-Added /outfile:X to output hashes to a file for kerberoast/asreproast, one hash per line
-changed asreproast's default behavior to match kerberoast
-clustered the default output help menu around function (things were getting crowded)
See CHANGELOG.md for full details
Generate Kerberos keys from a user's password to request a TGT. The "/enctype"
parameter can be used to select the "AES256" enctype (aes256_cts_hmac_sha1).
The default is RC4 (rc4_hmac).
[changed]
-Merged @mark-s' PR that broke out Program.cs' commands into 'Command' classes for easier command addition.
-Commands that pass /dc:X are now passed through Networking.GetDCIP(), which resolves the DC name (if null) and returns the DC IP. Code refactored to use this centralized resolver.
-The /user:USER flag can now be /user:DOMAIN.COM\USER (auto-completes /domain:Y).
-The "harvest" command now returns the user ticket with the latest renew_till time on initial extraction.
[new] "asktgs" action
-takes /ptt:X, /dc:X, /ticket:X flags like asktgt
-/service:X takes one or more SPN specifications
[new] "tgtdeleg" action
-reimplements @gentilkiwi's Kekeo tgt::deleg action
-uses the GSS-API Kerberos specification (RFC 4121) to request a "fake" delegation context that stores a KRB-CRED in the Authenticator Checksum
-combined with extracting the service session key from the local cache, this allows us to recover usable TGTs for the current user without elevation
[added] "s4u" action
-Added option for multiple alternate snames (/altservice:X,Y,...)
-This executes the S4U2self/S4U2proxy process only once, and substitutes the multiple alternate service names into the final resulting service ticket structure(s) for as many snames as specified
[fix] "dump" action
-Corrected extraction of complete ServiceName/TargetName strings
[fix] "asreproast" action
-fixed salt demarcation line for "asreproast" hashes
-added eventual hashcat output format, use "/format:<john/hashcat>", default of "john"
[fix] "kerberoast" action
-Added reference for @machsosec for the KerberosRequestorSecurityToken.GetRequest Kerberoasting Method()
-Corrected encType extraction for the hash output