gssapi-abuse is a tool developed for gaining control over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, essentially adding "Shadow Credentials" to the target account. This tool is based on code from DSInternals by Michael Grafnetter (@MGrafnetter). It's important to emphasize that this tool should only be used responsibly and with proper authorization for security assessments and testing in controlled environments.
Installation
- Ensure you have a working krb5 stack along with a correctly configured krb5.conf.
- On Windows, install the MIT Kerberos software and the required Python modules listed in requirements.txt. The Windows krb5.conf file is typically located at C:\ProgramData\MIT\Kerberos5\krb5.conf.
- On Linux, install the libkrb5-dev package before installing the Python requirements.
- Install the Python dependencies using pip:
How to Use
gssapi-abuse has two main features, Enumeration Mode and DNS Mode.
Enumeration Mode:
- Connect to Active Directory and perform an LDAP search for all computers without the word "Windows" in the Operating System attribute.
- Attempt to connect to each host over SSH and determine if GSSAPI-based authentication is permitted.
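The SSH check above answers "yes" on any host whose sshd has GSSAPIAuthentication enabled, globally or inside a Match block. The following added example (not part of gssapi-abuse, and not DSInternals code) is an audit helper a defender can run against their own hosts before the enumeration does: it parses sshd_config text and lists the scopes in which GSSAPI authentication is effectively on. The sample configuration embedded in it is constructed; on a real host, feed it the output of `sshd -T` (the effective configuration) or the contents of /etc/ssh/sshd_config.

```python
"""Audit sshd_config text for GSSAPI authentication exposure.

Added example for this README; it is not part of gssapi-abuse.
The SAMPLE_SSHD_CONFIG below is constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: the kind of file an AD-joined Linux host often carries.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

Match Group domain-admins
    GSSAPIAuthentication yes

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Keyword[ =]value; the '=' alternative is tried first so "Key = val" parses cleanly.
_KV = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {scope: {keyword: value}}.

    scope is 'global' for lines before any Match, otherwise 'Match <criteria>'.
    Keywords are case-insensitive and, as in sshd, the first value seen in a
    scope wins; later duplicates are ignored. Comments and blank lines are skipped.
    """
    scopes: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = "Match " + value
            scopes.setdefault(current, {})
            continue
        scopes[current].setdefault(key, value)
    return scopes


def gssapi_exposure(text: str) -> List[str]:
    """List scopes where GSSAPIAuthentication is effectively 'yes'.

    OpenSSH defaults the keyword to 'no' when absent; a Match block that does
    not set it inherits the global value.
    """
    scopes = parse_sshd_config(text)
    global_on = scopes["global"].get("gssapiauthentication", "no").lower() == "yes"
    exposed: List[str] = ["global"] if global_on else []
    for scope, kv in scopes.items():
        if scope == "global":
            continue
        value = kv.get("gssapiauthentication")
        effective = global_on if value is None else value.lower() == "yes"
        if effective:
            exposed.append(scope)
    return exposed


if __name__ == "__main__":
    for scope in gssapi_exposure(SAMPLE_SSHD_CONFIG):
        print(f"GSSAPI authentication enabled: {scope}")
```

Run it over the effective configuration rather than the raw file where you can: `sshd -T` expands includes and resolves defaults, so a host that looks clean in /etc/ssh/sshd_config but enables GSSAPI through a drop-in under sshd_config.d still gets flagged.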
DNS Mode:
- Utilizes Kerberos and dnspython to perform an authenticated DNS update over port 53 using the DNS-TSIG protocol.
- Requires a working krb5 configuration with a valid TGT or DNS service ticket targeting a specific domain controller.
Examples:
Adding a DNS A record for host ahost.ad.ginge.com:
Adding a reverse PTR record for host ahost.ad.ginge.com:
After execution, verify the results using nslookup for both forward and reverse DNS lookup.
Additional Information
- This tool is part of a DEF CON 31 talk. For a detailed understanding of the abuse vector, refer to the write-up: A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks.
- Caution: This tool is powerful and can impact DNS records. Use it with care, as it can cause disruption, particularly when clearing the msDS-KeyCredentialLink attribute of accounts configured for passwordless authentication.