Kerberos Authentication
Authenticating using Kerberos
The Kerberos authentication protocol is supported by CrackMapExec. With the newly released version there are two ways we can authenticate using Kerberos: with a ticket in the ccache format or with the user's credentials.
Ccache file
Kerberos TGTs are usually stored in .ccache files. If we get access to a valid .ccache file, we can use it to authenticate as the user it belongs to, since it contains the user's credentials.
We can generate a TGT using the getTGT.py script from the Impacket suite. The TGT will be saved on our attacker machine in a file with the .ccache extension.
Then, we can set the environment variable KRB5CCNAME, which specifies the path of the .ccache file.
We can then authenticate to the target using the --use-kcache CME flag, which reads the KRB5CCNAME environment variable to locate the ticket used for authentication.
Authenticating with the MSSQL protocol over Kerberos requires specifying the target's FQDN or hostname instead of its IP address: the MSSQL protocol does not perform DNS resolution the way the LDAP and SMB protocols do.
Username and password
Instead of using the default NTLM authentication protocol when authenticating with a username and password, we can pass the --kerberos flag to authenticate via the Kerberos protocol.
Enumerate users using Kerberos
It is possible to enumerate users, and to identify those vulnerable to ASREPRoast attacks, using the --kerberos flag. We can think of this use case as Kerbrute integrated into CrackMapExec. When authenticating a user using Kerberos, three messages can be displayed to the attacker, giving information about whether the user exists and whether preauthentication is required before requesting a TGT:
- The username does not exist.
- The username exists, but the password is wrong.
- This user is vulnerable to the ASREPRoast attack.
To use Kerberos authentication we might need to configure our /etc/hosts file with the FQDN of the domain and of the domain controller.
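The three outcomes above are visible on the defender's side too: each maps to a distinct KDC response that a domain controller records in its security log. The following added example (not part of the CrackMapExec project) classifies constructed, simplified 4768/4771 event records by those outcomes, flags a source address that probes many usernames, and lists accounts that obtained a TGT without pre-authentication; the event schema and the threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of domain controller security events, reduced to the fields
# the logic needs (hypothetical schema). 4768 = TGT requested, 4771 = pre-auth failed.
# Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist); 0x18 =
# KDC_ERR_PREAUTH_FAILED (user exists, wrong password); a successful 4768 with
# PreAuthType 0 means no pre-authentication was required, i.e. AS-REP roastable.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "ghost1", "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "ghost2", "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "ghost3", "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "ghost4", "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4771, "TargetUserName": "jdoe", "IpAddress": "10.0.0.50", "Status": "0x18"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.50",
     "Status": "0x0", "PreAuthType": 0},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.7",
     "Status": "0x0", "PreAuthType": 2},
    {"EventID": 4771, "TargetUserName": "alice", "IpAddress": "10.0.0.7", "Status": "0x18"},
]

ENUM_THRESHOLD = 5  # constructed: failures from one source before it is flagged


def classify(event):
    """Map one KDC event to the outcome an enumerating client learns from it."""
    eid, status = event["EventID"], event.get("Status", "0x0")
    if eid == 4768 and status == "0x6":
        return "unknown_user"
    if eid == 4771 and status == "0x18":
        return "wrong_password"
    if eid == 4768 and status == "0x0" and event.get("PreAuthType") == 0:
        return "asrep_roastable"
    return None


def analyze(events, threshold=ENUM_THRESHOLD):
    """Flag sources probing many usernames and accounts that skip pre-authentication."""
    by_source = defaultdict(Counter)
    roastable = set()
    for ev in events:
        outcome = classify(ev)
        if outcome is None:
            continue
        by_source[ev["IpAddress"]][outcome] += 1
        if outcome == "asrep_roastable":
            roastable.add(ev["TargetUserName"])
    probing = [ip for ip, c in by_source.items()
               if c["unknown_user"] + c["wrong_password"] >= threshold]
    return {"enumerating_sources": sorted(probing), "roastable_users": sorted(roastable)}
```

Accounts reported as roastable are the ones to review for the "Do not require Kerberos preauthentication" setting; a flagged source is one that produced the first two outcomes repeatedly within the sample.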
Using AES-128 or AES-256
It is also possible to use the AES-128 or AES-256 hash to authenticate via Kerberos, which has the advantage of being stealthier. We can use secretsdump.py to retrieve a user's AES hashes and then pass them with the --aeskey flag in CME.