@dadevel
Last active June 11, 2024 17:12
Impacket AES Key Calculator
#!/usr/bin/env python3
from argparse import ArgumentParser
from binascii import unhexlify, hexlify
import json
from impacket.krb5.constants import EncryptionTypes
from impacket.krb5.crypto import string_to_key
# source: https://snovvcrash.rocks/2021/05/21/calculating-kerberos-keys.html
# usage: ./impacket-aeskey.py -d corp.local -c srv01 -p 8bd8406a...
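def calc_keys(password: bytes, salt: bytes) -> dict[str, str]:
    """Derive the AES128 and AES256 Kerberos keys for a password/salt pair.

    Args:
        password: The password as UTF-16LE encoded bytes. It is decoded as
            UTF-16LE and re-encoded as UTF-8 before key derivation.
        salt: The Kerberos salt as bytes, built by the caller.

    Returns:
        A dict mapping 'aes128_hmac' and 'aes256_hmac' to the hex-encoded
        key contents returned by impacket's string_to_key().

    The returned values are the account's long-term Kerberos keys, so they
    need the same handling as the password they were derived from.
    """
    allciphers = {
        'aes128_hmac': EncryptionTypes.aes128_cts_hmac_sha1_96.value,
        'aes256_hmac': EncryptionTypes.aes256_cts_hmac_sha1_96.value,
    }
    # The re-encoding does not depend on the cipher, so do it once instead of
    # once per loop iteration. The 'replace' handlers substitute byte
    # sequences that are not valid UTF-16 rather than raising, which matters
    # for machine passwords supplied as arbitrary bytes.
    fixed_password = password.decode('utf-16le', 'replace').encode('utf-8', 'replace')
    return {
        name: hexlify(string_to_key(cipher, fixed_password, salt).contents).decode('utf-8')
        for name, cipher in allciphers.items()
    }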
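def calc_machine_keys(domain: str, hostname: str, hexpassword: str) -> dict[str, str]:
    """Derive the AES keys of a computer account from its hex-encoded password.

    Args:
        domain: DNS name of the domain; used upper-cased as the realm prefix
            and lower-cased as the host's DNS suffix.
        hostname: Short computer name. A trailing '$' (the account-name form,
            e.g. 'srv01$') is dropped, because the salt is built from the
            bare host name. The domain is appended here, so an FQDN would
            produce a wrong salt.
        hexpassword: The machine password as a hex string of the raw
            UTF-16LE bytes.

    Returns:
        The dict produced by calc_keys().

    Raises:
        binascii.Error: If hexpassword is not valid hex (from unhexlify).
    """
    # Previously 'srv01$' was embedded verbatim and silently yielded keys
    # that do not match the account.
    host = hostname.removesuffix('$').lower()
    salt = f'{domain.upper()}host{host}.{domain.lower()}'.encode('utf-8')
    return calc_keys(unhexlify(hexpassword), salt)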
def calc_user_keys(domain: str, username: str, rawpassword: str) -> dict[str, str]:
    """Derive the AES keys of a user account from its plaintext password.

    Args:
        domain: DNS name of the domain; upper-cased to form the realm part
            of the salt.
        username: Account name, appended to the realm verbatim. No case
            folding is applied, so it must be given exactly as the salt
            expects it.
        rawpassword: The plaintext password.

    Returns:
        The dict produced by calc_keys().
    """
    realm = domain.upper()
    salt = f'{realm}{username}'.encode('utf8')
    # calc_keys() expects UTF-16LE bytes and converts them to UTF-8 itself.
    password_bytes = rawpassword.encode('utf-16le')
    return calc_keys(password_bytes, salt)
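def main() -> None:
    """Parse the command line, derive the keys and print them as JSON.

    Exactly one of -u/--user or -c/--computer must be given. The password
    comes from -p/--password, or from a no-echo prompt when -p is omitted.
    The JSON written to stdout contains key material, so redirecting it to a
    file or a log stores credentials there.
    """
    from getpass import getpass  # local import: only needed when -p is omitted

    entrypoint = ArgumentParser()
    entrypoint.add_argument('-d', '--domain', required=True)
    # Without required=True a call with neither -u nor -c fell through to the
    # machine branch and crashed on hostname=None instead of printing usage.
    group = entrypoint.add_mutually_exclusive_group(required=True)
    group.add_argument('-u', '--user', metavar='USERNAME')
    group.add_argument('-c', '--computer', metavar='HOSTNAME')
    entrypoint.add_argument('-p', '--password', metavar='USER_PLAIN_PASS|COMPUTER_HEX_PASS')
    opts = entrypoint.parse_args()

    # A secret passed with -p is recorded in shell history and is visible in
    # the process list; prompting keeps it out of both. Omitting -p used to
    # crash on password=None.
    secret = opts.password if opts.password is not None else getpass('Password: ')

    if opts.user is not None:
        keys = calc_user_keys(opts.domain, opts.user, secret)
    else:
        keys = calc_machine_keys(opts.domain, opts.computer, secret)
    print(json.dumps(keys))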
# Run the CLI only when executed as a script, so importing the module for its
# calc_* helpers has no side effects.
if __name__ == '__main__':
    main()
# Pinned dependency list in pip requirements format, presumably for the
# script above. The script imports only impacket; the remaining entries look
# like its transitive dependencies (TODO confirm).
# Versions are pinned exactly but carry no --hash entries, so pip does not
# check artifact digests; add hashes and install with --require-hashes if
# that guarantee is wanted.
blinker==1.8.2
cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
cryptography==42.0.8
dnspython==2.6.1
dsinternals==1.2.4
Flask==3.0.3
future==1.0.0
impacket==0.11.0
itsdangerous==2.2.0
Jinja2==3.1.4
ldap3==2.9.1
ldapdomaindump==0.9.4
MarkupSafe==2.1.5
pyasn1==0.6.0
pycparser==2.22
pycryptodomex==3.20.0
pyOpenSSL==24.1.0
six==1.16.0
Werkzeug==3.0.3