Documentation
Index
- Constants
- func AlterServiceName(result *STResult, altService string) error
- func ApplyKrb5OpsecDefaults(cfg *config.Config)
- func BuildKeytabFromNTHash(username, realm, nthash string) (*keytab.Keytab, error)
- func DefaultGroups() []uint32
- func EncKeyFromTicketResult(tr *TicketResult) types.EncryptionKey
- func FormatKDC(kdc, defaultPort string) string
- func GetAPReq(spn, username, password, domain, hashes, aesKey, kdcHost string, ...) ([]byte, error)
- func GetASREP(username, domain, kdcHost string, format ...string) (string, error)
- func GetNTHash(password string) []byte
- func LoadAdditionalTicket(path string) (messages.Ticket, error)
- func MakePrincipalName(nameType int32, name string) types.PrincipalName
- func ParseHashes(hashes string) (string, error)
- func SaveMultiCCache(filename string, entries []CacheEntry) error
- func SaveST(filename string, result *STResult) error
- func SaveTGS(filename string, result *TGSResult) error
- func SaveTGT(filename string, result *TGTResult) error
- func SynthesizeKrb5Config(realm, kdc string) string
- func SynthesizeKrb5ConfigWithKpasswd(realm, kdc, kpasswdServer string) string
- func WrapInSPNEGO(krb5Token []byte) ([]byte, error)
- type CacheEntry
- type Client
- func (c *Client) GenerateAPReq(spn string) ([]byte, []byte, error)
- func (c *Client) GenerateAPReqFull(spn string) ([]byte, types.EncryptionKey, error)
- func (c *Client) GenerateAPReqWithBinding(spn string, channelBinding []byte) ([]byte, types.EncryptionKey, error)
- func (c *Client) GenerateDCERPCToken(spn string) ([]byte, types.EncryptionKey, error)
- type ExtraSID
- type FileTime
- type GroupMembership
- type KerbKeyListEntry
- type KeyListResult
- type KeyListSecrets
- type PAC
- type PACRequest
- type SID
- type STRequest
- type STResult
- type TGSOptions
- type TGSResult
- type TGTRequest
- type TGTResult
- type TicketConfig
- type TicketResult
- type TransportKDCDialer
Constants
const (
PACTypeLogonInfo = 1
PACTypeCredentialInfo = 2
PACTypeServerChecksum = 6
PACTypeKDCChecksum = 7
PACTypeClientInfo = 10
PACTypeDelegationInfo = 11
PACTypeUPNDNSInfo = 12
PACTypeAttributesInfo = 17
PACTypeRequestorSID = 18
)
PAC Buffer Types (MS-PAC 2.4)
const (
ChecksumHMACMD5 = 0xFFFFFF76 // -138 as uint32
ChecksumSHA196AES128 = 15
ChecksumSHA196AES256 = 16
)
Checksum Types
const (
UACNormalAccount = 0x00000010
UACDontExpirePassword = 0x00000200
)
User Account Control Flags
const (
SEGroupMandatory = 0x00000001
SEGroupEnabledByDefault = 0x00000002
SEGroupEnabled = 0x00000004
)
Group Attributes
const (
LogonExtraSIDs = 0x0020
)
User Flags
const PA_KERB_KEY_LIST_REP = 162
PA-DATA type for KERB-KEY-LIST-REP (MS-KILE 2.2.12)
const PA_KERB_KEY_LIST_REQ = 161
PA-DATA type for KERB-KEY-LIST-REQ (MS-KILE 2.2.11)
Variables
This section is empty.
Functions
func AlterServiceName
func AlterServiceName(result *STResult, altService string) error
AlterServiceName rewrites the SPN in a ticket (for -altservice).
func ApplyKrb5OpsecDefaults
func ApplyKrb5OpsecDefaults(cfg *config.Config)
ApplyKrb5OpsecDefaults stamps the proxy-/DNS-safety invariants onto a programmatically built *config.Config. Call it after config.New() and before constructing a gokrb5 client. Safe to call repeatedly.
func BuildKeytabFromNTHash
func BuildKeytabFromNTHash(username, realm, nthash string) (*keytab.Keytab, error)
BuildKeytabFromNTHash creates a keytab from an NTLM hash for pass-the-hash attacks. The NTLM hash is used directly as the RC4-HMAC key (etype 23).
func DefaultGroups
func DefaultGroups() []uint32
DefaultGroups returns the default high-privilege group RIDs.
func EncKeyFromTicketResult
func EncKeyFromTicketResult(tr *TicketResult) types.EncryptionKey
EncKeyFromTicketResult builds a types.EncryptionKey from a TicketResult's session key.
func FormatKDC
func FormatKDC(kdc, defaultPort string) string
FormatKDC normalizes a "host" or "host:port" string into a canonical "host:port" using net.JoinHostPort, which correctly brackets IPv6 literals. This is required so that callers passing "[::1]:88", bare "::1", "10.0.0.1:8888", or "dc.example.com" all produce valid krb5.conf entries; the naïve fmt.Sprintf("%s:88", kdc) form mangles every IPv6 case.
A user-supplied port is preserved: "10.0.0.1:8888" stays on 8888. The defaultPort applies only when the input has no port (bare host) or uses the malformed trailing-colon form ("host:"). This matches operator expectations for lab/tunnel routing, where the KDC may not listen on the canonical 88/464.
func GetAPReq
func GetAPReq(spn, username, password, domain, hashes, aesKey, kdcHost string, channelBinding []byte) ([]byte, error)
GetAPReq is a helper function to get a Kerberos AP-REQ token for a given SPN. This is used by services like MSSQL that need Kerberos authentication. Parameters:
- spn: Service Principal Name (e.g., "MSSQLSvc/server.domain.local:1433")
- username: Kerberos principal name
- password: User password (can be empty if using hashes/aesKey/ccache)
- domain: Kerberos realm
- hashes: NTLM hashes in format "LMHASH:NTHASH" (optional)
- aesKey: AES key for Kerberos (optional)
- kdcHost: KDC hostname/IP (optional, uses domain if empty)
- channelBinding: Channel binding token (optional, for TLS channel binding)
Returns the SPNEGO-wrapped AP-REQ token suitable for use in authentication.
func GetASREP
func GetASREP(username, domain, kdcHost string, format ...string) (string, error)
GetASREP fetches the AS-REP for a user and returns the hash. The format parameter controls the output: "hashcat" (default) or "john".
Hashcat: $krb5asrep$23$user@REALM:checksum$data
John: $krb5asrep$user@REALM:checksum$data
func LoadAdditionalTicket
func LoadAdditionalTicket(path string) (messages.Ticket, error)
LoadAdditionalTicket loads a service ticket from a ccache file for S4U2Proxy with RBCD.
func MakePrincipalName
func MakePrincipalName(nameType int32, name string) types.PrincipalName
MakePrincipalName creates a types.PrincipalName (exposed for external use).
func ParseHashes
func ParseHashes(hashes string) (string, error)
ParseHashes parses the LMHASH:NTHASH format and returns the NT hash.
func SaveMultiCCache
func SaveMultiCCache(filename string, entries []CacheEntry) error
SaveMultiCCache saves multiple credential entries to a single ccache file. The default principal is taken from the first entry.
func SynthesizeKrb5Config
func SynthesizeKrb5Config(realm, kdc string) string
SynthesizeKrb5Config builds the in-memory krb5.conf text for callers that need only the KDC. For kpasswd callers, use SynthesizeKrb5ConfigWithKpasswd. kdc may be a bare host, host:port, or bracketed IPv6; FormatKDC normalizes it.
func SynthesizeKrb5ConfigWithKpasswd
func SynthesizeKrb5ConfigWithKpasswd(realm, kdc, kpasswdServer string) string
SynthesizeKrb5ConfigWithKpasswd is SynthesizeKrb5Config plus a kpasswd_server per-realm line. Both kdc and kpasswdServer accept the same input forms.
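As an added example (not the project's own code), the stand-alone Go program below implements the FormatKDC behaviour described above and feeds it into a minimal krb5.conf renderer. The krb5.conf section layout and the single function taking both kdc and kpasswdServer are this example's own assumptions; the point it demonstrates is that net.JoinHostPort, unlike fmt.Sprintf("%s:88"), yields valid kdc and kpasswd_server lines for every IPv6 input form the doc comment lists.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// FormatKDC normalizes a KDC address into canonical "host:port".
// Accepted inputs: "dc.example.com", "10.0.0.1:8888", "::1", "[::1]:88",
// "[::1]" and the malformed trailing-colon form "host:". A port supplied by
// the caller is preserved; defaultPort fills in only when none is present.
// net.JoinHostPort brackets IPv6 literals, which fmt.Sprintf("%s:88") would not.
func FormatKDC(kdc, defaultPort string) string {
	kdc = strings.TrimSpace(kdc)
	// A bare IP literal (v4 or v6) carries no port: apply the default.
	if net.ParseIP(kdc) != nil {
		return net.JoinHostPort(kdc, defaultPort)
	}
	host, port, err := net.SplitHostPort(kdc)
	if err != nil {
		// No port at all ("dc.example.com") or a bracketed v6 literal without
		// a port ("[::1]"); strip any brackets so JoinHostPort can re-add them.
		return net.JoinHostPort(strings.Trim(kdc, "[]"), defaultPort)
	}
	if port == "" {
		// Trailing-colon form ("host:" or "[::1]:"): SplitHostPort accepts it
		// and returns an empty port, so fall back to the default.
		port = defaultPort
	}
	return net.JoinHostPort(host, port)
}

// SynthesizeKrb5Config renders an in-memory krb5.conf for a single realm.
// The section layout is an assumption for this example, not the project's
// actual template. kpasswdServer may be empty, in which case no
// kpasswd_server line is emitted.
func SynthesizeKrb5Config(realm, kdc, kpasswdServer string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[libdefaults]\n  default_realm = %s\n  dns_lookup_kdc = false\n\n", realm)
	fmt.Fprintf(&b, "[realms]\n  %s = {\n    kdc = %s\n", realm, FormatKDC(kdc, "88"))
	if kpasswdServer != "" {
		fmt.Fprintf(&b, "    kpasswd_server = %s\n", FormatKDC(kpasswdServer, "464"))
	}
	b.WriteString("  }\n")
	return b.String()
}

func main() {
	inputs := []string{"dc.example.com", "10.0.0.1:8888", "::1", "[::1]:88", "[::1]", "host:"}
	for _, in := range inputs {
		fmt.Printf("%-16q -> %s\n", in, FormatKDC(in, "88"))
	}
	fmt.Print(SynthesizeKrb5Config("EXAMPLE.LOCAL", "::1", "[::1]"))
}
```

The dns_lookup_kdc = false line mirrors the DNS-safety intent of ApplyKrb5OpsecDefaults: with an explicit kdc entry, the library has no reason to resolve SRV records for the realm.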
func WrapInSPNEGO
func WrapInSPNEGO(krb5Token []byte) ([]byte, error)
WrapInSPNEGO wraps a raw GSSAPI KRB5 token in SPNEGO NegTokenInit format. This is required for DCE/RPC auth type 9 (GSS_NEGOTIATE) and HTTP Negotiate auth.
Types
type CacheEntry
type CacheEntry struct {
TicketBytes []byte
SessionKey types.EncryptionKey
CName types.PrincipalName
CRealm string
SName types.PrincipalName
SRealm string
AuthTime time.Time
EndTime time.Time
RenewTill time.Time
Flags uint32
}
CacheEntry holds data for a single credential entry in a ccache file.
type Client
func NewClientFromSession
func (*Client) GenerateAPReq
func (c *Client) GenerateAPReq(spn string) ([]byte, []byte, error)
GenerateAPReq returns the raw bytes of an AP-REQ for the given SPN. Returns: (apReqBytes, sessionKeyBytes, encryptionType, error)
func (*Client) GenerateAPReqFull
func (c *Client) GenerateAPReqFull(spn string) ([]byte, types.EncryptionKey, error)
GenerateAPReqFull returns the raw bytes of an AP-REQ and the full encryption key. This creates a simple AP-REQ that will be wrapped in SPNEGO by the SMB2 library.
func (*Client) GenerateAPReqWithBinding
func (c *Client) GenerateAPReqWithBinding(spn string, channelBinding []byte) ([]byte, types.EncryptionKey, error)
GenerateAPReqWithBinding creates an AP-REQ with optional channel binding.
func (*Client) GenerateDCERPCToken
func (c *Client) GenerateDCERPCToken(spn string) ([]byte, types.EncryptionKey, error)
GenerateDCERPCToken returns a manually constructed AP-REQ wrapped in SPNEGO for DCE/RPC binding. Crucially, this sets the Sequence Number to 0 as required by DCE/RPC.
type FileTime
FileTime represents a Windows FILETIME.
func TimeToFileTime
TimeToFileTime converts a time.Time to a Windows FileTime.
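As an added example (not the project's implementation), this Go snippet shows the arithmetic behind TimeToFileTime together with the reverse conversion and the MS-PAC "no limit" sentinel, so PAC timestamps such as PasswordMustChange or KickOffTime can be read back without mistaking the sentinel for a real date. The type, constant and method names are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// FileTime is a Windows FILETIME: the number of 100-nanosecond intervals
// since 1601-01-01 00:00:00 UTC, as used by the PAC timestamp fields.
type FileTime uint64

// ticksPerSecond is the number of 100 ns intervals in one second.
const ticksPerSecond = 10_000_000

// epochOffsetTicks is the distance from 1601-01-01 to the Unix epoch
// (11644473600 s), expressed in 100 ns ticks.
const epochOffsetTicks = 11644473600 * ticksPerSecond

// FileTimeNever is the MS-PAC sentinel meaning "no limit" in fields such as
// KickOffTime and PasswordMustChange.
const FileTimeNever FileTime = 0x7FFFFFFFFFFFFFFF

// TimeToFileTime converts a time.Time to FILETIME. Precision below 100 ns is
// truncated; the input must lie in the range time.UnixNano covers
// (roughly years 1678 to 2262), which every practical PAC timestamp does.
func TimeToFileTime(t time.Time) FileTime {
	return FileTime(t.UnixNano()/100 + epochOffsetTicks)
}

// Time converts a FILETIME back to a UTC time.Time. The zero value and the
// "no limit" sentinel are returned as the zero time so that a caller
// checking t.IsZero() does not treat them as real timestamps.
func (ft FileTime) Time() time.Time {
	if ft == 0 || ft == FileTimeNever {
		return time.Time{}
	}
	ticks := int64(ft) - epochOffsetTicks // negative for dates before 1970
	// time.Unix normalizes a negative nanosecond component, so the split
	// below is safe on both sides of the Unix epoch.
	return time.Unix(ticks/ticksPerSecond, (ticks%ticksPerSecond)*100).UTC()
}

func main() {
	when := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ft := TimeToFileTime(when)
	fmt.Printf("%v -> 0x%016X -> %v\n", when, uint64(ft), ft.Time())
	fmt.Println("sentinel reads back as zero time:", FileTimeNever.Time().IsZero())
}
```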
type GroupMembership
GroupMembership represents a group RID and its attributes.
type KerbKeyListEntry
type KerbKeyListEntry struct {
KeyType int32 `asn1:"explicit,tag:0"`
KeyValue []byte `asn1:"explicit,tag:1"`
}
KerbKeyListEntry represents a single entry in KERB-KEY-LIST-REP.
type KeyListResult
type KeyListSecrets
type KeyListSecrets struct {
Domain string
KDCHost string
RODCKeyVersionNo int // RODC krbtgt account number (e.g., 20000)
RODCKey []byte // AES256 key of the RODC krbtgt account
}
KeyListSecrets provides functionality for the KERB-KEY-LIST-REQ attack to dump secrets from an RODC (Read-Only Domain Controller).
func NewKeyListSecrets
func NewKeyListSecrets(domain, kdcHost string, rodcNo int, rodcKeyHex string) (*KeyListSecrets, error)
NewKeyListSecrets creates a new KeyListSecrets instance.
func (*KeyListSecrets) DumpUsers
func (k *KeyListSecrets) DumpUsers(users []string) []KeyListResult
func (*KeyListSecrets) GetUserKey
func (k *KeyListSecrets) GetUserKey(username string) (string, error)
GetUserKey uses the KERB-KEY-LIST-REQ attack to retrieve the NT hash.
type PAC
type PAC struct {
// User information
Username string
Domain string
DomainSID *SID
UserID uint32
PrimaryGroupID uint32
Groups []uint32
GroupAttributes []uint32
ExtraSIDs []*SID
ExtraSIDAttrs []uint32
FullName string
LogonScript string
ProfilePath string
HomeDirectory string
HomeDirectoryDrive string
LogonServer string
LogonCount uint16
BadPasswordCount uint16
UserAccountControl uint32
UserFlags uint32
UserSessionKey [16]byte
SubAuthStatus uint32
Reserved3 uint32
FailedILogonCount uint32
// Timestamps
LogonTime time.Time
LogoffTime time.Time
KickOffTime time.Time
PasswordLastSet time.Time
PasswordCanChange time.Time
PasswordMustChange time.Time
LastSuccessfulILogon time.Time
LastFailedILogon time.Time
// UPN_DNS_INFO (type 12)
UPN string
DNSDomainName string
SamAccountName string
UPNFlags uint32
// PAC_ATTRIBUTES_INFO (type 17)
AttributesFlags uint32
// UPN SID (from UPN_DNS_INFO extended format)
UPNSid *SID
// PAC_REQUESTOR (type 18)
RequestorSID *SID
// Client Info (type 10) - separate from LogonInfo fields
ClientInfoTime time.Time
ClientInfoName string
// Delegation Info (type 11)
S4U2ProxyTarget string
TransitedServices []string
// Signature data
ServerChecksumType uint32
ServerChecksumData []byte
KDCChecksumType uint32
KDCChecksumData []byte
ServerKey []byte
KDCKey []byte
EncType int32
// Credential Info (Encrypted)
CredentialInfo []byte
// Conditional buffer flags
ExtraPAC bool // include UPN_DNS_INFO (type 12)
OldPAC bool // exclude AttributesInfo (type 17) + RequestorSID (type 18)
}
PAC represents a Privilege Attribute Certificate.
func GetPAC
func GetPAC(req *PACRequest) (*PAC, error)
GetPAC retrieves the PAC for the target user using S4U2Self + User-to-User. This allows retrieving another user's PAC with just normal user credentials.
func NewPAC
func NewPAC(username, domain string, domainSID *SID, userID, primaryGroup uint32, groups []uint32) *PAC
NewPAC creates a new PAC with default values.
func (*PAC) DecryptCredentialInfo
DecryptCredentialInfo decrypts the PAC_CREDENTIAL_INFO buffer using the AS-REP key. Returns the decrypted data (which usually contains an NTLM hash / password).
type PACRequest
type PACRequest struct {
Username string
Password string
Domain string
NTHash string
AESKey string
DCIP string
TargetUser string // User whose PAC we want to retrieve
}
PACRequest holds configuration for a PAC retrieval request.
type SID
type SID struct {
Revision uint8
SubAuthorityCount uint8
IdentifierAuthority [6]byte
SubAuthority []uint32
}
SID represents a Windows Security Identifier.
func ParseNDRSID
ParseNDRSID parses a SID from NDR format (Count + SID).
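The NDR SID layout that ParseNDRSID consumes, written out as an added stand-alone example rather than the project's code: a little-endian uint32 array count followed by the SID itself (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities). The parser rejects truncated buffers and count mismatches instead of reading past them, and the small lookup of well-known privileged group RIDs (the ones DefaultGroups and TicketConfig refer to) is the check a reviewer would run over the Groups list of a decoded PAC. The sample bytes are constructed, and the signature used here (which also returns the number of bytes consumed) is an assumption.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// SID mirrors the Windows SID layout: revision, sub-authority count, a 48-bit
// big-endian identifier authority, and up to 15 little-endian sub-authorities.
type SID struct {
	Revision            uint8
	SubAuthorityCount   uint8
	IdentifierAuthority [6]byte
	SubAuthority        []uint32
}

// ParseNDRSID parses a SID in NDR form (uint32 count + SID bytes). It returns
// the SID and the number of bytes consumed so a caller walking a larger PAC
// buffer can continue after it. Malformed input is an error, never a guess.
func ParseNDRSID(b []byte) (*SID, int, error) {
	const header = 4 + 1 + 1 + 6 // count, revision, sub-authority count, authority
	if len(b) < header {
		return nil, 0, errors.New("ndr sid: buffer shorter than header")
	}
	count := binary.LittleEndian.Uint32(b[0:4])
	s := &SID{Revision: b[4], SubAuthorityCount: b[5]}
	copy(s.IdentifierAuthority[:], b[6:12])
	switch {
	case s.Revision != 1:
		return nil, 0, fmt.Errorf("ndr sid: unsupported revision %d", s.Revision)
	case s.SubAuthorityCount > 15:
		return nil, 0, fmt.Errorf("ndr sid: sub-authority count %d exceeds 15", s.SubAuthorityCount)
	case uint32(s.SubAuthorityCount) != count:
		// The NDR array count and the SID's own count must agree.
		return nil, 0, fmt.Errorf("ndr sid: array count %d != sub-authority count %d", count, s.SubAuthorityCount)
	}
	need := header + 4*int(s.SubAuthorityCount)
	if len(b) < need {
		return nil, 0, fmt.Errorf("ndr sid: need %d bytes, have %d", need, len(b))
	}
	for i := 0; i < int(s.SubAuthorityCount); i++ {
		s.SubAuthority = append(s.SubAuthority, binary.LittleEndian.Uint32(b[header+4*i:]))
	}
	return s, need, nil
}

// String renders the familiar S-1-5-21-... form.
func (s *SID) String() string {
	var auth uint64
	for _, x := range s.IdentifierAuthority {
		auth = auth<<8 | uint64(x)
	}
	var b strings.Builder
	fmt.Fprintf(&b, "S-%d-%d", s.Revision, auth)
	for _, sa := range s.SubAuthority {
		fmt.Fprintf(&b, "-%d", sa)
	}
	return b.String()
}

// PrivilegedGroupName reports whether rid is a well-known high-privilege
// domain group RID; useful when auditing the group list carried in a PAC.
func PrivilegedGroupName(rid uint32) (string, bool) {
	name, ok := map[uint32]string{
		512: "Domain Admins",
		518: "Schema Admins",
		519: "Enterprise Admins",
		520: "Group Policy Creator Owners",
	}[rid]
	return name, ok
}

// sampleNDRSID is a constructed NDR encoding of S-1-5-21-1-2-3-512.
var sampleNDRSID = []byte{
	0x05, 0x00, 0x00, 0x00, // NDR array count = 5
	0x01, 0x05, // revision 1, 5 sub-authorities
	0x00, 0x00, 0x00, 0x00, 0x00, 0x05, // identifier authority 5 (NT)
	0x15, 0x00, 0x00, 0x00, // 21
	0x01, 0x00, 0x00, 0x00, // 1
	0x02, 0x00, 0x00, 0x00, // 2
	0x03, 0x00, 0x00, 0x00, // 3
	0x00, 0x02, 0x00, 0x00, // 512
}

func main() {
	s, n, err := ParseNDRSID(sampleNDRSID)
	if err != nil {
		panic(err)
	}
	rid := s.SubAuthority[len(s.SubAuthority)-1]
	name, priv := PrivilegedGroupName(rid)
	fmt.Printf("%s (%d bytes) rid=%d privileged=%v %s\n", s, n, rid, priv, name)
}
```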
type STRequest
type STRequest struct {
Username string
Password string
Domain string
NTHash string
AESKey string
DCIP string
DCHost string
SPN string // Target service SPN
Impersonate string // User to impersonate (S4U2Self)
AdditionalTicket string // Path to additional ticket ccache (S4U2Proxy with RBCD)
AltService string // Alternative service name to set in ticket
SelfOnly bool // Only do S4U2Self, skip S4U2Proxy (-self)
ForceForwardable bool // Force forwardable flag in S4U2Self ticket
U2U bool // User-to-User
Renew bool // Renew TGT
}
STRequest holds configuration for a service ticket request.
type STResult
type STResult struct {
Ticket []byte
SessionKey types.EncryptionKey
CName types.PrincipalName
SName types.PrincipalName
Realm string
AuthTime time.Time
EndTime time.Time
RenewTill time.Time
Flags uint32
}
STResult holds the result of a service ticket request.
func RequestTGS
func RequestTGS(tgtBytes []byte, sessionKey types.EncryptionKey, spn, username, realm, kdcHost string) (*STResult, error)
RequestTGS requests a service ticket using a pre-existing TGT. This is used for cross-realm referrals (e.g., forged golden ticket -> inter-realm TGT).
type TGSOptions
type TGSOptions struct {
Username string
Password string
NTHash string // NTLM hash for pass-the-hash (just the NT part, 32 hex chars)
Domain string
KDCHost string
TargetUser string
SPN string
}
TGSOptions configures TGS request authentication.
type TGSResult
type TGSResult struct {
Username string
SPN string
Hash string
EType int32
TicketBytes []byte // Raw marshaled ticket (for ccache saving)
SessionKey types.EncryptionKey // Session key (for ccache saving)
Realm string // Realm (for ccache saving)
}
TGSResult holds the result of a TGS request for Kerberoasting.
func GetTGS
GetTGS requests a service ticket (TGS) for the given SPN and returns it in hashcat format. This is used for Kerberoasting attacks.
func GetTGSWithHash
GetTGSWithHash requests a service ticket using pass-the-hash authentication.
func GetTGSWithOptions
func GetTGSWithOptions(opts TGSOptions) (*TGSResult, error)
GetTGSWithOptions requests a service ticket with configurable authentication options.
type TGTRequest
type TGTRequest struct {
Username string
Password string
Domain string
NTHash string
AESKey string
DCIP string
DCHost string
Service string // SPN for requesting service ticket via AS-REQ (optional)
PrincipalType int32 // Principal name type (default: KRB_NT_PRINCIPAL)
}
TGTRequest holds configuration for a TGT request.
type TGTResult
type TGTResult struct {
Ticket []byte // Marshaled ticket bytes
SessionKey types.EncryptionKey
CName types.PrincipalName
SName types.PrincipalName
Realm string
AuthTime time.Time
EndTime time.Time
RenewTill time.Time
Flags uint32
}
TGTResult holds the result of a successful TGT request.
func GetTGT
func GetTGT(req *TGTRequest) (*TGTResult, error)
GetTGT requests a TGT from the KDC and returns the result.
type TicketConfig
type TicketConfig struct {
// Required
Username string
Domain string
DomainSID string
// Key (one required)
NTHash string // 32 hex chars
AESKey string // 32 or 64 hex chars
Keytab string // keytab file path (silver ticket only)
// Optional - for silver tickets
SPN string // Service Principal Name (e.g., cifs/dc.domain.local)
// PAC options
UserID uint32 // Default: 500 (Administrator)
PrimaryGroupID uint32 // Default: 513 (Domain Users)
Groups []uint32 // Default: 513, 512, 520, 518, 519
ExtraSIDs []string // Additional SIDs to include
ExtraPAC bool // include UPN_DNS_INFO in PAC
OldPAC bool // exclude PAC_ATTRIBUTES + PAC_REQUESTOR
// Ticket options
Duration int // Hours, default: 87600 (10 years)
KVNO int // Key version number, default: 2
}
TicketConfig holds configuration for ticket creation.
type TicketResult
TicketResult contains the generated ticket.
func CreateTicket
func CreateTicket(cfg *TicketConfig) (*TicketResult, error)
CreateTicket creates a golden or silver ticket.
type TransportKDCDialer
type TransportKDCDialer struct{}
TransportKDCDialer routes every KDC connection (AS, TGS, kpasswd) through pkg/transport, so a configured -proxy / ALL_PROXY tunnels Kerberos traffic in lockstep with the rest of the tool. Without this, gokrb5's default path uses raw net.Dial and leaks the operator's real source IP to the KDC.
Every gokrb5 client constructor in our fork (NewWithPassword, NewWithKeytab, NewFromCCache) requires a KDCDialer; passing this type is how the rest of the codebase satisfies that contract while keeping the proxy guarantee.