byt3n33dl3/ExchangeBeros
GitHub: byt3n33dl3/ExchangeBeros
A Kerberoasting attack tool with ACL-abuse support that can carry out targeted attacks against accounts without an SPN and export crackable hashes.
Stars: 13 | Forks: 1
# ExchangeBeros
ExchangeBeros is a Python script that, like many other tools (e.g. [SPNExec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py)), can print the "kerberoast" hash of user accounts that have an SPN set.

This tool brings the following additional feature: for every user without an SPN, it tries to set one (abusing write permissions on the `SPN` attribute), prints the "kerberoast" hash, and then removes the temporary SPN that was set for the operation. This is known as Targeted Kerberoasting.

The tool can be run against all users of the domain, against the users supplied in a list, or against a single user supplied on the CLI.

More information on this attack:
- [The Hacker Recipes - Kerberoast](https://www.thehacker.recipes/ad/movement/kerberos/kerberoast)
- [The Hacker Recipes - Targeted Kerberoasting](https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting)
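From the defender's side, the technique described above leaves a distinctive trace: an SPN is written to a user object, a service ticket for that account is requested, and the SPN is removed again a few seconds later. The following Python sketch is an added example and is not part of the ExchangeBeros project; it runs that correlation over a constructed, simplified pipe-separated rendering of two Windows Security events, 5136 (directory object modified, restricted here to the `servicePrincipalName` attribute) and 4769 (Kerberos service ticket requested). The log format, field names, account names and timestamps are all assumptions made for the example.

```python
# Added example (not part of ExchangeBeros): a defender-side detector for the
# transient-SPN pattern of targeted Kerberoasting. The input format is a
# constructed, simplified pipe-separated rendering of two Windows Security
# events: 5136 (directory object modified, here limited to the
# servicePrincipalName attribute) and 4769 (Kerberos service ticket requested).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int   # 5136 (SPN attribute changed) or 4769 (TGS requested)
    target: str     # account whose SPN was changed / whose service ticket was requested
    actor: str      # account that made the change or the ticket request
    detail: str     # 5136: "added" or "deleted"; 4769: ticket encryption type, e.g. "0x17"


@dataclass(frozen=True)
class Finding:
    target: str
    actor: str
    window_seconds: float
    rc4_ticket: bool    # True if a ticket in the window used RC4 (0x17), the easily crackable case


def parse_line(line: str) -> Event:
    """Parse one constructed log line: ts|event_id|target|actor|detail."""
    ts, eid, target, actor, detail = (p.strip() for p in line.split("|"))
    return Event(datetime.fromisoformat(ts), int(eid), target, actor, detail)


def detect_targeted_kerberoast(events: Iterable[Event],
                               max_window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Flag accounts whose SPN was added and removed again within max_window,
    with at least one service-ticket request for that account in between.

    A legitimate SPN that stays set never produces a finding, and a short-lived
    SPN with no ticket request in between is ignored as well (no hash was obtained).
    """
    ordered = sorted(events, key=lambda e: e.time)
    pending: Dict[str, Event] = {}          # target -> most recent SPN "added" event
    findings: List[Finding] = []
    for ev in ordered:
        if ev.event_id != 5136:
            continue
        if ev.detail == "added":
            pending[ev.target] = ev
        elif ev.detail == "deleted":
            added = pending.pop(ev.target, None)
            if added is None or ev.time - added.time > max_window:
                continue
            tickets = [t for t in ordered
                       if t.event_id == 4769 and t.target == ev.target
                       and added.time <= t.time <= ev.time]
            if tickets:
                findings.append(Finding(
                    target=ev.target,
                    actor=added.actor,
                    window_seconds=(ev.time - added.time).total_seconds(),
                    rc4_ticket=any(t.detail.lower() == "0x17" for t in tickets),
                ))
    return findings


# Constructed sample: one targeted-Kerberoast sequence against "jdoe", a
# permanent legitimate SPN on "svc_sql", and a helpdesk add/remove on
# "tmp_user" with no ticket request in between.
SAMPLE_LOG = """\
2024-05-01T10:00:00|5136|jdoe|suspect01|added
2024-05-01T10:00:02|4769|jdoe|suspect01|0x17
2024-05-01T10:00:03|5136|jdoe|suspect01|deleted
2024-05-01T09:00:00|5136|svc_sql|admin01|added
2024-05-01T11:30:00|4769|svc_sql|wkst_user|0x12
2024-05-01T10:05:00|5136|tmp_user|helpdesk|added
2024-05-01T10:06:00|5136|tmp_user|helpdesk|deleted
"""


def run_sample() -> List[Finding]:
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_targeted_kerberoast(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.target}: SPN set by {f.actor} for {f.window_seconds:.0f}s, "
              f"RC4 ticket issued: {f.rc4_ticket}")
```

The actor of the 5136 "added" event is the account holding the write permission on the SPN attribute, which is what the ACL review should focus on; the RC4 flag on the 4769 event is the reason the resulting hash is cheap to crack, so enforcing AES-only service accounts and removing unnecessary write access to `servicePrincipalName` are the matching mitigations.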
## Usage

The tool supports the following authentication methods:

- (NTLM) cleartext password
- (NTLM) [Pass-the-hash](https://www.thehacker.recipes/active-directory-domain-services/movement/lm-and-ntlm/pass-the-hash)
- (Kerberos) cleartext password
- (Kerberos) [Pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) / [Overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth)
- (Kerberos) [Pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) (a form of [Pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt))

Among other features, ExchangeBeros supports multiple verbosity levels; just append `-v`, `-vv` ... to the command :)
```
usage: exchangeberos.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER]
                        [-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key]

Queries target domain for SPNs that are running under a user account and operate targeted Kerberoasting

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbosity level (-v for verbose, -vv for debug)
  -q, --quiet           show no information at all
  -D TARGET_DOMAIN, --target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.
  -U USERS_FILE, --users-file USERS_FILE
                        File with user per line to test
  --request-user username
                        Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        Output filename to write ciphers in JtR/hashcat format
  --use-ldaps           Use LDAPS instead of LDAP
  --only-abuse          Ignore accounts that already have an SPN and focus on targeted Kerberoasting
  --no-abuse            Don't attempt targeted Kerberoasting

authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with

secrets:
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  --no-pass             don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
```
# Credits

Credits to the [Impacket](https://github.com/SecureAuthCorp/impacket/) team and all its contributors.

Tags: ACL abuse, Active Directory, Checkov, HTTP, Impacket, Kerberoasting, Kerberos attacks, Modbus, Plaso, Python, SCADA, SPN manipulation, protocol analysis, pass-the-hash, domain penetration, no backdoor, privilege escalation, emulator, digital forensics, Targeted Kerberoasting, pass-the-ticket, cybersecurity, reverse-engineering tools, privacy protection