hacktricks/pentesting/pentesting-kerberos-88
CoolHandSquid c8b2886c6e
88 Yaml
2021-08-15 13:17:54 -04:00
..
harvesting-tickets-from-linux.md GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
harvesting-tickets-from-windows.md GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
README.md 88 Yaml 2021-08-15 13:17:54 -04:00

88tcp/udp - Pentesting Kerberos

Basic Information

Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.

Default Port: 88/tcp/udp

PORT   STATE SERVICE
88/tcp open  kerberos-sec

To learn how to abuse Kerberos you should read the post about Active Directory.

More

Shodan

  • port:88 kerberos

MS14-068

Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token Kerberos Ticket Granting Ticket, TGT, ticket by adding the false statement that the user is a member of Domain Admins or other sensitive group and the Domain Controller DC will validate that false claim enabling attacker improper access to any domain in the AD forest resource on the network.

{% embed url="https://adsecurity.org/?p=541" caption="" %}

Other exploits: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

HackTricks Automatic Commands

Protocol_Name: Kerberos    #Protocol Abbreviation if there is one.
Port_Number:  88   #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Kerberos
  Note: |
    Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
    Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.

    https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88

Entry_2:
  Name: Pre-Creds
  Description: Brute Force to get Usernames
  Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}

Entry_3:
  Name: With Usernames
  Description: Brute Force with Usernames and Passwords
  Note: consider git clonehttps://github.com/ropnop/kerbrute.git ./kerbrute -h

Entry_4:
  Name: With Creds
  Description: Attempt to get a list of user service principal names
  Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs