Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
executable file 123 lines (103 sloc) 4.97 KB
#!/usr/bin/env python
# Impacket - Collection of Python classes for working with network protocols.
# SECUREAUTH LABS. Copyright (C) 2021 SecureAuth Corporation. All rights reserved.
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
# Description:
# Given a password, hash or aesKey, it will request a TGT and save it as ccache
# Examples:
# ./ -hashes lm:nt
# Author:
# Alberto Solino (@agsolino)
from __future__ import division
from __future__ import print_function
import argparse
import logging
import sys
from binascii import unhexlify
from impacket import version
from impacket.examples import logger
from impacket.examples.utils import parse_credentials
from impacket.krb5.kerberosv5 import getKerberosTGT
from impacket.krb5 import constants
from impacket.krb5.types import Principal
class GETTGT:
def __init__(self, target, password, domain, options):
self.__password = password
self.__user= target
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = options.aesKey
self.__options = options
self.__kdcHost = options.dc_ip
if options.hashes is not None:
self.__lmhash, self.__nthash = options.hashes.split(':')
def saveTicket(self, ticket, sessionKey):'Saving ticket in %s' % (self.__user + '.ccache'))
from impacket.krb5.ccache import CCache
ccache = CCache()
ccache.fromTGT(ticket, sessionKey, sessionKey)
ccache.saveFile(self.__user + '.ccache')
def run(self):
userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,
if __name__ == '__main__':
parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
"TGT and save it as ccache")
parser.add_argument('identity', action='store', help='[domain/]username[:password]')
parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
group = parser.add_argument_group('authentication')
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
'(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
'ones specified in the command line')
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
'(128 or 256 bits)')
group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If '
'ommited it use the domain part (FQDN) specified in the target parameter')
if len(sys.argv)==1:
print("\nExamples: ")
print("\t./ -hashes lm:nt\n")
print("\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked")
options = parser.parse_args()
# Init the example's logger theme
if options.debug is True:
# Print the Library's installation path
domain, username, password = parse_credentials(options.identity)
if domain is None:
logging.critical('Domain should be specified!')
if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
from getpass import getpass
password = getpass("Password:")
if options.aesKey is not None:
options.k = True
executer = GETTGT(username, password, domain, options)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback