Added ability to set the RENEW ticket option to renew a TGT #1585

Merged: 4 commits, Aug 26, 2024


shikatano

per discussion in #1529

@ShutdownRepo

Awesome! Didn't test it yet but it's a great addition

@anadrianmanrique self-assigned this Aug 17, 2023
@anadrianmanrique added the medium label Aug 17, 2023
@anadrianmanrique

anadrianmanrique commented Aug 22, 2024

Hello, I've been testing this PR. From what I understand, the use case involves using getST.py to request a TGT, which at the beginning sounds a bit confusing. Despite this, from my test, I can see that the -renew flag keeps the same session key of the old ticket, used also for authentication. That's not the case when the -renew flag is not being passed. Please confirm that this is the expected behavior. Thanks!

python getST.py -spn krbtgt/DOMAIN.COM domain.com/Administrator:password -dc-ip 1.1.1.1
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Getting ST for user
[*] Saving ticket in Administrator.ccache

└─$ python describeTicket.py Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 1c7d8facbd37ae6a45d6724a086612dd
[*] User Name                     : Administrator
[*] User Realm                    : DOMAIN.COM
[*] Service Name                  : krbtgt/DOMAIN.COM
[*] Service Realm                 : DOMAIN.COM
[*] Start Time                    : 22/08/2024 12:25:11 PM
[*] End Time                      : 22/08/2024 22:25:11 PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep

└─$ KRB5CCNAME=Administrator.ccache python getST.py  -k -no-pass -spn krbtgt/DOMAIN.COM domain.com/Administrator -dc-ip 1.1.1.1 -renew

└─$ python describeTicket.py Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 1c7d8facbd37ae6a45d6724a086612dd
[*] User Name                     : Administrator
[*] User Realm                    : DOMAIN.COM
[*] Service Name                  : krbtgt/DOMAIN.COM
[*] Service Realm                 : DOMAIN.COM
[*] Start Time                    : 22/08/2024 12:25:25 PM
[*] End Time                      : 22/08/2024 22:25:25 PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep

KRB5CCNAME=Administrator.ccache python getST.py  -k -no-pass -spn krbtgt/DOMAIN.COM domain.com/Administrator -dc-ip 1.1.1.1
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting ST for user
[*] Saving ticket in Administrator.ccache

 python describeTicket.py Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : f0893ce585c39d386814511f46ea8299
[*] User Name                     : Administrator
[*] User Realm                    : DOMAIN.COM
[*] Service Name                  : krbtgt/DOMAIN.COM
[*] Service Realm                 : DOMAIN.COM
[*] Start Time                    : 22/08/2024 12:27:40 PM
[*] End Time                      : 22/08/2024 22:25:25 PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep

@anadrianmanrique added the enhancement and waiting for response labels Aug 22, 2024
@shikatano

Correct, the use case is to renew a TGT. I wanted to be able to renew a TGT using Impacket from Linux and noticed the functionality didn't exist. Initially, I submitted a PR for an example script to do this but was advised to make the functionality exist in getST instead of adding a new example script (#1529). Comparing to the renew functionality using Rubeus renew, the session key seems to stay the same.
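
The comparison made in the two comments above, as an added example that is not part of the PR thread or of Impacket's code. It parses describeTicket.py-style lines rebuilt from the values shown in the thread, decodes the flags word, and reports what differs between two tickets; the function names and the `TEMPLATE` layout are assumptions of this example.

```python
import re
from datetime import datetime

# Ticket flag bits, numbered from the most significant bit (RFC 4120 5.3;
# enc-pa-rep is bit 15 from RFC 6806).
FLAG_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
             5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
             9: "initial", 10: "pre_authent", 11: "hw_authent",
             12: "transited_policy_checked", 13: "ok_as_delegate",
             15: "enc_pa_rep"}

def decode_flags(value):
    """Names of the flags set in a 32-bit ticket flags word."""
    return [n for b, n in sorted(FLAG_BITS.items()) if value & (1 << (31 - b))]

def parse_ticket(text):
    """Parse '[*] Field : value' lines as printed in the comment above."""
    t = dict(re.findall(r"^\[\*\] (.+?) *:[ \t]+(.+)$", text, re.M))
    # The output pairs a 24-hour clock with an AM/PM suffix; drop the suffix.
    for f in ("Start Time", "End Time", "RenewTill"):
        t[f] = datetime.strptime(t[f].rsplit(" ", 1)[0], "%d/%m/%Y %H:%M:%S")
    t["Flags"] = decode_flags(int(t["Flags"].split(")")[0].lstrip("("), 16))
    return t

def compare(old, new):
    """Report what changed between two tickets for the same service."""
    return {"same_session_key": old["Ticket Session Key"] == new["Ticket Session Key"],
            "end_time_extended": new["End Time"] > old["End Time"],
            "same_renew_till": new["RenewTill"] == old["RenewTill"]}

# Sample input rebuilt from the values shown in the comment above.
TEMPLATE = """[*] Ticket Session Key            : {key}
[*] Start Time                    : 22/08/2024 {start} PM
[*] End Time                      : 22/08/2024 {end} PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep
"""
K1, K2 = "1c7d8facbd37ae6a45d6724a086612dd", "f0893ce585c39d386814511f46ea8299"
INITIAL = parse_ticket(TEMPLATE.format(key=K1, start="12:25:11", end="22:25:11"))
RENEWED = parse_ticket(TEMPLATE.format(key=K1, start="12:25:25", end="22:25:25"))
NO_RENEW = parse_ticket(TEMPLATE.format(key=K2, start="12:27:40", end="22:25:25"))

if __name__ == "__main__":
    print("with -renew:   ", compare(INITIAL, RENEWED))
    print("without -renew:", compare(RENEWED, NO_RENEW))
```

With the thread's values, the -renew request keeps the session key and RenewTill while moving End Time forward; the request without -renew returns a new session key and no later End Time.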

@darkoperator
darkoperator commented Aug 25, 2024 via email

@anadrianmanrique merged commit 2b2977a into fortra:master Aug 26, 2024
@anadrianmanrique

Merged. Thanks for the PR
