[describeTicket.py] New example script: ticket describer and decrypter #1201
Merged
fixed error: local variable 'kerberoast_hash' referenced before assignment
fixed error
Describe ticket local update
…ll-kwonw group Id
Implement new PAC and known groups
0xdeaddood added the "in review" (This issue or pull request is being analyzed) and "low" (Low priority item) labels on Feb 23, 2023
ShutdownRepo changed the title from "New example script: ticket describer and decrypter" to "[describeTicket.py] New example script: ticket describer and decrypter" on Aug 23, 2023
anadrianmanrique added the "medium" (Medium priority item) label and removed the "low" (Low priority item) label on Sep 7, 2023
@0xdeaddood any news here?
As for the time being, the PR should be rebased due to pac.py being in conflict. Maybe changes in this file are no longer necessary as PAC_ATTRIBUTE_INFO and PAC_REQUESTOR were integrated in the context of #1545.
# Conflicts: # impacket/krb5/pac.py
Done ✅
This new example script takes a .ccache file as input and parses it.
The appropriate credentials for PAC decryption refer to the credentials of the service account who owns the SPN the ticket was issued for (krbtgt for TGTs, service accounts for service tickets). The following information can be supplied to describeTicket:
-s/--salt and -hp/--hex-pass
-s/--salt and -hp/--hex-pass
-d/--domain and -u/--user and -hp/--hex-pass
-d/--domain and -u/--user and -hp/--hex-pass
--rc4 and --aes
The appropriate credentials for PAC Credentials decryption refer to the AS-REP key sent by KDC when obtaining a TGT. After a PKINIT pre-authentication, that structure will contain the LM and NT hashes of the user who asked for the TGT. This key can be supplied with the --asrep-key argument.
The following screenshot shows the usage.
The following screenshot shows a TGT being parsed, the PAC being decrypted and parsed.
If the proper key is not supplied, here's what's shown.
Here is an example with a Service Ticket. The kerberoast hash is printed for the service account, owner of the SPN the ticket was issued for.
Nota bene: there is some ugly code right now that I'll probably refactor but it doesn't prevent the script from working at the moment. A number of spaces is hardcoded in the parsed PAC Credentials in order to print information in a pretty manner. This could be done in a better way honestly.
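The key-selection rule in the description above (krbtgt for TGTs, the SPN's service account for service tickets), as an added example that is not part of this PR or of impacket's code: it reads the header and principals of a version 4 ccache and reports whose key would decrypt the first ticket. The function names, the CORP.EXAMPLE realm and the sample bytes are constructed for illustration.

```python
import struct

def _octets(buf, off):
    """Counted octet string: uint32 big-endian length, then the data."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _principal(buf, off):
    """v4 principal: name type, component count, realm, then components."""
    _name_type, count = struct.unpack_from(">II", buf, off)
    realm, off = _octets(buf, off + 8)
    parts = []
    for _ in range(count):
        part, off = _octets(buf, off)
        parts.append(part.decode())
    return "/".join(parts), realm.decode(), off

def key_owner(buf):
    """Return (client, server, account whose key decrypts the first ticket)."""
    version, header_len = struct.unpack_from(">HH", buf, 0)
    if version != 0x0504:
        raise ValueError("only ccache format version 4 is handled here")
    _default, _realm, off = _principal(buf, 4 + header_len)  # default principal
    client, crealm, off = _principal(buf, off)               # first credential
    server, srealm, off = _principal(buf, off)
    # Rule from the PR description: krbtgt for TGTs, otherwise the service
    # account that owns the SPN the ticket was issued for.
    if server.split("/")[0] == "krbtgt":
        owner = "krbtgt"
    else:
        owner = "service account owning SPN " + server
    return client + "@" + crealm, server + "@" + srealm, owner

def sample_ccache(*server_parts):
    """Constructed sample: header, default principal and the two principals of
    one credential (key, times and ticket bytes are left out)."""
    def octets(s):
        return struct.pack(">I", len(s)) + s.encode()
    def principal(*parts):
        body = b"".join(octets(p) for p in parts)
        return struct.pack(">II", 1, len(parts)) + octets("CORP.EXAMPLE") + body
    header = struct.pack(">HH", 0x0504, 12) + struct.pack(">HHII", 1, 8, 0, 0)
    user = principal("alice")
    return header + user + user + principal(*server_parts)

if __name__ == "__main__":
    print(key_owner(sample_ccache("krbtgt", "CORP.EXAMPLE")))
    print(key_owner(sample_ccache("cifs", "fs01.corp.example")))
```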