hacktricks/network-services-pentesting/pentesting-kerberos-88/README.md

94 lines
5 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# 88tcp/udp - Pentesting Kerberos
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 13:25:53 +00:00
## Basic Information
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.\
2022-07-13 13:37:24 +00:00
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is the responsability of each service to determine if the user has access to its resources.
**Default Port:** 88/tcp/udp
2022-05-01 13:25:53 +00:00
```
PORT STATE SERVICE
88/tcp open kerberos-sec
```
2022-05-01 13:25:53 +00:00
### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/)**.**
2022-05-01 13:25:53 +00:00
## More
2022-05-01 13:25:53 +00:00
### Shodan
* `port:88 kerberos`
2022-05-01 13:25:53 +00:00
### MS14-068
2022-05-01 13:25:53 +00:00
Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token (Kerberos Ticket Granting Ticket, TGT, ticket) by adding the false statement that the user is a member of Domain Admins (or other sensitive group) and the Domain Controller (DC) will validate that (false) claim enabling attacker improper access to any domain (in the AD forest) resource on the network.
2022-05-01 13:25:53 +00:00
{% embed url="https://adsecurity.org/?p=541" %}
Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
2022-05-01 13:25:53 +00:00
## HackTricks Automatic Commands
2021-08-12 13:04:16 +00:00
2022-05-01 13:25:53 +00:00
```
2021-08-12 13:04:16 +00:00
Protocol_Name: Kerberos #Protocol Abbreviation if there is one.
Port_Number: 88 #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication #Protocol Abbreviation Spelled out
2021-08-15 17:17:54 +00:00
Entry_1:
Name: Notes
Description: Notes for Kerberos
Note: |
Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
2022-07-13 13:37:24 +00:00
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is the responsability of each service to determine if the user has access to its resources.
2021-08-15 17:17:54 +00:00
https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
Entry_2:
Name: Pre-Creds
Description: Brute Force to get Usernames
Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}
Entry_3:
Name: With Usernames
Description: Brute Force with Usernames and Passwords
Note: consider git clonehttps://github.com/ropnop/kerbrute.git ./kerbrute -h
Entry_4:
Name: With Creds
Description: Attempt to get a list of user service principal names
Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs
2021-08-12 13:04:16 +00:00
```
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>