Last active
August 29, 2015 14:22
-
-
Save nuit/76c83d3df79e860988b0 to your computer and use it in GitHub Desktop.
Python TGS - Kerberos Simulation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import sys | |
| from thread import * | |
| import sqlite3 | |
| from Crypto.Cipher import DES | |
| from Crypto import Random | |
| HOST = '' | |
| PORT = 8888 | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| print '[+] Socket criado.' | |
| try: | |
| s.bind((HOST, PORT)) | |
| except socket.error as msg: | |
| print '[-] Ligacao falhou. Erro: ' + str(msg[0]) + ' - Mensagem: ' + msg[1] | |
| sys.exit() | |
| s.listen(10) | |
| print '[+] Socket ouvindo..' | |
| # AS recebe do cliente: nome_cliente+nome_servico | |
| def clientthread(conn): | |
| conn.send('\n[+] Conexao estabelecida.\n\n') | |
| login =conn.recv(1024) | |
| login=login.replace("[","") | |
| login=login.replace("'","") | |
| login=login.replace("]","") | |
| login=login.strip() | |
| tgsn = conn.recv(1024) | |
| con=sqlite3.connect('kerberus.db') | |
| c=con.cursor() | |
| sql="""SELECT * FROM usuario | |
| WHERE usuario=:login""" | |
| sql2="""SELECT * FROM servidor | |
| WHERE servico=:tgsn""" | |
| c.execute(sql, {"login":login}) | |
| d=c.fetchone() | |
| if ((d!=None) and (d[1]==login)): | |
| print '[+] Usuario identificado.' | |
| k_user=d[2] | |
| k_user=str(k_user).strip() | |
| # Geracao da Chave de Sessao - WEAK | |
| nr = Random.get_random_bytes(4) | |
| nr=nr.encode('hex') | |
| # Geracao do TGS - Ticket Granting Server | |
| c1=dict(n1=str(nr),tgs=str(tgsn)) # chave_sessao(nr)+id_servico(tgsn) | |
| p1=c1 | |
| p1['k_usr']=k_user | |
| c12=p1['n1']+','+p1['tgs']+','+p1['k_usr']+',' | |
| c12=str(c12) | |
| if (len(c12)%2!=0): | |
| c12+=str(1) | |
| c12=c12*8 | |
| else: | |
| c12=c12*8 | |
| # Cifrado com a chave privada do usuario | |
| des1=DES.new(k_user,DES.MODE_ECB) | |
| tgs=des1.encrypt(c12) | |
| tgs=tgs.encode('hex') | |
| # Geracao do TGT - Ticket Granting Ticket | |
| c.execute(sql2, {"tgsn":tgsn}) | |
| e=c.fetchone() | |
| if ((e!=None) and (e[1]==tgsn)): | |
| print '[+] Servico identificado.' | |
| k_server=e[2] | |
| k_server=str(k_server).strip() | |
| c2=login+','+str(nr) # chave_sessao(nr)+id_usuario(login) | |
| c2=str(c2) | |
| if (len(c2)%2!=0): | |
| c2+=str(1) | |
| c2=c2*8 | |
| else: | |
| c2=c2*8 | |
| # Cifrado com a chave de servico | |
| des2=DES.new(k_server,DES.MODE_ECB) | |
| c2=des2.encrypt(c2) | |
| c2=c2.encode('hex') | |
| print '\n[+] TGS Gerado: %s' % tgs | |
| conn.send(str(tgs)) | |
| conn.send(str(c2)) | |
| print '\n[+] TGT Gerado: %s' % str(c2) | |
| con.close() | |
| conn.close | |
| s.close() | |
| else: | |
| print '[-] Servico nao identificado.' | |
| con.close() | |
| conn.close() | |
| s.close() | |
| else: | |
| print '[-] Acesso negado.' | |
| conn.send('\n[-] Usuario nao identificado.\n\n') | |
| con.close() | |
| conn.close() | |
| s.close() | |
| while 1: | |
| conn, addr = s.accept() | |
| print '[+] Conectado com ' + addr[0] + ':' + str(addr[1]) | |
| start_new_thread(clientthread ,(conn,)) | |
| s.close() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import socket | |
| import ssl | |
| import sys | |
| from Crypto.Cipher import DES | |
| import datetime, time | |
| def conn_tgs(tgs,tgt): | |
| # Se conecta ao TGS | |
| server_endpoint = ('127.0.0.2', 9999) | |
| conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| conn.connect(server_endpoint) | |
| conn.send(tgt) | |
| # Decifra o pacote TGS | |
| tgs=tgs.decode('hex') | |
| senha='senh1234' | |
| des2=DES.new(senha,DES.MODE_ECB) | |
