Kerberos attacks ----> bolt action

tests/CrackKerberos/CrackMapExec.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29009.5
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Certify", "Certify\Certify.csproj", "{64524CA5-E4D0-41B3-ACC3-3BDBEFD40C97}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{64524CA5-E4D0-41B3-ACC3-3BDBEFD40C97}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{64524CA5-E4D0-41B3-ACC3-3BDBEFD40C97}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{64524CA5-E4D0-41B3-ACC3-3BDBEFD40C97}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{64524CA5-E4D0-41B3-ACC3-3BDBEFD40C97}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {07B108A3-1131-4969-9E7A-B7FD5682E61B}
+	EndGlobalSection
+EndGlobal

tests/CrackKerberos/CrackMapExec.yar

@@ -0,0 +1,10 @@
+rule Certify
+{
+    meta:
+        description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project."
+        author = "Will Schroeder (@harmj0y)"
+    strings:
+        $typelibguid = "64524ca5-e4d0-41b3-acc3-3bdbefd40c97" ascii nocase wide
+    condition:
+        uint16(0) == 0x5A4D and $typelibguid
+}

tests/CrackKerberos/CrackMapTicket/ArgumentParser.cs

@@ -0,0 +1,23 @@
+using System.Collections.Generic;
+
+namespace Certify
+{
+    public static class ArgumentParser
+    {
+        public static ArgumentParserResult Parse(IEnumerable<string> args)
+        {
+            var arguments = new Dictionary<string, string>();
+
+            foreach (var argument in args)
+            {
+                var idx = argument.IndexOf(':');
+                if (idx > 0)
+                    arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
+                else
+                    arguments[argument] = string.Empty;
+            }
+
+            return ArgumentParserResult.Success(arguments);
+        }
+    }
+}

tests/CrackKerberos/CrackMapTicket/ArgumentParserResult.cs

@@ -0,0 +1,23 @@
+using System.Collections.Generic;
+
+namespace Certify
+{
+    public class ArgumentParserResult
+    {
+        public bool ParsedOk { get; }
+        public Dictionary<string, string> Arguments { get; }
+
+        private ArgumentParserResult(bool parsedOk, Dictionary<string, string> arguments)
+        {
+            ParsedOk = parsedOk;
+            Arguments = arguments;
+        }
+
+        public static ArgumentParserResult Success(Dictionary<string, string> arguments)
+            => new ArgumentParserResult(true, arguments);
+
+        public static ArgumentParserResult Failure()
+            => new ArgumentParserResult(false, new Dictionary<string, string>());
+
+    }
+}

