From cacfcccaf5c42b70e99c395a605a3f509d6e31fa Mon Sep 17 00:00:00 2001
From: 5amu
Date: Sun, 26 Nov 2023 17:32:51 +0100
Subject: [PATCH 1/3] add method GetServiceTicket to the kerberos module

---
 pkg/js/libs/kerberos/kerberos.go | 46 ++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/pkg/js/libs/kerberos/kerberos.go b/pkg/js/libs/kerberos/kerberos.go
index 2a4ccd6eb2..c21d21d146 100644
--- a/pkg/js/libs/kerberos/kerberos.go
+++ b/pkg/js/libs/kerberos/kerberos.go
@@ -143,3 +143,49 @@ func asRepToHashcat(asrep messages.ASRep) (string, error) {
 		hex.EncodeToString(asrep.EncPart.Cipher[:16]),
 		hex.EncodeToString(asrep.EncPart.Cipher[16:])), nil
 }
+
+type TGS struct {
+	Ticket messages.Ticket
+	Hash string
+}
+
+func (c *KerberosClient) GetServiceTicket(domain, controller string, username, password string, target, spn string) (TGS, error) {
+	var tgs TGS
+
+	if !protocolstate.IsHostAllowed(domain) {
+		// host is not valid according to network policy
+		return tgs, protocolstate.ErrHostDenied.Msgf(domain)
+	}
+
+	opts, err := newKerbrosEnumUserOpts(domain, controller)
+	if err != nil {
+		return tgs, err
+	}
+	cl := kclient.NewWithPassword(username, opts.realm, password, opts.config, kclient.DisablePAFXFAST(true))
+
+	ticket, _, err := cl.GetServiceTicket(spn)
+	if err != nil {
+		return tgs, err
+	}
+
+	hashcat, err := tgsToHashcat(ticket)
+	if err != nil {
+		return tgs, err
+	}
+
+	return TGS{
+		Ticket: ticket,
+		Hash: hashcat,
+	}, nil
+}
+
+func tgsToHashcat(tgs messages.Ticket) (string, error) {
+	return fmt.Sprintf("$krb5tgs$%d$*%s$%s$%s*$%s$%s",
+		tgs.EncPart.EType,
+		"",
+		tgs.Realm,
+		strings.Join(tgs.SName.NameString[:], "/"),
+		hex.EncodeToString(tgs.EncPart.Cipher[:16]),
+		hex.EncodeToString(tgs.EncPart.Cipher[16:]),
+	), nil
+}

From b129cccacfd9a7e02b54340d13c6e173735e061e Mon Sep 17 00:00:00 2001
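Review bot: GetServiceTicket applies `protocolstate.IsHostAllowed` to `domain` only, while `controller` goes straight into `newKerbrosEnumUserOpts(domain, controller)`; if that helper (not in the hunk) uses `controller` as the KDC address, the network policy can be sidestepped by pairing an allowed realm name with a controller the policy would deny, so a second guard `if !protocolstate.IsHostAllowed(controller) { return tgs, protocolstate.ErrHostDenied.Msgf(controller) }` belongs next to the existing one. In tgsToHashcat the unconditional `tgs.EncPart.Cipher[:16]` slice panics instead of returning an error on a ticket whose encrypted part is shorter than 16 bytes, and that data comes from the KDC; since the function already returns an error, `if len(tgs.EncPart.Cipher) < 16 { return "", fmt.Errorf("encrypted part too short (%d bytes)", len(tgs.EncPart.Cipher)) }` gives that path a purpose. The same assumption is visible in the asRepToHashcat context lines and deserves the same guard. The exported `TGS` type and `GetServiceTicket` also lack doc comments; `// GetServiceTicket authenticates as username/password against the realm's KDC, requests a service ticket for spn and returns it together with its hashcat-formatted hash.` would cover the latter.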
From: 5amu
Date: Mon, 27 Nov 2023 21:27:31 +0100
Subject: [PATCH 2/3] add target username to service ticket

---
 pkg/js/libs/kerberos/kerberos.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/js/libs/kerberos/kerberos.go b/pkg/js/libs/kerberos/kerberos.go
index c21d21d146..84e4efccdc 100644
--- a/pkg/js/libs/kerberos/kerberos.go
+++ b/pkg/js/libs/kerberos/kerberos.go
@@ -168,7 +168,7 @@ func (c *KerberosClient) GetServiceTicket(domain, controller string, username, p
 		return tgs, err
 	}
 
-	hashcat, err := tgsToHashcat(ticket)
+	hashcat, err := tgsToHashcat(ticket, target)
 	if err != nil {
 		return tgs, err
 	}
@@ -179,10 +179,10 @@ func (c *KerberosClient) GetServiceTicket(domain, controller string, username, p
 	}, nil
 }
 
-func tgsToHashcat(tgs messages.Ticket) (string, error) {
+func tgsToHashcat(tgs messages.Ticket, username string) (string, error) {
 	return fmt.Sprintf("$krb5tgs$%d$*%s$%s$%s*$%s$%s",
 		tgs.EncPart.EType,
-		"",
+		username,
 		tgs.Realm,
 		strings.Join(tgs.SName.NameString[:], "/"),
 		hex.EncodeToString(tgs.EncPart.Cipher[:16]),

From 62ee28aea9acfc95547d322415d83f2a55dbd306 Mon Sep 17 00:00:00 2001
From: 5amu
Date: Sat, 23 Dec 2023 00:17:02 +0100
Subject: [PATCH 3/3] destroy kerberos client when function returns

---
 pkg/js/libs/kerberos/kerberos.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/js/libs/kerberos/kerberos.go b/pkg/js/libs/kerberos/kerberos.go
index 84e4efccdc..954dd0ceb6 100644
--- a/pkg/js/libs/kerberos/kerberos.go
+++ b/pkg/js/libs/kerberos/kerberos.go
@@ -97,6 +97,7 @@ func (c *KerberosClient) EnumerateUser(domain, controller string, username strin
 		return resp, err
 	}
 	cl := kclient.NewWithPassword(username, opts.realm, "foobar", opts.config, kclient.DisablePAFXFAST(true))
+	defer cl.Destroy()
 
 	req, err := messages.NewASReqForTGT(cl.Credentials.Domain(), cl.Config, cl.Credentials.CName())
 	if err != nil {
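Review bot: The fixed `$krb5tgs$%d$*%s$%s$%s*$%s$%s` layout and the 16-byte split in tgsToHashcat are the hashcat mode 13100 shape for RC4-HMAC (etype 23) only; for AES tickets (etype 17/18) the form Impacket emits and hashcat modes 19600/19700 accept is `$krb5tgs$17$user$realm$*spn*$checksum$edata2` with the 12-byte checksum taken from the end of the cipher, so the function interpolates the EType correctly but produces an uncrackable line for every non-RC4 ticket. Switching on `tgs.EncPart.EType`, splitting the cipher per type and returning an error for anything else (as below) makes the output trustworthy and also removes the unchecked `Cipher[:16]` slice. The parameter renamed to `username` here is passed `target` by the caller; a doc comment `// tgsToHashcat formats a TGS-REP ticket as a hashcat krb5tgs line; username is the account the SPN is registered to and is informational only.` would pin that meaning.
```go
func tgsToHashcat(tgs messages.Ticket, username string) (string, error) {
	c := tgs.EncPart.Cipher
	spn := strings.Join(tgs.SName.NameString[:], "/")
	switch tgs.EncPart.EType {
	case 23: // RC4-HMAC: hashcat 13100, checksum is the first 16 bytes
		if len(c) < 16 {
			return "", fmt.Errorf("encrypted part too short (%d bytes)", len(c))
		}
		return fmt.Sprintf("$krb5tgs$%d$*%s$%s$%s*$%s$%s",
			tgs.EncPart.EType, username, tgs.Realm, spn,
			hex.EncodeToString(c[:16]), hex.EncodeToString(c[16:])), nil
	case 17, 18: // AES128/AES256-CTS-HMAC-SHA1-96: hashcat 19600/19700, checksum is the last 12 bytes
		if len(c) < 12 {
			return "", fmt.Errorf("encrypted part too short (%d bytes)", len(c))
		}
		return fmt.Sprintf("$krb5tgs$%d$%s$%s$*%s*$%s$%s",
			tgs.EncPart.EType, username, tgs.Realm, spn,
			hex.EncodeToString(c[len(c)-12:]), hex.EncodeToString(c[:len(c)-12])), nil
	default:
		return "", fmt.Errorf("unsupported encryption type %d", tgs.EncPart.EType)
	}
}
```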
@@ -162,6 +163,7 @@ func (c *KerberosClient) GetServiceTicket(domain, controller string, username, p
 		return tgs, err
 	}
 	cl := kclient.NewWithPassword(username, opts.realm, password, opts.config, kclient.DisablePAFXFAST(true))
+	defer cl.Destroy()
 
 	ticket, _, err := cl.GetServiceTicket(spn)
 	if err != nil {