05:04
Show Gist options
  • Save dadevel/1fdb0dc2afc470140c211236e9277fc9 to your computer and use it in GitHub Desktop.
Save dadevel/1fdb0dc2afc470140c211236e9277fc9 to your computer and use it in GitHub Desktop.
Impacket AES Key Calculator
#!/usr/bin/env python3
from argparse import ArgumentParser
from binascii import unhexlify, hexlify
import json
from impacket.krb5.constants import EncryptionTypes
from impacket.krb5.crypto import string_to_key
# source: https://snovvcrash.rocks/2021/05/21/calculating-kerberos-keys.html
# usage: ./impacket-aeskey.py -d corp.local -c srv01 -p 8bd8406a...
def calc_keys(password: bytes, salt: bytes):
allciphers = {
'aes128_hmac': EncryptionTypes.aes128_cts_hmac_sha1_96.value,
'aes256_hmac': EncryptionTypes.aes256_cts_hmac_sha1_96.value,
}
result = {}
for name, cipher in allciphers.items():
fixed_password = password.decode('utf-16le', 'replace').encode('utf-8', 'replace')
key = string_to_key(cipher, fixed_password, salt)
result[name] = hexlify(key.contents).decode('utf-8')
return result
def calc_machine_keys(domain: str, hostname: str, hexpassword: str) -> dict[str, str]:
return calc_keys(unhexlify(hexpassword), f'{domain.upper()}host{hostname.lower()}.{domain.lower()}'.encode('utf-8'))
def calc_user_keys(domain: str, username: str, rawpassword: str) -> dict[str, str]:
return calc_keys(rawpassword.encode('utf-16le'), f'{domain.upper()}{username}'.encode('utf8'))
def main() -> None:
entrypoint = ArgumentParser()
entrypoint.add_argument('-d', '--domain', required=True)
group = entrypoint.add_mutually_exclusive_group()
group.add_argument('-u', '--user', metavar='USERNAME')
group.add_argument('-c', '--computer', metavar='HOSTNAME')
entrypoint.add_argument('-p', '--password', metavar='USER_PLAIN_PASS|COMPUTER_HEX_PASS')
opts = entrypoint.parse_args()
if opts.user:
keys = calc_user_keys(opts.domain, opts.user, opts.password)
else:
keys = calc_machine_keys(opts.domain, opts.computer, opts.password)
print(json.dumps(keys))
if __name__ == '__main__':
main()
blinker==1.8.2
cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
cryptography==42.0.8
dnspython==2.6.1
dsinternals==1.2.4
Flask==3.0.3
future==1.0.0
impacket==0.11.0
itsdangerous==2.2.0
Jinja2==3.1.4
ldap3==2.9.1
ldapdomaindump==0.9.4
MarkupSafe==2.1.5
pyasn1==0.6.0
pycparser==2.22
pycryptodomex==3.20.0
pyOpenSSL==24.1.0
six==1.16.0
Werkzeug==3.0.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment