zoocoup

# The LKDC is wanting for official documentation. Here's any bits of information I've found as of 20121113

The LKDC is used for local authentication for peer-to-peer services, specifically AFP file sharing, Screen Sharing 
and Back to My Mac.

AFP548 “Kerberos in Leopard: The Local KDC part 1”:
http://web.archive.org/web/20100603060100/http://www.afp548.com/article.php?story=20080709091503862
(The original article seems to have been lost when the site 
redesigned, but here's a cached version)

shaunhess

At work recently I needed to pull together some information from the registry of a few thousand machines and include the last time the key had been updated. Lately I've been turning to Powershell more and more for my day to day tasks and this time was no different. However this simple task turned out to not be so easy, and it all revolved around acquiring the LastWriteTime of the registry keys.

Digging through WMI and .NET proved less fruitful than I had hoped, so off to Google I went. It seemed everyone had the solution if you wanted to query the machine locally, but with thousands of hosts in my Enterprise that wasn't going to work. Plus, who doesn't enjoy a good challenge. One particular script was very useful in pointing my team in the right direction, posted by Tim Medin over at blog.securitywhole.com. So we decided to adapt and modify his script to work with remote hosts.

I've only tested against a few machines at home, but I wanted to share it while I had time. I will update the post if I find issues

jbaker10

#!/usr/bin/python

import os, subprocess, plistlib, re, sys
from os import listdir
from subprocess import PIPE

def isRoot():
    if not os.geteuid() == 0:
        print "\nRunning as standard account."
        print "Re-launching script with sudo rights..."

sooop

import Foundation

class StreamReader {
    let encoding: String.Encoding
    let chunkSize: Int
    let fileHandle: FileHandle
    var buffer: Data
    let delimPattern : Data
    var isAtEOF: Bool = false
    

eienf

import Foundation

class StreamReader {
    let encoding: NSStringEncoding
    let chunkSize: Int
    let fileHandle: NSFileHandle
    var buffer: NSMutableData
    let delimPattern : NSData
    var isAtEOF: Bool = false
    

its-a-feature

Domain: TEST.local
User Enumeration:
  Windows:
    net user
    net user /domain
    net user [username]
    net user [username] /domain
    wmic useraccount
  Mac:
    dscl . ls /Users

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

teddziuba

#!/usr/bin/env python3

"""
Mac OSX Catalina User Password Hash Extractor

Extracts a user's password hash as a hashcat-compatible string.

Mac OSX Catalina (10.15) uses a salted SHA-512 PBKDF2 for storing user passwords
(hashcat type 7100), and it's saved in an annoying binary-plist-nested-inside-xml-plist
format, so previously reported methods for extracting the hash don't work.

brunerd

#!/bin/bash
: <<-EOL
MIT License

Copyright (c) 2020 Joel Bruner

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

jborean93

# Copyright: (c) 2021, Jordan Borean (@jborean93) <[email protected]>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

Function Get-RegKeyInfo {
    <#
    .SYNOPSIS
    Gets details about a registry key.

    .DESCRIPTION
    Gets very low level details about a registry key.