-
Notifications
You must be signed in to change notification settings - Fork 3.6k
/
describeTicket.py
executable file
·798 lines (719 loc) · 39.9 KB
/
describeTicket.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
#!/usr/bin/env python3
# Impacket - Collection of Python classes for working with network protocols.
#
# Copyright Fortra, LLC and its affiliated companies
#
# All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description:
# Ticket describer. Parses ticket, decrypts the enc-part, and parses the PAC.
#
# Authors:
# Remi Gascou (@podalirius_)
# Charlie Bromberg (@_nwodtuhs)
# Mathieu Calemard du Gardin (@Dramelac_)
import logging
import sys
import traceback
import argparse
import datetime
import base64
from typing import Sequence
from Cryptodome.Hash import MD4
from enum import Enum
from binascii import unhexlify, hexlify
from pyasn1.codec.der import decoder
from impacket import version
from impacket.dcerpc.v5.dtypes import FILETIME, PRPC_SID
from impacket.dcerpc.v5.rpcrt import TypeSerialization1
from impacket.examples import logger
from impacket.krb5 import constants, pac
from impacket.krb5.asn1 import TGS_REP, EncTicketPart, AD_IF_RELEVANT
from impacket.krb5.ccache import CCache
from impacket.krb5.constants import ChecksumTypes
from impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum, string_to_key
from impacket.ldap.ldaptypes import LDAP_SID
PSID = PRPC_SID
class User_Flags(Enum):
LOGON_EXTRA_SIDS = 0x0020
LOGON_RESOURCE_GROUPS = 0x0200
# 2.2.1.10 SE_GROUP Attributes
class SE_GROUP_Attributes(Enum):
SE_GROUP_MANDATORY = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED = 0x00000004
# 2.2.1.12 USER_ACCOUNT Codes
class USER_ACCOUNT_Codes(Enum):
USER_ACCOUNT_DISABLED = 0x00000001
USER_HOME_DIRECTORY_REQUIRED = 0x00000002
USER_PASSWORD_NOT_REQUIRED = 0x00000004
USER_TEMP_DUPLICATE_ACCOUNT = 0x00000008
USER_NORMAL_ACCOUNT = 0x00000010
USER_MNS_LOGON_ACCOUNT = 0x00000020
USER_INTERDOMAIN_TRUST_ACCOUNT = 0x00000040
USER_WORKSTATION_TRUST_ACCOUNT = 0x00000080
USER_SERVER_TRUST_ACCOUNT = 0x00000100
USER_DONT_EXPIRE_PASSWORD = 0x00000200
USER_ACCOUNT_AUTO_LOCKED = 0x00000400
USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000800
USER_SMARTCARD_REQUIRED = 0x00001000
USER_TRUSTED_FOR_DELEGATION = 0x00002000
USER_NOT_DELEGATED = 0x00004000
USER_USE_DES_KEY_ONLY = 0x00008000
USER_DONT_REQUIRE_PREAUTH = 0x00010000
USER_PASSWORD_EXPIRED = 0x00020000
USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x00040000
USER_NO_AUTH_DATA_REQUIRED = 0x00080000
USER_PARTIAL_SECRETS_ACCOUNT = 0x00100000
USER_USE_AES_KEYS = 0x00200000
# 2.2.1.13 UF_FLAG Codes
class UF_FLAG_Codes(Enum):
UF_SCRIPT = 0x00000001
UF_ACCOUNTDISABLE = 0x00000002
UF_HOMEDIR_REQUIRED = 0x00000008
UF_LOCKOUT = 0x00000010
UF_PASSWD_NOTREQD = 0x00000020
UF_PASSWD_CANT_CHANGE = 0x00000040
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080
UF_TEMP_DUPLICATE_ACCOUNT = 0x00000100
UF_NORMAL_ACCOUNT = 0x00000200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_MNS_LOGON_ACCOUNT = 0x00020000
UF_SMARTCARD_REQUIRED = 0x00040000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_USE_DES_KEY_ONLY = 0x00200000
UF_DONT_REQUIRE_PREAUTH = 0x00400000
UF_PASSWORD_EXPIRED = 0x00800000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000
UF_NO_AUTH_DATA_REQUIRED = 0x02000000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000
UF_USE_AES_KEYS = 0x08000000
# PAC_ATTRIBUTES_INFO Flags code
class Upn_Dns_Flags(Enum):
U_UsernameOnly = 0x00000001
S_SidSamSupplied = 0x00000002
# PAC_ATTRIBUTES_INFO Flags code
class Attributes_Flags(Enum):
PAC_WAS_REQUESTED = 0x00000001
PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
# Builtin known Windows Group
MsBuiltInGroups = {
"498": "Enterprise Read-Only Domain Controllers",
"512": "Domain Admins",
"513": "Domain Users",
"514": "Domain Guests",
"515": "Domain Computers",
"516": "Domain Controllers",
"517": "Cert Publishers",
"518": "Schema Admins",
"519": "Enterprise Admins",
"520": "Group Policy Creator Owners",
"521": "Read-Only Domain Controllers",
"522": "Cloneable Controllers",
"525": "Protected Users",
"526": "Key Admins",
