Skip to content
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

executable file 120 lines (100 sloc) 4.71 KB
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
# Author:
# Alberto Solino (@agsolino)
# Description:
# Given a password, hash or aesKey, it will request a TGT and save it as ccache
# Examples:
# ./ -hashes lm:nt
from __future__ import division
from __future__ import print_function
import argparse
import logging
import sys
from binascii import unhexlify
from impacket import version
from impacket.examples import logger
from impacket.krb5.kerberosv5 import getKerberosTGT
from impacket.krb5 import constants
from impacket.krb5.types import Principal
class GETTGT:
def __init__(self, target, password, domain, options):
self.__password = password
self.__user= target
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = options.aesKey
self.__options = options
self.__kdcHost = options.dc_ip
if options.hashes is not None:
self.__lmhash, self.__nthash = options.hashes.split(':')
def saveTicket(self, ticket, sessionKey):'Saving ticket in %s' % (self.__user + '.ccache'))
from impacket.krb5.ccache import CCache
ccache = CCache()
ccache.fromTGT(ticket, sessionKey, sessionKey)
ccache.saveFile(self.__user + '.ccache')
def run(self):
userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
unhexlify(self.__lmhash), unhexlify(self.__nthash), self.__aesKey,
if __name__ == '__main__':
# Init the example's logger theme
parser = argparse.ArgumentParser(add_help=True, description="Given a password, hash or aesKey, it will request a "
"TGT and save it as ccache")
parser.add_argument('identity', action='store', help='[domain/]username[:password]')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
group = parser.add_argument_group('authentication')
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
'(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
'ones specified in the command line')
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
'(128 or 256 bits)')
group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If '
'ommited it use the domain part (FQDN) specified in the target parameter')
if len(sys.argv)==1:
print("\nExamples: ")
print("\t./ -hashes lm:nt\n")
print("\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked")
options = parser.parse_args()
if options.debug is True:
import re
domain, username, password = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::([^@]*))?)?').match(options.identity).groups(
if domain is None:
logging.critical('Domain should be specified!')
if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
from getpass import getpass
password = getpass("Password:")
if options.aesKey is not None:
options.k = True
executer = GETTGT(username, password, domain, options)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
You can’t perform that action at this time.