Skip to content

All Kerberos tickets use chmod 600 by default #2086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
laxa wants to merge 1 commit into
base: master
Choose a base branch
from
Open

All Kerberos tickets use chmod 600 by default #2086

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion examples/GetUserSPNs.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@ def outputTGS(self, ticket, oldSessionKey, sessionKey, username, spn, fd=None):
ccache = CCache()
try:
ccache.fromTGS(ticket, oldSessionKey, sessionKey)
ccache.saveFile('%s.ccache' % username)
ccache.saveFile('%s.ccache' % username, chmod=0o600)
except Exception as e:
logging.error(str(e))

Expand Down
2 changes: 1 addition & 1 deletion examples/getST.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@ def saveTicket(self, ticket, sessionKey):
service = "%s/%s@%s" % (service_class, service_hostname, service_realm)
self.__saveFileName += "@" + service.replace("/", "_")
logging.info('Saving ticket in %s' % (self.__saveFileName + '.ccache'))
ccache.saveFile(self.__saveFileName + '.ccache')
ccache.saveFile(self.__saveFileName + '.ccache', chmod=0o600)

def doS4U2ProxyWithAdditionalTicket(self, tgt, cipher, oldSessionKey, sessionKey, nthash, aesKey, kdcHost, additional_ticket_path):
if not os.path.isfile(additional_ticket_path):
Expand Down
2 changes: 1 addition & 1 deletion examples/getTGT.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ def saveTicket(self, ticket, sessionKey):
ccache = CCache()

ccache.fromTGT(ticket, sessionKey, sessionKey)
ccache.saveFile(self.__user + '.ccache')
ccache.saveFile(self.__user + '.ccache', chmod=0o600)

def run(self):
userName = Principal(self.__user, type=options.principalType.value)
Expand Down
2 changes: 1 addition & 1 deletion examples/goldenPac.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1009,7 +1009,7 @@ def exploit(self):
from impacket.krb5.ccache import CCache
ccache = CCache()
ccache.fromTGS(tgs, oldSessionKey, sessionKey)
ccache.saveFile(self.__writeTGT)
ccache.saveFile(self.__writeTGT, chmod=0o600)
break
if exception is None:
# Success!
Expand Down
2 changes: 1 addition & 1 deletion examples/raiseChild.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1233,7 +1233,7 @@ def exploit(self):
from impacket.krb5.ccache import CCache
ccache = CCache()
ccache.fromTGT(parentTGT['KDC_REP'], parentTGT['oldSessionKey'], parentTGT['sessionKey'])
ccache.saveFile(self.__writeTGT)
ccache.saveFile(self.__writeTGT, chmod=0o600)

# 8) If target was specified, a PSEXEC shell is launched
if self.__target is not None:
Expand Down
2 changes: 1 addition & 1 deletion examples/ticketConverter.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ def is_ccache_file(filename):

def convert_kirbi_to_ccache(input_filename, output_filename):
ccache = CCache.loadKirbiFile(input_filename)
ccache.saveFile(output_filename)
ccache.saveFile(output_filename, chmod=0o600)


def convert_ccache_to_kirbi(input_filename, output_filename):
Expand Down
2 changes: 1 addition & 1 deletion examples/ticketer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1092,7 +1092,7 @@ def saveTicket(self, ticket, sessionKey):
ccache.fromTGT(ticket, sessionKey, sessionKey)
else:
ccache.fromTGS(ticket, sessionKey, sessionKey)
ccache.saveFile(self.__target.replace('/','.') + '.ccache')
ccache.saveFile(self.__target.replace('/','.') + '.ccache', chmod=0o600)

def run(self):
ticket, adIfRelevant = self.createBasicTicket()
Expand Down
4 changes: 3 additions & 1 deletion impacket/krb5/ccache.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -590,10 +590,12 @@ def loadFile(cls, fileName):
except FileNotFoundError as e:
raise e

def saveFile(self, fileName):
def saveFile(self, fileName, chmod=None):
f = open(fileName, 'wb+')
f.write(self.getData())
f.close()
if chmod is not None:
os.chmod(fileName, chmod)

@classmethod
def parseFile(cls, domain='', username='', target=''):
Expand Down
8 changes: 6 additions & 2 deletions impacket/krb5/keytab.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,14 @@
from enum import Enum
from six import b

from struct import pack, unpack, calcsize
from struct import unpack
from binascii import hexlify

from impacket.structure import Structure
from impacket import LOG

import os


class Enctype(Enum):
DES_CRC = 1
Expand Down Expand Up @@ -281,10 +283,12 @@ def loadKeysFromKeytab(cls, fileName, username, domain, options):
LOG.warning("No matching key for SPN '%s' in given keytab found!", username)


def saveFile(self, fileName):
def saveFile(self, fileName, chmod=0o600):
f = open(fileName, 'wb+')
f.write(self.getData())
f.close()
if chmod is not None:
os.chmod(fileName, chmod)

def prettyPrint(self):
print("Keytab Entries:")
Expand Down