Kerberos

Kerberos is the authentication protocol used by Active Directory, whose directory is exposed over LDAP. When these services are reachable, we can test for anonymous LDAP binds, enumerate users, and perform the other attacks described below.

Anonymous Binds

  • When the LDAP and Kerberos ports are open, it is always best practice to check for anonymous binds. When anonymous binds are enabled, we can query the directory for users and the information stored about them. Sysadmins sometimes leave a user's password in the account's description field, which is a quick win if anonymous binds are enabled.

ldapsearch -h $ip -x -s base namingcontexts
ldapsearch -h $ip -x -b "DC=domain,DC=tld" > ldap-anonymous
ldapsearch -h $ip -x -b "DC=domain,DC=tld" '(objectClass=person)' > ldap-people

Machine: Cascade - Here

Kerberos Attacks

ASREPRoasting


Long story short,

The client proves knowledge of the user's password by encrypting a timestamp with a key derived from that password and sending it to the KDC (the AS-REQ). The KDC decrypts the timestamp with the same key and replies with a response (the AS-REP) that contains material encrypted with the user's key.

That reply is the AS-REP. For accounts that do not require pre-authentication, it can be requested without knowing the password, and the encrypted part can be cracked offline to obtain the user's password.

Fully explained (YouTube): Here

  • Once valid usernames have been identified, perform ASREPRoasting against them

  • With the obtained hash, the user's password can be recovered by cracking it with hashcat / john

Kerberoasting


To perform Kerberoasting, valid domain user credentials, or access to a machine in the domain, are required.
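As an added example (not part of the original notes), a small detector that applies the two patterns above, the pre-auth-less AS-REP and the RC4 service ticket, to Windows Security events 4768 and 4769; the log lines are constructed and the field names follow the Windows event schema.

```python
# Added example (not from the original notes): flag Kerberos ticket requests
# matching the ASREPRoasting and Kerberoasting patterns described above, using
# fields from Windows Security events 4768 (TGT request) and 4769 (service
# ticket request). The log lines below are constructed for this example.
import re

# Constructed sample events in a flattened "key=value" form.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc_backup IpAddress=10.0.0.5 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=alice IpAddress=10.0.0.7 PreAuthType=2 TicketEncryptionType=0x12
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=MSSQLSvc IpAddress=10.0.0.7 TicketEncryptionType=0x17
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ IpAddress=10.0.0.7 TicketEncryptionType=0x12
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt IpAddress=10.0.0.9 TicketEncryptionType=0x17
"""

RC4_HMAC = "0x17"  # etype 23; domain-joined clients normally negotiate AES (0x11/0x12)

def parse_line(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    if event.get("EventID") == "4768":
        # PreAuthType 0 means pre-authentication was not required: an AS-REP for
        # this account can be fetched without its password and cracked offline.
        if event.get("PreAuthType") == "0" and event.get("TicketEncryptionType") == RC4_HMAC:
            return "ASREPRoasting"
    elif event.get("EventID") == "4769":
        svc = event.get("ServiceName", "")
        # RC4 service tickets for SPNs backed by user accounts (not machine
        # accounts ending in '$', not krbtgt) are the usual Kerberoasting fingerprint.
        if (event.get("TicketEncryptionType") == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            return "Kerberoasting"
    return None

def scan(log_text):
    """Return (finding, user, service, client_ip) tuples for suspicious events."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        label = classify(ev)
        if label:
            findings.append((label, ev.get("TargetUserName"),
                             ev.get("ServiceName"), ev.get("IpAddress")))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Kerberoasting can also be performed against AES tickets, so the RC4 check is a high-signal fingerprint rather than a complete rule; in production, baseline per-client volumes of 4769 events as well.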

From Linux

From Windows

Cracking
