github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/examples/getTGT.py

github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/examples/getTGT.py (about)

     1  #!/usr/bin/env python
     2  # SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
     3  #
     4  # This software is provided under under a slightly modified version
     5  # of the Apache Software License. See the accompanying LICENSE file
     6  # for more information.
     7  #
     8  # Author:
     9  #  Alberto Solino (@agsolino)
    10  #
    11  # Description:
    12  #    Given a password, hash or aesKey, it will request a TGT and save it as ccache
    13  #
    14  # Examples:
    15  #         ./getTGT.py -hashes lm:nt contoso.com/user
    16  #
    17  #
    18  from __future__ import division
    19  from __future__ import print_function
    20  import argparse
    21  import logging
    22  import sys
    23  from binascii import unhexlify
    24  
    25  from impacket import version
    26  from impacket.examples import logger
    27  from impacket.krb5.kerberosv5 import getKerberosTGT
    28  from impacket.krb5 import constants
    29  from impacket.krb5.types import Principal
    30  
    31  
    32  class GETTGT:
    33      def __init__(self, target, password, domain, options):
    34          self.__password = password
    35          self.__user= target
    36          self.__domain = domain
    37          self.__lmhash = ''
    38          self.__nthash = ''
    39          self.__aesKey = options.aesKey
    40          self.__options = options
    41          self.__kdcHost = options.dc_ip
    42          if options.hashes is not None:
    43              self.__lmhash, self.__nthash = options.hashes.split(':')
    44  
    45      def saveTicket(self, ticket, sessionKey):
    46          logging.info('Saving ticket in %s' % (self.__user + '.ccache'))
    47          from impacket.krb5.ccache import CCache
    48          ccache = CCache()
    49  
    50          ccache.fromTGT(ticket, sessionKey, sessionKey)
    51          ccache.saveFile(self.__user + '.ccache')
    52  
    53      def run(self):
    54          userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
    55          tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
    56                                                                  unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,
    57                                                                  self.__kdcHost)
    58          self.saveTicket(tgt,oldSessionKey)
    59  
    60  if __name__ == '__main__':
    61      # Init the example's logger theme
    62      logger.init()
    63      print(version.BANNER)
    64  
    65      parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
    66                                                                  "TGT and save it as ccache")
    67      parser.add_argument('identity', action='store', help='[domain/]username[:password]')
    68      parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    69  
    70      group = parser.add_argument_group('authentication')
    71  
    72      group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    73      group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    74      group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
    75                         '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
    76                         'ones specified in the command line')
    77      group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
    78                                                                              '(128 or 256 bits)')
    79      group.add_argument('-dc-ip', action='store',metavar = "ip address",  help='IP Address of the domain controller. If '
    80                         'ommited it use the domain part (FQDN) specified in the target parameter')
    81  
    82      if len(sys.argv)==1:
    83          parser.print_help()
    84          print("\nExamples: ")
    85          print("\t./getTGT.py -hashes lm:nt contoso.com/user\n")
    86          print("\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked")
    87          sys.exit(1)
    88  
    89      options = parser.parse_args()
    90  
    91      if options.debug is True:
    92          logging.getLogger().setLevel(logging.DEBUG)
    93      else:
    94          logging.getLogger().setLevel(logging.INFO)
    95  
    96  
    97      import re
    98      domain, username, password = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::([^@]*))?)?').match(options.identity).groups(
    99          '')
   100  
   101      try:
   102          if domain is None:
   103              logging.critical('Domain should be specified!')
   104              sys.exit(1)
   105  
   106          if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
   107              from getpass import getpass
   108              password = getpass("Password:")
   109  
   110          if options.aesKey is not None:
   111              options.k = True
   112  
   113          executer = GETTGT(username, password, domain, options)
   114          executer.run()
   115      except Exception as e:
   116          if logging.getLogger().level == logging.DEBUG:
   117              import traceback
   118              traceback.print_exc()
   119          print(str(e))