5i"~ddlZddlZddlZddlmZmZddlmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)ddl*m+Z+m,Z,dd l-m.Z.m/Z/m0Z0m1Z1dd l2m3Z3m4Z4m5Z5m6Z6dd l7m8Z8dd l9m:Z:m;Z;mZ>dd l?m@Z@ddlAmBZBddlCmDZDddlEmFZFddlGmHZHddlGmIZIGddZJdS)N)ListDict)hashlib)logger)CCACHE)KerberosClientSocket) METHOD_DATA ETYPE_INFO ETYPE_INFO2 PADATA_TYPEPA_PAC_REQUEST PA_ENC_TS_ENC EncryptedData krb5_pvno KDC_REQ_BODYAS_REQTGS_REP KDCOptions PrincipalName EncASRepPart EncTGSRepPartrRealmChecksum APOptions AuthenticatorTicketAP_REQTGS_REQ CKSUMTYPEPA_FOR_USER_ENCPA_PAC_OPTIONSPA_PAC_OPTIONSTypes EncTicketPart)KerberosErrorCode KerberosError)Key_enctype_table_HMACMD5Enctype) PaDataTypeEncryptionType NAME_TYPE MESSAGE_TYPE)AuthenticatorChecksum)PKAuthenticatorAuthPack PA_PK_AS_REP KDCDHKeyInfo PA_PK_AS_REQ)KerberosCredential)KerberosTarget) KerberosSPN)construct_apreq_from_tgs_tgt)cms)coreceZdZdedefdZgddddddfdeed ed e fd Z gd dfd ed e fd Z gd dfd efdZ dZ dZddgdddfded efdZdefdZddZgdejejejejejejejgfdZdgdejejejgfdZejejejgfdZddgdfdZdZdZ dS) KerbrosClientccredtargetc||_||_t|j|_|jt n|j|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_dS)N) credentialr=rksocccacherkerberos_session_key kerberos_TGTkerberos_TGT_encpart kerberos_TGSkerberos_cipherkerberos_cipher_type kerberos_key server_salt pkinit_tkey)selfr<r=s I/home/kali/Ninja/venv/lib/python3.11/site-packages/minikerberos/client.py__init__zKerbrosClient.__init__s$/$+"4;//$)!L0el$+"$$"$$$"$$$$) forwardable renewable proxiableNFTkdcoptswith_pacreturnctjdg}|dur\i} ttd| d<t ddi| d<|| tjd|jztj tj j } |dur)|t| d | jd } t|j|_|j|_t'|jj|j||j |_|j|jd | d} n|} |} i} ttd| d<t5|j| d| d<|| i}t7t9||d<t;t<jj|jj !dd|d<|jj"#|d<t;t<jjd|jj"#gd|d<| tj$d z d |d<| tj$d z d |d<tKj&d|d<|jg|d<||D] }||||<i}tN|d<tPj)j|d<||d<tU||d <tW|S)!Nz'Constructing TGT request with auth dataTPA-PAC-REQUEST padata-type include-pac padata-valuez$Selecting common encryption type: %sFr microsecond) patimestamppausec)saltz ENC-TIMESTAMPetypecipher kdc-options/z name-typez name-stringcnamerealmkrbtgtsnamedaystillrtimenoncerapvnomsg-typepadatareq-body),rdebugintr r dumpappendnamedatetimenowtimezoneutcrreplacer[r'valuerFrGr&enctyper?get_key_for_enctyperIrHencryptrrsetrr, PRINCIPALusernamesplitdomainupper timedeltasecretsrandbitsrr- KRB_AS_REQrr)rKsupported_encryption_methodrR enctimestampnewnow no_preauthkdc_req_body_extrarSpadatas pa_data_1rz timestamp enc_timestamp pa_data_2 kdc_req_bodykeykdc_reqs rLbuild_asreq_ltszKerbrosClient.build_asreq_lts.s,8999 ' 9!