Chaning Service Ticket sname if it doesn't match what we want

* It might not work if the ST isn't encrypted for the same user as the new SPN.
fortra · Mar 6, 2017 · b9ec824 · b9ec824
1 parent 0ddd7b1
commit b9ec824
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/impacket/krb5/ccache.py b/impacket/krb5/ccache.py
@@ -268,7 +268,7 @@ def toTGT(self):
         tgt['sessionKey'] = crypto.Key(cipher.enctype, str(self['key']['keyvalue']))
         return tgt
 
-    def toTGS(self):
+    def toTGS(self, newSPN=None):
         tgs_rep = TGS_REP()
         tgs_rep['pvno'] = 5
         tgs_rep['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REP.value)
@@ -281,6 +281,10 @@ def toTGS(self):
         seq_set(tgs_rep, 'cname', self['client'].toPrincipal().components_to_asn1)
         ticket = types.Ticket()
         ticket.from_asn1(self.ticket['data'])
+        if newSPN is not None:
+            if newSPN.upper() != str(ticket.service_principal).upper():
+                LOG.debug('Changing sname from %s to %s and hoping for the best' % (ticket.service_principal, newSPN) )
+                ticket.service_principal = types.Principal(newSPN, type=int(ticket.service_principal.type))
         seq_set(tgs_rep,'ticket', ticket.to_asn1)
 
         cipher = crypto._enctype_table[self['key']['keytype']]()

diff --git a/impacket/krb5/kerberosv5.py b/impacket/krb5/kerberosv5.py
@@ -470,7 +470,7 @@ def getKerberosType1(username, password, domain, lmhash, nthash, aesKey='', TGT
                     else:
                         LOG.debug("No valid credentials found in cache. ")
                 else:
-                    TGS = creds.toTGS()
+                    TGS = creds.toTGS(principal)
 
                 # retrieve user information from CCache file if needed
                 if username == '' and creds is not None:

diff --git a/impacket/smbconnection.py b/impacket/smbconnection.py
@@ -316,7 +316,7 @@ def kerberosLogin(self, user, password, domain='', lmhash='', nthash='', aesKey=
                     else:
                         LOG.debug("No valid credentials found in cache. ")
                 else:
-                    TGS = creds.toTGS()
+                    TGS = creds.toTGS(principal)
                     LOG.debug('Using TGS from cache')
 
                 # retrieve user information from CCache file if needed

diff --git a/impacket/tds.py b/impacket/tds.py
@@ -700,7 +700,7 @@ def kerberosLogin(self, database, username, password='', domain='', hashes=None,
                     else:
                         LOG.debug("No valid credentials found in cache. ")
                 else:
-                    TGS = creds.toTGS()
+                    TGS = creds.toTGS(principal)
                     LOG.debug('Using TGS from cache')
 
                 # retrieve user information from CCache file if needed