Adding support for supplying additional tickets for asktgs #82

Merged
merged 2 commits into from May 14, 2021

0xe7 (Contributor) commented May 14, 2021

In order to manually make requests that require additional tickets I've added the /tgs:X argument to asktgs. This allows us to play with these types of request manually, which are primarily used for requesting different types of tickets involved in constrained delegation. An example of usage is below:

C:\temp\dev\Rubeus-additional-ticket\Rubeus\bin\Release>.\Rubeus.exe asktgs /service:cifs/ic1dc1.child1.internal.zeroday.lab /nowrap /dc:idc1.internal.zeroday.lab /ticket:doIFWjCCBVagA...cm9kYXkubGFi /tgs:doIGnjCCBpq...sLnplcm9kYXkubGFi
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
  v1.6.3
[*] Action: Ask TGS
[*] Using domain controller: idc1.internal.zeroday.lab (192.168.71.20)
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/ic1dc1.child1.internal.zeroday.lab'
[+] TGS request successful!
[*] base64(ticket.kirbi):
      doIHVDCCB1...BWS5MQUI=
  ServiceName           :  krbtgt/CHILD1.INTERNAL.ZERODAY.LAB
  ServiceRealm          :  INTERNAL.ZERODAY.LAB
  UserName              :  TestSPN$
  UserRealm             :  INTERNAL.ZERODAY.LAB
  StartTime             :  14/05/2021 00:17:57
  EndTime               :  14/05/2021 10:16:45
  RenewTill             :  21/05/2021 00:16:45
  Flags                 :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  qz+pbRv0EjHVNUUNoCWJiw==

The README is updated with information about the /tgs:X argument as well as the /usesvcdomain related switch which is useful to force the domain to be extracted from the given SPN when using a /tgs:. Also bumps the minor version.

HarmJ0y (Member) commented May 14, 2021

Looks great (as always), landed!

HarmJ0y merged commit c4e06fb into GhostPack:master May 14, 2021