+.>"?"?@@9]-}d.CDDIIKK9^ >>),58S8XXYYYh/344#5ckkak.H.HTWTcddeejjllI)*E*KLD ; ADD08$/:]:]^yCGCS:];T;TUUD(001BAyRVWWMM C M9!+o">">??9],7R7Xdq-r-rssxxzz9^ >>), *3w<< 8 8,}'i6I6O`d`o`x`~`~@CaDaD)E)EFF,w/06688,w'i6I6OaikokzlBlHlHlJlJaK)L)LMM,w 2 : : ::CCPQCRR,v!3!;!;!;;DDQRDSS,w!*2..,w6<=,w# 00s*3/L ''&/$/5'*'($\22'* rN)rOrPz renewable-okcddlm}|jdkrtdtjtjj}i}tt||d<ttj j|j jdd|d<|j j|d <ttjjd |j jgd|d <|t jd zd|d<|t jd zd|d<t+jd|d<|jg|d<t/|}t1j|}i} |j| d<|d| d<t+jd| d<|| d<i} |j jj| d<|j jj| d<d| d<i} d| d<| | | d<i} |!| | d<|j j"| d<i} tG| | d<|$| | d<|j jj%| d <tM| } |j '| d!"}tQ}||d#<g}|d!ur\i}tStUd$|d%<tWd&d!i|d'<|,|i}tZj.j|d%<||d'<|,|i}d(|d)<d*|d+<||d,<||d-<t_|S).Nr)keysz5RC4 encryption is not supported for certificate auth!rcrdrerfrgrhrir_rjrZrlrmrnroracusecctime paChecksumpgqz1.2.840.10046.2.1 algorithm parameters public_keypkAuthenticatorclientPublicValue clientDHNonceT) wrap_signedsignedAuthPackrVrWrXrYrp rqrrrs)0 asn1cryptorr~ Exceptionryrzr{r|rrrr,rr?rrrrSRV_INSTrr}rrrrsha1rvdigestr[dhparamsrrDomainParametersPublicKeyAlgorithmget_public_keyr/ PublicKeyInfodh_noncer0 sign_authpackr3rur r rwr* PK_AS_REQr)rKrrRrSrrzkdc_req_body_datarchecksum authenticatordppkaspkiauthpacksigned_authpackpayloadr pa_data_0rasreqs rLbuild_asreq_pkinitz KerbrosClient.build_asreq_pkinitbs4 &",, J K KK h/344#%/G %=%=M",9;N;Teiete}fDfDEHfIfI.J.J K KG#5;;==G,9;M;Semoso~pFpLpLpNpNeO.P.P Q QG #h&8a&@&@&@ @IIVWIXXF #h&8a&@&@&@ @IIVWIXXG&/33G ; ABG/00,\,++-- . . 5 5 7 7(-?-;;1;55-"+B//- (-  " O $ &"S' O $ &"S' "S' #(#k++B//#l $--c22${/>>@@$|( / > >( "&"4"4T":":( "o6?(? h  (O11(--//QU1VV/ NN'-'  ' 9!+.>"?"?@@9]-}d.CDDIIKK9^ >>))'17)M%llnn)N .. %%-% %/"%  rNc6|jj||||}n||||}t jd|j|}|j dkrt|d|S)N)rSzSending TGT request to server KRB_ERRORzPreauth failed!) r? certificaterrrrtr@sendrecvrvrxr%)rKrrRrSreqreps rL do_preauthzKerbrosClient.do_preauths _ , !4(34 *  '>>>>>>sB2B66 CC C Cc tj}tj|djD]}t |d}|t jks|t jkr|t jkrt j|d}n*|t jkrtj|d}|jD]X}|d|t|d<tj dt|dj d|dY|j |}||vrtd||}||}||_|S) Nze-datarWrYr^raz Server supports encryption type z with salt z,Preferred enc type not in supported enctypes) collections OrderedDictr loadnativer*r r r+rrtrxr?get_preferred_enctyperencoderI) rKrsupp_enc_methods enc_method data_type enc_info_listenc_infopreferred_enc_typer^s rL"select_preferred_encryption_methodz0KerbrosClient.select_preferred_encryption_methods!,..$S]33: B Bj*]3449:(((I9O,O,OJ)))_Z%?@@]] j, , , %j&@AA]!(BB;CF;KnXg%6778 \\~V^_fVgGhGhGmGmGmowx~ooABBBB<<=MNN/// A B BB , -$  ++--4$ rNoverride_snamec  |\}}|dStjdtjtjj}i} tt|| d<ttj j |j jdd| d<|j j| d<|Cttj j d|j jgd| d <n6ttjj |d| d <|tjd zd | d<|tjd zd | d<t-jd| d<||j | d<n|| d<i} |durEt3t5d| d<t7ddi| d<i} t:| d<t<jj | d<tA| d kr| g| d<tC| | d<tE| } tjd|j#$z|j#%| d} | j&dkr| j'} | |_(|dks|j j)dur| StT| d d|_+| d d|_,t[|j+j.|j /ta| d d|_1n| j'd!tdj3j krti| | j'} tjd"|5| }|6|} tjd#| j'} | |_(|j j7q|8| \|_9|_:|_+|j |_,|j;<|j(|j9d$tjd%dS| d d&}|j+=|j1d'|} t}j?|j'|_9ns#t$rf}tjd( tj?|j'|_9n(#t$r}tjBd)|d}~wwxYwYd}~nd}~wwxYwt[|j+j.|j9d*d+|_:|j;<|j(|j9d$tjd%dS),aJ decrypt_tgt: used for asreproast attacks Steps performed: 1. Send and empty (no encrypted timestamp) AS_REQ with all the encryption types we support 2. Depending on the response (either error or AS_REP with TGT) we either send another AS_REQ with the encrypted data or return the TGT (or fail miserably) 3. PROFIT Nz2Generating initial TGT without authentication datarcrdrerfrgrhrir_rjrrZrlrmrnroraTrVrWrXrYrprqrrrszSending initial TGT to %sF)throwrr error-codez1Got reply from server, asikg to provide auth dataz"Got valid TGT response from server) override_ppz Got valid TGTrbz(EncAsRepPart load failed, is this linux?z+Failed to load decrypted part of the reply!rr)Crrrtryrzr{r|rrrr,rr~r?rrrrrget_principalnamerr}rrget_supported_enctypesrur r rvrr-rlenrrr@ get_addr_strrrxrrC nopreauthr'rFrGr&rrr+rHr$KDC_ERR_PREAUTH_REQUIREDr%rrrdecrypt_asrep_certrDrBrAadd_tgtdecryptrrrrerror)rKoverride_etype decrypt_tgtrRrrS_rrzrrrrrr cipherTexttemprs rLget_TGTzKerbrosClient.get_TGTs     ! !&!S[ 6,CDDDh/344#, *3w<< 8 8,}'i6I6O`d`o`x`~`~@CaDaD)E)EFF,w/06688,w(y7J7Pbjlpl{mCmImImKmKbL*M*MNN<)y7I7O`naAaAaCaC*D*DEE<!3!;!;!;;DDQRDSS,v!3!;!;!;;DDQRDSS,w!*2..,w?AACC<)<) !+.>"?"?@@9]-}d.CDDIIKK9^ ''&/$/5'*^^a!{78$\22'*w#,*TY-C-C-E-EEFFF 388::u55#X 34Udo74?? J(Z)AB4":w744/79\9\]klopzl{}DmE^F^F:G:GHH4 j"3"L"RRR    3 <CDDD!%!H!H!M!M 4 5 53 <4555 34 _ ,PTPgPghkPlPlM4d79M:@4;t($*CSWXXX <    6J):   & &t'8!Z H H4 , 1$ 7 7 >D     L;<<< !.!3D!9!9!@T     \?@@@ W   #4#7#?AZ[`AablAmnn4;t($*CSWXXX <    6s<*T U9U4(UU4 U,U''U,,U44U9spn_userc& |jtd|j|\}}}||t|d|d}t |j}||d|dfS#t$r}ddd|fcYd}~Sd}~wwxYw)Nrrrr)rArget_tgsr&rr)rKrtgsrrrrs rLtgs_from_ccachezKerbrosClient.tgs_from_ccacheMs  k * + ++,,X663 3 o I Yy !9Z#8 9 93  3 s:T ))  dA sA3A66 BB B Bc ||\}}}}||||fS|j(|\}}|tdt jd|ztjtj j } i} ttgd| d<|j | d<tt jj|d| d<| tjd zd | d <t-jd| d<|r|| d<n|jdkrdg| d<n |jg| d<i} t2| d<t5|jd| d<|jd| d<| j| d<| d | d<|rQt9} d | _d| _i} d| d<| | d<tA| | d<d | d<|j!"|j#dtI| %d}i}t2|d<tLj'j|d <tQt|d!<tS|jd"|d"<tU|j|d#|d$<i}tVj,j|d%<t[|%|d&<i}t2|d<tLj.j|d <|g|d'<t_| |d(<tY|}t jd)|j01|%}|j2d*krtg|d+t jd,|j4}tkj6|j!7|j#d-|d.d/j4}tq|d0d1|d0d2}|j9:||t jd3||_;|||fS)4a Requests a TGS ticket for the specified user. Retruns the TGS ticket, end the decrpyted encTGSRepPart. spn_user: KerberosTarget: the service user you want to get TGS for. override_etype: None or list of etype values (int) Used mostly for kerberoasting, will override the AP_REQ supported etype values (which is derived from the TGT) to be able to recieve whatever tgs tiecket NzNo TGT found in CCACHE!z$Constructing TGS request for user %s)rOrP renewable_ok canonicalizercrgrerir_rjrrZrlrnrorairauthenticator-vnocrealmrfrrsi cksumtypercksumz seq-numberrprq ap-optionsticketr`rrWrYrrrsz"Constructing TGS request to serverrzget_TGS failed!zGot TGS reply, decrypting...rrbrrrzGot valid TGS reply)>><<>>> _ 2 23C D D(h/344#,5()!&t'8'B!C!CX $ 1' :W #W #  : :W /778QSTVcdvVwVwV|V|V~V~AEFF &&.#.4&"355))&D-h788&)D4MYo*p*pqq&, * 2 8,}!'!4!4!6!6,~, *3w<< 8 8,}'i6I6O`d`o`x`~`~@CaDaD)E)EFF,w/06688,w 2 : : ::CCPQCRR,v!*2..,w$,w(.t/@/J(K(K'L,#$+!+f(4:+j'.+h(66+j  #,0111 )  SXXZZ ( (% Z; 4 l< B&& pD ud # ##,/000 # #c(mJ7@AA B&(mJ'1) NN44a C C' ))0)$T%9%A%A$B[]^`cdn`opx`y%z%z{{C- M%  +]5-A*-MNN#+c=))),*+++ mS) ++rN)rOrPrcB |js(tjd||j|}d}t jt jj }i}t|d<t|jd|d<|jd|d<|j |d<| d|d <|j|jd t#|d } i} t| d <t&jj| d <t-t/| d<t1|jd| d<t3|j| d| d<i} t6jj| d<t;| | d<t<jj ddd} | |j!"z } | |j#"z } | |"z } tjd| $ztjd| ztKj&|jd| } tjd| $zi}tOtQd|d<| |d<i}tSt<jj|*d|d<|j#|d <tW||d!<||d"<i}tOtYd#|d<t[||d<|Ft]|t^r|g}nLt]|t`r|}n4|*}n|jj!1d$}i}tet/||d%<tSt<j3j|d|d&<|jj#4|d'<|t j5d()z d|d*<tmj7d+|d,<|jj8g|d-<i}t|d <t&j9j|d <| |g|d.<tu||d/<t9|}tjd0|j;<|}|j=d1kr%d2}|j>d3d4krd5}t||tjd6|j>}tjA|jB|jd7|d8d9j>}t|d:d;|d:d<}|jDE||tjd=||_F|||fS)>z0 user_to_impersonate : KerberosTarget class z0[S4U2self] TGT is not available! Fetching TGT...KerberosrrrfrrrZrr Nrprqr r r`rrWrYlittleFsignedz4U2self] S4UByteArray: %sz[S4U2self] chksum_data: %sHMAC_MD5rrreuserName userRealmrz auth-packagez PA-FOR-USERrdrcrirgr_rjrlrnrorarrrsz$[S4U2self] Sending request to serverrzS4U2self failed!rrzlS4U2self: Failed to get S4U2self! Error code (16) indicates that delegation is not enabled for this account!z#[S4U2self] Got reply, decrypting...r rrbrrrz[S4U2self] Got valid TGS reply)GrCrrtrr?rryrzr{r|rrr[r}rFrrBrrvr-rr~rrrrrGr*rrr,rrrrrhexr(rrurrrrr r isinstancestrlistrrUNKNOWNrrrrrrrr@rrxrr%rrrr&rArrE)rKuser_to_impersonaterrRrr auth_package_namerzrrrr! S4UByteArray chksum_datarpa_for_user_enc pa_for_userr"r#rr$r%rrrs rLS4U2selfzKerbrosClient.S4U2selfs   <BCCC<<>>> _ 2 23C D D( h/344#,5()!&t'8'B!C!CX $ 1' :W #W #  : :W/778QSTVcdvVwVwV|V|V~V~AEFF &&.#.4&"355))&D-h788&)D4MYo*p*pqq&, * 2 8,}!'!4!4!6!6,~$*33Ax%3PP,%.55777,%,33555,#**,,,,,,|/?/?/A/AABBB,,|;<<<!$";RNN+,+koo.?.??@@@ &Ij1122&"&/ -I>+m / @ @ E E G G+n3,zHH8T"",HH))++HHo&,,S118, *3w<< 8 8,}'i6G6M^f(g(ghh,w/06688,w 2 : : ::CCPQCRR,v!*2..,w4<=,w+!+f(4:+j'5+h(66+j #,5666 )  SXXZZ ( (% Z; 4 l< B&& yD ud # ##,4555 #$T%9%A%A$B[]^`cdn`opx`y%z%z{{C- M%  +]5-A*-MNN#+c=))),/000$ mS  rNctjdd|ztjtjj}|j |}i}ttd|d<tdttdgi|d<i}t |d<t#|jd |d <|jd |d <|j|d <|d |d<|j|jdt1|d}i} t | d<t2jj| d<t9t| d<t;|jd| d<t=|j|d| d<i} t@j!j| d<tE| | d<i} tGtgd| d<tItJj&j|d| d<|jj'(| d<|t j)dzd | d<tUj+d| d<|jj,g| d <|g| d!<i} t | d<t2j-j| d<| |g| d"<t]| | d#<tC| } |j/0| }|j1d$kr%d%}|j2d&d'krd(}tg||tjd)|j2}tij5|j6|jd*|d+d,j2}to|d-d.|d-d/}|j89||tjd0|||fS)1Nz[S4U2proxy] Impersonating %srdzPA-PAC-OPTIONSrWr~z%resource-based constrained delegationrYrrrfrrrZrr rprqr r r`r)rOrPzconstrained-delegationrrcrerirgr_rjrlrnrorarrrrsrzS4U2proxy failed!rrznS4U2proxy: Failed to get S4U2proxy! Error code (16) indicates that delegation is not enabled for this account!z+[S4U2proxy] Got server reply, decrypting...r rrbrrrz[S4U2proxy] Got valid TGS reply):rrtjoinrryrzr{r|r?rrur r!r"rrvrrrCr[r}rFrrBrr-rr~rrrrGr*rrrrr,rrrrrrrrrr@rrxrr%rrrr&rAr)rKs4uself_ticketrrrzr  pa_pac_optsrrr pa_tgs_reqr"r#rr$r%rrrs rL S4U2proxyzKerbrosClient.S4U2proxyxs4,-9S9S9U9U0V0VVWWWh/344# _ 2 23C D D(+";/?#@#@AA+m .:McSzR{N|N|:}:}/~  !E!E!G!G+n,5()!&t'8'B!C!CX $ 1' :W #W #  : :W/778QSTVcdvVwVwV|V|V~V~AEFF &&.#.4&"355))&D-h788&)D4MYo*p*pqq&*(06*]%f~~2244*^, *3/s/s/s+t+t u u,}'i6H6N_g_y_y_{_{(|(|}},w/06688,w 2 : : ::CCPQCRR,v!*2..,w4<=,w(6'7,#$+!+f(4:+j%{3+h(66+j # )  SXXZZ ( (% Z; 4 l< B&& {D ud # ##,<=== #$T%9%A%A$B[]^`cdn`opx`y%z%z{{C- M%  +]5-A*-MNN#+c=))),0111 mS  rNrc 8t|||j||||S)N)r seq_numberap_optscb_data)r7rC)rKrr sessionkeyrrGrHrIs rLconstruct_apreqzKerbrosClient.construct_apreqs1 %       rNcl||\}}}||d|S)Nr )r?rE)rK target_user service_spnrrrs rLgetSTzKerbrosClient.getSTs2 MM+66#}c H { 3 33rNcd}|dD]/}|ddkr!tj|dj}n0td tj|dj}n9#tj|dddj}YnxYw|d }|d d krtd t j|d j}tddgd|dDzd}t tj |d dddd}|j j|} |d} | |j jjz| z} |dd} t"| } | t$jkr|| d|_nA| t$jkr|| d|_n| t$jkrt/dt1| j|j}|dd}| |d|}t7j|j}t"t|dd } t1| j|dd!}||| fS)"Nc^d}d}t||krtjt|g|z}t|t|z|kr||d|t|z z }n||z }|dz }t||k|S)NrNrr_)rrrbytesr)r~keysizeoutput currentNum currentDigests rL truncate_keyz6KerbrosClient.decrypt_asrep_cert..truncate_keys 6: Vw  L |!4!4u!<==DDFFM 6{{S''''11 }3gF 3344V  mF!OJ Vw   =rNrrrWr0rYzPA_PK_AS_REP not found! dhSignedDataencap_content_info content_typez1.3.6.1.5.2.3.2z%Keyinfo content type unexpected valuecontent1c,g|]}t|S)r6).0xs rL z4KerbrosClient.decrypt_asrep_cert..sMMM1AMMMrNsubjectPublicKeyrr bigFr. serverDHNoncerra rzBRC4 key truncation documentation missing. it is different from AESrbrrrr)r1rrrr8 SignedDatar2rurA from_bytesr9 BitStringrvr?rexchangerr'r)AES256rJAES128RC4NotImplementedErrorr&rrr)rKas_reprWpapkasrepsdkeyinfoauthdatapubkey shared_key server_noncefullKeyrarbrenc_datadec_dataencasrep session_keys rLrz KerbrosClient.decrypt_asrep_certs    8 ..b2> 233:G E , - --A GN344;22A GN3BCC899@222 # $' ^ 111 : ; ;;  wy1 2 2 9( rwwuMM9K0LMMMMNNPQ R R& >>$.2D)EFFKKMMabbQSXch> i i&'0088*), 1: :\ I'  W %% % & gn"l7B//4 "l7B//4   a b bb FND,--# J  )( ^^CH - -(  x ( ( /( 3xy9:: ;&FNHUOJ$?@@+ ; &&s *A774B-)NF)!__name__ __module__ __qualname__r4r5rMrr6boolrrrrrrr6rrrr+ DES_CBC_CRC DES_CBC_MD4 DES_CBC_MD5 DES3_CBC_SHA1ARCFOUR_HMAC_MD5AES256_CTS_HMAC_SHA1_96AES128_CTS_HMAC_SHA1_96r)r?rErKrOrr`rNrLr;r;s, , ^    MtLsLsCGPTchCUY22S 2NR2^d2222hFpEoEoBFIIz~IKQIIIIV>h=g=gy}   rv     "6%)HoHoHoOSeie e ALe ^be e e e N K    ^!^!^!^!@WVVlzmGHVHbcqc}~L~Z[i[z{I{abpbHlIF,F,F,F,T59DnDnDnESEdeseKLZLrDso!o!o!o!dDRCbcqdJKYKqCrC!C!C!C!LDHVWcequ    4448'8'8'8'8'rNr;)Krryrtypingrr unicryptor minikerberosrminikerberos.common.ccacher!minikerberos.network.clientsocketr"minikerberos.protocol.asn1_structsr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#minikerberos.protocol.errorsr$r% minikerberos.protocol.encryptionr&r'r(r)minikerberos.protocol.constantsr*r+r,r- minikerberos.protocol.structuresr.minikerberos.protocol.rfc4556r/r0r1r2r3minikerberos.common.credsr4minikerberos.common.targetr5minikerberos.common.spnr6!minikerberos.protocol.ticketutilsr7rr8r9r;r`rNrLrs4------BBBBBBEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE JIIIIIIISSSSSSSSSSSS____________BBBBBBmmmmmmmmmmmmmm888888555555//////JJJJJJg 'g 'g 'g 'g 'g 'g 'g 'g 'g 'rN