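#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author:
#  Alberto Solino (@agsolino)
#
# Description:
#  Given a password, hash or aesKey, it will request a TGT and save it as ccache
#
# Examples:
#  ./getTGT.py -hashes lm:nt contoso.com/user
#
#
# Listing taken from:
#  github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/examples/getTGT.py
#
# Review notes:
#  - The ccache written by saveTicket() holds the TGT together with its session
#    key, so the file can be used as that principal until the ticket expires.
#    saveTicket() therefore leaves it readable and writable by the owner only.
#  - A password given inline in the identity argument, a -hashes value and an
#    -aesKey value are all part of the process command line, which other local
#    users can usually read from process listings and which shells tend to keep
#    in their history. Leaving the password out makes the script prompt for it
#    through getpass instead.
#  - The TGT request made by run() is an AS exchange with the KDC. A Windows
#    domain controller with Kerberos Authentication Service auditing enabled
#    records it as event 4768.

from __future__ import division
from __future__ import print_function
import argparse
import logging
import os
import re
import sys
from binascii import unhexlify

from impacket import version
from impacket.examples import logger
from impacket.krb5.kerberosv5 import getKerberosTGT
from impacket.krb5 import constants
from impacket.krb5.types import Principal


class GETTGT:
    """Request a Kerberos TGT for one principal and store it as a ccache file."""

    def __init__(self, target, password, domain, options):
        """Capture the principal and the key material used for the request.

        Args:
            target: user name of the principal; also the stem of the ccache
                file name.
            password: cleartext password, or '' when a hash or AES key is used.
            domain: domain (realm) part of the identity.
            options: parsed command-line namespace; ``aesKey``, ``dc_ip`` and
                ``hashes`` are read from it.

        Raises:
            ValueError: if ``options.hashes`` does not contain exactly one ':'.
        """
        self.__password = password
        self.__user = target
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__aesKey = options.aesKey
        self.__options = options
        self.__kdcHost = options.dc_ip
        if options.hashes is not None:
            # Hex strings at this point; run() converts them with unhexlify().
            self.__lmhash, self.__nthash = options.hashes.split(':')

    def saveTicket(self, ticket, sessionKey):
        """Write the ticket and its session key to ``<user>.ccache``.

        The file is written to the current working directory unless the user
        name itself carries a path. It is created with an owner-only umask and
        then set to mode 0600, so a cache file that already existed with wider
        permissions is tightened as well.
        """
        from impacket.krb5.ccache import CCache

        cache_path = self.__user + '.ccache'
        logging.info('Saving ticket in %s' % cache_path)

        ccache = CCache()
        ccache.fromTGT(ticket, sessionKey, sessionKey)

        # How saveFile() opens the file is not visible here, so permissions are
        # restricted on both sides of the call: the umask covers a newly
        # created file, the chmod covers a pre-existing one.
        previous_umask = os.umask(0o077)
        try:
            ccache.saveFile(cache_path)
        finally:
            os.umask(previous_umask)
        os.chmod(cache_path, 0o600)

    def run(self):
        """Request the TGT from the KDC and hand it to saveTicket()."""
        userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
        tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
                                                                unhexlify(self.__lmhash),
                                                                unhexlify(self.__nthash), self.__aesKey,
                                                                self.__kdcHost)
        # oldSessionKey (not sessionKey) is the key stored with the ticket.
        self.saveTicket(tgt, oldSessionKey)


if __name__ == '__main__':
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)

    parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
                                                                "TGT and save it as ccache")
    parser.add_argument('identity', action='store', help='[domain/]username[:password]')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                       '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
                       'ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                       '(128 or 256 bits)')
    group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If '
                       'ommited it use the domain part (FQDN) specified in the target parameter')

    if len(sys.argv)==1:
        parser.print_help()
        print("\nExamples: ")
        print("\t./getTGT.py -hashes lm:nt contoso.com/user\n")
        print("\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked")
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    # Split "[domain/]username[:password]". groups('') substitutes an empty
    # string for every part that is absent, so none of the three is ever None.
    domain, username, password = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::([^@]*))?)?').match(options.identity).groups(
        '')

    try:
        # A missing domain arrives as '' (see above), so test for emptiness;
        # comparing against None could never trigger this check.
        if not domain:
            logging.critical('Domain should be specified!')
            sys.exit(1)

        # Prompt only when no secret of any kind was supplied and -no-pass is
        # not set; getpass keeps the password off the command line.
        if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
            from getpass import getpass
            password = getpass("Password:")

        if options.aesKey is not None:
            options.k = True

        executer = GETTGT(username, password, domain, options)
        executer.run()
    except Exception as e:
        # The full traceback is shown only in -debug mode; otherwise just the
        # message is printed.
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        print(str(e))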