"527": "Enterprise Key Admins",
"553": "RAS and IAS Servers",
"571": "Allowed RODC Password Replication Group",
"572": "Denied RODC Password Replication Group",
"S-1-1-0": "Everyone",
"S-1-2-0": "Local",
"S-1-2-1": "Console Logon",
"S-1-3-0": "Creator Owner",
"S-1-3-1": "Creator Group",
"S-1-3-2": "Owner Server",
"S-1-3-3": "Group Server",
"S-1-3-4": "Owner Rights",
"S-1-5-1": "Dialup",
"S-1-5-2": "Network",
"S-1-5-3": "Batch",
"S-1-5-4": "Interactive",
"S-1-5-6": "Service",
"S-1-5-7": "Anonymous Logon",
"S-1-5-8": "Proxy",
"S-1-5-9": "Enterprise Domain Controllers",
"S-1-5-10": "Self",
"S-1-5-11": "Authenticated Users",
"S-1-5-12": "Restricted Code",
"S-1-5-13": "Terminal Server User",
"S-1-5-14": "Remote Interactive Logon",
"S-1-5-15": "This Organization",
"S-1-5-17": "IUSR",
"S-1-5-18": "System (or LocalSystem)",
"S-1-5-19": "NT Authority (LocalService)",
"S-1-5-20": "Network Service",
"S-1-5-32-544": "Administrators",
"S-1-5-32-545": "Users",
"S-1-5-32-546": "Guests",
"S-1-5-32-547": "Power Users",
"S-1-5-32-548": "Account Operators",
"S-1-5-32-549": "Server Operators",
"S-1-5-32-550": "Print Operators",
"S-1-5-32-551": "Backup Operators",
"S-1-5-32-552": "Replicators",
"S-1-5-32-554": "Builtin\\Pre-Windows",
"S-1-5-32-555": "Builtin\\Remote Desktop Users",
"S-1-5-32-556": "Builtin\\Network Configuration Operators",
"S-1-5-32-557": "Builtin\\Incoming Forest Trust Builders",
"S-1-5-32-558": "Builtin\\Performance Monitor Users",
"S-1-5-32-559": "Builtin\\Performance Log Users",
"S-1-5-32-560": "Builtin\\Windows Authorization Access Group",
"S-1-5-32-561": "Builtin\\Terminal Server License Servers",
"S-1-5-32-562": "Builtin\\Distributed COM Users",
"S-1-5-32-568": "Builtin\\IIS_IUSRS",
"S-1-5-32-569": "Builtin\\Cryptographic Operators",
"S-1-5-32-573": "Builtin\\Event Log Readers",
"S-1-5-32-574": "Builtin\\Certificate Service DCOM Access",
"S-1-5-32-575": "Builtin\\RDS Remote Access Servers",
"S-1-5-32-576": "Builtin\\RDS Endpoint Servers",
"S-1-5-32-577": "Builtin\\RDS Management Servers",
"S-1-5-32-578": "Builtin\\Hyper-V Administrators",
"S-1-5-32-579": "Builtin\\Access Control Assistance Operators",
"S-1-5-32-580": "Builtin\\Remote Management Users",
"S-1-5-64-10": "NTLM Authentication",
"S-1-5-64-14": "SChannel Authentication",
"S-1-5-64-21": "Digest Authentication",
"S-1-5-80": "NT Service",
"S-1-5-80-0": "All Services",
"S-1-5-83-0": "NT VIRTUAL MACHINE\\Virtual Machines",
"S-1-5-113": "Local Account",
"S-1-5-114": "Local Account and member of Administrators group",
"S-1-5-1000": "Other Organization",
"S-1-15-2-1": "All app packages",
"S-1-16-0": "ML Untrusted",
"S-1-16-4096": "ML Low",
"S-1-16-8192": "ML Medium",
"S-1-16-8448": "ML Medium Plus",
"S-1-16-12288": "ML High",
"S-1-16-16384": "ML System",
"S-1-16-20480": "ML Protected Process",
"S-1-16-28672": "ML Secure Process",
"S-1-18-1": "Authentication authority asserted identity",
"S-1-18-2": "Service asserted identity",
"S-1-18-3": "Fresh public key identity",
"S-1-18-4": "Key trust identity",
"S-1-18-5": "Key property MFA",
"S-1-18-6": "Key property attestation",
}
def parse_ccache(args):
ccache = CCache.loadFile(args.ticket)
cred_number = 0
logging.info('Number of credentials in cache: %d' % len(ccache.credentials))
for creds in ccache.credentials:
logging.info('Parsing credential[%d]:' % cred_number)
rawTicket = creds.toTGS()
decodedTicket = decoder.decode(rawTicket['KDC_REP'], asn1Spec=TGS_REP())[0]
# Printing the session key
sessionKey = hexlify(rawTicket['sessionKey'].contents).decode('utf-8')
logging.info("%-30s: %s" % ("Ticket Session Key", sessionKey))
# Beginning the parsing of the ticket
logging.info("%-30s: %s" % ("User Name", creds['client'].prettyPrint().split(b'@')[0].decode('utf-8')))
logging.info("%-30s: %s" % ("User Realm", creds['client'].prettyPrint().split(b'@')[1].decode('utf-8')))
spn = creds['server'].prettyPrint().split(b'@')[0].decode('utf-8')
logging.info("%-30s: %s" % ("Service Name", spn))
logging.info("%-30s: %s" % ("Service Realm", creds['server'].prettyPrint().split(b'@')[1].decode('utf-8')))
logging.info("%-30s: %s" % ("Start Time", datetime.datetime.fromtimestamp(creds['time']['starttime']).strftime("%d/%m/%Y %H:%M:%S %p")))