tests/CrackKerberos/CrackMapTicket/Certify.csproj

@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{64524CA5-E4D0-41B3-ACC3-3BDBEFD40C97}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>Certify</RootNamespace>
+    <AssemblyName>Certify</AssemblyName>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <Deterministic>true</Deterministic>
+    <TargetFrameworkProfile />
+    <NuGetPackageImportStamp>
+    </NuGetPackageImportStamp>
+    <PublishUrl>publish\</PublishUrl>
+    <Install>true</Install>
+    <InstallFrom>Disk</InstallFrom>
+    <UpdateEnabled>false</UpdateEnabled>
+    <UpdateMode>Foreground</UpdateMode>
+    <UpdateInterval>7</UpdateInterval>
+    <UpdateIntervalUnits>Days</UpdateIntervalUnits>
+    <UpdatePeriodically>false</UpdatePeriodically>
+    <UpdateRequired>false</UpdateRequired>
+    <MapFileExtensions>true</MapFileExtensions>
+    <ApplicationRevision>0</ApplicationRevision>
+    <ApplicationVersion>1.0.0.%2a</ApplicationVersion>
+    <IsWebBootstrapper>false</IsWebBootstrapper>
+    <UseApplicationTrust>false</UseApplicationTrust>
+    <BootstrapperEnabled>true</BootstrapperEnabled>
+    <LangVersion>8.0</LangVersion>
+    <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <LangVersion>8.0</LangVersion>
+    <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>none</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>0</WarningLevel>
+    <LangVersion>8.0</LangVersion>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="Interop.CERTCLILib, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <EmbedInteropTypes>True</EmbedInteropTypes>
+      <HintPath>.\Interop.CERTCLILib.dll</HintPath>
+    </Reference>
+    <Reference Include="Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <EmbedInteropTypes>False</EmbedInteropTypes>
+      <HintPath>.\Interop.CERTENROLLLib.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.DirectoryServices" />
+    <Reference Include="System.DirectoryServices.AccountManagement" />
+    <Reference Include="System.Drawing" />
+    <Reference Include="System.Web.Extensions" />
+    <Reference Include="System.Windows.Forms" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Commands\CAs.cs" />
+    <Compile Include="Commands\Download.cs" />
+    <Compile Include="Commands\Find.cs" />
+    <Compile Include="Commands\ICommand.cs" />
+    <Compile Include="Commands\PKIObjects.cs" />
+    <Compile Include="Commands\Request.cs" />
+    <Compile Include="Domain\ADObject.cs" />
+    <Compile Include="ArgumentParser.cs" />
+    <Compile Include="ArgumentParserResult.cs" />
+    <Compile Include="Domain\CertificateAuthorityWebServices.cs" />
+    <Compile Include="Domain\CommonOids.cs" />
+    <Compile Include="Domain\CertificateTemplate.cs" />
+    <Compile Include="Domain\CertificateAuthority.cs" />
+    <Compile Include="CommandCollection.cs" />
+    <Compile Include="Domain\EnrollmentAgentRestriction.cs" />
+    <Compile Include="Domain\EnterpriseCertificateAuthority.cs" />
+    <Compile Include="Domain\PKIObject.cs" />
+    <Compile Include="Info.cs" />
+    <Compile Include="Lib\CertSidExtension.cs" />
+    <Compile Include="Lib\HttpUtil.cs" />
+    <Compile Include="Lib\LdapSearchOptions.cs" />
+    <Compile Include="Version.cs" />
+    <Compile Include="Lib\Cert.cs" />
+    <Compile Include="Lib\DisplayUtil.cs" />
+    <Compile Include="Lib\Elevator.cs" />
+    <Compile Include="Lib\Interop.cs" />
+    <Compile Include="Lib\LdapOperations.cs" />
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="app.config" />
+    <None Include="ILMerge.props" />
+    <None Include="packages.config" />
+  </ItemGroup>
+  <ItemGroup>
+    <BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
+      <Visible>False</Visible>
+      <ProductName>.NET Framework 3.5 SP1</ProductName>
+      <Install>false</Install>
+    </BootstrapperPackage>
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Import Project="..\packages\dnMerge.0.5.15\build\dnMerge.targets" Condition="Exists('..\packages\dnMerge.0.5.15\build\dnMerge.targets')" />
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('..\packages\dnMerge.0.5.15\build\dnMerge.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\dnMerge.0.5.15\build\dnMerge.targets'))" />
+  </Target>
+</Project>

tests/CrackKerberos/CrackMapTicket/CommandCollection.cs

@@ -0,0 +1,47 @@
+using System;
+using System.Collections.Generic;
+using Certify.Commands;
+
+namespace Certify
+{
+    public class CommandCollection
+    {
+        private readonly Dictionary<string, Func<ICommand>> _availableCommands = new Dictionary<string, Func<ICommand>>();
+
+        // How To Add A New Command:
+        //  1. Create your command class in the Commands Folder
+        //      a. That class must have a CommandName static property that has the Command's name
+        //              and must also Implement the ICommand interface
+        //      b. Put the code that does the work into the Execute() method
+        //  2. Add an entry to the _availableCommands dictionary in the Constructor below.
+
+        public CommandCollection()
+        {
+            _availableCommands.Add(CAs.CommandName, () => new CAs());
+            _availableCommands.Add(Request.CommandName, () => new Request());
+            _availableCommands.Add(Download.CommandName, () => new Download());
+            _availableCommands.Add(Find.CommandName, () => new Find());
+            _availableCommands.Add(PKIObjects.CommandName, () => new PKIObjects());
+        }
+
+        public bool ExecuteCommand(string commandName, Dictionary<string, string> arguments)
+        {
+            bool commandWasFound;
+
+            if (string.IsNullOrEmpty(commandName) || _availableCommands.ContainsKey(commandName) == false)
+                commandWasFound= false;
+            else
+            {
+                // Create the command object 
+                var command = _availableCommands[commandName].Invoke();
+
+                // and execute it with the arguments from the command line
+                command.Execute(arguments);
+
+                commandWasFound = true;
+            }
+
+            return commandWasFound;
+        }
+    }
+}