Kerberos
Check for valid users
This is useful if you have a list of usernames and do not know which are valid on the domain. Can also be used to find from a list of valid users which are vulnerable to the more vicious attacks below.
Using LDAP
LDAP filter for users that do not require Kerberos PREAUTH. The syntax above (&(
means a logical AND, where both filters must be true.
Using Impacket GetNPUsers.py
Check for valid users (no credentials required)
Check for users without PREAUTH required (credentials required)
Using Rubeus with ASREPRoast module
Check ASREPRoast for all users in current domain
$format
can be either [
hashcat
|
john
]
for both Impacket and Rubeus
Brute Force
Attempt to validate users and/or passwords through a brute force attack. Has a high possibility of locking out accounts. Not recommended.
With kerbrute.py
With Rubeus using the 'brute' module
Password Spray
Similar to a brute force attack, but only use one (or a few) passwords. This minimizes the chances of account lockout. TODO: Add More
Kerberoast
TGS Service key is derived from NTLM hash, so having one can give the other.
Enumeration using LDAP
LDAP filter for users with linked services
Using Impacket GetUserSPNs.py
Using Rubeus with kerberoast module
Hashcat format:
13100
John format:
krb5tgs
Overpass The Hash/Pass The Key (PTK)
Using Impacket getTGT.py
Pass The Ticket
From Linux
Check type and location of tickets:
If none return, default is /tmp/krb5cc_%{uid}
.
For KEYRING
tickets, you can use tickey to retrieve them.
Using Impacket
Convert tickets between Linux/Windows format with ticket_converter.py
From Windows
Using Mimikatz to export the tickets
Inject ticket with Mimikatz:
Using Rubeus with dump module
Inject ticket with Rubeus ptt module
Execute a command with PsExec after injecting the ticket
Silver ticket
Create an unlimited use ticket for a single service. After generating a Silver ticket, follow the same instructions as above to use
Using Impacket ticketer.py
Using Mimikatz
Golden ticket
Create a unlimited use ticket. It will be valid until the krbtgt password is changed or TGT expires. Tickets must be used right after created. Follow the same instructions as above to use.
Using Impacket ticketer.py
Using Mimikatz
Misc
Get NTLM hash from password
{password}
is where the password is inserted.
Delegation
Allows a service impersonate the user to interact with a second service, with the privileges and permissions of the user
If a user has delegation capabilities, all its services (and processes) have delegation capabilities.
KDC only worries about the user who is talking to, not the process.
Any process belonging to the same user can perform the same actions in Kerberos, regardless of whether it is a service or not.
Unable to delegate if NotDelegated (or ADS_UF_NOT_DELEGATED) flag is set in the User-Account-Control attribute of the user account or user in Protected Users group.
Unconstrained delegation
User1 requests a TGS for $Service, of User2.
The KDC checks if User2 has the TrustedForDelegation flag set.
The KDC includes a TGT of User1 inside the TGS for $Service.
$Service receives the TGS with the TGT of User1 included and stores it for later use.
Last updated