if datetime.datetime.fromtimestamp(creds['time']['endtime']) < datetime.datetime.now():
logging.info("%-30s: %s (expired)" % ("End Time", datetime.datetime.fromtimestamp(creds['time']['endtime']).strftime("%d/%m/%Y %H:%M:%S %p")))
else:
logging.info("%-30s: %s" % ("End Time", datetime.datetime.fromtimestamp(creds['time']['endtime']).strftime("%d/%m/%Y %H:%M:%S %p")))
if datetime.datetime.fromtimestamp(creds['time']['renew_till']) < datetime.datetime.now():
logging.info("%-30s: %s (expired)" % ("RenewTill", datetime.datetime.fromtimestamp(creds['time']['renew_till']).strftime("%d/%m/%Y %H:%M:%S %p")))
else:
logging.info("%-30s: %s" % ("RenewTill", datetime.datetime.fromtimestamp(creds['time']['renew_till']).strftime("%d/%m/%Y %H:%M:%S %p")))
flags = []
for k in constants.TicketFlags:
if ((creds['tktflags'] >> (31 - k.value)) & 1) == 1:
flags.append(constants.TicketFlags(k.value).name)
logging.info("%-30s: (0x%x) %s" % ("Flags", creds['tktflags'], ", ".join(flags)))
keyType = constants.EncryptionTypes(creds["key"]["keytype"]).name
logging.info("%-30s: %s" % ("KeyType", keyType))
logging.info("%-30s: %s" % ("Base64(key)", base64.b64encode(creds["key"]["keyvalue"]).decode("utf-8")))
if spn.split('/')[0] != 'krbtgt':
logging.debug("Attempting to create Kerberoast hash")
kerberoast_hash = None
# code adapted from Rubeus's DisplayTicket() (https://github.com/GhostPack/Rubeus/blob/3620814cd2c5f05e87cddd50211197bd932fec51/Rubeus/lib/LSA.cs)
# if this isn't a TGT, try to display a Kerberoastable hash
if keyType != "rc4_hmac" and keyType != "aes256_cts_hmac_sha1_96":
# can only display rc4_hmac ad it doesn't have a salt. DES/AES keys require the user/domain as a salt, and we don't have
# the user account name that backs the requested SPN for the ticket, no no dice :(
logging.debug("Service ticket uses encryption key type %s, unable to extract hash and salt" % keyType)
elif keyType == "rc4_hmac":
kerberoast_hash = kerberoast_from_ccache(decodedTGS = decodedTicket, spn = spn, username = args.user, domain = args.domain)
elif args.user:
if args.user.endswith("$"):
user = "host%s.%s" % (args.user.rstrip('$').lower(), args.domain.lower())
else:
user = args.user
kerberoast_hash = kerberoast_from_ccache(decodedTGS = decodedTicket, spn = spn, username = user, domain = args.domain)
else:
logging.error("AES256 in use but no '-u/--user' passed, unable to generate crackable hash")
if kerberoast_hash:
logging.info("%-30s: %s" % ("Kerberoast hash", kerberoast_hash))
logging.info("%-30s:" % "Decoding unencrypted data in credential[%d]['ticket']" % cred_number)
spn = "/".join(list([str(sname_component) for sname_component in decodedTicket['ticket']['sname']['name-string']]))
etype = decodedTicket['ticket']['enc-part']['etype']
logging.info(" %-28s: %s" % ("Service Name", spn))
logging.info(" %-28s: %s" % ("Service Realm", decodedTicket['ticket']['realm']))
logging.info(" %-28s: %s (etype %d)" % ("Encryption type", constants.EncryptionTypes(etype).name, etype))
if not decodedTicket['ticket']['enc-part']['kvno'].isNoValue():
logging.debug("No kvno in ticket, skipping")
logging.info(" %-28s: %d" % ("Key version number (kvno)", decodedTicket['ticket']['enc-part']['kvno']))
logging.debug("Handling Kerberos keys")
ekeys = generate_kerberos_keys(args)
# copypasta from krbrelayx.py
# Select the correct encryption key
try:
logging.debug('Ticket is encrypted with %s (etype %d)' % (constants.EncryptionTypes(etype).name, etype))
key = ekeys[etype]
logging.debug('Using corresponding key: %s' % hexlify(key.contents).decode('utf-8'))
# This raises a KeyError (pun intended) if our key is not found
except KeyError:
if len(ekeys) > 0:
logging.error('Could not find the correct encryption key! Ticket is encrypted with %s (etype %d), but only keytype(s) %s were calculated/supplied',
constants.EncryptionTypes(etype).name,
etype,
', '.join([str(enctype) for enctype in ekeys.keys()]))
else:
logging.error('Could not find the correct encryption key! Ticket is encrypted with %s (etype %d), but no keys/creds were supplied',
constants.EncryptionTypes(etype).name,
etype)