| t=des2.decrypt(tgs) | |
| t=t.split(',') | |
| chave_sessao=t[0] | |
| print '\n[+] CHAVE_DE_SESSAO identificada: %s\n' % chave_sessao | |
| ts=time.time() | |
| hora = datetime.datetime.fromtimestamp(ts).strftime('%H%M%S') | |
| hora=dict(h=hora) | |
| if (len(hora['h'])%2!=0): | |
| hora+=str(1) | |
| hora=hora['h']+',' | |
| hora=hora*8 | |
| else: | |
| hora=hora['h']+',' | |
| hora=hora*8 | |
| # Cifragem do authenticator usando a chave de sessao | |
| k=str(chave_sessao) | |
| des1=DES.new(k,DES.MODE_ECB) | |
| c3=des1.encrypt(str(hora)) | |
| hora=hora.split(',') | |
| c3=c3.encode('hex') | |
| conn.send(str(c3)) | |
| print '[+] AUTH enviado ao TGS: %s\n' % c3 | |
| conn.close() | |
| def conn_auth(user): | |
| # Se conecta com o authserver | |
| server_endpoint = ('127.0.0.1', 8888) | |
| conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| conn.connect(server_endpoint) | |
| conn.recv(1024) | |
| user=conn.send(user) | |
| tgs='http' | |
| conn.send(tgs) | |
| tgs=conn.recv(1024) | |
| tgt=conn.recv(1024) | |
| print '\n[+] TGS Recebido: %s' % tgs | |
| print '\n[+] TGT Recebido: %s' % tgt | |
| conn.close() | |
| conn_tgs(tgs,tgt) | |
| for arg in sys.argv: | |
| if arg=="kinit": | |
| user =sys.argv[2:] # nome_cliente | |
| user=str(user) | |
| conn_auth(user) | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # configuracao do banco de dados | |
| import sqlite3 | |
| conn=sqlite3.connect('kerberus.db') | |
| c=conn.cursor() | |
| c.execute('''CREATE TABLE usuario (id real, usuario text, senha text)''') | |
| c.execute('''CREATE TABLE servidor (id real, servico text, senha text)''') | |
| c.execute("INSERT INTO usuario VALUES ('1','[email protected]','senh1234')") | |
| c.execute("INSERT INTO servidor VALUES ('1','http','serv1234')") | |
| conn.commit() | |
| conn.close() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import sys | |
| from thread import * | |
| from Crypto.Cipher import DES | |
| import datetime, time | |
| HOST = '127.0.0.2' | |
| PORT = 9999 | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| print '[+] Socket criado.' | |
| try: | |
| s.bind((HOST, PORT)) | |
| except socket.error as msg: | |
| print '[-] Ligacao falhou. Erro: ' + str(msg[0]) + ' - Mensagem: ' + msg[1] | |
| sys.exit() | |
| s.listen(10) | |
| print '[+] Socket ouvindo..' | |
| def clientthread(conn): | |
| tgt=conn.recv(1024) | |
| print '\n[+] TGT Recebido: %s' % tgt | |
| tgt=tgt.strip() | |
| tgt=str(tgt) | |
| tgt=tgt.decode('hex') | |
| # Decifrando os TGT para verificar o cliente | |
| des3=DES.new('serv1234',DES.MODE_ECB) | |
| r=des3.decrypt(tgt) | |
| r=r.split(',') | |
| print '\n[+] CLIENTE identificado: %s' % r[0] | |
| chave_sessao=r[8] | |
| k=chave_sessao[:-1] | |
| k=str(k) | |
| print '[+] CHAVE_DE_SESSAO identificada: %s' % k | |
| # Recebe o authenticator | |
| c3=conn.recv(1024) | |
| # Decifrando o authenticator para obter o horario | |
| c3=c3.split() | |
| c3=c3[0] | |
| c3=c3.decode('hex') | |
| des4=DES.new(k,DES.MODE_ECB) | |
| h=des4.decrypt(c3) | |
| h=h.split(',') | |
| h=h[0] | |
| hora=h[0:2] | |
| mnt=h[2:4] | |
| seg=h[4:6] | |
| print "[+] HORA_CLIENTE: %s:%s:%s" % (hora, mnt, seg) | |
| hv=int(h)+500 | |
| ts=time.time() | |
| hs=datetime.datetime.fromtimestamp(ts).strftime('%H%M%S') | |
| if (int(hs)<=int(hv)): | |
| print '\n[+] Acesso liberado. ;D' | |
| else: | |
| print '\n[-] Tempo expirou.' | |
| while 1: | |
| conn, addr = s.accept() | |
| start_new_thread(clientthread ,(conn,)) | |
| s.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment