
Added ability to set the RENEW ticket option to renew a TGT

Open shikatano opened this issue 2 years ago • 1 comments

per discussion in #1529

shikatano avatar Jul 22 '23 15:07 shikatano

Awesome! Didn't test it yet but it's a great addition

ShutdownRepo avatar Jul 22 '23 20:07 ShutdownRepo

Hello, I've been testing this PR. From what I understand, the use case involves using getST.py to request a TGT, which at the beginning sounds a bit confusing. Despite this, from my test, I can see that the -renew flag keeps the same session key of the old ticket, used also for authentication. That's not the case when the -renew flag is not being passed. Please confirm that this is the expected behavior. Thanks!

python getST.py -spn krbtgt/DOMAIN.COM domain.com/Administrator:password -dc-ip 1.1.1.1
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Getting ST for user
[*] Saving ticket in Administrator.ccache

└─$ python describeTicket.py Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 1c7d8facbd37ae6a45d6724a086612dd
[*] User Name                     : Administrator
[*] User Realm                    : DOMAIN.COM
[*] Service Name                  : krbtgt/DOMAIN.COM
[*] Service Realm                 : DOMAIN.COM
[*] Start Time                    : 22/08/2024 12:25:11 PM
[*] End Time                      : 22/08/2024 22:25:11 PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep

└─$ KRB5CCNAME=Administrator.ccache python getST.py  -k -no-pass -spn krbtgt/DOMAIN.COM domain.com/Administrator -dc-ip 1.1.1.1 -renew

└─$ python describeTicket.py Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 1c7d8facbd37ae6a45d6724a086612dd
[*] User Name                     : Administrator
[*] User Realm                    : DOMAIN.COM
[*] Service Name                  : krbtgt/DOMAIN.COM
[*] Service Realm                 : DOMAIN.COM
[*] Start Time                    : 22/08/2024 12:25:25 PM
[*] End Time                      : 22/08/2024 22:25:25 PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep

KRB5CCNAME=Administrator.ccache python getST.py  -k -no-pass -spn krbtgt/DOMAIN.COM domain.com/Administrator -dc-ip 1.1.1.1
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting ST for user
[*] Saving ticket in Administrator.ccache

 python describeTicket.py Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : f0893ce585c39d386814511f46ea8299
[*] User Name                     : Administrator
[*] User Realm                    : DOMAIN.COM
[*] Service Name                  : krbtgt/DOMAIN.COM
[*] Service Realm                 : DOMAIN.COM
[*] Start Time                    : 22/08/2024 12:27:40 PM
[*] End Time                      : 22/08/2024 22:25:25 PM
[*] RenewTill                     : 23/08/2024 12:26:04 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep






anadrianmanrique avatar Aug 22 '24 15:08 anadrianmanrique
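The comparison made by eye in the comment above can be scripted. This is an added example, not part of the thread or of impacket: it parses describeTicket.py-style text and reports whether the session key, End Time and RenewTill changed between two snapshots. The helper names (`parse_ticket`, `compare`, `snapshot`) are hypothetical, and the sample text is rebuilt from the three outputs shown above with the other fields trimmed.

```python
import re
from datetime import datetime

FIELD = re.compile(r"^\[\*\]\s+(.+?)\s*:\s+(.*)$")
TIME_FIELDS = ("Start Time", "End Time", "RenewTill")

def parse_ticket(text):
    """Turn describeTicket.py-style '[*] Name : value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    for name in TIME_FIELDS:
        # Printed as dd/mm/YYYY HH:MM:SS on a 24-hour clock plus a suffix; keep 19 chars.
        fields[name] = datetime.strptime(fields[name][:19], "%d/%m/%Y %H:%M:%S")
    return fields

def compare(old, new):
    """Report which ticket properties changed between two cache snapshots."""
    result = {
        "same_session_key": old["Ticket Session Key"] == new["Ticket Session Key"],
        "end_time_extended": new["End Time"] > old["End Time"],
        "renew_till_unchanged": new["RenewTill"] == old["RenewTill"],
        "past_renew_till": new["End Time"] > new["RenewTill"],
    }
    # Heuristic taken from the outputs in this thread, not from a specification.
    result["looks_renewed"] = (result["same_session_key"] and result["end_time_extended"]
                               and result["renew_till_unchanged"] and not result["past_renew_till"])
    return result

def snapshot(key, start, end):
    # Sample text rebuilt from the three outputs in the comment above (fields trimmed).
    return (f"[*] Ticket Session Key            : {key}\n"
            f"[*] Start Time                    : 22/08/2024 {start} PM\n"
            f"[*] End Time                      : 22/08/2024 {end} PM\n"
            f"[*] RenewTill                     : 23/08/2024 12:26:04 PM\n")

INITIAL = parse_ticket(snapshot("1c7d8facbd37ae6a45d6724a086612dd", "12:25:11", "22:25:11"))
WITH_RENEW = parse_ticket(snapshot("1c7d8facbd37ae6a45d6724a086612dd", "12:25:25", "22:25:25"))
WITHOUT_RENEW = parse_ticket(snapshot("f0893ce585c39d386814511f46ea8299", "12:27:40", "22:25:25"))

if __name__ == "__main__":
    print("-renew   :", compare(INITIAL, WITH_RENEW))
    print("no -renew:", compare(WITH_RENEW, WITHOUT_RENEW))
```

On the thread's data, the `-renew` run keeps the key and moves End Time forward under an unchanged RenewTill, while the run without `-renew` returns a new key and leaves End Time where it was.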