return None
# todo : decodedTicket['ticket']['enc-part'] is handled. Handle decodedTicket['enc-part']?
# Recover plaintext info from ticket
try:
cipherText = decodedTicket['ticket']['enc-part']['cipher']
newCipher = _enctype_table[int(etype)]
plainText = newCipher.decrypt(key, 2, cipherText)
except InvalidChecksum:
logging.error('Ciphertext integrity failed. Most likely the account password or AES key is incorrect')
if args.salt:
logging.info('Make sure the salt/username/domain are set and with the proper values. In case of a computer account, append a "$" to the name.')
logging.debug('Remember: the encrypted-part of the ticket is secured with one of the target service\'s Kerberos keys. The target service is the one who owns the \'Service Name\' SPN printed above')
return
logging.debug('Ticket successfully decrypted')
encTicketPart = decoder.decode(plainText, asn1Spec=EncTicketPart())[0]
sessionKey = Key(encTicketPart['key']['keytype'], bytes(encTicketPart['key']['keyvalue']))
adIfRelevant = decoder.decode(encTicketPart['authorization-data'][0]['ad-data'], asn1Spec=AD_IF_RELEVANT())[0]
# So here we have the PAC
pacType = pac.PACTYPE(adIfRelevant[0]['ad-data'].asOctets())
# parsing every PAC
parsed_pac = parse_pac(pacType, args)
logging.info("%-30s:" % "Decoding credential[%d]['ticket']['enc-part']" % cred_number)
# One section per PAC
for element_type in parsed_pac:
element_type_name = list(element_type.keys())[0]
logging.info(" %-28s" % element_type_name)
# iterate over each attribute of the current PAC
for attribute in element_type[element_type_name]:
value = element_type[element_type_name][attribute]
if isinstance(value, Sequence) and not isinstance(value, str):
# If the value is an array, print as a multiline view for better readability
if len(value) > 0:
logging.info(" %-26s: %s" % (attribute, value[0]))
for subvalue in value[1:]:
logging.info(" "*32+"%s" % subvalue)
else:
logging.info(" %-26s:" % attribute)
else:
logging.info(" %-26s: %s" % (attribute, value))
cred_number += 1
def parse_pac(pacType, args):
def PACparseFILETIME(data):
# FILETIME structure (minwinbase.h)
# Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
# https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime
dwLowDateTime = data['dwLowDateTime']
dwHighDateTime = data['dwHighDateTime']
v_FILETIME = "Infinity (absolute time)"
if dwLowDateTime != 0xffffffff and dwHighDateTime != 0x7fffffff:
temp_time = dwHighDateTime
temp_time <<= 32
temp_time |= dwLowDateTime
if datetime.timedelta(microseconds=temp_time / 10).total_seconds() != 0:
v_FILETIME = (datetime.datetime(1601, 1, 1, 0, 0, 0) + datetime.timedelta(microseconds=temp_time / 10)).strftime("%d/%m/%Y %H:%M:%S %p")
return v_FILETIME
def PACparseGroupIds(data):
groups = []
for group in data:
groupMembership = {}
groupMembership['RelativeId'] = group['RelativeId']
groupMembership['Attributes'] = group['Attributes']
groups.append(groupMembership)
return groups
parsed_tuPAC = []
buff = pacType['Buffers']
for bufferN in range(pacType['cBuffers']):
infoBuffer = pac.PAC_INFO_BUFFER(buff)
data = pacType['Buffers'][infoBuffer['Offset']-8:][:infoBuffer['cbBufferSize']]
if infoBuffer['ulType'] == pac.PAC_LOGON_INFO:
type1 = TypeSerialization1(data)
newdata = data[len(type1)+4:]
kerbdata = pac.KERB_VALIDATION_INFO()
kerbdata.fromString(newdata)
kerbdata.fromStringReferents(newdata[len(kerbdata.getData()):])
parsed_data = {}
parsed_data['Logon Time'] = PACparseFILETIME(kerbdata['LogonTime'])
parsed_data['Logoff Time'] = PACparseFILETIME(kerbdata['LogoffTime'])
parsed_data['Kickoff Time'] = PACparseFILETIME(kerbdata['KickOffTime'])
parsed_data['Password Last Set'] = PACparseFILETIME(kerbdata['PasswordLastSet'])
parsed_data['Password Can Change'] = PACparseFILETIME(kerbdata['PasswordCanChange'])
parsed_data['Password Must Change'] = PACparseFILETIME(kerbdata['PasswordMustChange'])
parsed_data['LastSuccessfulILogon'] = PACparseFILETIME(kerbdata['LastSuccessfulILogon'])
parsed_data['LastFailedILogon'] = PACparseFILETIME(kerbdata['LastFailedILogon'])
parsed_data['FailedILogonCount'] = kerbdata['FailedILogonCount']
parsed_data['Account Name'] = kerbdata['EffectiveName']
parsed_data['Full Name'] = kerbdata['FullName']
