TCP 88: Kerberos
Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
-- Wikipedia
AS-REP Roasting
If Kerberos preauthentication is disabled for a user (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl), the Key Distribution Center (KDC) answers an AS_REQ for that user without any proof that the requester knows the password. The reply (AS_REP) contains an enc-part encrypted with a key derived from the user's password (for etype 23 / RC4-HMAC this key is simply the NT hash), so the blob can be taken away and cracked offline. No domain credentials are needed, only a valid username.
See also YouTube - Conda - Attacking Active Directory - AS-REP Roasting.
Requirements
Only works on user accounts that have Kerberos preauthentication disabled
List of potential usernames (with a domain account the affected users can be queried from LDAP directly by filtering on the DONT_REQ_PREAUTH bit of userAccountControl; without one, names have to be guessed or enumerated, see kerbrute below)
Impacket: GetNPUsers.py, either fed a username list (-usersfile) or run with a domain account so it looks the vulnerable users up itself; -format hashcat writes lines for hashcat -m 18200
Rubeus: asreproast, run from a domain-joined host in the context of any domain user
kerbrute
A tool to perform Kerberos pre-auth bruteforcing: GitHub - ropnop/kerbrute
Enumerate users: kerbrute userenum sends AS_REQs for a list of candidate names and reports the ones the KDC answers with KDC_ERR_PREAUTH_REQUIRED (valid user) rather than KDC_ERR_C_PRINCIPAL_UNKNOWN. This produces no 4625 failed-logon events, only 4768 entries with failure code 0x6 where Kerberos Authentication Service auditing is enabled.
bruteforce password of one user: kerbrute bruteuser tries a password list against a single account. Every wrong guess is a failed pre-authentication (event 4771, failure code 0x18) and counts towards the lockout threshold, so check the domain's lockout policy first.
Kerberoasting
With any domain account (a low-privilege user or even a computer account), we can request (TGS_REQ) a service ticket for any Service Principal Name (SPN). The reply (TGS_REP) contains the ticket, whose enc-part is encrypted with the service account's key (for etype 23 / RC4-HMAC, its NT hash), and that ticket can then be cracked offline. Only SPNs registered on user accounts are worth requesting: computer accounts have random 120-character passwords that will not crack.
See also YouTube - Conda - Attacking Active Directory - Kerberoasting
Requirements
Only works on service accounts that have a Service Principal Name (SPN) set
Creds/User account on the domain (low priv is sufficient)
Impacket: GetUserSPNs.py lists the SPNs bound to user accounts; with -request it also pulls the tickets and writes them in hashcat format (-m 13100 for RC4 tickets)
Rubeus: kerberoast, run from a domain-joined host
Roasting tools ask for RC4 (etype 23) explicitly and the KDC honours that unless the account's msDS-SupportedEncryptionTypes allows only AES. AES-only accounts yield etype 17/18 tickets (hashcat -m 19600 / 19700), whose keys are derived with PBKDF2 and therefore crack far more slowly.
TODO
kerberoast
Use exported tickets from Mimikatz
Sync time
Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the allowed skew (5 minutes by default in Active Directory), so the client time must be synced to the domain controller before running any of the Kerberos tooling above.
Error (when not synced)
SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
ntpdate
Sync against the domain controller, which normally also serves NTP for the domain.
Manually
Get server time
Set local time accordingly