Kerberos - Port 88
Master pentesting Kerberos on port 88 with VeryLazyTech’s lazy methodology—exploits included!
Last updated
Was this helpful?
Master pentesting Kerberos on port 88 with VeryLazyTech’s lazy methodology—exploits included!
Last updated
Was this helpful?
Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
In environments like Active Directory, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.
After authentication by Kerberos, the decision-making process regarding access to resources is delegated to individual services within the network. These services are then responsible for evaluating the authenticated user's rights and permissions, based on the information provided by Kerberos about the user's privileges. This design allows for a separation of concerns between authenticating the identity of users and managing their access rights, enabling a more flexible and secure approach to resource management in distributed networks.
To learn how to abuse Kerberos you should read the post about
Default Port: 88/tcp/udp
The first step is identifying Kerberos services on the target network. Port scanning tools are essential here.
Nmap Scan for Kerberos (Port 88):
This command performs both TCP and UDP scans to identify open Kerberos ports. Scanning both protocols is crucial since Kerberos can operate on either.
Masscan for Larger Networks:
Masscan is faster than Nmap for large networks, though it may not be as precise. After detecting Kerberos, use Nmap to gather more detailed information.
User account enumeration is a powerful starting point in Kerberos. Attackers can brute-force or enumerate valid usernames.
Kerbrute:
Kerbrute is designed specifically for brute-forcing Kerberos usernames and can provide insight into valid users within the domain.
Impacket’s GetNPUsers.py for AS-REP Roasting:
If pre-authentication is disabled, GetNPUsers.py helps identify accounts vulnerable to AS-REP roasting by obtaining encrypted data that can be cracked offline.
RPCClient User Enumeration:
rpcclient can be used to enumerate usernames if anonymous login is allowed on the server. This step often supplements Kerberos user enumeration.
Testing for Pre-Authentication Bypass (AS-REP Roasting)
AS-REP roasting exploits accounts without pre-authentication enabled, allowing attackers to retrieve an encrypted timestamp that can be brute-forced offline.
Impacket’s GetNPUsers.py (for AS-REP Roasting):
Running this without passwords will attempt to identify accounts where pre-authentication is disabled, providing hashes that attackers can brute-force offline.
Offline Cracking with Hashcat:
Hashcat, using mode 18200, cracks AS-REP hashes. Use a robust wordlist to attempt decrypting the hash for possible credentials.
Performing Kerberoasting
Kerberoasting targets service accounts, allowing attackers to obtain service principal names (SPNs) and then request a ticket to perform offline cracking.
Gather SPNs with Impacket’s GetUserSPNs.py:
This command extracts SPNs, which are service accounts registered within Active Directory. By obtaining these SPNs, attackers can attempt to crack them offline.
Using Rubeus for Kerberoasting (on Windows):
Rubeus is a powerful Kerberos manipulation tool. The kerberoast command will list all the service tickets that can be used for offline cracking.
Offline Cracking with John the Ripper:
John the Ripper can also be used to crack service account hashes extracted via Kerberoasting, especially if hashcat isn’t available.
Pass-the-Ticket (PTT) and Silver Ticket Attacks
In Kerberos, tickets play a crucial role. Attackers who obtain tickets can impersonate legitimate users.
Mimikatz for Pass-the-Ticket Attack:
Mimikatz allows attackers to inject Kerberos tickets into their session, granting them access to services or resources as the user associated with the ticket.
Generating a Silver Ticket with Mimikatz:
ExplanationSilver tickets are forged tickets that target specific services rather than domain-wide (as with Golden Tickets). Silver tickets provide long-term access to a particular service without interacting with the domain controller.
Rubeus for Ticket Extraction:
Rubeus can extract all active Kerberos tickets on the machine, providing the attacker with potentially reusable tickets for Pass-the-Ticket attacks.
Password Cracking with AS-REP and Kerberoast Hashes
Offline password cracking is a critical step after obtaining AS-REP or Kerberoast hashes.
Hashcat Cracking for Kerberoast Hashes:
Mode 13100 in Hashcat is dedicated to Kerberoast hash cracking. This approach can potentially yield the plaintext password of service accounts if a match is found in the wordlist.
Password Cracking with John the Ripper (Kerberoasting):
John the Ripper provides a krb5tgs format specifically for Kerberos TGS (Ticket Granting Service) hashes, allowing for flexible wordlist cracking.
PowerView: This is a PowerShell tool useful for enumerating Active Directory objects, including SPNs, permissions, and trust relationships.
PowerView provides extensive Active Directory enumeration and is instrumental in identifying Kerberos accounts, SPNs, and potential targets for privilege escalation.
GPPPassword (for Credential Discovery): Although not directly a Kerberos tool, GPPPassword can extract plaintext passwords from Group Policy Preferences, which can sometimes grant access to Kerberos service accounts.
Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools Mimikatz and Rubeus are widely employed, each offering different commands and functionalities.
Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.
Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.
When using these commands, ensure to replace placeholders like <BASE64_TICKET> and <luid> with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.
Credential Storage in Linux
Linux systems store credentials in three types of caches, namely Files (in /tmp directory), Kernel Keyrings (a special segment in the Linux kernel), and Process Memory (for single-process use). The default_ccache_name variable in /etc/krb5.conf reveals the storage type in use, defaulting to FILE:/tmp/krb5cc_%{uid} if not specified.
Extracting Credentials
Keyring Extraction Overview
The keyctl system call, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The hercules.sh script from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft.
Ticket Extraction Tool: Tickey
The 2017 paper, , outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.
Building on the principles of the hercules.sh script, the tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i.
Learn & practice
Become VeryLazyTech ! 🎁
Follow us on Twitter , Github , and Medium .
Visit our for e-books and courses. 📚
Support us and . ☕