parsed_data['Logon Script'] = kerbdata['LogonScript']
parsed_data['Profile Path'] = kerbdata['ProfilePath']
parsed_data['Home Dir'] = kerbdata['HomeDirectory']
parsed_data['Dir Drive'] = kerbdata['HomeDirectoryDrive']
parsed_data['Logon Count'] = kerbdata['LogonCount']
parsed_data['Bad Password Count'] = kerbdata['BadPasswordCount']
parsed_data['User RID'] = kerbdata['UserId']
parsed_data['Group RID'] = kerbdata['PrimaryGroupId']
parsed_data['Group Count'] = kerbdata['GroupCount']
all_groups_id = [str(gid['RelativeId']) for gid in PACparseGroupIds(kerbdata['GroupIds'])]
parsed_data['Groups'] = ", ".join(all_groups_id)
groups = []
unknown_count = 0
# Searching for common group name
for gid in all_groups_id:
group_name = MsBuiltInGroups.get(gid)
if group_name:
groups.append(f"({gid}) {group_name}")
else:
unknown_count += 1
if unknown_count > 0:
groups.append(f"+{unknown_count} Unknown custom group{'s' if unknown_count > 1 else ''}")
parsed_data['Groups (decoded)'] = groups
# UserFlags parsing
UserFlags = kerbdata['UserFlags']
User_Flags_Flags = []
for flag in User_Flags:
if UserFlags & flag.value:
User_Flags_Flags.append(flag.name)
parsed_data['User Flags'] = "(%s) %s" % (UserFlags, ", ".join(User_Flags_Flags))
parsed_data['User Session Key'] = hexlify(kerbdata['UserSessionKey']).decode('utf-8')
parsed_data['Logon Server'] = kerbdata['LogonServer']
parsed_data['Logon Domain Name'] = kerbdata['LogonDomainName']
# LogonDomainId parsing
if kerbdata['LogonDomainId'] == b'':
parsed_data['Logon Domain SID'] = kerbdata['LogonDomainId']
else:
parsed_data['Logon Domain SID'] = kerbdata['LogonDomainId'].formatCanonical()
# UserAccountControl parsing
UAC = kerbdata['UserAccountControl']
UAC_Flags = []
for flag in USER_ACCOUNT_Codes:
if UAC & flag.value:
UAC_Flags.append(flag.name)
parsed_data['User Account Control'] = "(%s) %s" % (UAC, ", ".join(UAC_Flags))
parsed_data['Extra SID Count'] = kerbdata['SidCount']
extraSids = []
# ExtraSids parsing
for extraSid in kerbdata['ExtraSids']:
sid = extraSid['Sid'].formatCanonical()
attributes = extraSid['Attributes']
attributes_flags = []
for flag in SE_GROUP_Attributes:
if attributes & flag.value:
attributes_flags.append(flag.name)
# Group name matching
group_name = MsBuiltInGroups.get(sid, '')
if not group_name and len(sid.split('-')) == 8:
# Try to find an RID match
group_name = MsBuiltInGroups.get(sid.split('-')[-1], '')
if group_name:
group_name = f" {group_name}"
extraSids.append("%s%s (%s)" % (sid, group_name, ', '.join(attributes_flags)))
parsed_data['Extra SIDs'] = extraSids
# ResourceGroupDomainSid parsing
if kerbdata['ResourceGroupDomainSid'] == b'':
parsed_data['Resource Group Domain SID'] = kerbdata['ResourceGroupDomainSid']
else:
parsed_data['Resource Group Domain SID'] = kerbdata['ResourceGroupDomainSid'].formatCanonical()
parsed_data['Resource Group Count'] = kerbdata['ResourceGroupCount']
parsed_data['Resource Group Ids'] = ', '.join([str(gid['RelativeId']) for gid in PACparseGroupIds(kerbdata['ResourceGroupIds'])])
parsed_data['LMKey'] = hexlify(kerbdata['LMKey']).decode('utf-8')
parsed_data['SubAuthStatus'] = kerbdata['SubAuthStatus']
parsed_data['Reserved3'] = kerbdata['Reserved3']
parsed_tuPAC.append({"LoginInfo": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_CLIENT_INFO_TYPE:
clientInfo = pac.PAC_CLIENT_INFO()
clientInfo.fromString(data)
parsed_data = {}
try:
parsed_data['Client Id'] = PACparseFILETIME(clientInfo['ClientId'])
except:
try:
parsed_data['Client Id'] = PACparseFILETIME(FILETIME(data[:32]))
except Exception as e:
logging.error(e)
parsed_data['Client Name'] = clientInfo['Name'].decode('utf-16-le')
parsed_tuPAC.append({"ClientName": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_UPN_DNS_INFO:
upn = pac.UPN_DNS_INFO(data)
# UPN PArsing
UpnLength = upn['UpnLength']
UpnOffset = upn['UpnOffset']
UpnName = data[UpnOffset:UpnOffset+UpnLength].decode('utf-16-le')
# DNS Name Parsing
DnsDomainNameLength = upn['DnsDomainNameLength']
DnsDomainNameOffset = upn['DnsDomainNameOffset']
DnsName = data[DnsDomainNameOffset:DnsDomainNameOffset + DnsDomainNameLength].decode('utf-16-le')
# Flag parsing
flags = upn['Flags']
attr_flags = []
for flag_lib in Upn_Dns_Flags:
if flags & flag_lib.value:
attr_flags.append(flag_lib.name)
parsed_data = {}
parsed_data['Flags'] = f"({flags}) {', '.join(attr_flags)}"
parsed_data['UPN'] = UpnName
parsed_data['DNS Domain Name'] = DnsName
# Depending on the flag supplied, additional data may be supplied
if Upn_Dns_Flags.S_SidSamSupplied.name in attr_flags:
# SamAccountName and Sid is also supplied
upn = pac.UPN_DNS_INFO_FULL(data)
# Sam parsing
SamNameLength = upn['SamNameLength']
SamNameOffset = upn['SamNameOffset']
SamName = data[SamNameOffset:SamNameOffset+SamNameLength].decode('utf-16-le')
# Sid parsing
SidLength = upn['SidLength']
SidOffset = upn['SidOffset']
Sid = LDAP_SID(data[SidOffset:SidOffset+SidLength]) # Using LDAP_SID instead of RPC_SID (https://github.com/SecureAuthCorp/impacket/issues/1386)
parsed_data["SamAccountName"] = SamName
parsed_data["UserSid"] = Sid.formatCanonical()
parsed_tuPAC.append({"UpnDns": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_SERVER_CHECKSUM:
signatureData = pac.PAC_SIGNATURE_DATA(data)
parsed_data = {}
parsed_data['Signature Type'] = ChecksumTypes(signatureData['SignatureType']).name
parsed_data['Signature'] = hexlify(signatureData['Signature']).decode('utf-8')
parsed_tuPAC.append({"ServerChecksum": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_PRIVSVR_CHECKSUM:
signatureData = pac.PAC_SIGNATURE_DATA(data)
parsed_data = {}
parsed_data['Signature Type'] = ChecksumTypes(signatureData['SignatureType']).name
# signatureData.dump()
parsed_data['Signature'] = hexlify(signatureData['Signature']).decode('utf-8')
parsed_tuPAC.append({"KDCChecksum": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_CREDENTIALS_INFO:
# Parsing 2.6.1 PAC_CREDENTIAL_INFO
credential_info = pac.PAC_CREDENTIAL_INFO(data)
parsed_credential_info = {}
parsed_credential_info['Version'] = "(0x%x) %d" % (credential_info.fields['Version'], credential_info.fields['Version'])
credinfo_enctype = credential_info.fields['EncryptionType']
parsed_credential_info['Encryption Type'] = "(0x%x) %s" % (credinfo_enctype, constants.EncryptionTypes(credential_info.fields['EncryptionType']).name)
if not args.asrep_key:
parsed_credential_info['Encryption Type'] = "<Cannot decrypt, --asrep-key missing>"
logging.error('No ASREP key supplied, cannot decrypt PAC Credentials')
parsed_tuPAC.append({"Credential Info": parsed_credential_info})
else:
parsed_tuPAC.append({"Credential Info": parsed_credential_info})
newCipher = _enctype_table[credinfo_enctype]
key = Key(credinfo_enctype, unhexlify(args.asrep_key))
plain_credential_data = newCipher.decrypt(key, 16, credential_info.fields['SerializedData'])
type1 = TypeSerialization1(plain_credential_data)
newdata = plain_credential_data[len(type1) + 4:]
# Parsing 2.6.2 PAC_CREDENTIAL_DATA
credential_data = pac.PAC_CREDENTIAL_DATA(newdata)
parsed_credential_data = {}
parsed_credential_data[' Credential Count'] = credential_data['CredentialCount']
parsed_tuPAC.append({" Credential Data": parsed_credential_data})
# Parsing (one or many) 2.6.3 SECPKG_SUPPLEMENTAL_CRED
for credential in credential_data['Credentials']:
parsed_secpkg_supplemental_cred = {}
parsed_secpkg_supplemental_cred[' Package Name'] = credential['PackageName']
parsed_secpkg_supplemental_cred[' Credential Size'] = credential['CredentialSize']
parsed_tuPAC.append({" SecPkg Credentials": parsed_secpkg_supplemental_cred})
# Parsing 2.6.4 NTLM_SUPPLEMENTAL_CREDENTIAL
ntlm_supplemental_cred = pac.NTLM_SUPPLEMENTAL_CREDENTIAL(b''.join(credential['Credentials']))
parsed_ntlm_supplemental_cred = {}
parsed_ntlm_supplemental_cred[' Version'] = ntlm_supplemental_cred['Version']
parsed_ntlm_supplemental_cred[' Flags'] = ntlm_supplemental_cred['Flags']
parsed_ntlm_supplemental_cred[' LmPasword'] = hexlify(ntlm_supplemental_cred['LmPassword']).decode('utf-8')
parsed_ntlm_supplemental_cred[' NtPasword'] = hexlify(ntlm_supplemental_cred['NtPassword']).decode('utf-8')
parsed_tuPAC.append({" NTLM Credentials": parsed_ntlm_supplemental_cred})
elif infoBuffer['ulType'] == pac.PAC_DELEGATION_INFO:
delegationInfo = pac.S4U_DELEGATION_INFO(data)
parsed_data = {}
parsed_data['S4U2proxyTarget'] = delegationInfo['S4U2proxyTarget']
parsed_data['TransitedListSize'] = delegationInfo.fields['TransitedListSize'].fields['Data']
