POC details: b501f12c4f9f997c09070a9bda56cbfd07ea5169

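Source
Related vulnerability
Title: Microsoft Windows Kerberos security vulnerability (CVE-2022-33679)
Description: Microsoft Windows Kerberos is software from Microsoft (USA) used for authentication in network clusters. Kerberos is also a network authentication protocol, designed to provide strong authentication for client/server applications through a key system. Microsoft Windows Kerberos contains a security vulnerability. The following products and versions are affected: Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server 2022, W
Introduction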
# CVE-2022-33679 Checker

Lightweight checker that tests whether a set of Active Directory credentials is exposed to CVE-2022-33679 (Kerberos AS-REP roast without pre-authentication). The code is derived from [Bdenneu/CVE-2022-33679](https://github.com/Bdenneu/CVE-2022-33679) and keeps only the detection path: **it never attempts exploitation. It isn't an exploit!**

## Requirements

- Python 3.9+
- Network reachability to the target Domain Controller (TCP/88)
- Optional tooling: [`uv`](https://docs.astral.sh/uv/) for environment management, or standard `python3 -m venv`
- Dependencies listed in `requirements.txt`: `impacket==0.10.0`, `arc4==0.3.0`

## Installation

### Using uv (recommended)

```bash
uv venv
source .venv/bin/activate
uv pip install -r requirements.txt
```

### Using pip

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

## Usage

```bash
uv run python CVE-2022-33679_Checker.py DOMAIN/username [-dc-ip DC_IP] [-ts] [-debug]
```

Argument | Description
---------|------------
`DOMAIN/username` | Credential to test, in `domain/user` format. The domain part is required.
`-dc-ip` | (Optional) IP of the Domain Controller. When omitted, the script resolves the FQDN from `DOMAIN`.
`-ts` | Prefixes logs with timestamps.
`-debug` | Enables verbose logging, including Impacket installation path.

### Notes

- A successful check never sets credentials or resets passwords; it only asks the KDC for an AS-REP without pre-authentication.
- If the supplied user does not exist, the script reports `Usuario no encontrado en el dominio`.
- A vulnerable response causes the script to exit with code `1`; a safe response exits with `0`.

## Examples

Check a user against an explicit DC IP:

```bash
uv run python CVE-2022-33679_Checker.py CONTOSO/alice -dc-ip 192.168.1.10
```

Possible outcomes:

- `Sistema vulnerable a CVE-2022-33679: Se recibió AS-REP sin pre-autenticación`
- `Sistema NO vulnerable: Requiere pre-autenticación Kerberos`
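
How the outcomes this README lists can be told apart in the KDC's reply, as an added example that is not the checker's own code: per RFC 4120 an AS-REP carries DER application tag 11 and a KRB-ERROR carries tag 30 with an `error-code` field. The mapping of the script's messages to these codes is an assumption, the sample replies are constructed and trimmed, and the 4-byte TCP length prefix is assumed to be already stripped.

```python
# Added example, not the checker's code. Tags and error codes follow RFC 4120.
AS_REP_TAG = 0x6B        # [APPLICATION 11]
KRB_ERROR_TAG = 0x7E     # [APPLICATION 30]
ERROR_CODE_FIELD = 0xA6  # context tag [6] inside KRB-ERROR
KDC_ERRORS = {6: "principal unknown", 25: "pre-authentication required"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first                       # short form: the byte is the length
    if first >= 0x80:                    # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def classify_reply(reply):
    """Map a KDC reply (TCP length prefix already stripped) to an outcome."""
    tag, start, _ = read_tlv(reply, 0)
    if tag == AS_REP_TAG:
        return "as-rep without pre-authentication"
    if tag != KRB_ERROR_TAG:
        return "unexpected message"
    _, pos, end = read_tlv(reply, start)             # inner SEQUENCE
    while pos < end:
        field, f_start, f_end = read_tlv(reply, pos)
        if field == ERROR_CODE_FIELD:
            _, i_start, i_end = read_tlv(reply, f_start)   # INTEGER
            code = int.from_bytes(reply[i_start:i_end], "big", signed=True)
            return KDC_ERRORS.get(code, f"kdc error {code}")
        pos = f_end
    return "krb-error without error-code"

def tlv(tag, body):  # short-form DER encoder, used only to build the samples
    return bytes([tag, len(body)]) + body

# Constructed, trimmed samples: only pvno [0], msg-type [1] and error-code [6].
def sample_error(code):
    fields = tlv(0xA0, tlv(2, b"\x05")) + tlv(0xA1, tlv(2, b"\x1e"))
    return tlv(KRB_ERROR_TAG, tlv(0x30, fields + tlv(0xA6, tlv(2, bytes([code])))))

SAMPLE_AS_REP = tlv(AS_REP_TAG, tlv(0x30, tlv(0xA0, tlv(2, b"\x05")) + tlv(0xA1, tlv(2, b"\x0b"))))
```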

## Troubleshooting

- `Domain should be specified!`: make sure the target is `DOMAIN/user`, not just `user`.
- `Error de Kerberos: ...`: enable `-debug` for more context, verify the DC IP, and confirm the account name.

## Responsible Use

Operate the checker only on systems you are authorized to test. The script is intended for defensive validation of CVE-2022-33679 mitigations.

## References

- [Microsoft Security Response Center CVE-2022-33679](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679)
- [Bdenneu/CVE-2022-33679](https://github.com/Bdenneu/CVE-2022-33679)

File snapshot

```
[4.0K] /data/pocs/b501f12c4f9f997c09070a9bda56cbfd07ea5169
├── [6.4K] CVE-2022-33679_Checker.py
├── [1.1K] LICENSE
├── [2.5K] README.md
└── [  29] requirements.txt

0 directories, 4 files
```