Wednesday, September 11, 2024

gssapi-abuse – A Tool For Enumerating Potential Hosts That Are Open To GSSAPI Abuse Within Active Directory Networks

gssapi-abuse was released as part of my DEF CON 31 talk. A full write-up on the abuse vector can be found here: A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks

The tool has two features. The first is the ability to enumerate non-Windows hosts that are joined to Active Directory and offer GSSAPI authentication over SSH.

The second feature is the ability to perform dynamic DNS updates for GSSAPI-abusable hosts that do not have the correct forward and/or reverse lookup DNS entries. GSSAPI-based authentication is strict when it comes to matching service principals, therefore the DNS entries should match the service principal name both by hostname and by IP address.

Prerequisites

gssapi-abuse requires a working krb5 stack along with a correctly configured krb5.conf.

Windows

On Windows hosts, the MIT Kerberos software should be installed in addition to the Python modules listed in requirements.txt; it can be obtained from the MIT Kerberos Distribution Page. On Windows, krb5.conf can be found at C:\ProgramData\MIT\Kerberos5\krb5.conf

Linux

The libkrb5-dev package needs to be installed prior to installing the Python requirements.

All

Once the requirements are satisfied, you can install the Python dependencies via the pip/pip3 tool:

pip install -r requirements.txt

Enumeration Mode

The enumeration mode will connect to Active Directory and perform an LDAP search for all computers that do not have the word Windows within the Operating System attribute.

Once the list of non-Windows machines has been obtained, gssapi-abuse will then attempt to connect to each host over SSH and determine whether GSSAPI-based authentication is permitted.

Example

python .\gssapi-abuse.py -d ad.ginge.com enum -u john.doe -p SuperSecret!
[=] Found 2 non Windows machines registered within AD
[!] Host ubuntu.ad.ginge.com does not have GSSAPI enabled over SSH, ignoring
[+] Host centos.ad.ginge.com has GSSAPI enabled over SSH

DNS Mode

DNS mode utilises Kerberos and dnspython to perform an authenticated DNS update over port 53 using the DNS-TSIG protocol. Currently, DNS mode relies on a working krb5 configuration with a valid TGT or a DNS service ticket targeting a specific domain controller, e.g. DNS/dc1.victim.local.

Examples

Adding a DNS A record for host ahost.ad.ginge.com

python .\gssapi-abuse.py -d ad.ginge.com dns -t ahost -a add --type A --data 192.168.128.50
[+] Successfully authenticated to DNS server win-af8ki8e5414.ad.ginge.com
[=] Adding A record for target ahost using data 192.168.128.50
[+] Applied 1 updates successfully

Adding a reverse PTR record for host ahost.ad.ginge.com. Notice that the data argument is terminated with a ".". This is important: without it, the name is treated as relative to the zone and the record ends up as ahost.ad.ginge.com.128.168.192.in-addr.arpa, which we do not want. We also need to specify the target zone to update, since PTR records are stored in a different zone from A records.

python .\gssapi-abuse.py -d ad.ginge.com dns --zone 128.168.192.in-addr.arpa -t 50 -a add --type PTR --data ahost.ad.ginge.com.
[+] Successfully authenticated to DNS server win-af8ki8e5414.ad.ginge.com
[=] Adding PTR record for target 50 using data ahost.ad.ginge.com.
[+] Applied 1 updates successfully

Forward and reverse DNS lookup results after execution

nslookup ahost.ad.ginge.com
Server: WIN-AF8KI8E5414.ad.ginge.com
Address: 192.168.128.1

Name: ahost.ad.ginge.com
Address: 192.168.128.50

nslookup 192.168.128.50
Server: WIN-AF8KI8E5414.ad.ginge.com
Address: 192.168.128.1

Name: ahost.ad.ginge.com
Address: 192.168.128.50
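The two points the write-up relies on are that GSSAPI authentication only succeeds when a host's forward and reverse DNS entries agree with its service principal name, and that a PTR data value without a trailing "." becomes relative to the zone. The script below is an added example, not code from gssapi-abuse or its author: a defender-side audit that applies the trailing-dot rule, derives the in-addr.arpa owner name for an address, and flags AD-joined hosts whose A and PTR records are missing or do not match. The FORWARD and REVERSE tables are constructed sample answers (the hostnames centos, ubuntu and other are made up; ad.ginge.com and the 192.168.128.0/24 reverse zone follow the article); in practice you would replace the table lookups with real resolver calls.

```python
"""
Added example (not part of gssapi-abuse): audit the forward/reverse DNS
consistency that Kerberos/GSSAPI service principal matching depends on.
Runs offline against constructed lookup tables.
"""
from __future__ import annotations

import ipaddress

# Constructed sample answers for a small AD zone (hostnames are made up).
FORWARD: dict[str, str] = {
    "ahost.ad.ginge.com.": "192.168.128.50",
    "centos.ad.ginge.com.": "192.168.128.60",  # A record present, PTR missing
    "ubuntu.ad.ginge.com.": "192.168.128.70",  # A record present, PTR wrong
}
REVERSE: dict[str, str] = {
    "50.128.168.192.in-addr.arpa.": "ahost.ad.ginge.com.",
    "70.128.168.192.in-addr.arpa.": "other.ad.ginge.com.",
}

DOMAIN = "ad.ginge.com"  # zone used to qualify short host names


def absolute_name(name: str, origin: str) -> str:
    """Trailing-dot rule: a name ending in '.' is absolute; anything else is
    relative to the zone and has the origin appended (the mistake the article
    warns about when adding PTR data without the final dot)."""
    origin = origin if origin.endswith(".") else origin + "."
    return name if name.endswith(".") else f"{name}.{origin}"


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address,
    e.g. 192.168.128.50 -> 50.128.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def audit_host(host: str, forward=FORWARD, reverse=REVERSE) -> list[str]:
    """Return the problems that would stop host/<fqdn> from matching this
    host by both name and address; an empty list means the entries agree."""
    fqdn = absolute_name(host, DOMAIN)
    ip = forward.get(fqdn)
    if ip is None:
        return [f"{fqdn}: no A record"]
    ptr = reverse.get(ptr_name(ip))
    if ptr is None:
        return [f"{fqdn}: {ip} has no PTR record"]
    if ptr != fqdn:
        return [f"{fqdn}: PTR for {ip} is {ptr}, not {fqdn}"]
    return []


def audit(hosts, forward=FORWARD, reverse=REVERSE) -> dict[str, list[str]]:
    """Audit every host and map it to its list of problems."""
    return {h: audit_host(h, forward, reverse) for h in hosts}


if __name__ == "__main__":
    for host, problems in audit(["ahost", "centos", "ubuntu", "ghost"]).items():
        print(f"{host}: {'ok' if not problems else '; '.join(problems)}")
```

Only ahost passes: centos has an A record but no PTR, ubuntu's PTR names a different host, and ghost has no A record at all. Hosts that show up in the first two categories are exactly the ones whose records the tool's DNS mode would need to create or correct, so a periodic run of this check against your own zones tells you where that exposure exists before anyone else does.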