parsed_data['S4UTransitedServices'] = delegationInfo['S4UTransitedServices'].decode('utf-8')
parsed_tuPAC.append({"DelegationInfo": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_ATTRIBUTES_INFO:
# Parsing 2.14 PAC_ATTRIBUTES_INFO
attributeInfo = pac.PAC_ATTRIBUTE_INFO(data)
flags = attributeInfo['Flags']
attr_flags = []
for flag_lib in Attributes_Flags:
if flags & flag_lib.value:
attr_flags.append(flag_lib.name)
parsed_data = {
'Flags': f"({flags}) {', '.join(attr_flags)}"
}
parsed_tuPAC.append({"Attributes Info": parsed_data})
elif infoBuffer['ulType'] == pac.PAC_REQUESTOR_INFO:
# Parsing 2.15 PAC_REQUESTOR
requestorInfo = pac.PAC_REQUESTOR(data)
parsed_data = {
'UserSid': requestorInfo['UserSid'].formatCanonical()
}
parsed_tuPAC.append({"Requestor Info": parsed_data})
else:
logging.debug("Unsupported PAC structure: %s. Please raise an issue or PR" % infoBuffer['ulType'])
buff = buff[len(infoBuffer):]
return parsed_tuPAC
def generate_kerberos_keys(args):
# copypasta from krbrelayx.py
# Store Kerberos keys
keys = {}
if args.rc4:
keys[int(constants.EncryptionTypes.rc4_hmac.value)] = unhexlify(args.rc4)
if args.aes:
if len(args.aes) == 64:
keys[int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value)] = unhexlify(args.aes)
else:
keys[int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value)] = unhexlify(args.aes)
ekeys = {}
for kt, key in keys.items():
ekeys[kt] = Key(kt, key)
allciphers = [
int(constants.EncryptionTypes.rc4_hmac.value),
int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),
int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value)
]
# Calculate Kerberos keys from specified password/salt
if args.password or args.hex_pass:
if not args.salt and args.user and args.domain: # https://www.thehacker.recipes/ad/movement/kerberos
if args.user.endswith('$'):
args.salt = "%shost%s.%s" % (args.domain.upper(), args.user.rstrip('$').lower(), args.domain.lower())
else:
args.salt = "%s%s" % (args.domain.upper(), args.user)
for cipher in allciphers:
if cipher == 23 and args.hex_pass:
# RC4 calculation is done manually for raw passwords
md4 = MD4.new()
md4.update(unhexlify(args.hex_pass))
ekeys[cipher] = Key(cipher, md4.digest())
logging.debug('Calculated type %s (%d) Kerberos key: %s' % (constants.EncryptionTypes(cipher).name, cipher, hexlify(ekeys[cipher].contents).decode('utf-8')))
elif args.salt:
# Do conversion magic for raw passwords
if args.hex_pass:
rawsecret = unhexlify(args.hex_pass).decode('utf-16-le', 'replace').encode('utf-8', 'replace')
else:
# If not raw, it was specified from the command line, assume it's not UTF-16
rawsecret = args.password
ekeys[cipher] = string_to_key(cipher, rawsecret, args.salt)
logging.debug('Calculated type %s (%d) Kerberos key: %s' % (constants.EncryptionTypes(cipher).name, cipher, hexlify(ekeys[cipher].contents).decode('utf-8')))
else:
logging.debug('Cannot calculate type %s (%d) Kerberos key: salt is None: Missing -s/--salt or (-u/--user and -d/--domain)' % (constants.EncryptionTypes(cipher).name, cipher))
else:
logging.debug('No password (-p/--password or -hp/--hex_pass supplied, skipping Kerberos keys calculation')
return ekeys
def kerberoast_from_ccache(decodedTGS, spn, username, domain):
try:
if not domain:
domain = decodedTGS['ticket']['realm']._value.upper()
else:
domain = domain.upper()
if not username:
username = "USER"
username = username.rstrip('$')
# Copy-pasta from GestUserSPNs.py
if decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.rc4_hmac.value:
entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (
constants.EncryptionTypes.rc4_hmac.value, username, domain, spn.replace(':', '~'),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][:16].asOctets()).decode(),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][16:].asOctets()).decode())
elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value:
entry = '$krb5tgs$%d$%s$%s$*%s*$%s$%s' % (
constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value, username, domain, spn.replace(':', '~'),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][:-12:].asOctets()).decode)
elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value:
entry = '$krb5tgs$%d$%s$%s$*%s*$%s$%s' % (
constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value, username, domain, spn.replace(':', '~'),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][:-12:].asOctets()).decode())
elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.des_cbc_md5.value:
entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (
constants.EncryptionTypes.des_cbc_md5.value, username, domain, spn.replace(':', '~'),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][:16].asOctets()).decode(),
hexlify(decodedTGS['ticket']['enc-part']['cipher'][16:].asOctets()).decode())
else:
logging.debug('Skipping %s/%s due to incompatible e-type %d' % (
decodedTGS['ticket']['sname']['name-string'][0], decodedTGS['ticket']['sname']['name-string'][1],
decodedTGS['ticket']['enc-part']['etype']))
return entry
except Exception as e:
raise
logging.debug("Not able to parse ticket: %s" % e)
def parse_args():
parser = argparse.ArgumentParser(add_help=True, description='Ticket describer. Parses ticket, decrypts the enc-part, and parses the PAC.')
parser.add_argument('ticket', action='store', help='Path to ticket.ccache')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')
ticket_decryption = parser.add_argument_group()
ticket_decryption.title = 'Ticket decryption credentials (optional)'
ticket_decryption.description = 'Tickets carry a set of information encrypted by one of the target service account\'s Kerberos keys.' \
'(example: if the ticket is for user:"john" for service:"cifs/service.domain.local", you need to supply credentials or keys ' \
'of the service account who owns SPN "cifs/service.domain.local")'
ticket_decryption.add_argument('-p', '--password', action="store", metavar="PASSWORD", help='Cleartext password of the service account')
ticket_decryption.add_argument('-hp', '--hex-password', dest='hex_pass', action="store", metavar="HEXPASSWORD", help='Hex password of the service account')
ticket_decryption.add_argument('-u', '--user', action="store", metavar="USER", help='Name of the service account')
ticket_decryption.add_argument('-d', '--domain', action="store", metavar="DOMAIN", help='FQDN Domain')
ticket_decryption.add_argument('-s', '--salt', action="store", metavar="SALT", help='Salt for keys calculation (DOMAIN.LOCALSomeuser for users, DOMAIN.LOCALhostsomemachine.domain.local for machines)')
ticket_decryption.add_argument('--rc4', action="store", metavar="RC4", help='RC4 KEY (i.e. NT hash)')
ticket_decryption.add_argument('--aes', action="store", metavar="HEXKEY", help='AES128 or AES256 key')
credential_info = parser.add_argument_group()
credential_info.title = 'PAC Credentials decryption material'
credential_info.description = '[MS-PAC] section 2.6 (PAC Credentials) describes an element that is used to send credentials for alternate security protocols to the client during initial logon.' \
'This PAC credentials is typically used when PKINIT is conducted for pre-authentication. This structure contains LM and NT hashes.' \
'The information is encrypted using the AS reply key. Attack primitive known as UnPAC-the-Hash. (https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash)'
credential_info.add_argument('--asrep-key', action="store", metavar="HEXKEY", help='AS reply key for PAC Credentials decryption')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
if not args.salt:
if args.user and not args.domain:
parser.error('without -s/--salt, and with -u/--user, argument -d/--domain is required to calculate the salt')
elif not args.user and args.domain:
parser.error('without -s/--salt, and with -d/--domain, argument -u/--user is required to calculate the salt')
if args.domain and not '.' in args.domain:
parser.error('Domain supplied in -d/--domain should be FQDN')
return args
def init_logger(args):
# Init the example's logger theme and debug level
logger.init(args.ts)
if args.debug is True:
logging.getLogger().setLevel(logging.DEBUG)
# Print the Library's installation path
logging.debug(version.getInstallationPath())
else:
logging.getLogger().setLevel(logging.INFO)
logging.getLogger('impacket.smbserver').setLevel(logging.ERROR)
def main():
print(version.BANNER)
args = parse_args()
init_logger(args)
try:
parse_ccache(args)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
traceback.print_exc()
logging.error(str(e))
if __name__ == '__main__':
main()