mirror of https://github.com/daffainfo/nuclei.git
add method GetServiceTicket to the kerberos module (#4422)
* add method GetServiceTicket to the kerberos module * add target username to service ticket * destroy kerberos client when function returnsdev
parent
829b7b5a2d
commit
70452efec1
|
@ -97,6 +97,7 @@ func (c *KerberosClient) EnumerateUser(domain, controller string, username strin
|
|||
return resp, err
|
||||
}
|
||||
cl := kclient.NewWithPassword(username, opts.realm, "foobar", opts.config, kclient.DisablePAFXFAST(true))
|
||||
defer cl.Destroy()
|
||||
|
||||
req, err := messages.NewASReqForTGT(cl.Credentials.Domain(), cl.Config, cl.Credentials.CName())
|
||||
if err != nil {
|
||||
|
@ -143,3 +144,50 @@ func asRepToHashcat(asrep messages.ASRep) (string, error) {
|
|||
hex.EncodeToString(asrep.EncPart.Cipher[:16]),
|
||||
hex.EncodeToString(asrep.EncPart.Cipher[16:])), nil
|
||||
}
|
||||
|
||||
type TGS struct {
|
||||
Ticket messages.Ticket
|
||||
Hash string
|
||||
}
|
||||
|
||||
func (c *KerberosClient) GetServiceTicket(domain, controller string, username, password string, target, spn string) (TGS, error) {
|
||||
var tgs TGS
|
||||
|
||||
if !protocolstate.IsHostAllowed(domain) {
|
||||
// host is not valid according to network policy
|
||||
return tgs, protocolstate.ErrHostDenied.Msgf(domain)
|
||||
}
|
||||
|
||||
opts, err := newKerbrosEnumUserOpts(domain, controller)
|
||||
if err != nil {
|
||||
return tgs, err
|
||||
}
|
||||
cl := kclient.NewWithPassword(username, opts.realm, password, opts.config, kclient.DisablePAFXFAST(true))
|
||||
defer cl.Destroy()
|
||||
|
||||
ticket, _, err := cl.GetServiceTicket(spn)
|
||||
if err != nil {
|
||||
return tgs, err
|
||||
}
|
||||
|
||||
hashcat, err := tgsToHashcat(ticket, target)
|
||||
if err != nil {
|
||||
return tgs, err
|
||||
}
|
||||
|
||||
return TGS{
|
||||
Ticket: ticket,
|
||||
Hash: hashcat,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func tgsToHashcat(tgs messages.Ticket, username string) (string, error) {
|
||||
return fmt.Sprintf("$krb5tgs$%d$*%s$%s$%s*$%s$%s",
|
||||
tgs.EncPart.EType,
|
||||
username,
|
||||
tgs.Realm,
|
||||
strings.Join(tgs.SName.NameString[:], "/"),
|
||||
hex.EncodeToString(tgs.EncPart.Cipher[:16]),
|
||||
hex.EncodeToString(tgs.EncPart.Cipher[16:]),
|
||||
), nil
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue