hacktricks/network-services-pentesting/pentesting-kerberos-88/README.md
2023-08-03 19:12:22 +00:00

5.6 KiB
Raw Blame History

88tcp/udp - Kerberos渗透测试

☁️ HackTricks云 ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

基本信息

首先Kerberos是一种身份验证协议而不是授权协议。换句话说它允许识别每个用户用户提供一个秘密密码但它不验证该用户可以访问哪些资源或服务。
Kerberos在Active Directory中使用。在这个平台上Kerberos提供了关于每个用户特权的信息但每个服务决定用户是否可以访问其资源。

默认端口: 88/tcp/udp

PORT   STATE SERVICE
88/tcp open  kerberos-sec

要学习如何滥用Kerberos您应该阅读有关Active Directory的文章。

更多信息

Shodan

  • port:88 kerberos

MS14-068

简而言之此漏洞使攻击者能够通过添加虚假声明修改现有的有效域用户登录令牌Kerberos票据授予票证TGT票证并且域控制器DC将验证该虚假声明从而使攻击者可以不当访问网络上的任何域在AD林中资源。

{% embed url="https://adsecurity.org/?p=541" %}

其他利用:https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

HackTricks自动命令

Protocol_Name: Kerberos    #Protocol Abbreviation if there is one.
Port_Number:  88   #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Kerberos
Note: |
Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is the responsability of each service to determine if the user has access to its resources.

https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88

Entry_2:
Name: Pre-Creds
Description: Brute Force to get Usernames
Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}

Entry_3:
Name: With Usernames
Description: Brute Force with Usernames and Passwords
Note: consider git clonehttps://github.com/ropnop/kerbrute.git ./kerbrute -h

Entry_4:
Name: With Creds
Description: Attempt to get a list of user service principal names
Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs
☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