Data

Tools

Indexes

Applications

Experiments

Open Source Science

https://github.com/byt3n33dl3/crackmapkeros

Kerberos Attacks by cracking the system or router that provides a gateway for Active Directory.

https://github.com/byt3n33dl3/crackmapkeros

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (5.5%) to scientific vocabulary

Keywords

active-directory domain-controller kerberoasting kerberos kerberos-attack tgs tgt
Last synced: 6 months ago · JSON representation

Repository

Kerberos Attacks by cracking the system or router that provides a gateway for Active Directory.

Basic Info
  • Host: GitHub
  • Owner: byt3n33dl3
  • License: mit
  • Language: Python
  • Default Branch: main
  • Homepage: https://crackerblitz.com
  • Size: 143 KB
Statistics
  • Stars: 20
  • Watchers: 1
  • Forks: 1
  • Open Issues: 0
  • Releases: 0
Topics
active-directory domain-controller kerberoasting kerberos kerberos-attack tgs tgt
Created almost 2 years ago · Last pushed almost 2 years ago
Metadata Files
Readme License

README.md

berberosmd

KerberossianCracker | Kerberos Constrained Delegation

If you have compromised a user account or a computer (machine account) that has kerberos constrained delegation enabled, it's possible to impersonate any domain user (including administrator) and authenticate to a service that the user account is trusted to delegate to.

Domain Compromise via DC Print Server and Kerberos Delegation

This lab demonstrates an attack on Active Directory Domain Controller (or any other host to be fair) that involves the following steps and environmental conditions:

  • Attacker has to compromise a system that has an unrestricted kerberos delegation enabled.
  • Attacker finds a victim that runs a print server. In this lab this happened to be a Domain Controller.
  • Attacker coerces the DC to attempt authenticating to the attacker controlled host which has unrestricted kerberos delegation enabled.
    • This is done via RPC API RpcRemoteFindFirstPrinterChangeNotificationEx that allows print clients to subscribe to notifications of changes on the print server.
    • Once the API is called, the DC attempts to authenticate to the compromised host by revealing its TGT to the attacker controlled compromised system.
  • Attacker extracts DC01's TGT from the compromised system and impersonates the DC to carry a DCSync attack and dump domain member hashes.

This lab builds on Domain Compromise via Unrestricted Kerberos Delegation

Execution (referenced from: RTT)

Our environment for this lab is:

  • attacker compromised host with kerberos delegation enabled (attacker, server)
  • domain controller running a print service (victim, target)

We can check if a spool service is running on a remote host like so: If the spoolss was not running, we would receive an error. The above clearly shows the attack was successful and an NTLM hash for the user spotless got retrieved - get cracking or passing it now.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ KerberosPublicKeyInfo ::= SEQUENCE { apticket [0] EXPLICIT Ticket, tgsticket [1] EXPLICIT Ticket OPTIONAL, tgs_seskey [2] EXPLICIT EncryptionKey OPTIONAL ... } ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credit to some UADC and Crackmapexec

Owner

  • Name: Sulaiman
  • Login: byt3n33dl3
  • Kind: user
  • Location: Error 403: Not on earth

I N F R A X 8 6

GitHub Events

Total
  • Watch event: 2
Last Year
  • Watch event: 2

Issues and Pull Requests

Last synced: 9 months ago

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
View more stats
Top Authors
Issue Authors
Pull Request Authors
Top Labels
Issue Labels
Pull Request Labels