CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md
## Kerberos Login/Bruteforce

The `auxiliary/scanner/kerberos/kerberos_login` module can verify Kerberos credentials against a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. It will also store Kerberos tickets that can be used even after the user's password has been changed.

Kerberos accounts which do not require pre-authentication will have the TGT logged for offline cracking; this technique is known as AS-REP Roasting.
This module is able to identify the following information from the KDC:

- Valid/invalid accounts
- Locked/disabled accounts
- Accounts with expired passwords (when the password matches)
- AS-REP roastable accounts
### Target

To use the `kerberos_login` module, make sure you are able to connect to the Kerberos service on a Domain Controller.
### Scenarios

#### Creating a single Kerberos ticket (TGT)
To create a single Kerberos ticket (TGT), set the username and password options:
#### Auth Brute
The following demonstrates basic usage, using a custom wordlist, targeting a single Domain Controller to identify valid domain user accounts and additionally bruteforcing passwords:
Create a new `./users.txt` file and `./wordlist.txt`, then run the module:
#### ASREPRoasting

Accounts that have `Do not require Kerberos preauthentication` enabled will receive an AS-REP response with a ticket-granting ticket present. The technique of cracking this ticket offline is called ASREPRoasting.
Cracking the AS-REP response with John:

Cracking the AS-REP response with Hashcat:
You can see previously cracked creds with:
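From the defender's side, the account states listed above and the AS-REP roasting behaviour both leave traces in the Domain Controller's Security log (event 4768, TGT requested, and 4771, pre-authentication failed). The following is an added example, not part of the Metasploit module or its documentation: it runs two heuristics over constructed 4768/4771 records, one for account enumeration (many distinct unknown principals from one client) and one for roastable-account use (TGT issued with Pre-Authentication Type 0 and RC4 ticket encryption). Field layout and sample values are assumptions for the example.

```python
"""Heuristics over constructed Windows Security events 4768/4771 for the KDC
responses described above. Added example; not the module's own code."""
from collections import defaultdict

# Result Code as written in the 4768/4771 event, and what the KDC is saying.
RESULT_CODES = {
    "0x0": "success",
    "0x6": "unknown account",            # KDC_ERR_C_PRINCIPAL_UNKNOWN
    "0x12": "disabled/locked",           # KDC_ERR_CLIENT_REVOKED
    "0x17": "password expired",          # KDC_ERR_KEY_EXPIRED (password was right)
    "0x18": "wrong password",            # KDC_ERR_PREAUTH_FAILED
    "0x19": "valid, pre-auth required",  # KDC_ERR_PREAUTH_REQUIRED
}

# Constructed records: (event_id, account, client_ip, preauth_type, ticket_etype, result_code)
EVENTS = [
    (4768, "alice",   "10.0.0.5",  "2", "0x12", "0x0"),   # ordinary AES logon, PA-ENC-TIMESTAMP
    (4768, "zz_a",    "10.0.0.99", "-", "0x17", "0x6"),   # three guesses at non-existent names
    (4768, "zz_b",    "10.0.0.99", "-", "0x17", "0x6"),
    (4768, "zz_c",    "10.0.0.99", "-", "0x17", "0x6"),
    (4771, "bob",     "10.0.0.99", "2", "-",    "0x18"),  # bob exists; a password guess failed
    (4768, "svc_old", "10.0.0.99", "0", "0x17", "0x0"),   # TGT issued with no pre-auth, RC4
]

def kdc_verdicts(events):
    """Per client, the latest KDC verdict for each account it touched."""
    out = defaultdict(dict)
    for _eid, acct, ip, _pa, _et, code in events:
        out[ip][acct] = RESULT_CODES.get(code, "other " + code)
    return dict(out)

def find_enumeration(events, min_unknown=3):
    """Clients that probed at least min_unknown distinct non-existent accounts."""
    unknown = defaultdict(set)
    for eid, acct, ip, _pa, _et, code in events:
        if eid == 4768 and code == "0x6":
            unknown[ip].add(acct)
    return {ip: len(a) for ip, a in unknown.items() if len(a) >= min_unknown}

def find_asrep_roast(events):
    """4768 successes with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption."""
    return [(acct, ip) for eid, acct, ip, pa, et, code in events
            if eid == 4768 and code == "0x0" and pa == "0" and et == "0x17"]

if __name__ == "__main__":
    print(find_enumeration(EVENTS))   # {'10.0.0.99': 3}
    print(find_asrep_roast(EVENTS))   # [('svc_old', '10.0.0.99')]
```

Pre-Authentication Type 0 is the normal value for any account with pre-authentication disabled, so the second heuristic flags roastable accounts in use rather than an attack by itself; pairing it with the enumeration hit from the same client is what makes the pattern worth an alert.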
### Options

The `kerberos_login` module only requires the `RHOST`, `DOMAIN` and `USER_FILE` options to run.
#### The DOMAIN option

This option specifies the target domain. If the domain name is incorrect, an error is returned and domain user account enumeration will fail.
An example of setting DOMAIN:
#### The USER_FILE option

This option specifies the file containing the list of user names to query against the Domain Controller, to determine whether each exists in the target domain. One per line.
An example of setting USER_FILE:
#### The PASS_FILE option

If you keep all the found passwords in a separate file, this option lets you supply that file. One per line.
#### The USERPASS_FILE option

If each user in your file should be tried with a specific password, use this option. One username/password pair per line:
#### The DB_ALL_CREDS option
This option allows you to reuse all the user names and passwords collected by the database:
#### The DB_ALL_PASS option
This option allows you to reuse all the passwords collected by the database.
#### The DB_ALL_USERS option
This option allows you to reuse all the user names collected by the database.
#### The Timeout option

This option specifies the TCP timeout, i.e. how long to wait for a connection to the Domain Controller to be established and for data to be read.
An example of setting Timeout: