{"id":19170587,"url":"https://github.com/ccob/gssapi-abuse","last_synced_at":"2025-04-15T11:06:59.259Z","repository":{"id":187955212,"uuid":"675622416","full_name":"CCob/gssapi-abuse","owner":"CCob","description":"A tool for enumerating potential hosts that are open to GSSAPI abuse within Active Directory networks","archived":false,"fork":false,"pushed_at":"2023-08-31T06:45:05.000Z","size":23,"stargazers_count":150,"open_issues_count":1,"forks_count":22,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-15T11:06:42.790Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CCob.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-08-07T10:49:10.000Z","updated_at":"2025-03-18T10:38:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"e8f4f67d-fa70-459e-a12a-2d6f3d08c84c","html_url":"https://github.com/CCob/gssapi-abuse","commit_stats":null,"previous_names":["ccob/gssapi-abuse"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2Fgssapi-abuse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2Fgssapi-abuse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2Fgssapi-abuse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2Fgssapi-abuse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CCob","download_url":"https://codeload.github.com/CCob/gssapi-abuse/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249058371,"owners_count":21205910,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T09:54:31.341Z","updated_at":"2025-04-15T11:06:59.239Z","avatar_url":"https://github.com/CCob.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gssapi-abuse\n\ngssapi-abuse was released as part of my DEF CON 31 talk.  A full write up on the abuse vector can be found here: \n[A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks](https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mixed-vendor-kerberos-stacks/)\n\nThe tool has two features.  The first is the ability to enumerate non Windows hosts that are joined to Active Directory that offer GSSAPI authentication over SSH.\n\nThe second feature is the ability to perform dynamic DNS updates for GSSAPI abusable hosts that do not have the correct forward and/or reverse lookup DNS entries.  GSSAPI based authentication is strict when it comes to matching service principals, therefore DNS entries should match the service principal name both by hostname and IP address.\n\n## Prerequisites \n\ngssapi-abuse requires a working krb5 stack along with a correctly configured krb5.conf.  \n\n### Windows\n\nOn Windows hosts, the MIT Kerberos software should be installed in addition to the python modules listed in `requirements.txt`, this can be obtained at the [MIT Kerberos Distribution Page](https://web.mit.edu/kerberos/dist/index.html).  Windows krb5.conf can be found at `C:\\ProgramData\\MIT\\Kerberos5\\krb5.conf`\n\n### Linux\n\nThe `libkrb5-dev` package needs to be installed prior to installing python requirements\n\n### All\n\nOnce the requirements are satisfied, you can install the python dependencies via pip/pip3 tool\n\n```\npip install -r requirements.txt\n```\n\n## Enumeration Mode\n\nThe enumeration mode will connect to Active Directory and perform an LDAP search for all computers that do not have the word `Windows` within the Operating System attribute.  \n\nOnce the list of non Windows machines has been obtained, gssapi-abuse will then attempt to connect to each host over SSH and determine if GSSAPI based authentication is permitted.\n\n### Example\n\n```\npython .\\gssapi-abuse.py -d ad.ginge.com enum -u john.doe -p SuperSecret!\n[=] Found 2 non Windows machines registered within AD\n[!] Host ubuntu.ad.ginge.com does not have GSSAPI enabled over SSH, ignoring\n[+] Host centos.ad.ginge.com has GSSAPI enabled over SSH\n```\n\n## DNS Mode\n\nDNS mode utilises Kerberos and dnspython to perform an authenticated DNS update over port 53 using the DNS-TSIG protocol.  Currently `dns` mode relies on a working krb5 configuration with a valid TGT or DNS service ticket targetting a specific domain controller, e.g. `DNS/dc1.victim.local`. \n\n### Examples\n\nAdding a DNS `A` record for host `ahost.ad.ginge.com`\n```\npython .\\gssapi-abuse.py -d ad.ginge.com dns -t ahost -a add --type A --data 192.168.128.50\n[+] Successfully authenticated to DNS server win-af8ki8e5414.ad.ginge.com\n[=] Adding A record for target ahost using data 192.168.128.50\n[+] Applied 1 updates successfully\n```\n\nAdding a reverse `PTR` record for host `ahost.ad.ginge.com`.  Notice that the `data` argument is terminated with a `.`, this is important or the record becomes a relative record to the zone, which we do not want.  We also need to specify the target zone to update, since `PTR` records are stored in different zones to `A` records. \n```\npython .\\gssapi-abuse.py -d ad.ginge.com dns --zone 128.168.192.in-addr.arpa -t 50 -a add --type PTR --data ahost.ad.ginge.com.\n[+] Successfully authenticated to DNS server win-af8ki8e5414.ad.ginge.com\n[=] Adding PTR record for target 50 using data ahost.ad.ginge.com.\n[+] Applied 1 updates successfully\n```\n\nForward and reverse DNS lookup results after execution\n\n```\nnslookup ahost.ad.ginge.com\nServer:  WIN-AF8KI8E5414.ad.ginge.com\nAddress:  192.168.128.1\n\nName:    ahost.ad.ginge.com\nAddress:  192.168.128.50\n```\n\n```\nnslookup 192.168.128.50\nServer:  WIN-AF8KI8E5414.ad.ginge.com\nAddress:  192.168.128.1\n\nName:    ahost.ad.ginge.com\nAddress:  192.168.128.50\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccob%2Fgssapi-abuse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fccob%2Fgssapi-abuse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccob%2Fgssapi-abuse/lists"}